代码拉取完成,页面将自动刷新
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Kiper <daniel.kiper@oracle.com>
Date: Wed, 26 Sep 2018 13:17:52 +0200
Subject: [PATCH] verifiers: Add possibility to defer verification to other
verifiers
This way if a verifier requires verification of a given file it can defer task
to another verifier (another authority) if it is not able to do it itself. E.g.
shim_lock verifier, posted as a subsequent patch, is able to verify only PE
files. This means that it is not able to verify any of GRUB2 modules which have
to be trusted on UEFI systems with secure boot enabled. So, it can defer
verification to other verifier, e.g. PGP one.
I silently assume that other verifiers are trusted and will do good job for us.
Or at least they will not do any harm.
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
---
grub-core/commands/verifiers.c | 23 ++++++++++++++++++++---
include/grub/verify.h | 4 +++-
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/grub-core/commands/verifiers.c b/grub-core/commands/verifiers.c
index 59ea418a2..c638d5f43 100644
--- a/grub-core/commands/verifiers.c
+++ b/grub-core/commands/verifiers.c
@@ -83,6 +83,7 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
void *context;
grub_file_t ret = 0;
grub_err_t err;
+ int defer = 0;
grub_dprintf ("verify", "file: %s type: %d\n", io->name, type);
@@ -102,13 +103,27 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
err = ver->init (io, type, &context, &flags);
if (err)
goto fail_noclose;
+ if (flags & GRUB_VERIFY_FLAGS_DEFER_AUTH)
+ {
+ defer = 1;
+ continue;
+ }
if (!(flags & GRUB_VERIFY_FLAGS_SKIP_VERIFICATION))
break;
}
if (!ver)
- /* No verifiers wanted to verify. Just return underlying file. */
- return io;
+ {
+ if (defer)
+ {
+ grub_error (GRUB_ERR_ACCESS_DENIED,
+ N_("verification requested but nobody cares: %s"), io->name);
+ goto fail_noclose;
+ }
+
+ /* No verifiers wanted to verify. Just return underlying file. */
+ return io;
+ }
ret = grub_malloc (sizeof (*ret));
if (!ret)
@@ -160,7 +175,9 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
err = ver->init (io, type, &context, &flags);
if (err)
goto fail_noclose;
- if (flags & GRUB_VERIFY_FLAGS_SKIP_VERIFICATION)
+ if (flags & GRUB_VERIFY_FLAGS_SKIP_VERIFICATION ||
+ /* Verification done earlier. So, we are happy here. */
+ flags & GRUB_VERIFY_FLAGS_DEFER_AUTH)
continue;
err = ver->write (context, verified->buf, ret->size);
if (err)
diff --git a/include/grub/verify.h b/include/grub/verify.h
index 9f892d8fe..79022b422 100644
--- a/include/grub/verify.h
+++ b/include/grub/verify.h
@@ -22,7 +22,9 @@
enum grub_verify_flags
{
GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1,
- GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2
+ GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2,
+ /* Defer verification to another authority. */
+ GRUB_VERIFY_FLAGS_DEFER_AUTH = 4
};
enum grub_verify_string_type
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。