verifiers: Verify commands executed by grub
Pass all commands executed by GRUB to the verifiers layer. Most verifiers will ignore this, but some (such as the TPM verifier) want to be able to measure and log each command executed in order to ensure that the boot state is as expected. Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
parent
d789e70e26
commit
d3a5e812c5
2 changed files with 25 additions and 3 deletions
@ -27,6 +27,7 @@
|
||||||
#include <grub/normal.h>
|
#include <grub/normal.h>
|
||||||
#include <grub/extcmd.h>
|
#include <grub/extcmd.h>
|
||||||
#include <grub/i18n.h>
|
#include <grub/i18n.h>
|
||||||
|
#include <grub/verify.h>
|
||||||
|
|
||||||
/* Max digits for a char is 3 (0xFF is 255), similarly for an int it
|
/* Max digits for a char is 3 (0xFF is 255), similarly for an int it
|
||||||
is sizeof (int) * 3, and one extra for a possible -ve sign. */
|
is sizeof (int) * 3, and one extra for a possible -ve sign. */
|
||||||
|
@ -929,8 +930,9 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
|
||||||
grub_err_t ret = 0;
|
grub_err_t ret = 0;
|
||||||
grub_script_function_t func = 0;
|
grub_script_function_t func = 0;
|
||||||
char errnobuf[18];
|
char errnobuf[18];
|
||||||
char *cmdname;
|
char *cmdname, *cmdstring;
|
||||||
int argc;
|
int argc, offset = 0, cmdlen = 0;
|
||||||
|
unsigned int i;
|
||||||
char **args;
|
char **args;
|
||||||
int invert;
|
int invert;
|
||||||
struct grub_script_argv argv = { 0, 0, 0 };
|
struct grub_script_argv argv = { 0, 0, 0 };
|
||||||
|
@ -939,6 +941,26 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
|
||||||
if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
|
if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
|
||||||
return grub_errno;
|
return grub_errno;
|
||||||
|
|
||||||
|
for (i = 0; i < argv.argc; i++)
|
||||||
|
{
|
||||||
|
cmdlen += grub_strlen (argv.args[i]) + 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
cmdstring = grub_malloc (cmdlen);
|
||||||
|
if (!cmdstring)
|
||||||
|
{
|
||||||
|
return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||||
|
N_("cannot allocate command buffer"));
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < argv.argc; i++)
|
||||||
|
{
|
||||||
|
offset += grub_snprintf (cmdstring + offset, cmdlen - offset, "%s ",
|
||||||
|
argv.args[i]);
|
||||||
|
}
|
||||||
|
cmdstring[cmdlen - 1] = '\0';
|
||||||
|
grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
|
||||||
|
grub_free (cmdstring);
|
||||||
invert = 0;
|
invert = 0;
|
||||||
argc = argv.argc - 1;
|
argc = argv.argc - 1;
|
||||||
args = argv.args + 1;
|
args = argv.args + 1;
|
||||||
|
@ -1163,4 +1185,3 @@ grub_script_execute (struct grub_script *script)
|
||||||
|
|
||||||
return grub_script_execute_cmd (script->cmd);
|
return grub_script_execute_cmd (script->cmd);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
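Review bot: The return value of `grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);` is discarded, so a verifier that rejects a command cannot stop it, and any grub_errno the verifier set is left in place for the rest of grub_script_execute_cmdline to trip over. If refusal is meant to be possible, propagate it: `ret = grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND); grub_free (cmdstring); if (ret) return ret;` (releasing argv the way the function's tail presumably does, which is outside this hunk); if measurement-only is the intent, a comment saying so plus `grub_errno = GRUB_ERR_NONE;` would make that explicit. On the `GRUB_ERR_OUT_OF_MEMORY` return the argv already filled in by grub_script_arglist_to_argv appears to be leaked as well, unless its storage is released elsewhere. Note also that the measured string is argv joined by single spaces with no quoting, so `foo "a b"` and `foo a b` produce the same string; that limitation deserves a comment at the call site since a TPM log consumer cannot tell them apart. grub_script_execute_cmdline begins before and ends after this hunk.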
@ -34,6 +34,7 @@ enum grub_verify_string_type
|
||||||
{
|
{
|
||||||
GRUB_VERIFY_KERNEL_CMDLINE,
|
GRUB_VERIFY_KERNEL_CMDLINE,
|
||||||
GRUB_VERIFY_MODULE_CMDLINE,
|
GRUB_VERIFY_MODULE_CMDLINE,
|
||||||
|
GRUB_VERIFY_COMMAND,
|
||||||
};
|
};
|
||||||
|
|
||||||
struct grub_file_verifier
|
struct grub_file_verifier
|
||||||
|
|
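Review bot: `GRUB_VERIFY_COMMAND` is added to enum grub_verify_string_type without a comment saying what string a verifier receives for it. As built in execute.c in this commit it is the script command's argv joined by single spaces with no quoting, not the original source text, so I would add above the enumerator `/* A script command line: argv joined by single spaces, unquoted.  */` so verifier authors measure what was actually executed. The enum starts before this hunk.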