Re: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI

help-grub

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI

From:	Andrei Borzenkov
Subject:	Re: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI
Date:	Wed, 20 Mar 2024 08:24:05 +0300
User-agent:	Mozilla Thunderbird

On 07.03.2024 22:40, Reto Buerki wrote:

Hi,

I'm using grub-mkrescue in combination with the pgp --pubkey feature to
put grub into check_signatures=enforce mode, and to only have signed
data loaded and processed. Something like:

grub-mkrescue --modules='normal pgp' -o test.iso
boot/grub/grub.cfg=grub.cfg boot/grub/grub.cfg.sig=grub.cfg.sig --pubkey
testkey.pub

This used to work with GRUB 2.06 for both efi-x86_64 and pc-i386. With
GRUB 2.12 however, efi-x86_64 does no longer work.

I traced the problem by omitting the --pubkey argument to grub-mkrescue.

It seems that with GRUB 2.12 a special file is used to determine root,
e.g. '(hd0)/.disk/2024-03-07-18-32-41-00.uuid'. This can be seen in the
attached backtrace starting from grub_env_write_root where the correct
root is set in the check_signatures=no configuration.

The relevant information in the backtrace is the command used to find
and set root:

search --set=root --file /.disk/2024-03-07-17-16-00-00.uuid

This correctly sets root to (hd0), whereas with the --pubkey argument,
root remains at (hd0,gpt2) (i.e. fwdevice). The problem seems to be that
this file is not signed, so grub cannot open it. This results in the
following error:

error: no such device: /.disk/2024-03-07-19-09-45-00.uuid.

The file is visible via the grub console however, but 'ls' on it returns:

error: not a directory.

Is this a bug/regression?

Both. It is regression because the same configuration worked in tehearlier version and it is a bug which was revealed by the code change in2.12.

The 2.06 used search by UUID to find its boot device. 2.12 was changedto search for a token file under some platforms:


Author: Pete Batard <pete@akeo.ie>
Date:   Fri Nov 25 17:22:17 2022 +0000

util/grub-mkrescue: Search by file UUID rather than partition UUIDfor EFI boot

but the code that verifies signatures was only adjusted for Secure Bootverifier:


grub-core/commands/search.c:iterate_device()
...
      file = grub_file_open (buf, GRUB_FILE_TYPE_FS_SEARCH
                             | GRUB_FILE_TYPE_NO_DECOMPRESS);
...


grub-core/kern/efi/sb.c:shim_lock_verifier_init()
...
  switch (type & GRUB_FILE_TYPE_MASK)
    {
...
    case GRUB_FILE_TYPE_FS_SEARCH:
...
      *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
      return GRUB_ERR_NONE;



But PGP verifier does not have any special handling for different filetypes.

Arguably, at least in this case the check should be in the verifierframework itself and not pushed down into individual verifier.

[Prev in Thread]

Current Thread

[Next in Thread]

grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI, Reto Buerki, 2024/03/07
- Re: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI, Andrei Borzenkov <=
  - Re: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI, Reto Buerki, 2024/03/20
    - Re: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI, Andrei Borzenkov, 2024/03/20
    - Re: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI, Reto Buerki, 2024/03/20

Prev by Date: Re: GRUB install issue
Next by Date: Re: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI
Previous by thread: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI
Next by thread: Re: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI
Index(es):
- Date
- Thread