On Mon, 6 Feb 2017, 17:44 Matthew Garrett <mj...@srcf.ucam.org> wrote:
> On Sun, Feb 05, 2017 at 01:28:20PM +0000, Vladimir 'phcoder' Serbinenko > wrote: > > See verify.h for the interface. Obviously if you need changes in the API, > > please say. > > I think that's a starting point, but it doesn't seem sufficient for some > of the cases I care about. For instance, measuring boot state isn't just > about the files that are read - we also need to measure the commands > that grub runs and the command line passed to the kernel, for instance. > Those can be added as separate non-file verification hooks if they are needed. > Ideally we'd also have more context available in order to make a better > decision about which PCR to measure something into, but I can't think of > a good way to do that simply by hooking open. That also seems to make it > difficult to implement a handler that should only be verifying some > objects - for instance, a UEFI secure boot handler only wants to verify > the kernel (or something that's chainloaded) and ignore everything else. > This branch adds additional parameter to open that indicates what's the file will be used for (kernel, initrd, ...). In which cases doesn't it provide enough context? > > -- > Matthew Garrett | mj...@srcf.ucam.org > > _______________________________________________ > Grub-devel mailing list > Grub-devel@gnu.org > https://lists.gnu.org/mailman/listinfo/grub-devel >
_______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
