Re: [SECURITY PATCH 4/8] commands/search: Add the diskfilter support

Fri, 09 May 2025 06:31:25 -0700 

Le jeu. 8 mai 2025, 20:04, Daniel Kiper via Grub-devel <grub-devel@gnu.org>
a écrit :

> From: Maxim Suhanov <dfirb...@gmail.com>
>
> When the --cryptodisk-only argument is given, also check the target
> device using the "cryptocheck" command, if available.
>
> This extends the checks to common layouts like LVM-on-LUKS, so the
> --cryptodisk-only argument transparently handles such setups.
>
> Signed-off-by: Maxim Suhanov <dfirb...@gmail.com>
> Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
> ---
>  grub-core/commands/search.c | 32 +++++++++++++++++++++++++++++++-
>  1 file changed, 31 insertions(+), 1 deletion(-)
>
> diff --git a/grub-core/commands/search.c b/grub-core/commands/search.c
> index f6bfef958..185c1e70f 100644
> --- a/grub-core/commands/search.c
> +++ b/grub-core/commands/search.c
> @@ -54,6 +54,36 @@ struct search_ctx
>    int is_cache;
>  };
>
> +static bool
> +is_unencrypted_disk (grub_disk_t disk)
> +{
> +  grub_command_t cmd;
> +  char *disk_str;
> +  int disk_str_len;
> +  int res;
> +
> +  if (disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID)
> +    return false; /* This is (crypto) disk. */
> +
> +  if (disk->dev->id == GRUB_DISK_DEVICE_DISKFILTER_ID)
> +    {
> +      cmd = grub_command_find ("cryptocheck");
>
I would prefer not to go through command parser but instead define a
function for crypto check.

+        return true;
> +
> +      disk_str_len = grub_strlen (disk->name) + 2 + 1;
> +      disk_str = grub_malloc (disk_str_len);
> +      if (disk_str == NULL) /* Something is wrong, better report as
> unencrypted. */
>
You need to properly handle the error. Either reset grub_errno or to return
an error to upper layer (preferred).

> +        return true;
> +
> +      grub_snprintf (disk_str, disk_str_len, "(%s)", disk->name);
> +      res = cmd->func (cmd, 1, &disk_str);
> +      grub_free (disk_str);
> +      return (res != GRUB_ERR_NONE) ? true : false; /* GRUB_ERR_NONE for
> encrypted. */
> +    }
> +  return true;
> +}
> +
>  /* Helper for FUNC_NAME.  */
>  static int
>  iterate_device (const char *name, void *data)
> @@ -97,7 +127,7 @@ iterate_device (const char *name, void *data)
>           grub_errno = GRUB_ERR_NONE;
>           return 0;
>         }
> -      if (dev->disk == NULL || dev->disk->dev->id !=
> GRUB_DISK_DEVICE_CRYPTODISK_ID)
> +      if (dev->disk == NULL || is_unencrypted_disk (dev->disk) == true)
>         {
>           grub_device_close (dev);
>           grub_errno = GRUB_ERR_NONE;
> --
> 2.11.0
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to