======
dm-ima
======

For a given system, various external services/infrastructure tools
(including the attestation service) interact with it - both during the
setup and during the rest of the system run-time. They share sensitive data
and/or execute critical workload on that system. The external services
may want to verify the current run-time state of the relevant kernel
subsystems before fully trusting the system with business-critical
data/workload.

Device mapper plays a critical role on a given system by providing
various important functionalities to the block devices using various
target types like crypt, verity, integrity etc. Each of these target
types' functionalities can be configured with various attributes.
The attributes chosen to configure these target types can significantly
impact the security profile of the block device, and in turn, of the
system itself. For instance, the type of encryption algorithm and the
key size determine the strength of encryption for a given block device.

Therefore, verifying the current state of various block devices as well
as their various target attributes is crucial for external services before
fully trusting the system with business-critical data/workload.

IMA kernel subsystem provides the necessary functionality for
device mapper to measure the state and configuration of
various block devices -

- by device mapper itself, from within the kernel,
- in a tamper resistant way,
- and re-measured - triggered on state/configuration change.

Setting the IMA Policy:
=======================
For IMA to measure the data on a given system, the IMA policy on the
system needs to be updated to have the following line, and the system needs
to be restarted for the measurements to take effect.

::

 /etc/ima/ima-policy
  measure func=CRITICAL_DATA label=device-mapper template=ima-buf

The measurements will be reflected in the IMA logs, which are located at:

::

 /sys/kernel/security/integrity/ima/ascii_runtime_measurements
 /sys/kernel/security/integrity/ima/binary_runtime_measurements

The IMA ASCII measurement log has the following format:

::

 <PCR> <TEMPLATE_DATA_DIGEST> <TEMPLATE_NAME> <TEMPLATE_DATA>

 PCR := Platform Configuration Register, in which the values are registered.
       This is applicable if TPM chip is in use.

 TEMPLATE_DATA_DIGEST := Template data digest of the IMA record.
 TEMPLATE_NAME := Template name that registered the integrity value (e.g. ima-buf).

 TEMPLATE_DATA := <ALG> ":" <EVENT_DIGEST> <EVENT_NAME> <EVENT_DATA>
                  It contains data for the specific event to be measured,
                  in a given template data format.

 ALG := Algorithm to compute event digest
 EVENT_DIGEST := Digest of the event data
 EVENT_NAME := Description of the event (e.g. 'dm_table_load').
 EVENT_DATA := The event data to be measured.

|

| *NOTE #1:*
| The DM target data measured by IMA subsystem can alternatively
 be queried from userspace by setting DM_IMA_MEASUREMENT_FLAG with
 DM_TABLE_STATUS_CMD.

|

| *NOTE #2:*
| The Kernel configuration CONFIG_IMA_DISABLE_HTABLE allows measurement of duplicate records.
| To support recording duplicate IMA events in the IMA log, the Kernel needs to be configured with
 CONFIG_IMA_DISABLE_HTABLE=y.

Supported Device States:
========================
Following device state changes will trigger IMA measurements:

 1. Table load
 #. Device resume
 #. Device remove
 #. Table clear
 #. Device rename

1. Table load:
---------------
When a new table is loaded in a device's inactive table slot,
the device information and target specific details from the
targets in the table are measured.

The IMA measurement log has the following format for 'dm_table_load':

::

 EVENT_NAME := "dm_table_load"
 EVENT_DATA := <dm_version_str> ";" <device_metadata> ";" <table_load_data>

 dm_version_str := "dm_version=" <N> "." <N> "." <N>
                   Same as Device Mapper driver version.
 device_metadata := <device_name> "," <device_uuid> "," <device_major> "," <device_minor> ","
                    <minor_count> "," <num_device_targets> ";"

 device_name := "name=" <dm-device-name>
 device_uuid := "uuid=" <dm-device-uuid>
 device_major := "major=" <N>
 device_minor := "minor=" <N>
 minor_count := "minor_count=" <N>
 num_device_targets := "num_targets=" <N>
 dm-device-name := Name of the device. If it contains special characters like '\', ',', ';',
                   they are prefixed with '\'.
 dm-device-uuid := UUID of the device. If it contains special characters like '\', ',', ';',
                   they are prefixed with '\'.

 table_load_data := <target_data>
                    Represents the data (as name=value pairs) from various targets in the table,
                    which is being loaded into the DM device's inactive table slot.
 target_data := <target_data_row> | <target_data><target_data_row>

 target_data_row := <target_index> "," <target_begin> "," <target_len> "," <target_name> ","
                    <target_version> "," <target_attributes> ";"
 target_index := "target_index=" <N>
                 Represents nth target in the table (from 0 to N-1 targets specified in <num_device_targets>)
                 If all the data for N targets doesn't fit in the given buffer - then the data that fits
                 in the buffer (say from target 0 to x) is measured in a given IMA event.
                 The remaining data from targets x+1 to N-1 is measured in the subsequent IMA events,
                 with the same format as that of 'dm_table_load'
                 i.e. <dm_version_str> ";" <device_metadata> ";" <table_load_data>.

 target_begin := "target_begin=" <N>
 target_len := "target_len=" <N>
 target_name := Name of the target. 'linear', 'crypt', 'integrity' etc.
                The targets that are supported for IMA measurements are documented below in the
                'Supported targets' section.
 target_version := "target_version=" <N> "." <N> "." <N>
 target_attributes := Data containing comma separated list of name=value pairs of target specific attributes.

 For instance, if a linear device is created with the following table entries,
  # dmsetup create linear1
  0 2 linear /dev/loop0 512
  2 2 linear /dev/loop0 512
  4 2 linear /dev/loop0 512
  6 2 linear /dev/loop0 512

 Then IMA ASCII measurement log will have the following entry:
 (converted from ASCII to text for readability)

 10 a8c5ff755561c7a28146389d1514c318592af49a ima-buf sha256:4d73481ecce5eadba8ab084640d85bb9ca899af4d0a122989252a76efadc5b72
 dm_table_load
 dm_version=4.45.0;
 name=linear1,uuid=,major=253,minor=0,minor_count=1,num_targets=4;
 target_index=0,target_begin=0,target_len=2,target_name=linear,target_version=1.4.0,device_name=7:0,start=512;
 target_index=1,target_begin=2,target_len=2,target_name=linear,target_version=1.4.0,device_name=7:0,start=512;
 target_index=2,target_begin=4,target_len=2,target_name=linear,target_version=1.4.0,device_name=7:0,start=512;
 target_index=3,target_begin=6,target_len=2,target_name=linear,target_version=1.4.0,device_name=7:0,start=512;

2. Device resume:
------------------
When a suspended device is resumed, the device information and the hash of the
data from previous load of an active table are measured.
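
A verifier can use the load and resume records together. The Python below is an added example, not kernel or project code: it checks each ima-buf record's EVENT_DIGEST, applies a constructed cipher/key-size policy to 'crypt' rows of 'dm_table_load', and compares the 'active_table_hash' of 'dm_device_resume' with a hash over the EVENT_DATA of the preceding load, which is what the matching digests in this page's linear1 samples indicate. Assumptions: EVENT_DATA is hex-encoded in the ASCII log, multi-event tables are hashed by concatenating events in log order, and all function names, the policy values and the sample log are constructed for illustration.

```python
import hashlib
import re

ALLOWED_CIPHERS = {"aes-xts-plain64"}  # constructed policy, not from the page
MIN_KEY_SIZE = 32                      # compared with key_size= as logged


def split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped characters together."""
    parts, cur, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" and i + 1 < len(text) else 1
        if step == 1 and text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i:i + step]
        i += step
    parts.append(cur)
    return parts


def parse_pairs(segment):
    """Parse 'a=1,b=2' into a dict and drop the escaping backslashes."""
    pairs = {}
    for item in split_unescaped(segment, ","):
        key, _, value = item.partition("=")
        pairs[key] = re.sub(r"\\(.)", r"\1", value)
    return pairs


def parse_line(line):
    """Return (EVENT_NAME, EVENT_DATA bytes) once EVENT_DIGEST checks out."""
    _pcr, _tdigest, template, ev_digest, ev_name, ev_hex = line.split()
    if template != "ima-buf":
        raise ValueError("not an ima-buf record")
    alg, _, digest = ev_digest.partition(":")
    data = bytes.fromhex(ev_hex)  # assumption: EVENT_DATA is logged as hex
    if hashlib.new(alg, data).hexdigest() != digest:
        raise ValueError("EVENT_DIGEST does not match EVENT_DATA")
    return ev_name, data


def check_crypt(dev_name, row):
    """Policy findings for one 'crypt' target row."""
    found = []
    if row.get("cipher_string") not in ALLOWED_CIPHERS:
        found.append((dev_name, "cipher not allowed: %s" % row.get("cipher_string")))
    if int(row.get("key_size", 0)) < MIN_KEY_SIZE:
        found.append((dev_name, "key_size below minimum: %s" % row.get("key_size")))
    return found


def audit(log_lines):
    """Return (device name, message) findings for load and resume events."""
    findings, inactive, active = [], {}, {}
    for line in log_lines:
        event, data = parse_line(line)
        if event not in ("dm_table_load", "dm_device_resume"):
            continue  # remove, clear and rename are not modelled here
        segs = [s for s in split_unescaped(data.decode(), ";") if s]
        dev = parse_pairs(segs[1])
        key = (dev["major"], dev["minor"])
        if event == "dm_table_load":
            rows = [parse_pairs(s) for s in segs[2:]]
            # target_index=0 starts a new table; later events continue it
            # (assumption: continuation events are concatenated in log order).
            fresh = not rows or rows[0].get("target_index") == "0"
            inactive[key] = data if fresh else inactive.get(key, b"") + data
            for row in rows:
                if row.get("target_name") == "crypt":
                    findings += check_crypt(dev["name"], row)
            continue
        if key in inactive:
            active[key] = inactive.pop(key)  # resume activates the loaded table
        alg, _, logged = parse_pairs(segs[2])["active_table_hash"].partition(":")
        if key not in active:
            findings.append((dev["name"], "resume without a measured table load"))
        elif hashlib.new(alg, active[key]).hexdigest() != logged:
            findings.append((dev["name"], "active_table_hash does not match the table load"))
    return findings


# Constructed sample data, modelled on the page's crypt1 sample (row abbreviated).
DEV = ("dm_version=4.45.0;name=crypt1,uuid=crypt_uuid1,major=253,minor=0,"
       "minor_count=1,num_targets=1;")
ROW = ("target_index=0,target_begin=0,target_len=1953125,target_name=crypt,"
       "target_version=1.23.0,cipher_string=%s,key_size=%d;")


def make_line(event, text):
    """Build one constructed log line; the template digest is a dummy value."""
    data = text.encode()
    return "10 %s ima-buf sha256:%s %s %s" % (
        "0" * 40, hashlib.sha256(data).hexdigest(), event, data.hex())


def sample_log(cipher, key_size, tamper=False):
    """A load followed by a resume; tamper=True logs a hash of other data."""
    load = DEV + ROW % (cipher, key_size)
    hashed = (load + "x" if tamper else load).encode()
    resume = DEV + "active_table_hash=sha256:%s;current_device_capacity=1953125;" % (
        hashlib.sha256(hashed).hexdigest())
    return [make_line("dm_table_load", load), make_line("dm_device_resume", resume)]


if __name__ == "__main__":
    for args in (("aes-xts-plain64", 32), ("aes-cbc-plain", 16),
                 ("aes-xts-plain64", 32, True)):
        print(args, audit(sample_log(*args)))
```

The template data digest and the PCR value are not checked here; a full verifier would also replay the log against a TPM quote before trusting any record.
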

The IMA measurement log has the following format for 'dm_device_resume':

::

 EVENT_NAME := "dm_device_resume"
 EVENT_DATA := <dm_version_str> ";" <device_metadata> ";" <active_table_hash> ";" <current_device_capacity> ";"

 dm_version_str := As described in the 'Table load' section above.
 device_metadata := As described in the 'Table load' section above.
 active_table_hash := "active_table_hash=" <table_hash_alg> ":" <table_hash>
                      Represents the hash of the IMA data being measured for the
                      active table for the device.
 table_hash_alg := Algorithm used to compute the hash.
 table_hash := Hash of the (<dm_version_str> ";" <device_metadata> ";" <table_load_data> ";")
               as described in the 'dm_table_load' above.
               Note: If the table_load data spans across multiple IMA 'dm_table_load'
               events for a given device, the hash is computed combining all the event data
               i.e. (<dm_version_str> ";" <device_metadata> ";" <table_load_data> ";")
               across all those events.
 current_device_capacity := "current_device_capacity=" <N>

 For instance, if a linear device is resumed with the following command,
 #dmsetup resume linear1

 then IMA ASCII measurement log will have an entry with:
 (converted from ASCII to text for readability)

 10 56c00cc062ffc24ccd9ac2d67d194af3282b934e ima-buf sha256:e7d12c03b958b4e0e53e7363a06376be88d98a1ac191fdbd3baf5e4b77f329b6
 dm_device_resume
 dm_version=4.45.0;
 name=linear1,uuid=,major=253,minor=0,minor_count=1,num_targets=4;
 active_table_hash=sha256:4d73481ecce5eadba8ab084640d85bb9ca899af4d0a122989252a76efadc5b72;current_device_capacity=8;

3. Device remove:
------------------
When a device is removed, the device information and a sha256 hash of the
data from an active and inactive table are measured.

The IMA measurement log has the following format for 'dm_device_remove':

::

 EVENT_NAME := "dm_device_remove"
 EVENT_DATA := <dm_version_str> ";" <device_active_metadata> ";" <device_inactive_metadata> ";"
               <active_table_hash> "," <inactive_table_hash> "," <remove_all> ";" <current_device_capacity> ";"

 dm_version_str := As described in the 'Table load' section above.
 device_active_metadata := Device metadata that reflects the currently loaded active table.
                           The format is same as 'device_metadata' described in the 'Table load' section above.
 device_inactive_metadata := Device metadata that reflects the inactive table.
                             The format is same as 'device_metadata' described in the 'Table load' section above.
 active_table_hash := Hash of the currently loaded active table.
                      The format is same as 'active_table_hash' described in the 'Device resume' section above.
 inactive_table_hash := Hash of the inactive table.
                        The format is same as 'active_table_hash' described in the 'Device resume' section above.
 remove_all := "remove_all=" <yes_no>
 yes_no := "y" | "n"
 current_device_capacity := "current_device_capacity=" <N>

 For instance, if a linear device is removed with the following command,
  #dmsetup remove l1

 then IMA ASCII measurement log will have the following entry:
 (converted from ASCII to text for readability)

 10 790e830a3a7a31590824ac0642b3b31c2d0e8b38 ima-buf sha256:ab9f3c959367a8f5d4403d6ce9c3627dadfa8f9f0e7ec7899299782388de3840
 dm_device_remove
 dm_version=4.45.0;
 device_active_metadata=name=l1,uuid=,major=253,minor=2,minor_count=1,num_targets=2;
 device_inactive_metadata=name=l1,uuid=,major=253,minor=2,minor_count=1,num_targets=1;
 active_table_hash=sha256:4a7e62efaebfc86af755831998b7db6f59b60d23c9534fb16a4455907957953a,
 inactive_table_hash=sha256:9d79c175bc2302d55a183e8f50ad4bafd60f7692fd6249e5fd213e2464384b86,remove_all=n;
 current_device_capacity=2048;

4. Table clear:
----------------
When an inactive table is cleared from the device, the device information and a sha256 hash of the
data from an inactive table are measured.

The IMA measurement log has the following format for 'dm_table_clear':

::

 EVENT_NAME := "dm_table_clear"
 EVENT_DATA := <dm_version_str> ";" <device_inactive_metadata> ";" <inactive_table_hash> ";" <current_device_capacity> ";"

 dm_version_str := As described in the 'Table load' section above.
 device_inactive_metadata := Device metadata that was captured during the load time inactive table being cleared.
                             The format is same as 'device_metadata' described in the 'Table load' section above.
 inactive_table_hash := Hash of the inactive table being cleared from the device.
                        The format is same as 'active_table_hash' described in the 'Device resume' section above.
 current_device_capacity := "current_device_capacity=" <N>

 For instance, if a linear device's inactive table is cleared,
  #dmsetup clear l1

 then IMA ASCII measurement log will have an entry with:
 (converted from ASCII to text for readability)

 10 77d347408f557f68f0041acb0072946bb2367fe5 ima-buf sha256:42f9ca22163fdfa548e6229dece2959bc5ce295c681644240035827ada0e1db5
 dm_table_clear
 dm_version=4.45.0;
 name=l1,uuid=,major=253,minor=2,minor_count=1,num_targets=1;
 inactive_table_hash=sha256:75c0dc347063bf474d28a9907037eba060bfe39d8847fc0646d75e149045d545;current_device_capacity=1024;

5. Device rename:
------------------
When a device's NAME or UUID is changed, the device information and the new NAME and UUID
are measured.

The IMA measurement log has the following format for 'dm_device_rename':

::

 EVENT_NAME := "dm_device_rename"
 EVENT_DATA := <dm_version_str> ";" <device_active_metadata> ";" <new_device_name> "," <new_device_uuid> ";" <current_device_capacity> ";"

 dm_version_str := As described in the 'Table load' section above.
 device_active_metadata := Device metadata that reflects the currently loaded active table.
                           The format is same as 'device_metadata' described in the 'Table load' section above.
 new_device_name := "new_name=" <dm-device-name>
 dm-device-name := Same as <dm-device-name> described in 'Table load' section above
 new_device_uuid := "new_uuid=" <dm-device-uuid>
 dm-device-uuid := Same as <dm-device-uuid> described in 'Table load' section above
 current_device_capacity := "current_device_capacity=" <N>

 E.g 1: if a linear device's name is changed with the following command,
  #dmsetup rename linear1 --setuuid 1234-5678

 then IMA ASCII measurement log will have an entry with:
 (converted from ASCII to text for readability)

 10 8b0423209b4c66ac1523f4c9848c9b51ee332f48 ima-buf sha256:6847b7258134189531db593e9230b257c84f04038b5a18fd2e1473860e0569ac
 dm_device_rename
 dm_version=4.45.0;
 name=linear1,uuid=,major=253,minor=2,minor_count=1,num_targets=1;new_name=linear1,new_uuid=1234-5678;
 current_device_capacity=1024;

 E.g 2: if a linear device's name is changed with the following command,
  # dmsetup rename linear1 linear=2

 then IMA ASCII measurement log will have an entry with:
 (converted from ASCII to text for readability)

 10 bef70476b99c2bdf7136fae033aa8627da1bf76f ima-buf sha256:8c6f9f53b9ef9dc8f92a2f2cca8910e622543d0f0d37d484870cb16b95111402
 dm_device_rename
 dm_version=4.45.0;
 name=linear1,uuid=1234-5678,major=253,minor=2,minor_count=1,num_targets=1;
 new_name=linear\=2,new_uuid=1234-5678;
 current_device_capacity=1024;

Supported targets:
==================

Following targets are supported to measure their data using IMA:

 1. cache
 #. crypt
 #. integrity
 #. linear
 #. mirror
 #. multipath
 #. raid
 #. snapshot
 #. striped
 #. verity

1. cache
---------
The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
section above) has the following data format for 'cache' target.

::

 target_attributes := <target_name> "," <target_version> "," <metadata_mode> "," <cache_metadata_device> ","
                      <cache_device> "," <cache_origin_device> "," <writethrough> "," <writeback> ","
                      <passthrough> "," <no_discard_passdown> ";"

 target_name := "target_name=cache"
 target_version := "target_version=" <N> "." <N> "." <N>
 metadata_mode := "metadata_mode=" <cache_metadata_mode>
 cache_metadata_mode := "fail" | "ro" | "rw"
 cache_device := "cache_device=" <cache_device_name_string>
 cache_origin_device := "cache_origin_device=" <cache_origin_device_string>
 writethrough := "writethrough=" <yes_no>
 writeback := "writeback=" <yes_no>
 passthrough := "passthrough=" <yes_no>
 no_discard_passdown := "no_discard_passdown=" <yes_no>
 yes_no := "y" | "n"

 E.g.
 When a 'cache' target is loaded, then IMA ASCII measurement log will have an entry
 similar to the following, depicting what 'cache' attributes are measured in EVENT_DATA
 for 'dm_table_load' event.
 (converted from ASCII to text for readability)

 dm_version=4.45.0;name=cache1,uuid=cache_uuid,major=253,minor=2,minor_count=1,num_targets=1;
 target_index=0,target_begin=0,target_len=28672,target_name=cache,target_version=2.2.0,metadata_mode=rw,
 cache_metadata_device=253:4,cache_device=253:3,cache_origin_device=253:5,writethrough=y,writeback=n,
 passthrough=n,metadata2=y,no_discard_passdown=n;


2. crypt
---------
The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
section above) has the following data format for 'crypt' target.

::

 target_attributes := <target_name> "," <target_version> "," <allow_discards> "," <same_cpu_crypt> ","
                      <submit_from_crypt_cpus> "," <no_read_workqueue> "," <no_write_workqueue> ","
                      <iv_large_sectors> "," <iv_large_sectors> "," [<integrity_tag_size> ","] [<cipher_auth> ","]
                      [<sector_size> ","] [<cipher_string> ","] <key_size> "," <key_parts> ","
                      <key_extra_size> "," <key_mac_size> ";"

 target_name := "target_name=crypt"
 target_version := "target_version=" <N> "." <N> "." <N>
 allow_discards := "allow_discards=" <yes_no>
 same_cpu_crypt := "same_cpu_crypt=" <yes_no>
 submit_from_crypt_cpus := "submit_from_crypt_cpus=" <yes_no>
 no_read_workqueue := "no_read_workqueue=" <yes_no>
 no_write_workqueue := "no_write_workqueue=" <yes_no>
 iv_large_sectors := "iv_large_sectors=" <yes_no>
 integrity_tag_size := "integrity_tag_size=" <N>
 cipher_auth := "cipher_auth=" <string>
 sector_size := "sector_size=" <N>
 cipher_string := "cipher_string="
 key_size := "key_size=" <N>
 key_parts := "key_parts=" <N>
 key_extra_size := "key_extra_size=" <N>
 key_mac_size := "key_mac_size=" <N>
 yes_no := "y" | "n"

 E.g.
 When a 'crypt' target is loaded, then IMA ASCII measurement log will have an entry
 similar to the following, depicting what 'crypt' attributes are measured in EVENT_DATA
 for 'dm_table_load' event.
 (converted from ASCII to text for readability)

 dm_version=4.45.0;
 name=crypt1,uuid=crypt_uuid1,major=253,minor=0,minor_count=1,num_targets=1;
 target_index=0,target_begin=0,target_len=1953125,target_name=crypt,target_version=1.23.0,
 allow_discards=y,same_cpu=n,submit_from_crypt_cpus=n,no_read_workqueue=n,no_write_workqueue=n,
 iv_large_sectors=n,cipher_string=aes-xts-plain64,key_size=32,key_parts=1,key_extra_size=0,key_mac_size=0;

3. integrity
-------------
The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
section above) has the following data format for 'integrity' target.

::

 target_attributes := <target_name> "," <target_version> "," <dev_name> "," <start> ","
                      <tag_size> "," <mode> "," [<meta_device> ","] [<block_size> ","] <recalculate> ","
                      <allow_discards> "," <fix_padding> "," <fix_hmac> "," <legacy_recalculate> ","
                      <journal_sectors> "," <interleave_sectors> "," <buffer_sectors> ";"

 target_name := "target_name=integrity"
 target_version := "target_version=" <N> "." <N> "." <N>
 dev_name := "dev_name=" <device_name_str>
 start := "start=" <N>
 tag_size := "tag_size=" <N>
 mode := "mode=" <integrity_mode_str>
 integrity_mode_str := "J" | "B" | "D" | "R"
 meta_device := "meta_device=" <meta_device_str>
 block_size := "block_size=" <N>
 recalculate := "recalculate=" <yes_no>
 allow_discards := "allow_discards=" <yes_no>
 fix_padding := "fix_padding=" <yes_no>
 fix_hmac := "fix_hmac=" <yes_no>
 legacy_recalculate := "legacy_recalculate=" <yes_no>
 journal_sectors := "journal_sectors=" <N>
 interleave_sectors := "interleave_sectors=" <N>
 buffer_sectors := "buffer_sectors=" <N>
 yes_no := "y" | "n"

 E.g.
 When an 'integrity' target is loaded, then IMA ASCII measurement log will have an entry
 similar to the following, depicting what 'integrity' attributes are measured in EVENT_DATA
 for 'dm_table_load' event.
 (converted from ASCII to text for readability)

 dm_version=4.45.0;
 name=integrity1,uuid=,major=253,minor=1,minor_count=1,num_targets=1;
 target_index=0,target_begin=0,target_len=7856,target_name=integrity,target_version=1.10.0,
 dev_name=253:0,start=0,tag_size=32,mode=J,recalculate=n,allow_discards=n,fix_padding=n,
 fix_hmac=n,legacy_recalculate=n,journal_sectors=88,interleave_sectors=32768,buffer_sectors=128;


4. linear
----------
The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
section above) has the following data format for 'linear' target.

::

 target_attributes := <target_name> "," <target_version> "," <device_name> "," <start> ";"

 target_name := "target_name=linear"
 target_version := "target_version=" <N> "." <N> "." <N>
 device_name := "device_name=" <linear_device_name_str>
 start := "start=" <N>

 E.g.
 When a 'linear' target is loaded, then IMA ASCII measurement log will have an entry
 similar to the following, depicting what 'linear' attributes are measured in EVENT_DATA
 for 'dm_table_load' event.
48000d43995STushar Sugandhi (converted from ASCII to text for readability) 48117bfa968STushar Sugandhi 48217bfa968STushar Sugandhi dm_version=4.45.0; 48317bfa968STushar Sugandhi name=linear1,uuid=linear_uuid1,major=253,minor=2,minor_count=1,num_targets=1; 48417bfa968STushar Sugandhi target_index=0,target_begin=0,target_len=28672,target_name=linear,target_version=1.4.0, 48517bfa968STushar Sugandhi device_name=253:1,start=2048; 48617bfa968STushar Sugandhi 48717bfa968STushar Sugandhi5. mirror 48817bfa968STushar Sugandhi---------- 48917bfa968STushar SugandhiThe 'target_attributes' (described as part of EVENT_DATA in 'Table load' 49017bfa968STushar Sugandhisection above) has the following data format for 'mirror' target. 49117bfa968STushar Sugandhi 49217bfa968STushar Sugandhi:: 49317bfa968STushar Sugandhi 49417bfa968STushar Sugandhi target_attributes := <target_name> "," <target_version> "," <nr_mirrors> "," 49517bfa968STushar Sugandhi <mirror_device_data> "," <handle_errors> "," <keep_log> "," <log_type_status> ";" 49617bfa968STushar Sugandhi 49717bfa968STushar Sugandhi target_name := "target_name=mirror" 49817bfa968STushar Sugandhi target_version := "target_version=" <N> "." <N> "." <N> 49917bfa968STushar Sugandhi nr_mirrors := "nr_mirrors=" <NR> 50017bfa968STushar Sugandhi mirror_device_data := <mirror_device_row> | <mirror_device_data><mirror_device_row> 50117bfa968STushar Sugandhi mirror_device_row is repeated <NR> times - for <NR> described in <nr_mirrors>. 50217bfa968STushar Sugandhi mirror_device_row := <mirror_device_name> "," <mirror_device_status> 50317bfa968STushar Sugandhi mirror_device_name := "mirror_device_" <X> "=" <mirror_device_name_str> 50417bfa968STushar Sugandhi where <X> ranges from 0 to (<NR> -1) - for <NR> described in <nr_mirrors>. 50517bfa968STushar Sugandhi mirror_device_status := "mirror_device_" <X> "_status=" <mirror_device_status_char> 50617bfa968STushar Sugandhi where <X> ranges from 0 to (<NR> -1) - for <NR> described in <nr_mirrors>. 
50717bfa968STushar Sugandhi mirror_device_status_char := "A" | "F" | "D" | "S" | "R" | "U" 50817bfa968STushar Sugandhi handle_errors := "handle_errors=" <yes_no> 50917bfa968STushar Sugandhi keep_log := "keep_log=" <yes_no> 51017bfa968STushar Sugandhi log_type_status := "log_type_status=" <log_type_status_str> 51117bfa968STushar Sugandhi yes_no := "y" | "n" 51217bfa968STushar Sugandhi 51317bfa968STushar Sugandhi E.g. 51417bfa968STushar Sugandhi When a 'mirror' target is loaded, then IMA ASCII measurement log will have an entry 51517bfa968STushar Sugandhi similar to the following, depicting what 'mirror' attributes are measured in EVENT_DATA 51617bfa968STushar Sugandhi for 'dm_table_load' event. 51717bfa968STushar Sugandhi (converted from ASCII to text for readability) 51817bfa968STushar Sugandhi 51917bfa968STushar Sugandhi dm_version=4.45.0; 52017bfa968STushar Sugandhi name=mirror1,uuid=mirror_uuid1,major=253,minor=6,minor_count=1,num_targets=1; 52117bfa968STushar Sugandhi target_index=0,target_begin=0,target_len=2048,target_name=mirror,target_version=1.14.0,nr_mirrors=2, 52217bfa968STushar Sugandhi mirror_device_0=253:4,mirror_device_0_status=A, 52317bfa968STushar Sugandhi mirror_device_1=253:5,mirror_device_1_status=A, 52400d43995STushar Sugandhi handle_errors=y,keep_log=n,log_type_status=; 52500d43995STushar Sugandhi 52617bfa968STushar Sugandhi6. multipath 52700d43995STushar Sugandhi------------- 52817bfa968STushar SugandhiThe 'target_attributes' (described as part of EVENT_DATA in 'Table load' 52917bfa968STushar Sugandhisection above) has the following data format for 'multipath' target. 

::

 target_attributes := <target_name> "," <target_version> "," <nr_priority_groups>
                      ["," <pg_state> "," <priority_groups> "," <priority_group_paths>] ";"

 target_name := "target_name=multipath"
 target_version := "target_version=" <N> "." <N> "." <N>
 nr_priority_groups := "nr_priority_groups=" <NPG>
 priority_groups := <priority_groups_row>|<priority_groups_row><priority_groups>
 priority_groups_row := "pg_state_" <X> "=" <pg_state_str> "," "nr_pgpaths_" <X> "=" <NPGP> ","
                        "path_selector_name_" <X> "=" <string> "," <priority_group_paths>
     where <X> ranges from 0 to (<NPG> -1) - for <NPG> described in <nr_priority_groups>.
 pg_state_str := "E" | "A" | "D"
 <priority_group_paths> := <priority_group_paths_row> | <priority_group_paths_row><priority_group_paths>
 priority_group_paths_row := "path_name_" <X> "_" <Y> "=" <string> "," "is_active_" <X> "_" <Y> "=" <is_active_str>
                             "fail_count_" <X> "_" <Y> "=" <N> "," "path_selector_status_" <X> "_" <Y> "=" <path_selector_status_str>
     where <X> ranges from 0 to (<NPG> -1) - for <NPG> described in <nr_priority_groups>,
     and <Y> ranges from 0 to (<NPGP> -1) - for <NPGP> described in <priority_groups_row>.
 is_active_str := "A" | "F"

 E.g.
 When a 'multipath' target is loaded, the IMA ASCII measurement log will have an entry
 similar to the following, depicting what 'multipath' attributes are measured in EVENT_DATA
 for the 'dm_table_load' event.
 (converted from ASCII to text for readability)

 dm_version=4.45.0;
 name=mp,uuid=,major=253,minor=0,minor_count=1,num_targets=1;
 target_index=0,target_begin=0,target_len=2097152,target_name=multipath,target_version=1.14.0,nr_priority_groups=2,
 pg_state_0=E,nr_pgpaths_0=2,path_selector_name_0=queue-length,
 path_name_0_0=8:16,is_active_0_0=A,fail_count_0_0=0,path_selector_status_0_0=,
 path_name_0_1=8:32,is_active_0_1=A,fail_count_0_1=0,path_selector_status_0_1=,
 pg_state_1=E,nr_pgpaths_1=2,path_selector_name_1=queue-length,
 path_name_1_0=8:48,is_active_1_0=A,fail_count_1_0=0,path_selector_status_1_0=,
 path_name_1_1=8:64,is_active_1_1=A,fail_count_1_1=0,path_selector_status_1_1=;

7. raid
--------
The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
section above) has the following data format for the 'raid' target.

::

 target_attributes := <target_name> "," <target_version> "," <raid_type> "," <raid_disks> "," <raid_state>
                      <raid_device_status> ["," journal_dev_mode] ";"

 target_name := "target_name=raid"
 target_version := "target_version=" <N> "." <N> "." <N>
 raid_type := "raid_type=" <raid_type_str>
 raid_disks := "raid_disks=" <NRD>
 raid_state := "raid_state=" <raid_state_str>
 raid_state_str := "frozen" | "reshape" | "resync" | "check" | "repair" | "recover" | "idle" | "undef"
 raid_device_status := <raid_device_status_row> | <raid_device_status_row><raid_device_status>
     <raid_device_status_row> is repeated <NRD> times - for <NRD> described in <raid_disks>.
 raid_device_status_row := "raid_device_" <X> "_status=" <raid_device_status_str>
     where <X> ranges from 0 to (<NRD> -1) - for <NRD> described in <raid_disks>.
 raid_device_status_str := "A" | "D" | "a" | "-"
 journal_dev_mode := "journal_dev_mode=" <journal_dev_mode_str>
 journal_dev_mode_str := "writethrough" | "writeback" | "invalid"

 E.g.
 When a 'raid' target is loaded, the IMA ASCII measurement log will have an entry
 similar to the following, depicting what 'raid' attributes are measured in EVENT_DATA
 for the 'dm_table_load' event.
 (converted from ASCII to text for readability)

 dm_version=4.45.0;
 name=raid_LV1,uuid=uuid_raid_LV1,major=253,minor=12,minor_count=1,num_targets=1;
 target_index=0,target_begin=0,target_len=2048,target_name=raid,target_version=1.15.1,
 raid_type=raid10,raid_disks=4,raid_state=idle,
 raid_device_0_status=A,
 raid_device_1_status=A,
 raid_device_2_status=A,
 raid_device_3_status=A;


8. snapshot
------------
The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
section above) has the following data format for the 'snapshot' target.

::

 target_attributes := <target_name> "," <target_version> "," <snap_origin_name> ","
                      <snap_cow_name> "," <snap_valid> "," <snap_merge_failed> "," <snapshot_overflowed> ";"

 target_name := "target_name=snapshot"
 target_version := "target_version=" <N> "." <N> "." <N>
 snap_origin_name := "snap_origin_name=" <string>
 snap_cow_name := "snap_cow_name=" <string>
 snap_valid := "snap_valid=" <yes_no>
 snap_merge_failed := "snap_merge_failed=" <yes_no>
 snapshot_overflowed := "snapshot_overflowed=" <yes_no>
 yes_no := "y" | "n"

 E.g.
 When a 'snapshot' target is loaded, the IMA ASCII measurement log will have an entry
 similar to the following, depicting what 'snapshot' attributes are measured in EVENT_DATA
 for the 'dm_table_load' event.
 (converted from ASCII to text for readability)

 dm_version=4.45.0;
 name=snap1,uuid=snap_uuid1,major=253,minor=13,minor_count=1,num_targets=1;
 target_index=0,target_begin=0,target_len=4096,target_name=snapshot,target_version=1.16.0,
 snap_origin_name=253:11,snap_cow_name=253:12,snap_valid=y,snap_merge_failed=n,snapshot_overflowed=n;

9. striped
-----------
The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
section above) has the following data format for the 'striped' target.

::

 target_attributes := <target_name> "," <target_version> "," <stripes> "," <chunk_size> ","
                      <stripe_data> ";"

 target_name := "target_name=striped"
 target_version := "target_version=" <N> "." <N> "." <N>
 stripes := "stripes=" <NS>
 chunk_size := "chunk_size=" <N>
 stripe_data := <stripe_data_row>|<stripe_data><stripe_data_row>
 stripe_data_row := <stripe_device_name> "," <stripe_physical_start> "," <stripe_status>
 stripe_device_name := "stripe_" <X> "_device_name=" <stripe_device_name_str>
     where <X> ranges from 0 to (<NS> -1) - for <NS> described in <stripes>.
 stripe_physical_start := "stripe_" <X> "_physical_start=" <N>
     where <X> ranges from 0 to (<NS> -1) - for <NS> described in <stripes>.
 stripe_status := "stripe_" <X> "_status=" <stripe_status_str>
     where <X> ranges from 0 to (<NS> -1) - for <NS> described in <stripes>.
 stripe_status_str := "D" | "A"

 E.g.
 When a 'striped' target is loaded, the IMA ASCII measurement log will have an entry
 similar to the following, depicting what 'striped' attributes are measured in EVENT_DATA
 for the 'dm_table_load' event.
 (converted from ASCII to text for readability)

 dm_version=4.45.0;
 name=striped1,uuid=striped_uuid1,major=253,minor=5,minor_count=1,num_targets=1;
 target_index=0,target_begin=0,target_len=640,target_name=striped,target_version=1.6.0,stripes=2,chunk_size=64,
 stripe_0_device_name=253:0,stripe_0_physical_start=2048,stripe_0_status=A,
 stripe_1_device_name=253:3,stripe_1_physical_start=2048,stripe_1_status=A;

10. verity
----------
The 'target_attributes' (described as part of EVENT_DATA in 'Table load'
section above) has the following data format for the 'verity' target.

::

 target_attributes := <target_name> "," <target_version> "," <hash_failed> "," <verity_version> ","
                      <data_device_name> "," <hash_device_name> "," <verity_algorithm> "," <root_digest> ","
                      <salt> "," <ignore_zero_blocks> "," <check_at_most_once> ["," <root_hash_sig_key_desc>]
                      ["," <verity_mode>] ";"

 target_name := "target_name=verity"
 target_version := "target_version=" <N> "." <N> "." <N>
 hash_failed := "hash_failed=" <hash_failed_str>
 hash_failed_str := "C" | "V"
 verity_version := "verity_version=" <verity_version_str>
 data_device_name := "data_device_name=" <data_device_name_str>
 hash_device_name := "hash_device_name=" <hash_device_name_str>
 verity_algorithm := "verity_algorithm=" <verity_algorithm_str>
 root_digest := "root_digest=" <root_digest_str>
 salt := "salt=" <salt_str>
 salt_str := "-" <verity_salt_str>
 ignore_zero_blocks := "ignore_zero_blocks=" <yes_no>
 check_at_most_once := "check_at_most_once=" <yes_no>
 root_hash_sig_key_desc := "root_hash_sig_key_desc="
 verity_mode := "verity_mode=" <verity_mode_str>
 verity_mode_str := "ignore_corruption" | "restart_on_corruption" | "panic_on_corruption" | "invalid"
 yes_no := "y" | "n"

 E.g.
 When a 'verity' target is loaded, the IMA ASCII measurement log will have an entry
 similar to the following, depicting what 'verity' attributes are measured in EVENT_DATA
 for the 'dm_table_load' event.
 (converted from ASCII to text for readability)

 dm_version=4.45.0;
 name=test-verity,uuid=,major=253,minor=2,minor_count=1,num_targets=1;
 target_index=0,target_begin=0,target_len=1953120,target_name=verity,target_version=1.8.0,hash_failed=V,
 verity_version=1,data_device_name=253:1,hash_device_name=253:0,verity_algorithm=sha256,
 root_digest=29cb87e60ce7b12b443ba6008266f3e41e93e403d7f298f8e3f316b29ff89c5e,
 salt=e48da609055204e89ae53b655ca2216dd983cf3cb829f34f63a297d106d53e2d,
 ignore_zero_blocks=n,check_at_most_once=n;