Joe,
Version two of the patch:
Signed-off-by: Charles Fisher <charles.fis...@gdc4s.com>
diff -up tboot-1.7.0/tb_polgen/param.c.orig
tboot-1.7.0/tb_polgen/param.c
--- tboot-1.7.0/tb_polgen/param.c.orig 2012-04-26 08:33:58.631208000
-0700
+++ tboot-1.7.0/tb_polgen/param.c 2012-04-26 10:10:49.931844000 -0700
@@ -184,6 +184,7 @@ void print_params(param_data_t *params)
info_msg("\t pcr = %d\n", params->pcr);
info_msg("\t hash_type = %d\n", params->hash_type);
info_msg("\t pos = %d\n", params->pos);
+ info_msg("\t cmdline length = %lu\n", strlen(params->cmdline));
info_msg("\t cmdline = %s\n", params->cmdline);
info_msg("\t image_file = %s\n", params->image_file);
info_msg("\t elt_file = %s\n", params->elt_file);
@@ -407,6 +408,12 @@ bool parse_input_params(int argc, char *
error_msg("Misssing string for --cmdline
option\n");
return false;
}
+ if (strlen(optarg) > sizeof(params->cmdline) - 1) {
+ error_msg("Command line length of %lu exceeds %d
character maximum\n",
+ strlen(optarg),
TBOOT_KERNEL_CMDLINE_SIZE-1);
+ return false;
+ }
+
strncpy(params->cmdline, optarg,
sizeof(params->cmdline));
params->cmdline[sizeof(params->cmdline)-1] = '\0';
break;
diff -up tboot-1.7.0/tb_polgen/tb_polgen.h.orig
tboot-1.7.0/tb_polgen/tb_polgen.h
--- tboot-1.7.0/tb_polgen/tb_polgen.h.orig 2012-04-24
09:22:09.549172000 -0700
+++ tboot-1.7.0/tb_polgen/tb_polgen.h 2012-04-26 09:53:52.874845000
-0700
@@ -56,7 +56,7 @@ typedef struct {
int pcr;
int hash_type;
int pos;
- char cmdline[256];
+ char cmdline[TBOOT_KERNEL_CMDLINE_SIZE];
char image_file[FILENAME_MAX];
char elt_file[FILENAME_MAX];
char policy_file[FILENAME_MAX];
From: Fisher, Charles-p99463
Sent: Thursday, April 26, 2012 8:17 AM
To: 'Cihula, Joseph'; Wei, Gang; tboot-devel@lists.sourceforge.net
Subject: RE: Problem with tb_polgen
Joe,
Please put this patch on hold. I am going to make the change suggested
earlier and use a common definition for both tboot, and tb_polgen, as
well as add a check in tb_polgen for the cmdline length being larger
than the buffer so, and put out an error message to that effect so that
the condition will be flagged.
Charles
From: Cihula, Joseph [mailto:joseph.cih...@intel.com]
Sent: Wednesday, April 25, 2012 5:29 PM
To: Wei, Gang; Fisher, Charles-p99463; tboot-devel@lists.sourceforge.net
Subject: RE: Problem with tb_polgen
Please provide a Signed-off-by: for your patch, so that we may apply it.
Joe
From: Wei, Gang [mailto:gang....@intel.com]
Sent: Wednesday, April 25, 2012 5:12 PM
To: charles.fis...@gdc4s.com; tboot-devel@lists.sourceforge.net
Subject: Re: [tboot-devel] Problem with tb_polgen
Thanks for the finding and patch.
Jimmy
From: charles.fis...@gdc4s.com [mailto:charles.fis...@gdc4s.com]
Sent: Wednesday, April 25, 2012 3:24 AM
To: tboot-devel@lists.sourceforge.net
Subject: [tboot-devel] Problem with tb_polgen
All,
There is a problem with tb_polgen. When it is parsing the kernel
cmdline, it uses the first 256 characters of the cmdline, and discards
the rest. Tboot itself, uses the first 1024 characters of the command
line received from grub2. This means that the hash generated by
tb_polgen will NOT match the hash generated by tboot/policy.c and
verification will fail.
The following patch needs to be applied.
Signed-off-by: <Charles.Fisher@...>
diff -up tboot-1.7.0/tb_polgen/tb_polgen.h.orig
tboot-1.7.0/tb_polgen/tb_polgen.h
--- tboot-1.7.0/tb_polgen/tb_polgen.h.orig 2012-04-24
09:22:09.549172000 -0700
+++ tboot-1.7.0/tb_polgen/tb_polgen.h 2012-04-24 09:22:29.716011000
-0700
@@ -56,7 +56,7 @@ typedef struct {
int pcr;
int hash_type;
int pos;
- char cmdline[256];
+ char cmdline[1024];
char image_file[FILENAME_MAX];
char elt_file[FILENAME_MAX];
char policy_file[FILENAME_MAX];
I suppose that actually, the cmdline size should be defined in
include/config.h, and the same value used by tb_polgen and tboot, but
this worked on our system with a 284 character kernel cmdline.
Charles
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
