Jean-Francois,
It's possible to write one's grub.cfg to save GRUB environment variables in
pre-existing GRUB environment variable files on an ext4 filesystem. What
types of sanity-checking are you looking to do? It may be possible to
achieve what you want with just these mechanisms.
-Jon
On
On Mon, Feb 6, 2017 at 2:04 PM, Matthew Garrett <mj...@srcf.ucam.org> wrote:
> On Mon, Feb 06, 2017 at 09:53:57AM -0800, Jon McCune wrote:
>
> > I'm not sure about measuring the commands that GRUB runs. GRUB's config
> > file is a shell-like language, and measuri
Matthew,
On Mon, Feb 6, 2017 at 8:43 AM, Matthew Garrett wrote:
> On Sun, Feb 05, 2017 at 01:28:20PM +, Vladimir 'phcoder' Serbinenko
> wrote:
> > See verify.h for the interface. Obviously if you need changes in the API,
> > please say.
>
> I think that's a starting
On Mon, Nov 21, 2016 at 6:45 AM, Daniel Kiper wrote:
> On Fri, Nov 18, 2016 at 12:00:08PM +, Ignat Korchagin wrote:
> > Reposting this, as requested by Daniel and rebasing on current tree.
> >
> > Currently GRUB2 verify logic searches PGP keyid only in unhashed
>
on
the contents of the file. This prevents a malicious environment block
file from overwriting the value of security-critical environment variables
such as check_signatures, while still allowing a properly constructed
configuration file to offer savedefault and one-shot functionality.
Signed-off-by: Jon
is done to make
this support usable: A {-k, --pubkey} option is added to
grub-install, and significant documentation is included. See the
individual patch descriptions for more specifics.
Jon McCune (5):
style: indent --no-tabs --gnu-style grub-core/commands/loadenv.c
load_env support
will be written. Thus, the actual contents of the file do not pose a
security risk.
Signed-off-by: Jon McCune jonmcc...@google.com
---
grub-core/commands/loadenv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/commands/loadenv.c b/grub-core/commands/loadenv.c
index 49e8004
documentation)
* Modifications to documentation for load_env, save_env, hashsum
Signed-off-by: Jon McCune jonmcc...@google.com
---
docs/grub.texi | 180 -
1 file changed, 178 insertions(+), 2 deletions(-)
diff --git a/docs/grub.texi b/docs
This simply passes along the public key to the grub-mkimage invocation
Signed-off-by: Jon McCune jonmcc...@google.com
---
util/grub-install.in | 13 +
util/grub-install_header | 6 ++
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/util/grub-install.in b/util
-by: Jon McCune jonmcc...@google.com
---
grub-core/commands/loadenv.c | 87 ++--
1 file changed, 44 insertions(+), 43 deletions(-)
diff --git a/grub-core/commands/loadenv.c b/grub-core/commands/loadenv.c
index c0a42c5..a431499 100644
--- a/grub-core/commands
Passes along one or more public keys to the grub-mkimage invocation
Signed-off-by: Jon McCune jonmcc...@google.com
---
util/grub-install.in | 19 +++
util/grub-install_header | 6 ++
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/util/grub-install.in b
This is an iteration of the code that was discussed in the v2 patch.
I have not yet updated the documentation to match these changes, since
I would prefer to conclude discussion of the suitability of these
changes first.
Jon McCune (3):
style: indent --no-tabs --gnu-style grub-core/commands
-by: Jon McCune jonmcc...@google.com
---
grub-core/commands/loadenv.c | 87 ++--
1 file changed, 44 insertions(+), 43 deletions(-)
diff --git a/grub-core/commands/loadenv.c b/grub-core/commands/loadenv.c
index c0a42c5..a431499 100644
--- a/grub-core/commands
,
boot_once, and similar.
This version of this patch drops all direct interaction with the logic in
verify.c. The author of grub.cfg must take care to disable and re-enable
check_signatures as appropriate.
Signed-off-by: Jon McCune jonmcc...@google.com
---
grub-core/commands/loadenv.c | 57
14 matches
Mail list logo