Microsoft's IMA-Based Measurements For Device Mapper Slated For Linux 5.15
The latest Linux kernel feature proposed by Microsoft that is now working its way to the mainline kernel is IMA-based target measurements for the Device Mapper (DM) subsystem for enhanced security.
Microsoft has been working on Device Mapper target measurements using the IMA infrastructure. The focus is on ensuring the current run-time state of the kernel / relevant subsystems before trusting them with business-critical data or workloads. With Device Mapper being responsible for mapping of block devices and LVM, dm-crypt, software RAID, and other functionality, it's important to ensure its state can be trusted and that the storage configuration is not compromised.
These measurements around DM are useful for ensuring the desired block device state and configuration when initially setting up the system and on subsequent block device changes. This goes along with the rest of Linux's Integrity Measurement Architecture (IMA) work.
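The measurements described above only help if something reads them back. As an added example (not code from the article or from the dm-ima patch series), the script below pulls the Device Mapper entries out of the IMA runtime measurement log and decodes the measured buffer so an attestation or audit step can see when a DM table was loaded or a device resumed. It assumes, per the kernel's dm-ima documentation, that DM entries use the `ima-buf` template, that the event name starts with `dm_` (for example `dm_table_load`, `dm_device_resume`), and that the measured buffer is hex-encoded in the last field; the sample log it reads is constructed, with placeholder digests, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or the dm-ima patch series.
# Summarises Device Mapper measurements found in the IMA runtime measurement
# log so an attestation or audit step can see when a DM table was loaded,
# resumed or removed.
#
# Assumptions (check Documentation/admin-guide/device-mapper/dm-ima.rst for
# the kernel you run): dm-ima entries use the "ima-buf" template, the event
# name starts with "dm_" (e.g. dm_table_load, dm_device_resume,
# dm_device_remove), and the measured buffer is the hex-encoded last field.
# The log path below is the standard securityfs location.
IMA_LOG="${IMA_LOG:-/sys/kernel/security/integrity/ima/ascii_runtime_measurements}"

# dm_ima_events FILE
# Print "<pcr> <event> <decoded buffer>" for every DM measurement in FILE.
# ascii_runtime_measurements fields: PCR template-hash template-name
# then, for ima-buf: <algo>:<digest> <event-name> <hex-buffer>.
dm_ima_events() {
    awk '
    BEGIN { hexdigits = "0123456789abcdef" }
    # Decode a hex string to text using only POSIX awk functions.
    function unhex(h,    i, hi, lo, out) {
        out = ""
        for (i = 1; i <= length(h); i += 2) {
            hi = index(hexdigits, tolower(substr(h, i, 1))) - 1
            lo = index(hexdigits, tolower(substr(h, i + 1, 1))) - 1
            out = out sprintf("%c", hi * 16 + lo)
        }
        return out
    }
    $3 == "ima-buf" && $5 ~ /^dm_/ { print $1, $5, unhex($6) }
    ' "$1"
}

# dm_ima_count FILE EVENT
# Number of measurements of type EVENT (e.g. dm_table_load) in FILE.
dm_ima_count() {
    awk -v ev="$2" '$3 == "ima-buf" && $5 == ev { n++ } END { print n + 0 }' "$1"
}

# Constructed sample log (digests are placeholders, not real values) so the
# script runs offline; on a live system read "$IMA_LOG" instead.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10 0000000000000000000000000000000000000000 ima-ng sha256:0000000000000000000000000000000000000000000000000000000000000000 boot_aggregate
10 1111111111111111111111111111111111111111 ima-buf sha256:1111111111111111111111111111111111111111111111111111111111111111 dm_table_load 6e616d653d726f6f742c7461726765743d6372797074
10 2222222222222222222222222222222222222222 ima-buf sha256:2222222222222222222222222222222222222222222222222222222222222222 dm_device_resume 6e616d653d726f6f74
10 3333333333333333333333333333333333333333 ima-ng sha256:3333333333333333333333333333333333333333333333333333333333333333 /usr/bin/cryptsetup
EOF

dm_ima_events "$SAMPLE_LOG"
echo "dm_table_load events: $(dm_ima_count "$SAMPLE_LOG" dm_table_load)"
```

On a live system, point `dm_ima_events` at `$IMA_LOG` and compare the decoded table buffers against the storage configuration you expect (device names, target types); a `dm_table_load` or `dm_device_resume` you did not provision is the signal this feature exists to surface.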
Microsoft engineers spearheaded this DM IMA integration with more of the technical details for those interested via this patch series and the documentation.
These DM IMA patches have been queued into Device Mapper's dm-5.15 Git branch as material for the Linux 5.15 cycle starting in September. So unless major issues or objections from Linus Torvalds come up in the weeks ahead, this integrity feature will make it into the next major kernel cycle.