On Fri, Aug 12, 2022 at 12:52:58PM +0930, Brendan Trotter wrote:
> Hi,
>
> On Fri, Aug 12, 2022 at 3:55 AM Matthew Garrett wrote:
> > On Thu, Aug 11, 2022 at 07:25:58PM +0930, Brendan Trotter wrote:
> > > On Thu, Aug 11, 2022 at 3:16 AM Matthew Garrett
> > >
On Thu, Aug 11, 2022 at 07:25:58PM +0930, Brendan Trotter wrote:
> Hi,
>
> On Thu, Aug 11, 2022 at 3:16 AM Matthew Garrett wrote:
> > The kernel has no way to know this - *any* code you've run before
> > performing a measurement could tamper with the kernel such that
On Wed, Aug 10, 2022 at 06:37:18PM +0930, Brendan Trotter wrote:
> [1] doesn't provide any useful information. How does a kernel know
> that the callback provided by boot loader actually measures what it's
> supposed to measure, or even does anything at all?
The kernel has no way to know this - *
On Fri, Jul 08, 2022 at 01:06:19PM +0930, Brendan Trotter wrote:
> This leaves me wondering what your true motivation is. Are you trying
> to benefit GRUB/Trenchboot (at the expense of security, end-user
> convenience, distro installer hassle, etc); or trying to manufacture
> scope for future man-
On Wed, Jul 06, 2022 at 09:33:23AM +0930, Brendan Trotter wrote:
> The only correct approach is "efi-stub -> head_64.S -> kernel's own
> secure init"; where (on UEFI systems) neither GRUB nor Trenchboot has
> a valid reason to exist and should never be installed.
Surely the entire point of DRTM i
On Wed, Mar 30, 2022 at 09:23:17AM +0200, Ard Biesheuvel wrote:
> On Wed, 30 Mar 2022 at 09:19, Matthew Garrett wrote:
> > From a conceptual perspective we've thought of the EFI stub as being
> > logically part of the bootloader rather than the early kernel, and the
>
On Wed, Mar 30, 2022 at 09:12:19AM +0200, Ard Biesheuvel wrote:
> On Wed, 30 Mar 2022 at 09:11, Matthew Garrett wrote:
> > The EFI stub carries out a bunch of actions that have meaningful
> > security impact, and that's material that should be measured. Having the
> > se
On Wed, Mar 30, 2022 at 09:02:18AM +0200, Ard Biesheuvel wrote:
> Wouldn't it be better for the secure launch kernel to boot the EFI
> entrypoint directly? As it happens, I just completed a PoC last week
> for a minimal implementation of EFI (in Rust) that only carries the
> pieces that the EFI st
We're still trying to come to a conclusion about the most maintainable
approach to getting DRTM implementations like Intel TXT working on UEFI
platforms under Linux. I'm going to try to summarise the situation here
- I'm not an expert, so details may be inaccurate, but I think this is
the rough
On Wed, May 6, 2020 at 6:33 AM Daniel Kiper wrote:
>
> On Tue, May 05, 2020 at 10:29:05AM -0700, Matthew Garrett wrote:
> > On Mon, May 4, 2020 at 4:25 PM Daniel Kiper wrote:
> > >
> > > Otherwise the kernel does not know its state and cannot enable various
> &
On Mon, May 4, 2020 at 4:25 PM Daniel Kiper wrote:
>
> Otherwise the kernel does not know its state and cannot enable various
> security features depending on UEFI Secure Boot.
I think this needs more context. If the kernel is loaded via the EFI
boot stub, the kernel is aware of the UEFI secure b
On Tue, Jan 15, 2019 at 3:58 AM Daniel Kiper wrote:
>
> On Mon, Jan 14, 2019 at 11:42:21AM -0800, Matthew Garrett wrote:
> > On Mon, Jan 14, 2019 at 6:09 AM 'Max Tottenham' via mjg59
> > wrote:
> >
> > > I went ahead and did some debugging. Below is
On Mon, Jan 14, 2019 at 6:09 AM 'Max Tottenham' via mjg59
wrote:
> I went ahead and did some debugging. Below is a patch that seems to fix
> my problem. Although those calls to grub_efi_open_protocol() in the tpm
> module should probably check their return value and do something sane if
> 0x0 is
On Thu, Jan 10, 2019 at 12:59 AM Alexander Graf wrote:
> So really dumb question here: What if we didn't use the MS key? What if
> instead, we just provide a SUSE/openSUSE key and give customers the ability
> to sign their own grub+Linux binaries?
Then you end up blocking install of any Linux d
On Wed, Dec 12, 2018 at 6:31 AM Daniel Kiper wrote:
>
> On Mon, Dec 03, 2018 at 03:48:17PM +0100, Daniel Kiper wrote:
> > On Thu, Nov 29, 2018 at 11:28:10AM -0800, Matthew Garrett wrote:
> > > Describe the behaviour of grub when the TPM module is in use.
> > >
> &
Describe the behaviour of grub when the TPM module is in use.
Signed-off-by: Matthew Garrett
---
docs/grub.texi | 38 ++
1 file changed, 38 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 471d97c95..6bd3783a4 100644
--- a/docs/grub.texi
From: Matthew Garrett
Add support for performing basic TPM measurements. Right now this only
supports extending PCRs statically and only on UEFI. In future we might
want to have some sort of mechanism for choosing which events get logged
to which PCRs, but this seems like a good default policy
From: Matthew Garrett
Pass all commands executed by grub to the verifiers layer. Most
verifiers will ignore this, but some (such as the TPM verifier) want to
be able to measure and log each command executed in order to ensure that
the boot state is as expected.
Signed-off-by: Matthew Garrett
On Tue, Nov 27, 2018 at 8:37 AM Daniel Kiper wrote:
>
> On Mon, Nov 26, 2018 at 05:00:03PM +1100, Matthew Garrett wrote:
> > The implementation here should work fine with TPM 1.2, so the only
>
> Hmmm... IIRC UEFI interface only supports TPM 2.0. However, there is
> a cha
On Mon, Nov 26, 2018 at 4:47 PM Daniel Kiper wrote:
> I have a feeling that both UEFI and TIS TPM implementations can coexists
> together even on UEFI platform. Of course, AIUI, UEFI TPM should be default
> if we play with TPM 2.0. TIS implementation should be used with TPM 1.2
> or if UEFI is bu
On Tue, Nov 20, 2018 at 10:59 AM Matthew Garrett wrote:
>
> On Mon, Nov 19, 2018 at 1:13 AM Daniel P. Smith wrote:
> >
> > It would be great if the TPM commands that are using EFI protocol and
> > exposed to TPM command module be name spaced under efi, e.g.
> > gr
On Mon, Nov 19, 2018 at 1:13 AM Daniel P. Smith wrote:
>
> It would be great if the TPM commands that are using EFI protocol and
> exposed to TPM command module be name spaced under efi, e.g.
> grub_efi_tpm_log_event. As I lay in a TIS implementation, I can mimic a
> similar set of tis name spaced
From: Matthew Garrett
Add support for performing basic TPM measurements. Right now this only
supports extending PCRs statically and only on UEFI. In future we might
want to have some sort of mechanism for choosing which events get logged
to which PCRs, but this seems like a good default policy
Describe the behaviour of grub when the TPM module is in use.
Signed-off-by: Matthew Garrett
---
docs/grub.texi | 38 ++
1 file changed, 38 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 471d97c95..6bd3783a4 100644
--- a/docs/grub.texi
From: Matthew Garrett
Pass all commands executed by grub to the verifiers layer. Most
verifiers will ignore this, but some (such as the TPM verifier) want to
be able to measure and log each command executed in order to ensure that
the boot state is as expected.
Signed-off-by: Matthew Garrett
On Thu, Nov 15, 2018 at 6:39 AM Daniel Kiper wrote:
> Could you be more C-ish? E.g. s/Major/major/, s/Minor/minor/, etc.
These are the spec-defined member names, so I've a mild preference for
keeping them that way - it makes it easier to compare with the spec
and update stuff with later spec rev
On Thu, Nov 15, 2018 at 5:45 AM Daniel Kiper wrote:
> Except lack of SOB patch LGTM. May I add your SOB before pushing this
> patch. Or you can repost it with
Feel free to add my SOB.
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org
Describe the behaviour of grub when the TPM module is in use.
---
docs/grub.texi | 38 ++
1 file changed, 38 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 471d97c95..6bd3783a4 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5545,6 +5545,
From: Matthew Garrett
Pass all commands executed by grub to the verifiers layer. Most
verifiers will ignore this, but some (such as the TPM verifier) want to
be able to measure and log each command executed in order to ensure that
the boot state is as expected.
---
grub-core/script/execute.c
From: Matthew Garrett
Add support for performing basic TPM measurements. Right now this only
supports extending PCRs statically and only on UEFI. In future we might
want to have some sort of mechanism for choosing which events get logged
to which PCRs, but this seems like a good default policy
From: Matthew Garrett
Add support for performing basic TPM measurements. Right now this only
supports extending PCRs statically and only on UEFI. In future we might
want to have some sort of mechanism for choosing which events get logged
to which PCRs, but this seems like a good default policy
Describe the behaviour of grub when the TPM module is in use.
---
docs/grub.texi | 38 ++
1 file changed, 38 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 471d97c95..6bd3783a4 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5545,6 +5545,
From: Matthew Garrett
Pass all commands executed by grub to the verifiers layer. Most
verifiers will ignore this, but some (such as the TPM verifier) want to
be able to measure and log each command executed in order to ensure that
the boot state is as expected.
---
grub-core/script/execute.c
Device tree (DTB) lengths are being padded to a multiple of 4 bytes
rather than the target-specific pointer size. This causes objects
following OBJ_TYPE_DTB objects to be incorrectly parsed during GRUB
execution on arm64.
Fix by using ALIGN_ADDR, not ALIGN_UP.
Signed-by-off: Matthew Daley
On Fri, Aug 03, 2018 at 03:39:54PM +0200, Daniel Kiper wrote:
> +++ b/grub-core/commands/i386/nthibr.c
Should this be a separate patch? It seems to be unrelated new
functionality.
--
Matthew Garrett | mj...@srcf.ucam.org
___
Grub-devel mailing l
loading order somehow. However, this
> can be difficult and not reliable.
Yeah, I think standalone images are going to be the right solution for
most users here.
--
Matthew Garrett | mj...@srcf.ucam.org
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
On Mon, Jul 16, 2018 at 12:33:42PM -0400, Daniel P. Smith wrote:
> On 07/16/2018 08:06 AM, Daniel Kiper wrote:
> > In general I am not against reorganization you are mentioning above.
> > Though I think that then you should rearange Matthew code and repost
> > it. Of cours
On Tue, Jan 23, 2018 at 12:45:14PM +0100, Daniel Kiper wrote:
> Sadly yes. Sorry about that. However, this is still on my radar. I hope that
> I come back to work on this in a few weeks.
Hi Daniel,
Any news on this front? Thanks!
--
Matthew Garrett | mj...@srcf.uc
Gentoo bug:
https://bugs.gentoo.org/645088
Signed-off-by: Robin H. Johnson
Signed-off-by: Matthew S. Turnbull
---
docs/grub.texi | 19 +++
util/grub-mkconfig.in | 8
util/grub.d/10_linux.in | 33 +++--
3 files changed, 54 insertions
Thanks, fixed those up.
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
On Fri, Jul 21, 2017 at 7:39 AM, Vladimir 'phcoder' Serbinenko
wrote:
> This omits all separators. So it considers e.g. ab and a b to be the same.
> Can we have a better array serialization? I.a. following 3 need to be
> distinguished:
> ab
> a b
> "a b"
It inserts a space after each argv, so I t
On Wed, Jul 05, 2017 at 02:19:55PM -0700, Matthew Garrett wrote:
> This patchset extends the verifier framework to support verifying commands
> executed by Grub, and makes use of this to add support for measuring files
> and commands executed by grub into the TPM on UEFI-based syst
Add support for performing basic TPM measurements. Right now this only
supports extending PCRs statically and only on UEFI.
---
grub-core/Makefile.core.def| 7 +
grub-core/commands/efi/tpm.c | 282 +
grub-core/commands/tpm.c | 87 +
Pass commands to the verification code. We want to be able to log these
in the TPM verification case.
---
grub-core/script/execute.c | 27 ---
include/grub/verify.h | 1 +
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/grub-core/script/execute.c b/gru
This patchset extends the verifier framework to support verifying commands
executed by Grub, and makes use of this to add support for measuring files
and commands executed by grub into the TPM on UEFI-based systems.
___
Grub-devel mailing list
Grub-deve
rea Start Address (LASA) and Log Area Minimum Length (LAML). So
> that would
> be similar to the TPM1.2 TCPA ACPI table. I guess Linux should need support
> for both?
I really hope that there are no implementations where there's a
difference between the information in ACPI and any other
Pass commands to the verification code. We want to be able to log these
in the TPM verification case.
---
grub-core/script/execute.c | 27 ---
include/grub/verify.h | 1 +
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/grub-core/script/execute.c b/gru
We want to be able to measure stuff right from the very beginning of
grub execution, so it makes sense for the core verifiers code to be
present in-kernel rather than having it as an external module.
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def
Add support for performing basic TPM measurements. Right now this only
supports extending PCRs statically and only on UEFI.
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def| 2 +
grub-core/kern/efi/tpm.c | 282 +
grub-core/
Port the TPM code to use the verifiers framework. I'm only including UEFI
support since it's still unclear what the copyright situation is over the
BIOS code, and demand for BIOS support for this has somewhat tailed off
anyway.
___
Grub-devel mailing li
On Thu, Jun 15, 2017 at 01:52:14AM +, Vladimir 'phcoder' Serbinenko wrote:
> On Thu, Jun 15, 2017, 03:49 Matthew Garrett wrote:
> > if you're making the ordering significant,
> > it's far too easy for someone to mess up and end up with an insecure
> &
ul as an external module, so they need to be built into
the core image in any case (otherwise an attacker just replaces the
verifier module…). And if you're making the ordering significant,
it's far too easy for someone to mess up and end up with an insecure
system as a result.
--
Mat
Add support for performing basic TPM measurements. Right now this only
supports extending PCRs statically and only on UEFI.
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def| 2 +
grub-core/kern/efi/tpm.c | 282 +
grub-core/
We want to be able to measure stuff right from the very beginning of
grub execution, so it makes sense for the core verifiers code to be
present in-kernel rather than having it as an external module.
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def
This patchset reworks my earlier TPM support to use the verifiers framework.
It only includes UEFI support right now due to the unclear copyright situation
on the BIOS code from trusted-grub.
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.
Pass commands to the verification code. We want to be able to log these
in the TPM verification case.
---
grub-core/script/execute.c | 27 ---
include/grub/verify.h | 1 +
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/grub-core/script/execute.c b/gru
On Mon, Feb 06, 2017 at 07:58:37PM +, Vladimir 'phcoder' Serbinenko wrote:
> On Mon, 6 Feb 2017, 17:44 Matthew Garrett wrote:
>
> > On Sun, Feb 05, 2017 at 01:28:20PM +, Vladimir 'phcoder' Serbinenko
> > wrote:
> > > See verify.h for the
g each command before it's executed gives us some
further assurance in that respect. Calculating the expected values is
still pretty easy, and if they're logged then you can have a regex-based
engine for remote validation.
--
Matthew Garrett | mj...@srcf.ucam.org
___
#x27;s chainloaded) and ignore everything else.
--
Matthew Garrett | mj...@srcf.ucam.org
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
On Fri, Jan 27, 2017 at 09:08:33PM +, Vladimir 'phcoder' Serbinenko wrote:
> I must have accidentally deleted it on the server. I'll reupload it when
> I'll have access to the laptop in question on Monday
Hi,
Did you have any luck digging this up?
--
Matthew Gar
On Wed, Jan 25, 2017 at 9:30 AM, Andrei Borzenkov wrote:
> 24.01.2017 23:50, Matthew Garrett пишет:
>> The DHCP server will return a string in the boot_file field. If you
>> want to indicate that this file should be obtained over http, the
>> easiest way to handle this is t
On Wed, Jan 25, 2017 at 12:35 AM, Michael Chang wrote:
> On Tue, Jan 24, 2017 at 10:21:22PM -0800, Matthew Garrett wrote:
>> We're passing the bootfile to grub in order to obtain further
>> configuration, so the firmware isn't relevant here.
>
> I mean that firmw
On Tue, Jan 24, 2017 at 11:37 PM, Andrei Borzenkov wrote:
> On Wed, Jan 25, 2017 at 10:16 AM, Matthew Garrett wrote:
>> My experience is that configfile (http,example.com)grub/config works
>> as you'd expect it to, and that set
>> endpoint=$net_efinet0_dhcp_boot_file;
On Tue, Jan 24, 2017 at 10:56 PM, Andrei Borzenkov wrote:
> On Wed, Jan 25, 2017 at 7:25 AM, Matthew Garrett wrote:
>> If prefix isn't set then won't bootfile be interpreted as the device plus
>> file?
>>
>
> No. That would mean "parsing URI" that
On Tue, Jan 24, 2017 at 10:18 PM, Michael Chang wrote:
> On Tue, Jan 24, 2017 at 12:50:37PM -0800, Matthew Garrett wrote:
>> The DHCP server will return a string in the boot_file field. If you
>> want to indicate that this file should be obtained over http, the
>> easiest way
On Tue, Jan 24, 2017 at 8:15 PM, Andrei Borzenkov wrote:
> 25.01.2017 07:06, Matthew Garrett пишет:
>> I don't understand - grub_net_open_real() already handles this case:
>
> Because bootfile from DHCP packet is not used to set device part of
> $prefix. Setting bootfile
On Tue, Jan 24, 2017 at 7:48 PM, Andrei Borzenkov wrote:
> 24.01.2017 23:50, Matthew Garrett пишет:
>> On Mon, Jan 23, 2017 at 8:02 PM, Andrei Borzenkov
>> wrote:
>>> 24.01.2017 03:36, Matthew Garrett пишет:
>>>> Some DHCP servers (such as dnsmasq) tok
On Mon, Jan 23, 2017 at 7:55 PM, Andrei Borzenkov wrote:
> This was noted previously by Josef, we discussed it and my position is
> that resolver code requires redesign to correctly merge multiple answers
> and prioritize A vs requests.
>
> Do you get actual errors with current master? If yes
On Mon, Jan 23, 2017 at 8:02 PM, Andrei Borzenkov wrote:
> 24.01.2017 03:36, Matthew Garrett пишет:
>> Some DHCP servers (such as dnsmasq) tokenise parameters with commas, making
>> it impossible to pass boot files with commas in them. Allow using a
>
> grub_net_open() ope
The current logic in the DNS resolution code allocates an address buffer
based on the number of addresses in the response packet. If we receive
multiple response packets in response to a single query packet, this means
that we will reallocate a new buffer large enough for only the addresses in
that
It's helpful to determine that a request was sent by grub in order to permit
the server to provide different information at different stages of the boot
process. Send GRUB2 as a type 77 DHCP option when sending bootp packets in
order to make this possible and tag the request as a DHCP discover to
c
Add a command to read values from the qemu fwcfg store. This allows data
to be passed from the qemu command line to grub.
Example use:
echo '(hd0,1)' >rootdev
qemu -fw_cfg opt/rootdev,file=rootdev
fwconfig opt/rootdev root
---
docs/grub.texi| 6 +++
grub-core/Makefile.core.def
Measure the kernel commandline to ensure that it hasn't been modified
---
grub-core/lib/cmdline.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c
index d5e10ee..055b7aa 100644
--- a/grub-core/lib/cmdline.c
+++ b/grub-core/l
---
grub-core/loader/i386/multiboot_mbi.c | 4
grub-core/loader/multiboot.c | 3 +++
grub-core/loader/multiboot_mbi2.c | 4
3 files changed, 11 insertions(+)
diff --git a/grub-core/loader/i386/multiboot_mbi.c
b/grub-core/loader/i386/multiboot_mbi.c
index fd7b41b..42372bf 1
Measure the kernel and initrd at load time
---
grub-core/loader/i386/linux.c| 6 ++
grub-core/loader/i386/pc/linux.c | 4
grub-core/loader/linux.c | 3 +++
3 files changed, 13 insertions(+)
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index 5e54e
This patchset adds support for measuring grub components and commands into
TPMs on UEFI systems. It supports both the original TPM and the new TPM 2.0
protocols. Grub will measure each module it loads, along with any Linux
kernels and initrds, multiboot images, the command line passed to Linux and
We want a single buffer that contains the entire kernel image in order to
perform a TPM measurement. Allocate one and copy the entire kernel int it
before pulling out the individual blocks later on.
---
grub-core/loader/i386/pc/linux.c | 34 +-
1 file changed, 21 in
Some DHCP servers (such as dnsmasq) tokenise parameters with commas, making
it impossible to pass boot files with commas in them. Allow using a
semicolon to separate the protocol from host if a comma wasn't found.
---
grub-core/net/net.c | 4
1 file changed, 4 insertions(+)
diff --git a/grub
Add support for performing basic TPM measurements. Right now this only
supports extending PCRs statically and only on UEFI and BIOS systems, but
will measure all modules as they're loaded.
---
grub-core/Makefile.am| 1 +
grub-core/Makefile.core.def | 3 +
grub-core/kern/dl.c
Add support for passing ports in HTTP requests. This takes the form of:
(http,serverip:portnum)/file
---
grub-core/net/http.c | 8 ++--
grub-core/net/net.c | 10 +-
include/grub/net.h | 1 +
3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/grub-core/net/http.c b/gru
From: Matthew Garrett
Measure each command executed by grub, which includes script execution.
---
grub-core/script/execute.c | 25 +++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index a8502d9
Add a command to obtain the contents of EFI firmware variables.
---
docs/grub.texi | 7 ++
grub-core/Makefile.core.def | 7 ++
grub-core/commands/efi/getenv.c | 153
3 files changed, 167 insertions(+)
create mode 100644 grub-core/c
We want a single buffer that contains the entire kernel image in order to
perform a TPM measurement. Allocate one and copy the entire kernel into it
before pulling out the individual blocks later on.
---
grub-core/loader/i386/linux.c | 34 +-
1 file changed, 21 inse
On Mon, Jan 23, 2017 at 6:03 PM, Vladimir 'phcoder' Serbinenko
wrote:
> Ok. Good. Still, can we use verifiers framework ? We can adjust it if
> needed. Also it's still post-release material
Where's the branch? I wasn't able to find it on Savannah.
___
On Mon, Jan 23, 2017 at 5:29 PM, Vladimir 'phcoder' Serbinenko
wrote:
> For policy reasons we can't put any TPM code into GNU project. Can we use
> verifiers framework for this rather than custom hooks? This would allow your
> code to be a single module that can be put into a separate repo rather
From: Matthew Garrett
Measure each command executed by grub, which includes script execution.
---
grub-core/script/execute.c | 25 +++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index a8502d9
Measure the kernel commandline to ensure that it hasn't been modified
---
grub-core/lib/cmdline.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c
index d5e10ee..055b7aa 100644
--- a/grub-core/lib/cmdline.c
+++ b/grub-core/l
We want a single buffer that contains the entire kernel image in order to
perform a TPM measurement. Allocate one and copy the entire kernel int it
before pulling out the individual blocks later on.
---
grub-core/loader/i386/pc/linux.c | 34 +-
1 file changed, 21 in
Measure the kernel and initrd at load time
---
grub-core/loader/i386/linux.c| 6 ++
grub-core/loader/i386/pc/linux.c | 4
grub-core/loader/linux.c | 3 +++
3 files changed, 13 insertions(+)
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index 5e54e
---
grub-core/loader/i386/multiboot_mbi.c | 4
grub-core/loader/multiboot.c | 3 +++
grub-core/loader/multiboot_mbi2.c | 4
3 files changed, 11 insertions(+)
diff --git a/grub-core/loader/i386/multiboot_mbi.c
b/grub-core/loader/i386/multiboot_mbi.c
index fd7b41b..42372bf 1
We want a single buffer that contains the entire kernel image in order to
perform a TPM measurement. Allocate one and copy the entire kernel into it
before pulling out the individual blocks later on.
---
grub-core/loader/i386/linux.c | 34 +-
1 file changed, 21 inse
Add support for performing basic TPM measurements. Right now this only
supports extending PCRs statically and only on UEFI and BIOS systems, but
will measure all modules as they're loaded.
---
grub-core/Makefile.am| 1 +
grub-core/Makefile.core.def | 3 +
grub-core/kern/dl.c
This patchset adds support for measuring components of grub and what it's
loading into the TPM. It supports both TPM 1.2 and 2.0 devices via the
standard UEFI protocols.
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listin
The current logic in the DNS resolution code allocates an address buffer
based on the number of addresses in the response packet. If we receive
multiple response packets in response to a single query packet, this means
that we will reallocate a new buffer large enough for only the addresses in
that
It's helpful to determine that a request was sent by grub in order to permit
the server to provide different information at different stages of the boot
process. Send GRUB2 as a type 77 DHCP option when sending bootp packets in
order to make this possible and tag the request as a DHCP discover to
c
Some DHCP servers (such as dnsmasq) tokenise parameters with commas, making
it impossible to pass boot files with commas in them. Allow using a
semicolon to separate the protocol from host if a comma wasn't found.
---
grub-core/net/net.c | 4
1 file changed, 4 insertions(+)
diff --git a/grub
Add support for passing ports in HTTP requests. This takes the form of:
(http,serverip:portnum)/file
---
grub-core/net/http.c | 8 ++--
grub-core/net/net.c | 10 +-
include/grub/net.h | 1 +
3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/grub-core/net/http.c b/gru
Various patches that we're using to support network boot in our setup. Only
number 3 is a bugfix.
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
Add a command to read values from the qemu fwcfg store. This allows data
to be passed from the qemu command line to grub.
Example use:
echo '(hd0,1)' >rootdev
qemu -fw_cfg opt/rootdev,file=rootdev
fwconfig opt/rootdev root
---
docs/grub.texi| 6 +++
grub-core/Makefile.core.def
Add a command to obtain the contents of EFI firmware variables.
---
docs/grub.texi | 7 ++
grub-core/Makefile.core.def | 7 ++
grub-core/commands/efi/getenv.c | 153
3 files changed, 167 insertions(+)
create mode 100644 grub-core/c
1 - 100 of 130 matches
Mail list logo