verifiers: Verify commands executed by grub
Pass all commands executed by GRUB to the verifiers layer. Most verifiers will ignore this, but some (such as the TPM verifier) want to be able to measure and log each command executed in order to ensure that the boot state is as expected. Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Matthew Garrett
Vincent Batts
parent
90bb89f280
commit
8d6447d496
2 changed files with 18 additions and 14 deletions
|
|
@ -28,6 +28,7 @@
|
||||||
#include <grub/extcmd.h>
|
#include <grub/extcmd.h>
|
||||||
#include <grub/i18n.h>
|
#include <grub/i18n.h>
|
||||||
#include <grub/tpm.h>
|
#include <grub/tpm.h>
|
||||||
|
#include <grub/verify.h>
|
||||||
|
|
||||||
/* Max digits for a char is 3 (0xFF is 255), similarly for an int it
|
/* Max digits for a char is 3 (0xFF is 255), similarly for an int it
|
||||||
is sizeof (int) * 3, and one extra for a possible -ve sign. */
|
is sizeof (int) * 3, and one extra for a possible -ve sign. */
|
||||||
|
|
@ -941,26 +942,29 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
|
||||||
if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
|
if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
|
||||||
return grub_errno;
|
return grub_errno;
|
||||||
|
|
||||||
for (i = 0; i < argv.argc; i++) {
|
for (i = 0; i < argv.argc; i++)
|
||||||
cmdlen += grub_strlen (argv.args[i]) + 1;
|
{
|
||||||
}
|
cmdlen += grub_strlen (argv.args[i]) + 1;
|
||||||
|
}
|
||||||
|
|
||||||
cmdstring = grub_malloc (cmdlen);
|
cmdstring = grub_malloc (cmdlen);
|
||||||
if (!cmdstring)
|
if (!cmdstring)
|
||||||
{
|
{
|
||||||
return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||||
N_("cannot allocate command buffer"));
|
N_("cannot allocate command buffer"));
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < argv.argc; i++) {
|
for (i = 0; i < argv.argc; i++)
|
||||||
offset += grub_snprintf (cmdstring + offset, cmdlen - offset, "%s ",
|
{
|
||||||
argv.args[i]);
|
offset += grub_snprintf (cmdstring + offset, cmdlen - offset, "%s ",
|
||||||
}
|
argv.args[i]);
|
||||||
cmdstring[cmdlen-1]= '\0';
|
}
|
||||||
|
cmdstring[cmdlen - 1] = '\0';
|
||||||
grub_tpm_measure ((unsigned char *)cmdstring, cmdlen, GRUB_ASCII_PCR,
|
grub_tpm_measure ((unsigned char *)cmdstring, cmdlen, GRUB_ASCII_PCR,
|
||||||
"grub_cmd", cmdstring);
|
"grub_cmd", cmdstring);
|
||||||
grub_print_error();
|
grub_print_error();
|
||||||
grub_free(cmdstring);
|
grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
|
||||||
|
grub_free (cmdstring);
|
||||||
invert = 0;
|
invert = 0;
|
||||||
argc = argv.argc - 1;
|
argc = argv.argc - 1;
|
||||||
args = argv.args + 1;
|
args = argv.args + 1;
|
||||||
|
|
@ -1185,4 +1189,3 @@ grub_script_execute (struct grub_script *script)
|
||||||
|
|
||||||
return grub_script_execute_cmd (script->cmd);
|
return grub_script_execute_cmd (script->cmd);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -34,6 +34,7 @@ enum grub_verify_string_type
|
||||||
{
|
{
|
||||||
GRUB_VERIFY_KERNEL_CMDLINE,
|
GRUB_VERIFY_KERNEL_CMDLINE,
|
||||||
GRUB_VERIFY_MODULE_CMDLINE,
|
GRUB_VERIFY_MODULE_CMDLINE,
|
||||||
|
GRUB_VERIFY_COMMAND,
|
||||||
};
|
};
|
||||||
|
|
||||||
struct grub_file_verifier
|
struct grub_file_verifier
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue