Merge pull request #42 from glevand/for-merge-arm64-verity

Add arm64 verity support

grub-core/loader/arm64/linux.c

@@ -32,6 +32,8 @@
 #include <grub/i18n.h>
 #include <grub/lib/cmdline.h>
 
+#include <grub/verity-hash.h>
+
 GRUB_MOD_LICENSE ("GPLv3+");
 
 static grub_dl_t my_mod;
@@ -297,7 +299,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 
   grub_dprintf ("linux", "kernel @ %p\n", kernel_addr);
 
-  cmdline_size = grub_loader_cmdline_size (argc, argv) + sizeof (LINUX_IMAGE);
+  cmdline_size = grub_loader_cmdline_size (argc, argv) + sizeof (LINUX_IMAGE)
+	+ VERITY_CMDLINE_LENGTH;
   linux_args = grub_malloc (cmdline_size);
   if (!linux_args)
     {
@@ -311,6 +314,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 
   if (grub_errno == GRUB_ERR_NONE)
     {
+      grub_pass_verity_hash (kernel_addr, linux_args, cmdline_size);
       grub_loader_set (grub_linux_boot, grub_linux_unload, 0);
       loaded = 1;
     }

grub-core/loader/i386/efi/linux.c

@@ -28,7 +28,7 @@
 #include <grub/efi/efi.h>
 #include <grub/tpm.h>
 
-#include "../verity-hash.h"
+#include <grub/verity-hash.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 

grub-core/loader/i386/linux.c

@@ -37,7 +37,8 @@
 #include <grub/linux.h>
 #include <grub/tpm.h>
 
-#include "verity-hash.h"
+#include <grub/verity-hash.h>
+
 GRUB_MOD_LICENSE ("GPLv3+");
 
 #ifdef GRUB_MACHINE_PCBIOS

grub-core/loader/i386/xen_file.c

@@ -20,7 +20,7 @@
 #include <grub/i386/linux.h>
 #include <grub/misc.h>
 
-#include "verity-hash.h"
+#include <grub/verity-hash.h>
 
 grub_elf_t
 grub_xen_file (grub_file_t file)

include/grub/verity-hash.h

@@ -1,13 +1,33 @@
+/* CoreOS verity hash */
+
 #define VERITY_ARG " verity.usrhash="
 #define VERITY_ARG_LENGTH (sizeof (VERITY_ARG) - 1)
-#define VERITY_HASH_OFFSET 0x40
 #define VERITY_HASH_LENGTH 64
+#define VERITY_CMDLINE_LENGTH ((VERITY_ARG_LENGTH)+(VERITY_HASH_LENGTH))
 
-static inline void grub_pass_verity_hash(struct linux_kernel_header *lh,
+#if defined(__aarch64__)
+# define VERITY_HASH_OFFSET 512
+#elif defined(__i386__)
+# define VERITY_HASH_OFFSET 0x40
+#else
+# error Unsupported arch
+#endif
+
+
+/**
+ * grub_pass_verity_hash - Reads the CoreOS verity hash value from a well known
+ * kernel image offset and adds a kernel command line argument for it.
+ *
+ * @pImage: Kernel image buffer.
+ * @cmdline: Kernel command line buffer.
+ * @cmdline_max_len: Kernel command line buffer length.
+ */
+
+static inline void grub_pass_verity_hash(const void *pImage,
 					 char *cmdline,
 					 grub_size_t cmdline_max_len)
 {
-  char *buf = (char *)lh;
+  const char *buf = pImage;
   grub_size_t cmdline_len;
   int i;
 
@@ -19,7 +39,7 @@ static inline void grub_pass_verity_hash(struct linux_kernel_header *lh,
     }
 
   cmdline_len = grub_strlen(cmdline);
-  if (cmdline_len + VERITY_ARG_LENGTH + VERITY_HASH_LENGTH > cmdline_max_len)
+  if (cmdline_len + VERITY_CMDLINE_LENGTH > cmdline_max_len)
     return;
 
   grub_memcpy (cmdline + cmdline_len, VERITY_ARG, VERITY_ARG_LENGTH);