On 2020/03/17 13:15, Stefan Berger wrote:
> I am trying to add (v)TPM support for the ieee1275/powerpc64 platform to grub.
> The issue I have been running into is that the verifier runs out of memory.
> At that point it has loaded the (~ 32MB) Linux kernel and now the verifier
> is invoked to load the file. Unfortunately it cannot load the file since it
> doesn't have enough memory to grub_malloc. I have played with increasing
> heap size(es) but it still doesn't work. The kernel and initramfs files on
> ppc64 can be rather big, thus we do not a lot of memory. The rescue
> initramfs here is for example 78MB, a regular initramfs from Fedora 31 is
> ~34MB. The kernel sizes on my system are 32MB, though a colleague was using
> an unstripped kernel of 127MB, so lots of (unfragmented) memory needs to be
> available to run verifiers.

The verifiers framework has a flag, GRUB_VERIFY_FLAGS_SINGLE_CHUNK, that is used by the platform-independent TPM module. This could be deferred to the platform-specific TPM file (see point 3 below). With this flag unset for your platform, you could verify the files in small chunks.

This requires three further elements:

1. You will need to implement the chunk-by-chunk behaviour in verifiers.c, it doesn't exist yet.
2. You will need to add functionality to calculate a hash from chunks, or require that the crypto module is built into the core.
3. The firmware interface needs to support HashLogExtend with a user supplied hash instead of a memory buffer. For example the PC Conventional BIOS API has this, but the UEFI API does not.
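
The following is an added example, not part of the original message and not GRUB code: a Python model of points 2 and 3, showing that hashing a file chunk by chunk and extending the PCR with the resulting digest gives the same measurement as hashing one large buffer, while holding only one chunk at a time. The 64 KiB chunk size, the SHA-256 bank, the function names and the sample data are assumptions made for the illustration.

```python
import hashlib
import io

CHUNK_SIZE = 64 * 1024   # assumed chunk size; the message does not name one
PCR_SIZE = hashlib.sha256().digest_size
ZERO_PCR = bytes(PCR_SIZE)  # PCR value after reset

# Constructed sample "kernel": deliberately not a multiple of CHUNK_SIZE.
SAMPLE = bytes(range(256)) * 4096 + b"tail"


def hash_in_chunks(stream, chunk_size=CHUNK_SIZE):
    """Hash a stream piece by piece; return (digest, largest buffer held)."""
    h = hashlib.sha256()
    peak = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:          # end of file (also covers an empty file)
            break
        peak = max(peak, len(chunk))
        h.update(chunk)
    return h.digest(), peak


def pcr_extend(pcr, digest):
    """TPM extend operation: new PCR = H(old PCR || digest)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must both be SHA-256 sized")
    return hashlib.sha256(pcr + digest).digest()


def measure_single_chunk(data, pcr=ZERO_PCR):
    """Buffer-based interface: the whole file must be resident in memory."""
    return pcr_extend(pcr, hashlib.sha256(data).digest())


def measure_chunked(stream, pcr=ZERO_PCR):
    """Digest-based interface: only one chunk is resident at a time."""
    digest, peak = hash_in_chunks(stream)
    return pcr_extend(pcr, digest), peak


if __name__ == "__main__":
    pcr, peak = measure_chunked(io.BytesIO(SAMPLE))
    print("PCR values match:", pcr == measure_single_chunk(SAMPLE))
    print("file bytes:", len(SAMPLE), "largest buffer:", peak)
```
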