On 21.01.2014 17:24, Andrey Borzenkov wrote:
> On Tue, 21 Jan 2014 00:28:08 +0100
> Lubomir Rintel wrote:
>
>>
>> module = {
>> + name = linuxefi;
>> + efi = loader/i386/efi/linux.c;
>> + efi = lib/cmdline.c;
>> + enable = i386_efi;
>> + enable = x86_64_efi;
>> +};
>> +
>
> Is it relevant for arm64-efi?
>
>> +static grub_err_t
>> +grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
>> + int argc, char *argv[])
>> +{
>> + grub_file_t file = 0;
>> + struct linux_kernel_header lh;
>> + grub_ssize_t len, start, filelen;
>> + void *kernel;
>> +
>> + grub_dl_ref (my_mod);
>> +
>> + if (argc == 0)
>> + {
>> + grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
>> + goto fail;
>> + }
>> +
>> + file = grub_file_open (argv[0]);
>> + if (! file)
>> + goto fail;
>> +
>> + filelen = grub_file_size (file);
>> +
>> + kernel = grub_malloc(filelen);
>> +
>> + if (!kernel)
>> + {
>> + grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate kernel buffer"));
>> + goto fail;
>> + }
>> +
>> + if (grub_file_read (file, kernel, filelen) != filelen)
>> + {
>> + grub_error (GRUB_ERR_FILE_READ_ERROR, N_("Can't read kernel %s"), argv[0]);
>> + goto fail;
>> + }
>> +
>> + if (! grub_linuxefi_secure_validate (kernel, filelen))
>> + {
>> + grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]);
>> + grub_free (kernel);
>> + goto fail;
>> + }
>> +
>> + grub_file_seek (file, 0);
>> +
>> + grub_free(kernel);
>> +
>
> This leaves the possibility to modify the file after it was verified. It
> should continue to use in-memory content.
>
This part is from the RH "Secureboot" patch. Few things are right about that patch. Whatever signature verifications there are would need to be integrated with the signatures framework (I have some scratch in phcoder/file_types)
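
Review bot: In grub_cmd_linux, the buffer that grub_linuxefi_secure_validate checked is discarded straight after the check ("grub_file_seek (file, 0);" followed by "grub_free(kernel);"), and the seek back to offset 0 means the later code reads the file again, so the bytes that get loaded are not the bytes that were verified. Keep kernel alive past this point and take the header and image from that buffer, closing the file once the single read is done. Separately, the grub_file_read failure branch jumps to fail without freeing kernel, while the signature-failure branch frees it by hand; because "void *kernel;" has no initializer and the argc == 0 path reaches fail before it is assigned, the fail label cannot free it safely as written. Initialize kernel to NULL and release it in one place. It is also worth rejecting a zero or negative filelen before the grub_malloc call, since filelen is a grub_ssize_t and is passed on unchecked.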