[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI
|
From: |
Reto Buerki |
|
Subject: |
grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI |
|
Date: |
Thu, 7 Mar 2024 20:40:08 +0100 |
|
User-agent: |
Mozilla Thunderbird |
Hi,
I'm using grub-mkrescue in combination with the pgp --pubkey feature to
put grub into check_signatures=enforce mode, and to only have signed
data loaded and processed. Something like:
grub-mkrescue --modules='normal pgp' -o test.iso
boot/grub/grub.cfg=grub.cfg boot/grub/grub.cfg.sig=grub.cfg.sig --pubkey
testkey.pub
This used to work with GRUB 2.06 for both efi-x86_64 and pc-i386. With
GRUB 2.12 however, efi-x86_64 does no longer work.
I traced the problem by omitting the --pubkey argument to grub-mkrescue.
It seems that with GRUB 2.12 a special file is used to determine root,
e.g. '(hd0)/.disk/2024-03-07-18-32-41-00.uuid'. This can be seen in the
attached backtrace starting from grub_env_write_root where the correct
root is set in the check_signatures=no configuration.
The relevant information in the backtrace is the command used to find
and set root:
search --set=root --file /.disk/2024-03-07-17-16-00-00.uuid
This correctly sets root to (hd0), whereas with the --pubkey argument,
root remains at (hd0,gpt2) (i.e. fwdevice). The problem seems to be that
this file is not signed, so grub cannot open it. This results in the
following error:
error: no such device: /.disk/2024-03-07-19-09-45-00.uuid.
The file is visible via the grub console however, but 'ls' on it returns:
error: not a directory.
Is this a bug/regression?
Thanks!
Kind regards
- reto
backtrace
Description: Text document
- grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI,
Reto Buerki <=