Le Mon, Feb 6, 2017 à 11:11 PM, Matthew Garrett <address@hidden
> a écrit :
On Mon, Feb 06, 2017 at 07:58:37PM +0000, Vladimir 'phcoder' Serbinenko wrote:
> On Mon, 6 Feb 2017, 17:44 Matthew Garrett <address@hidden> wrote:
> > On Sun, Feb 05, 2017 at 01:28:20PM +0000, Vladimir 'phcoder' Serbinenko
> > wrote:
> > > See verify.h for the interface. Obviously if you need changes in the API,
> > > please say.
> > I think that's a starting point, but it doesn't seem sufficient for some
> > of the cases I care about. For instance, measuring boot state isn't just
> > about the files that are read - we also need to measure the commands
> > that grub runs and the command line passed to the kernel, for instance.
> Those can be added as separate non-file verification hooks if they are
Ok. In that case I think this can probably work. I'll try porting it
I added string verification. Now it verifies kernel command line but can be extended to other stuff.
> > Ideally we'd also have more context available in order to make a better
> > decision about which PCR to measure something into, but I can't think of
> > a good way to do that simply by hooking open. That also seems to make it
> > difficult to implement a handler that should only be verifying some
> > objects - for instance, a UEFI secure boot handler only wants to verify
> > the kernel (or something that's chainloaded) and ignore everything else.
> This branch adds additional parameter to open that indicates what's the
> file will be used for (kernel, initrd, ...). In which cases doesn't it
> provide enough context?
Sorry, yes, I missed the previous commit. I think that's enough.
Matthew Garrett | address@hidden
Grub-devel mailing list