Next: Lockdown framework, Previous: Graphical Menu Software Design, Up: Top [Contents][Index]
To register your own verifier call ‘grub_verifier_register’ with a structure pointing to your functions.
The interface is inspired by the hash interface with ‘init’/‘write’/‘fini’.
There are essentially two ways of using it: hashing and whole-file verification.
With the hashing approach: during ‘init’ you decide whether you want to check the given file and initialise your context; in ‘write’ you update your hashing state; in ‘fini’ you check that the hash matches the expected value, passes some check, etc.
With whole-file verification: during ‘init’ you decide whether you want to check the given file and initialise your context; in ‘write’ you verify the file and return an error if it fails. No ‘fini’ step is needed.
The additional ‘verify_string’ callback receives strings that are not files, such as kernel command-line parameters, together with the kind of string being checked. Returning no error means successful verification; returning an error stops the current action.
Detailed description of the API:
Every time a file is opened your ‘init’ function is called with the file descriptor and the file type. Your function can have the following outcomes:

- returning an error: the file is considered as having failed verification.
- returning no error and setting the ‘GRUB_VERIFY_FLAGS_SKIP_VERIFICATION’ bit in ‘*flags’: this verifier does not check the file, and the next registered verifier, if any, is consulted.
- returning no error without setting that bit: the file is yours to verify.

In the third case your ‘write’ function is called with chunks of the file. If you need the whole file in a single chunk, set the ‘GRUB_VERIFY_FLAGS_SINGLE_CHUNK’ bit in ‘*flags’ during ‘init’. During ‘init’ you may also set ‘*context’ if you need additional state. At every ‘write’ call you may return an error, in which case the file is considered as having failed verification; if you return no error, verification continues with the next chunk.
At the end of the file ‘fini’, if it exists, is called with just the context. If you return no error from every call to ‘init’, ‘write’ and ‘fini’, the file is considered as having succeeded verification.
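As an added example (not GRUB's own code), here is a hashing-style verifier written against the callback shape described above, together with a small driver that walks the same init/write/fini/close sequence. The GRUB types (grub_err_t, grub_file_t, the flag and file-type enums, struct grub_file_verifier) are replaced by local stand-ins that mirror include/grub/verify.h so the file builds outside the GRUB tree; the FNV-1a digest, the allow-list, the file names and the "init=" command-line policy are all constructed for illustration and are not part of the framework.

```c
/* Added example, not GRUB code: a hashing-style verifier using the callback
 * shape of struct grub_file_verifier, plus a driver that mimics the framework's
 * init/write/fini/close sequence. GRUB types are local stand-ins (assumption:
 * they mirror include/grub/verify.h); digest, allow-list and policy are constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef int grub_err_t;
typedef size_t grub_size_t;
enum { GRUB_ERR_NONE = 0, GRUB_ERR_OUT_OF_MEMORY, GRUB_ERR_BAD_SIGNATURE,
       GRUB_ERR_ACCESS_DENIED };
enum grub_file_type { GRUB_FILE_TYPE_LINUX_KERNEL, GRUB_FILE_TYPE_LINUX_INITRD };
enum grub_verify_flags { GRUB_VERIFY_FLAGS_NONE = 0,
                         GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1,
                         GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2 };
enum grub_verify_string_type { GRUB_VERIFY_KERNEL_CMDLINE,
                               GRUB_VERIFY_MODULE_CMDLINE, GRUB_VERIFY_COMMAND };
typedef struct grub_file { const char *name; } *grub_file_t; /* only the name is used */

struct grub_file_verifier {
  const char *name;
  grub_err_t (*init) (grub_file_t io, enum grub_file_type type,
                      void **context, enum grub_verify_flags *flags);
  grub_err_t (*write) (void *context, void *buf, grub_size_t size);
  grub_err_t (*fini) (void *context);
  void (*close) (void *context);
  grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
};

/* Constructed allow-list: kernel path -> expected FNV-1a 32-bit digest.
 * 0xbf9cf968 is FNV-1a of the bytes "foobar", which stand in for a kernel image. */
static const struct { const char *path; uint32_t digest; } allowed[] = {
  { "/boot/vmlinuz-good", 0xbf9cf968u },
};

struct hash_ctx { uint32_t h; uint32_t expected; };

/* init: skip files that are not kernels, fail kernels not on the list,
 * otherwise set up hashing state and let write/fini run. */
static grub_err_t hv_init (grub_file_t io, enum grub_file_type type,
                           void **context, enum grub_verify_flags *flags)
{
  if (type != GRUB_FILE_TYPE_LINUX_KERNEL) {
    *flags |= GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;   /* not our business */
    return GRUB_ERR_NONE;
  }
  for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
    if (strcmp (allowed[i].path, io->name) == 0) {
      struct hash_ctx *c = malloc (sizeof *c);
      if (!c) return GRUB_ERR_OUT_OF_MEMORY;
      c->h = 0x811c9dc5u;                /* FNV offset basis */
      c->expected = allowed[i].digest;
      *context = c;
      return GRUB_ERR_NONE;              /* no skip bit: write/fini follow */
    }
  return GRUB_ERR_ACCESS_DENIED;         /* unknown kernel: fail at init */
}

/* write: absorb one chunk; the result must not depend on chunk boundaries. */
static grub_err_t hv_write (void *context, void *buf, grub_size_t size)
{
  struct hash_ctx *c = context;
  const unsigned char *p = buf;
  for (grub_size_t i = 0; i < size; i++) { c->h ^= p[i]; c->h *= 0x01000193u; }
  return GRUB_ERR_NONE;
}

/* fini: the verdict; an error here fails the whole file. */
static grub_err_t hv_fini (void *context)
{
  struct hash_ctx *c = context;
  return c->h == c->expected ? GRUB_ERR_NONE : GRUB_ERR_BAD_SIGNATURE;
}

static void hv_close (void *context) { free (context); }

/* verify_string: constructed policy that refuses "init=" on the kernel command line. */
static grub_err_t hv_verify_string (char *str, enum grub_verify_string_type type)
{
  if (type == GRUB_VERIFY_KERNEL_CMDLINE && strstr (str, "init=") != NULL)
    return GRUB_ERR_ACCESS_DENIED;
  return GRUB_ERR_NONE;
}

struct grub_file_verifier hash_verifier = {
  "hash_allowlist", hv_init, hv_write, hv_fini, hv_close, hv_verify_string
};

/* Driver (assumption: a simplified stand-in for the framework's loop): init,
 * write per chunk unless SINGLE_CHUNK was requested, fini, close. Returns verdict. */
grub_err_t verify_blob (struct grub_file_verifier *v, const char *path,
                        enum grub_file_type type, const void *data,
                        size_t len, size_t chunk)
{
  struct grub_file f = { path };
  void *ctx = NULL;
  enum grub_verify_flags flags = GRUB_VERIFY_FLAGS_NONE;
  grub_err_t err = v->init (&f, type, &ctx, &flags);
  if (err) return err;
  if (flags & GRUB_VERIFY_FLAGS_SKIP_VERIFICATION) return GRUB_ERR_NONE;
  if (chunk == 0 || (flags & GRUB_VERIFY_FLAGS_SINGLE_CHUNK)) chunk = len;
  const unsigned char *p = data;
  for (size_t off = 0; off < len && !err; off += chunk) {
    size_t n = len - off < chunk ? len - off : chunk;
    err = v->write (ctx, (void *) (p + off), n);
  }
  if (!err && v->fini) err = v->fini (ctx);
  if (v->close) v->close (ctx);
  return err;
}
```

Chunking is invisible to the verdict: feeding "foobar" as "foob" then "ar" still gives ‘fini’ the digest of the whole file, which is why a streaming hash needs no ‘GRUB_VERIFY_FLAGS_SINGLE_CHUNK’; a whole-file signature check would set that bit and do its work in ‘write’ instead.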