Blame SOURCES/0132-Measure-commands.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Mon, 10 Aug 2015 15:27:12 -0700
Subject: [PATCH] Measure commands
Measure each command executed by grub, which includes script execution.
---
 grub-core/script/execute.c | 25 +++++++++++++++++++++++--
 include/grub/tpm.h         |  1 +
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
b71686
index cf6cd6601..9ae04a051 100644
d9d99f
--- a/grub-core/script/execute.c
d9d99f
+++ b/grub-core/script/execute.c
d9d99f
@@ -30,6 +30,7 @@
d9d99f
 #ifdef GRUB_MACHINE_IEEE1275
d9d99f
 #include <grub/ieee1275/ieee1275.h>
d9d99f
 #endif
d9d99f
+#include <grub/tpm.h>
d9d99f
 
d9d99f
 /* Max digits for a char is 3 (0xFF is 255), similarly for an int it
d9d99f
    is sizeof (int) * 3, and one extra for a possible -ve sign.  */
d9d99f
@@ -967,8 +968,9 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
d9d99f
   grub_err_t ret = 0;
d9d99f
   grub_script_function_t func = 0;
d9d99f
   char errnobuf[18];
d9d99f
-  char *cmdname;
d9d99f
-  int argc;
d9d99f
+  char *cmdname, *cmdstring;
d9d99f
+  int argc, offset = 0, cmdlen = 0;
d9d99f
+  unsigned int i;
d9d99f
   char **args;
d9d99f
   int invert;
d9d99f
   struct grub_script_argv argv = { 0, 0, 0 };
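Review bot: `cmdlen` and `offset` are declared `int` although they accumulate `grub_strlen()` results and are later handed to the size parameter of `grub_snprintf`, so the arithmetic mixes signed and unsigned types; declaring them as `grub_size_t cmdlen = 0, offset = 0;` keeps the byte counts in the type the string helpers already use. The surrounding declarations use one name per line with a comment-free style, so the new pair should match rather than be packed onto the `argc` line. grub_script_execute_cmdline's body continues outside this hunk.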
d9d99f
@@ -977,6 +979,25 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
d9d99f
   if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
d9d99f
     return grub_errno;
d9d99f
 
d9d99f
+  for (i = 0; i < argv.argc; i++) {
d9d99f
+	  cmdlen += grub_strlen (argv.args[i]) + 1;
d9d99f
+  }
d9d99f
+
d9d99f
+  cmdstring = grub_malloc (cmdlen);
d9d99f
+  if (!cmdstring)
d9d99f
+  {
d9d99f
+	  return grub_error (GRUB_ERR_OUT_OF_MEMORY,
d9d99f
+			     N_("cannot allocate command buffer"));
d9d99f
+  }
d9d99f
+
d9d99f
+  for (i = 0; i < argv.argc; i++) {
d9d99f
+	  offset += grub_snprintf (cmdstring + offset, cmdlen - offset, "%s ",
d9d99f
+				   argv.args[i]);
d9d99f
+  }
d9d99f
+  cmdstring[cmdlen-1]= '\0';
d9d99f
+  grub_tpm_measure ((unsigned char *)cmdstring, cmdlen, GRUB_COMMAND_PCR,
d9d99f
+		    cmdstring);
d9d99f
+  grub_free(cmdstring);
d9d99f
   invert = 0;
d9d99f
   argc = argv.argc - 1;
d9d99f
   args = argv.args + 1;
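Review bot: Joining the arguments with `"%s "` in the grub_snprintf loop discards the argv boundaries, so a command invoked as `foo "a b"` and one invoked as `foo a b` extend PCR 13 with identical bytes and a remote verifier cannot distinguish them; measuring each `argv.args[i]` as its own event, or keeping a `\0` between elements in the measured buffer while still passing a space-joined string as the event description, would make the log unambiguous. The out-of-memory path after `grub_malloc` returns without releasing `argv`, which `grub_script_arglist_to_argv` has already populated at this point; if the function frees it on its normal exit as the rest of this file does, the early return should too, e.g. `grub_script_argv_free (&argv);` before `return grub_error (...)`. The measured length `cmdlen` deliberately includes the terminating NUL that overwrites the trailing space, which is fine but deserves a one-line comment such as `/* measured buffer is "cmd arg1 ... argN\0" including the NUL */` so anyone reconstructing the expected digest includes it. grub_script_execute_cmdline continues outside this hunk.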
d9d99f
diff --git a/include/grub/tpm.h b/include/grub/tpm.h
b71686
index 40d3cf65b..7fc9d77d2 100644
d9d99f
--- a/include/grub/tpm.h
d9d99f
+++ b/include/grub/tpm.h
d9d99f
@@ -30,6 +30,7 @@
d9d99f
 #define GRUB_KERNEL_PCR 10
d9d99f
 #define GRUB_INITRD_PCR 11
d9d99f
 #define GRUB_CMDLINE_PCR 12
d9d99f
+#define GRUB_COMMAND_PCR 13
d9d99f
 
d9d99f
 #define TPM_TAG_RQU_COMMAND 0x00C1
d9d99f
 #define TPM_ORD_Extend 0x14
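Review bot: The new `GRUB_COMMAND_PCR` has no comment saying what ends up in it, unlike a verifier would need when writing a policy for PCR 13; the PCR assignments in this header are the contract between the bootloader and the attestation side and should say what each index receives. A short comment on the new line, `#define GRUB_COMMAND_PCR 13 /* every command grub executes, including script lines */`, would do, and the neighbouring kernel/initrd/cmdline PCR defines would benefit from the same treatment in a follow-up.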