Re: Verifier running out of memory on ieee1275/powerpc64

[Simon Hardy <simon.hardy@itdev.co.uk>]

The 2020/03/17 13:15, Stefan Berger wrote:
>  I trying to add (v)TPM support for the ieee1275/powerpc64 platform to grub.
> The issue I have been running into is that the verifier runs out of memory.
> At that point it has loaded the (~ 32MB) Linux kernel and now the verifier
> is invoked to load the file. Unfortunately it cannot load the file since it
> doesn't have enough memory to grub_malloc. I have played with increasing
> heap size(es) but it still doesn't work. The kernel and initramfs files on
> ppc64 can be rather big, thus we do not a lot of memory. The rescue
> initramfs here is for example 78MB, a regular initramfs from Fedora 31 is
> ~34MB. The kernel sizes on my system are 32MB, though a colleague was using
> an unstripped kernel of 127MB, so lots of (unfragmented) memory needs to be
> available to run verifiers.

The verifiers framework has a flag, GRUB_VERIFY_FLAGS_SINGLE_CHUNK, that is
used by the platform-independent TPM module. This could be deferred to the
platform-specific TPM file (see point 3 below). With this flag unset for your
platform, you could verify the files in small chunks. This requires three
further elements: 

1. You will need to implement the chunk-by-chunk behaviour in
verifiers.c, it doesn't exist yet.

2. You will need to add functionality to calculate a hash from chunks, or
require that the crypto module is built into the core.

3. The firmware interface needs to support HashLogExtend with a user supplied
hash instead of a memory buffer. For example the PC Conventional BIOS API has
this, but the UEFI API does not.