On Mon, Feb 6, 2017 at 11:11 PM, Matthew Garrett <mj...@srcf.ucam.org> wrote:
> On Mon, Feb 06, 2017 at 07:58:37PM +0000, Vladimir 'phcoder' Serbinenko wrote:
> > On Mon, 6 Feb 2017, 17:44 Matthew Garrett <mj...@srcf.ucam.org> wrote:
> > > On Sun, Feb 05, 2017 at 01:28:20PM +0000, Vladimir 'phcoder' Serbinenko wrote:
> > > > See verify.h for the interface. Obviously if you need changes in the API,
> > > > please say.
> > >
> > > I think that's a starting point, but it doesn't seem sufficient for some
> > > of the cases I care about. For instance, measuring boot state isn't just
> > > about the files that are read - we also need to measure the commands
> > > that grub runs and the command line passed to the kernel, for instance.
> >
> > Those can be added as separate non-file verification hooks if they are
> > needed.
>
> Ok. In that case I think this can probably work. I'll try porting it
> over.

I added string verification. Now it verifies the kernel command line but can be extended to other stuff.

> > > Ideally we'd also have more context available in order to make a better
> > > decision about which PCR to measure something into, but I can't think of
> > > a good way to do that simply by hooking open. That also seems to make it
> > > difficult to implement a handler that should only be verifying some
> > > objects - for instance, a UEFI secure boot handler only wants to verify
> > > the kernel (or something that's chainloaded) and ignore everything else.
> >
> > This branch adds an additional parameter to open that indicates what the
> > file will be used for (kernel, initrd, ...). In which cases doesn't it
> > provide enough context?
>
> Sorry, yes, I missed the previous commit. I think that's enough.
>
> --
> Matthew Garrett | mj...@srcf.ucam.org
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel