
[PATCH V3 1/3] verifiers: Verify commands executed by grub


From: Matthew Garrett
Subject: [PATCH V3 1/3] verifiers: Verify commands executed by grub
Date: Thu, 29 Nov 2018 11:28:08 -0800

From: Matthew Garrett <address@hidden>

Pass all commands executed by grub to the verifiers layer. Most
verifiers will ignore this, but some (such as the TPM verifier) want to
be able to measure and log each command executed in order to ensure that
the boot state is as expected.

Signed-off-by: Matthew Garrett <address@hidden>
---
 grub-core/script/execute.c | 27 ++++++++++++++++++++++++---
 include/grub/verify.h      |  1 +
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index a8502d907..ee299fd0e 100644
--- a/grub-core/script/execute.c
+++ b/grub-core/script/execute.c
@@ -27,6 +27,7 @@
 #include <grub/normal.h>
 #include <grub/extcmd.h>
 #include <grub/i18n.h>
+#include <grub/verify.h>
 
 /* Max digits for a char is 3 (0xFF is 255), similarly for an int it
    is sizeof (int) * 3, and one extra for a possible -ve sign.  */
@@ -929,8 +930,9 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
   grub_err_t ret = 0;
   grub_script_function_t func = 0;
   char errnobuf[18];
-  char *cmdname;
-  int argc;
+  char *cmdname, *cmdstring;
+  int argc, offset = 0, cmdlen = 0;
+  unsigned int i;
   char **args;
   int invert;
   struct grub_script_argv argv = { 0, 0, 0 };
@@ -939,6 +941,26 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
   if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
     return grub_errno;
 
+  for (i = 0; i < argv.argc; i++)
+    {
+      cmdlen += grub_strlen (argv.args[i]) + 1;
+    }
+
+  cmdstring = grub_malloc (cmdlen);
+  if (!cmdstring)
+    {
+      return grub_error (GRUB_ERR_OUT_OF_MEMORY,
+                        N_("cannot allocate command buffer"));
+    }
+
+  for (i = 0; i < argv.argc; i++)
+    {
+      offset += grub_snprintf (cmdstring + offset, cmdlen - offset, "%s ",
+                              argv.args[i]);
+    }
+  cmdstring[cmdlen - 1] = '\0';
+  grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
+  grub_free (cmdstring);
   invert = 0;
   argc = argv.argc - 1;
   args = argv.args + 1;
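Review bot: The result of `grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND)` added after the join loop is discarded, so a verifier that rejects the command cannot prevent it from running, and any `grub_errno` it set is left in place when execution continues at `invert = 0`. If rejection is meant to be enforced, capture it with `ret = grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND); grub_free (cmdstring); if (ret) { grub_script_argv_free (&argv); return ret; }` (`ret` is declared earlier in the function, outside this hunk); if the hook is measurement-only by design, a comment saying so, e.g. `/* Result intentionally ignored: verifiers only measure/log commands here.  */`, would stop the next reader from "fixing" it either way. The out-of-memory return after `grub_malloc` likewise exits without releasing the argv built by `grub_script_arglist_to_argv` just above, so that error path presumably leaks it given the normal exit frees argv — that exit is outside this hunk. grub_script_execute_cmdline begins and ends outside this hunk.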
@@ -1163,4 +1185,3 @@ grub_script_execute (struct grub_script *script)
 
   return grub_script_execute_cmd (script->cmd);
 }
-
diff --git a/include/grub/verify.h b/include/grub/verify.h
index 79022b422..460f2e20a 100644
--- a/include/grub/verify.h
+++ b/include/grub/verify.h
@@ -31,6 +31,7 @@ enum grub_verify_string_type
   {
     GRUB_VERIFY_KERNEL_CMDLINE,
     GRUB_VERIFY_MODULE_CMDLINE,
+    GRUB_VERIFY_COMMAND,
   };
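Review bot: GRUB_VERIFY_COMMAND is added without a comment describing what string a verifier receives for it, and unlike the two existing values its name alone does not say. A one-line comment above it such as `/* A script command line: the command and its arguments joined by single spaces.  */` would let verifier authors implement `verify_string` for this type without reading execute.c. This enum is part of the public verifier interface, so the format is a contract worth stating in the header.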
 
 struct grub_file_verifier
-- 
2.20.0.rc0.387.gc7a69e6b6c-goog



