
Re: [PATCH 1/3] Move verifiers to the kernel


From: Vladimir 'phcoder' Serbinenko
Subject: Re: [PATCH 1/3] Move verifiers to the kernel
Date: Wed, 14 Jun 2017 18:34:38 -0700



On Jun 15, 2017 2:43 AM, "Matthew Garrett" <address@hidden> wrote:
We want to be able to measure stuff right from the very beginning of
grub execution, so it makes sense for the core verifiers code to be
present in-kernel rather than having it as an external module.
This is at odds with the need to keep the kernel small. Why not just put verifiers as the first module to load? Presumably you need to verify the whole core in either case.
---
 grub-core/Makefile.am                              |  1 +
 grub-core/Makefile.core.def                        |  6 +---
 grub-core/kern/main.c                              |  3 ++
 .../{commands/verify_helper.c => kern/verifiers.c} | 35 +++++++++++++++++-----
 include/grub/verify.h                              | 16 +++-------
 5 files changed, 36 insertions(+), 25 deletions(-)
 rename grub-core/{commands/verify_helper.c => kern/verifiers.c} (78%)

diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index 104513847..ef2b66e0f 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -93,6 +93,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h

 if COND_i386_pc
 KERNEL_HEADER_FILES += $(top_builddir)/include/grub/machine/kernel.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 16c4d0ea5..ab0f29960 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -129,6 +129,7 @@ kernel = {
   common = kern/rescue_parser.c;
   common = kern/rescue_reader.c;
   common = kern/term.c;
+  common = kern/verifiers.c;

   noemu = kern/compiler-rt.c;
   noemu = kern/mm.c;
@@ -899,11 +900,6 @@ module = {
   cppflags = '-I$(srcdir)/lib/posix_wrap';
 };

-module = {
-  name = verify_helper;
-  common = commands/verify_helper.c;
-};
-
 module = {
   name = hdparm;
   common = commands/hdparm.c;
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
index 9cad0c448..b5a43c155 100644
--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
@@ -29,6 +29,7 @@
 #include <grub/command.h>
 #include <grub/reader.h>
 #include <grub/parser.h>
+#include <grub/verify.h>

 #ifdef GRUB_MACHINE_PCBIOS
 #include <grub/machine/memory.h>
@@ -274,6 +275,8 @@ grub_main (void)
   grub_printf ("Welcome to GRUB!\n\n");
   grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);

+  grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verify_helper_open);
+
   grub_load_config ();

   grub_boot_time ("Before loading embedded modules.");
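Review bot: The added `grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verify_helper_open);` call in grub_main has no comment explaining why it sits before `grub_load_config ()` and the embedded-module loading that follows. The position matters: verifiers are attached later through `grub_verifier_register`, so a file opened after this call but before the first verifier registers presumably reaches the filter with an empty `grub_file_verifiers` list. The body of `grub_verify_helper_open` is not visible in this patch, so it should be confirmed whether that case returns the file unverified or fails closed. I would add `/* Install the verify filter before any file is opened; verifiers attach to it later via grub_verifier_register. */` above the call. grub_main starts and ends outside the hunk.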
diff --git a/grub-core/commands/verify_helper.c b/grub-core/kern/verifiers.c
similarity index 78%
rename from grub-core/commands/verify_helper.c
rename to grub-core/kern/verifiers.c
index 5a55927e3..f8e47b009 100644
--- a/grub-core/commands/verify_helper.c
+++ b/grub-core/kern/verifiers.c
@@ -1,8 +1,25 @@
+/* verifiers.c - core verifiers support code */
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2009  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 #include <grub/file.h>
 #include <grub/verify.h>
-#include <grub/dl.h>
-
-GRUB_MOD_LICENSE ("GPLv3+");
+#include <grub/misc.h>

 struct grub_file_verifier *grub_file_verifiers;

@@ -55,7 +72,7 @@ struct grub_fs verified_fs =
   .close = verified_close
 };

-static grub_file_t
+grub_file_t
 grub_verify_helper_open (grub_file_t io, enum grub_file_type type)
 {
   grub_verified_t verified = 0;
@@ -175,12 +192,14 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
   return GRUB_ERR_NONE;
 }

-GRUB_MOD_INIT(verify_helper)
+void
+grub_verifier_register (struct grub_file_verifier *ver)
 {
-  grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verify_helper_open);
+  grub_list_push (GRUB_AS_LIST_P (&grub_file_verifiers), GRUB_AS_LIST (ver));
 }

-GRUB_MOD_FINI(verify_helper)
+void
+grub_verifier_unregister (struct grub_file_verifier *ver)
 {
-  grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
+  grub_list_remove (GRUB_AS_LIST (ver));
 }
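Review bot: `grub_verifier_register` and `grub_verifier_unregister` become out-of-line kernel functions in this hunk but have no comment stating their contract. Both pass `ver` straight to the list macros without a check, and verify.h exports them with EXPORT_FUNC, so any loaded module can remove an entry from `grub_file_verifiers`, including one it did not register. I would document that above each definition, for example `/* Remove VER from grub_file_verifiers. VER must be non-NULL and must have been registered by the caller. */`, and likewise on the register side that VER presumably has to stay valid for as long as it is on the list.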
diff --git a/include/grub/verify.h b/include/grub/verify.h
index acab4f437..891036eb4 100644
--- a/include/grub/verify.h
+++ b/include/grub/verify.h
@@ -37,17 +37,9 @@ struct grub_file_verifier

 extern struct grub_file_verifier *grub_file_verifiers;

-static inline void
-grub_verifier_register (struct grub_file_verifier *ver)
-{
-  grub_list_push (GRUB_AS_LIST_P (&grub_file_verifiers), GRUB_AS_LIST (ver));
-}
-
-static inline void
-grub_verifier_unregister (struct grub_file_verifier *ver)
-{
-  grub_list_remove (GRUB_AS_LIST (ver));
-}
+grub_file_t grub_verify_helper_open(grub_file_t io, enum grub_file_type type);

+void EXPORT_FUNC(grub_verifier_register) (struct grub_file_verifier *ver);
+void EXPORT_FUNC(grub_verifier_unregister) (struct grub_file_verifier *ver);
 grub_err_t
-grub_verify_string (char *str, enum grub_verify_string_type type);
+EXPORT_FUNC(grub_verify_string) (char *str, enum grub_verify_string_type type);
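Review bot: The new `grub_verify_helper_open(grub_file_t io, enum grub_file_type type);` prototype lacks the space before the parameter list that the three EXPORT_FUNC declarations below it use. It is also the only one of the four not wrapped in EXPORT_FUNC, and nothing says why. If the intent is that only kern/main.c calls it, I would add `/* Kernel-internal: installed as the GRUB_FILE_FILTER_VERIFY filter by grub_main; not exported to modules. */` above it and write the declaration as `grub_file_t grub_verify_helper_open (grub_file_t io, enum grub_file_type type);`.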
--
2.13.1.518.g3df882009-goog

