Add verity hash passthrough

Read the verity hash from the kernel binary and pass it to the running system via the kernel command line
flatcar-hub · Mar 30, 2018 · 03b547c · 03b547c
1 parent 250af43
commit 03b547c
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
@@ -27,6 +27,8 @@
 #include <grub/lib/cmdline.h>
 #include <grub/efi/efi.h>
 
+#include "../verity-hash.h"
+
 GRUB_MOD_LICENSE ("GPLv3+");
 
 static grub_dl_t my_mod;
@@ -288,6 +290,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
                               linux_cmdline + sizeof (LINUX_IMAGE) - 1,
 			      lh.cmdline_size - (sizeof (LINUX_IMAGE) - 1));
 
+  grub_pass_verity_hash(&lh, linux_cmdline);
   lh.cmd_line_ptr = (grub_uint32_t)(grub_uint64_t)linux_cmdline;
 
   handover_offset = lh.handover_offset;

diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
@@ -36,6 +36,7 @@
 #include <grub/lib/cmdline.h>
 #include <grub/linux.h>
 
+#include "verity-hash.h"
 GRUB_MOD_LICENSE ("GPLv3+");
 
 #ifdef GRUB_MACHINE_PCBIOS
@@ -1018,6 +1019,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 			      maximal_cmdline_size
 			      - (sizeof (LINUX_IMAGE) - 1));
 
+  grub_pass_verity_hash(&lh, linux_cmdline);
   len = prot_file_size;
   if (grub_file_read (file, prot_mode_mem, len) != len && !grub_errno)
     grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),

diff --git a/grub-core/loader/i386/verity-hash.h b/grub-core/loader/i386/verity-hash.h
@@ -0,0 +1,25 @@
+#define VERITY_ARG " verity.usrhash="
+#define VERITY_HASH_OFFSET 0x40
+#define VERITY_HASH_LENGTH 64
+
+static inline void grub_pass_verity_hash(struct linux_kernel_header *lh,
+					 char *cmdline)
+{
+  char *buf = (char *)lh;
+  grub_size_t cmdline_len;
+  int i;
+
+  for (i=VERITY_HASH_OFFSET; i<VERITY_HASH_OFFSET + VERITY_HASH_LENGTH; i++)
+    {
+      if (buf[i] < '0' || buf[i] > '9') // Not a number
+	if (buf[i] < 'a' || buf[i] > 'f') // Not a hex letter
+	  return;
+    }
+
+  grub_memcpy (cmdline + grub_strlen(cmdline), VERITY_ARG,
+	       sizeof (VERITY_ARG));
+  cmdline_len = grub_strlen(cmdline);
+  grub_memcpy (cmdline + cmdline_len, buf + VERITY_HASH_OFFSET,
+	       VERITY_HASH_LENGTH);
+  cmdline[cmdline_len + VERITY_HASH_LENGTH] = '\0';
+}