Closed smoser closed 2 years ago
Could you...

serge@jerom:~/src/stubby$ git st
HEAD detached at FETCH_HEAD
Untracked files:
  (use "git add ..." to include in what will be committed)
        test-cmdline

add test-cmdline to .gitignore? :)
done.
OK, I think this is ready, but let's hold off for now. We haven't actually tested in EFI. It's nice that it gets tested in c-i, and as a result I'm pretty sure of the 'check_cmdline' function, but whether or not it does what I want in EFI, I'm not so sure.
Sounds good. When you feel comfortable with it after testing let me know and I'll merge.
OK, at this point I have done some basic testing and I'm happy with it.
I was able to boot a VM with a shim and invoke:
SHIM.EFI GRUBX64.EFI console=ttyS0 root=atomix
That booted. If I boot with other parameters, I get output like:
UEFI Interactive Shell v2.2
EDK II
UEFI v2.70 (EDK II, 0x00010000)
Mapping table
FS0: Alias(s):F1:;BLK1:
PciRoot(0x0)/Pci(0x4,0x0)
BLK0: Alias(s):
PciRoot(0x0)/Pci(0x1,0x1)/Ata(0x0)
Press ESC in 1 seconds to skip startup.nsh or any other key to continue.
Shell> echo ============
============
Shell> SHIM.EFI GRUBX64.EFI console=ttyS0 arg1 arg2
cmdline is len 0: (null)
Secure=true LoadOptionsSize=48 LoadOptions[0]=console=ttyS0 arg1 arg2
cmdline arg 1 not allowed: arg1
Custom kernel command line rejected
Failed to open \efi\boot\mmx64.efi - Not Found
Failed to load image \efi\boot\mmx64.efi: Not Found
start_image() returned Not Found
Shell> reset -s
The point of this PR is to add an "allowed list" to kernel command line processing. The changes implement the following and add some sort of unit test just to make things easier to develop.
If there is no built-in kernel command line, then check that the provided command line contains only allowed tokens.
If booted in secure mode and an invalid token is found, then the loader will exit failure. If booted in insecure mode, then the loader will print a warning and continue.
Token checks are against a static list of words (allowed). Words in the allowed list beginning with a '^' will be considered allowed if the input token begins with the word.
For example, '^console=t' will match:
But will not match:
The allowed word 'console=ttyS0' will only match the exact string, and will not match console=ttyS0,115200.
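The token rules described above (exact match by default, prefix match for entries beginning with '^', fatal in secure mode, warning only in insecure mode), written out as an added stand-alone example. This is not stubby's own check_cmdline code: the allowed list below is constructed for the example, and the function names first_bad_arg and cmdline_accepted are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allowed list for this example (not the project's real list).
 * A leading '^' makes the entry a prefix match; any other entry must match
 * the whole token exactly, so "console=ttyS0" does not admit
 * "console=ttyS0,115200". */
static const char *allowed[] = {
    "^root=",
    "console=ttyS0",
    "ro",
    "quiet",
    NULL,
};

/* True if the token [tok, tok+len) is permitted by the allowed list. */
static bool token_allowed(const char *tok, size_t len)
{
    for (size_t i = 0; allowed[i] != NULL; i++) {
        const char *w = allowed[i];
        if (w[0] == '^') {
            size_t n = strlen(w + 1);
            if (len >= n && memcmp(tok, w + 1, n) == 0)
                return true;
        } else if (strlen(w) == len && memcmp(tok, w, len) == 0) {
            return true;
        }
    }
    return false;
}

/* Scan a whitespace-separated command line. Returns the 0-based index of the
 * first disallowed token (copying it into 'bad' when a buffer is given), or
 * -1 when every token is allowed. Scans in place, so the input is not
 * modified. */
int first_bad_arg(const char *cmdline, char *bad, size_t badlen)
{
    int idx = 0;
    const char *p = cmdline;
    while (*p) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t')
            p++;
        size_t len = (size_t)(p - start);
        if (!token_allowed(start, len)) {
            if (bad && badlen)
                snprintf(bad, badlen, "%.*s", (int)len, start);
            return idx;
        }
        idx++;
    }
    return -1;
}

/* Policy from the PR description: a disallowed token is fatal when booted in
 * secure mode and only a warning otherwise. Returns true when boot may go on.
 * The caller is expected to skip this check entirely when a built-in kernel
 * command line is present. */
bool cmdline_accepted(const char *cmdline, bool secure)
{
    char bad[128] = "";
    int idx = first_bad_arg(cmdline, bad, sizeof bad);
    if (idx < 0)
        return true;
    fprintf(stderr, "cmdline arg %d not allowed: %s\n", idx, bad);
    if (secure) {
        fprintf(stderr, "Custom kernel command line rejected\n");
        return false;
    }
    fprintf(stderr, "warning: insecure boot, continuing with unchecked cmdline\n");
    return true;
}

int main(void)
{
    /* Constructed inputs mirroring the boot attempts shown in the thread. */
    printf("secure, clean:   %d\n", cmdline_accepted("console=ttyS0 root=atomix", true));
    printf("secure, arg1:    %d\n", cmdline_accepted("console=ttyS0 arg1 arg2", true));
    printf("insecure, arg1:  %d\n", cmdline_accepted("console=ttyS0 arg1 arg2", false));
    return 0;
}
```

The prefix entry "^root=" admits "root=atomix" while the exact entry "console=ttyS0" rejects "console=ttyS0,115200", which is the distinction the description draws; the 0-based index matches the "cmdline arg 1 not allowed: arg1" line in the shell output above.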