commit 6b94362fa35afb714330829f60967cb16f77367d
author Matthew Garrett <matthewgarrett@google.com> Wed Jul 05 14:19:56 2017 -0700
committer Edward Jee <edjee@google.com> Wed Mar 07 22:26:50 2018 +0000
tree e63f389bd000029286dc2e2e09811f9bcc102c85
parent 681ee6bed23e18f5cc7c4a597d5a9949950db0b6

grub-lakitu: FROMLIST: Verify commands executed by grub

Pass commands to the verification code. We want to be able to log these
in the TPM verification case.

(am from http://lists.gnu.org/archive/html/grub-devel/2017-07/msg00004.html)

BUG=b:69569602
TEST=TBD

Change-Id: I1efdb2b110b070408e4562b38c49456d8ff0e5ad
Reviewed-on: https://chromium-review.googlesource.com/945903
Reviewed-by: Edward Jee <edjee@google.com>
Commit-Queue: Edward Jee <edjee@google.com>
Tested-by: Edward Jee <edjee@google.com>
Trybot-Ready: Edward Jee <edjee@google.com>

grub-lakitu/grub-core/script/execute.c

diff --git a/grub-lakitu/grub-core/script/execute.c b/grub-lakitu/grub-core/script/execute.c
index a8502d9..4575477 100644
--- a/grub-lakitu/grub-core/script/execute.c
+++ b/grub-lakitu/grub-core/script/execute.c
@@ -27,6 +27,7 @@
 #include <grub/normal.h>
 #include <grub/extcmd.h>
 #include <grub/i18n.h>
+#include <grub/verify.h>
 
 /* Max digits for a char is 3 (0xFF is 255), similarly for an int it
    is sizeof (int) * 3, and one extra for a possible -ve sign.  */
@@ -929,8 +930,9 @@
   grub_err_t ret = 0;
   grub_script_function_t func = 0;
   char errnobuf[18];
-  char *cmdname;
-  int argc;
+  char *cmdname, *cmdstring;
+  int argc, offset = 0, cmdlen = 0;
+  unsigned int i;
   char **args;
   int invert;
   struct grub_script_argv argv = { 0, 0, 0 };
@@ -939,6 +941,26 @@
   if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
     return grub_errno;
 
+  for (i = 0; i < argv.argc; i++)
+    {
+      cmdlen += grub_strlen (argv.args[i]) + 1;
+    }
+
+  cmdstring = grub_malloc (cmdlen);
+  if (!cmdstring)
+    {
+      return grub_error (GRUB_ERR_OUT_OF_MEMORY,
+                        N_("cannot allocate command buffer"));
+    }
+
+  for (i = 0; i < argv.argc; i++)
+    {
+      offset += grub_snprintf (cmdstring + offset, cmdlen - offset, "%s ",
+                              argv.args[i]);
+    }
+  cmdstring[cmdlen - 1] = '\0';
+  grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
+  grub_free (cmdstring);
   invert = 0;
   argc = argv.argc - 1;
   args = argv.args + 1;
@@ -1163,4 +1185,3 @@
 
   return grub_script_execute_cmd (script->cmd);
 }
-

grub-lakitu/include/grub/verify.h

diff --git a/grub-lakitu/include/grub/verify.h b/grub-lakitu/include/grub/verify.h
index acab4f4..517d386 100644
--- a/grub-lakitu/include/grub/verify.h
+++ b/grub-lakitu/include/grub/verify.h
@@ -11,6 +11,7 @@
   {
     GRUB_VERIFY_KERNEL_CMDLINE,
     GRUB_VERIFY_MODULE_CMDLINE,
+    GRUB_VERIFY_COMMAND,
   };
 
 struct grub_file_verifier