From 57fca7d1a38e33e67d79e8e2857125d186f4469a Mon Sep 17 00:00:00 2001 From: Geoff Levand Date: Wed, 25 Jan 2017 14:54:46 -0800 Subject: [PATCH 1/3] loader: Move verity-hash.h to include Signed-off-by: Geoff Levand --- grub-core/loader/i386/efi/linux.c | 2 +- grub-core/loader/i386/linux.c | 3 ++- grub-core/loader/i386/xen_file.c | 2 +- {grub-core/loader/i386 => include/grub}/verity-hash.h | 0 4 files changed, 4 insertions(+), 3 deletions(-) rename {grub-core/loader/i386 => include/grub}/verity-hash.h (100%) diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c index d195c59bf..22a3618d8 100644 --- a/grub-core/loader/i386/efi/linux.c +++ b/grub-core/loader/i386/efi/linux.c @@ -28,7 +28,7 @@ #include #include -#include "../verity-hash.h" +#include GRUB_MOD_LICENSE ("GPLv3+"); diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c index d4ac836db..2e3539ac3 100644 --- a/grub-core/loader/i386/linux.c +++ b/grub-core/loader/i386/linux.c @@ -37,7 +37,8 @@ #include #include -#include "verity-hash.h" +#include + GRUB_MOD_LICENSE ("GPLv3+"); #ifdef GRUB_MACHINE_PCBIOS diff --git a/grub-core/loader/i386/xen_file.c b/grub-core/loader/i386/xen_file.c index f1faf6ff0..64b6db108 100644 --- a/grub-core/loader/i386/xen_file.c +++ b/grub-core/loader/i386/xen_file.c @@ -20,7 +20,7 @@ #include #include -#include "verity-hash.h" +#include grub_elf_t grub_xen_file (grub_file_t file) diff --git a/grub-core/loader/i386/verity-hash.h b/include/grub/verity-hash.h similarity index 100% rename from grub-core/loader/i386/verity-hash.h rename to include/grub/verity-hash.h From c9bd29e124aedc91e623095c5794f545cb8b84a9 Mon Sep 17 00:00:00 2001 From: Geoff Levand Date: Wed, 25 Jan 2017 14:54:46 -0800 Subject: [PATCH 2/3] loader: verity-hash.h fixups o Add some comments. o Change image buffer type to (const void *). o Add new macro VERITY_CMDLINE_LENGTH. 
Signed-off-by: Geoff Levand --- include/grub/verity-hash.h | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/include/grub/verity-hash.h b/include/grub/verity-hash.h index afbfd14d6..7222d5b87 100644 --- a/include/grub/verity-hash.h +++ b/include/grub/verity-hash.h @@ -1,13 +1,26 @@ +/* CoreOS verity hash */ + #define VERITY_ARG " verity.usrhash=" #define VERITY_ARG_LENGTH (sizeof (VERITY_ARG) - 1) -#define VERITY_HASH_OFFSET 0x40 #define VERITY_HASH_LENGTH 64 +#define VERITY_CMDLINE_LENGTH ((VERITY_ARG_LENGTH)+(VERITY_HASH_LENGTH)) +#define VERITY_HASH_OFFSET 0x40 -static inline void grub_pass_verity_hash(struct linux_kernel_header *lh, + +/** + * grub_pass_verity_hash - Reads the CoreOS verity hash value from a well known + * kernel image offset and adds a kernel command line argument for it. + * + * @pImage: Kernel image buffer. + * @cmdline: Kernel command line buffer. + * @cmdline_max_len: Kernel command line buffer length. + */ + +static inline void grub_pass_verity_hash(const void *pImage, char *cmdline, grub_size_t cmdline_max_len) { - char *buf = (char *)lh; + const char *buf = pImage; grub_size_t cmdline_len; int i; @@ -19,7 +32,7 @@ static inline void grub_pass_verity_hash(struct linux_kernel_header *lh, } cmdline_len = grub_strlen(cmdline); - if (cmdline_len + VERITY_ARG_LENGTH + VERITY_HASH_LENGTH > cmdline_max_len) + if (cmdline_len + VERITY_CMDLINE_LENGTH > cmdline_max_len) return; grub_memcpy (cmdline + cmdline_len, VERITY_ARG, VERITY_ARG_LENGTH); From dc2eaa5855ecff4bd13ebf7b1cc998397adced93 Mon Sep 17 00:00:00 2001 From: Geoff Levand Date: Wed, 25 Jan 2017 14:54:46 -0800 Subject: [PATCH 3/3] loader: Add arm64 verity Signed-off-by: Geoff Levand --- grub-core/loader/arm64/linux.c | 6 +++++- include/grub/verity-hash.h | 9 ++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c index 9519d2e4d..432f5c073 100644 
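Review bot: The new `const void *pImage` parameter carries no length, yet the function reads `VERITY_HASH_LENGTH` bytes at `VERITY_HASH_OFFSET` from it, so a caller passing an image shorter than `VERITY_HASH_OFFSET + VERITY_HASH_LENGTH` bytes reads past its buffer; the new kernel-doc block should state that precondition, e.g. `@pImage: Kernel image buffer; must be at least VERITY_HASH_OFFSET + VERITY_HASH_LENGTH bytes long.`, and ideally the signature would take an image size and return early when it is too small. The blank line between the closing `*/` and `static inline` also detaches the kernel-doc comment from the declaration it documents, and GRUB's own style would spell the parameter `image` rather than `pImage`. The loop that validates the hash bytes and the rest of the body lie outside this hunk.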
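Review bot: The bounds check `if (cmdline_len + VERITY_CMDLINE_LENGTH > cmdline_max_len)` still accepts the case where the appended argument fills the buffer exactly, which leaves no byte for a NUL terminator; since `cmdline` is treated as a C string (`grub_strlen(cmdline)` just above), if the code after this hunk terminates the string after the copied hash that write lands one past the end of `cmdline`. The comparison should be `>=`, i.e. `if (cmdline_len + VERITY_CMDLINE_LENGTH >= cmdline_max_len)`. This is pre-existing rather than introduced here, but the line is being rewritten anyway; the terminator write, if any, is beyond the end of this hunk.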
--- a/grub-core/loader/arm64/linux.c +++ b/grub-core/loader/arm64/linux.c @@ -32,6 +32,8 @@ #include #include +#include + GRUB_MOD_LICENSE ("GPLv3+"); static grub_dl_t my_mod; @@ -297,7 +299,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), grub_dprintf ("linux", "kernel @ %p\n", kernel_addr); - cmdline_size = grub_loader_cmdline_size (argc, argv) + sizeof (LINUX_IMAGE); + cmdline_size = grub_loader_cmdline_size (argc, argv) + sizeof (LINUX_IMAGE) + + VERITY_CMDLINE_LENGTH; linux_args = grub_malloc (cmdline_size); if (!linux_args) { @@ -311,6 +314,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), if (grub_errno == GRUB_ERR_NONE) { + grub_pass_verity_hash (kernel_addr, linux_args, cmdline_size); grub_loader_set (grub_linux_boot, grub_linux_unload, 0); loaded = 1; } diff --git a/include/grub/verity-hash.h b/include/grub/verity-hash.h index 7222d5b87..f79bb5d4c 100644 --- a/include/grub/verity-hash.h +++ b/include/grub/verity-hash.h @@ -4,7 +4,14 @@ #define VERITY_ARG_LENGTH (sizeof (VERITY_ARG) - 1) #define VERITY_HASH_LENGTH 64 #define VERITY_CMDLINE_LENGTH ((VERITY_ARG_LENGTH)+(VERITY_HASH_LENGTH)) -#define VERITY_HASH_OFFSET 0x40 + +#if defined(__aarch64__) +# define VERITY_HASH_OFFSET 512 +#elif defined(__i386__) +# define VERITY_HASH_OFFSET 0x40 +#else +# error Unsupported arch +#endif /**
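Review bot: `grub_pass_verity_hash (kernel_addr, linux_args, cmdline_size)` reads `VERITY_HASH_LENGTH` bytes at `VERITY_HASH_OFFSET` (64 bytes at 512 on arm64) from the loaded image, so unless the code above this hunk already rejects kernels shorter than `VERITY_HASH_OFFSET + VERITY_HASH_LENGTH` bytes, a truncated or tiny image file makes this call read past the end of the allocation at `kernel_addr`. Guard it with the loaded length, e.g. `if (<loaded image size> >= VERITY_HASH_OFFSET + VERITY_HASH_LENGTH) grub_pass_verity_hash (kernel_addr, linux_args, cmdline_size);` (placeholder for whatever variable holds the image size). The helper returns `void` and silently appends nothing when the hash bytes are not valid hex, so the kernel is then booted without `verity.usrhash=`; a `grub_dprintf ("linux", ...)` in that case would make the omission visible when debugging. `grub_cmd_linux` begins before this hunk.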
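Review bot: The arch selection recognises only `__aarch64__` and `__i386__`, but this header is included from `grub-core/loader/i386/efi/linux.c`, which upstream GRUB also builds for the x86_64-efi platform as 64-bit code where `__i386__` is not defined; if that platform is built here, the `#error Unsupported arch` branch breaks it. Extending the branch to `#elif defined(__i386__) || defined(__x86_64__)` keeps the 0x40 offset for both x86 variants. A one-line comment above the block, e.g. `/* Byte offset of the 64-character hex hash inside the kernel image, per arch. */`, would also document why the two values differ.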