Add dm-verity parser from kernel command line #217
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We will use this message to parse the command line passed from the bootloader.
This supports reading the kernel cmdline from all of the GRUB commands.
DmVerityState will contain the attested dm-verity hash algorithms, root digests, and salts required for validating a dm-verity mounted device (e.g., root fs).
This uses much of what the kernel does for a cmdline string, except it does not actually parse the args into kernel_param structs. Rather, parseArgs returns a map of param strings to val strings. parseArg uses nextArg, which should copy the exact behavior of the kernel in https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/lib/cmdline.c.
The server package now supports reading the kernel command line and parsing it, using the same parsing logic as the kernel. This functionality currently only supports parsing a single root hash; multiple dm entries will cause undefined behavior.
alexmwu
commented
Jul 6, 2022
| // nextArgs must receive a null-terminated string. | ||
| if len(commandline) == 0 || commandline[len(commandline)-1] != 0 { | ||
| args = make([]byte, len(commandline)+1) | ||
| args[len(args)-1] = 0 |
There was a problem hiding this comment.
from @jkl73:
Can directly append() a 0 at the end? args = append(args, byte(0))
| seen = true | ||
| cmdline = command[suffixAt:] | ||
|
|
||
| verity, err = tryGetDmVerityStateFromCmdline(parseArgs(cmdBytes)) |
There was a problem hiding this comment.
kernel.commandline, err = getKernelCMDFromGRUB...
kernel.verity, err = getDmVerityFromGRUB...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
digests, and salts required for validating a dm-verity mounted device
(e.g., root fs).
This is currently limited to the syntax of the ChromeOS, non-upstreamed fork of dm-verity. It can currently only parse out one dm-verity hash.