Le Mon, Feb 6, 2017 à 11:11 PM, Matthew Garrett <mj...@srcf.ucam.org> a
écrit :

> On Mon, Feb 06, 2017 at 07:58:37PM +0000, Vladimir 'phcoder' Serbinenko
> wrote:
> > On Mon, 6 Feb 2017, 17:44 Matthew Garrett <mj...@srcf.ucam.org> wrote:
> >
> > > On Sun, Feb 05, 2017 at 01:28:20PM +0000, Vladimir 'phcoder' Serbinenko
> > > wrote:
> > > > See verify.h for the interface. Obviously if you need changes in the
> API,
> > > > please say.
> > >
> > > I think that's a starting point, but it doesn't seem sufficient for
> some
> > > of the cases I care about. For instance, measuring boot state isn't
> just
> > > about the files that are read - we also need to measure the commands
> > > that grub runs and the command line passed to the kernel, for instance.
> > >
> > Those can be added as separate non-file verification hooks if they are
> > needed.
>
> Ok. In that case I think this can probably work. I'll try porting it
> over.
>
I added string verification. Now it verifies kernel command line but can be
extended to other stuff.

>
> > > Ideally we'd also have more context available in order to make a better
> > > decision about which PCR to measure something into, but I can't think
> of
> > > a good way to do that simply by hooking open. That also seems to make
> it
> > > difficult to implement a handler that should only be verifying some
> > > objects - for instance, a UEFI secure boot handler only wants to verify
> > > the kernel (or something that's chainloaded) and ignore everything
> else.
> > >
> > This branch adds additional parameter to open that indicates what's the
> > file will be used for (kernel, initrd, ...). In which cases doesn't it
> > provide enough context?
>
> Sorry, yes, I missed the previous commit. I think that's enough.
>
> --
> Matthew Garrett | mj...@srcf.ucam.org
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to