help-grub

Re: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI


From: Reto Buerki
Subject: Re: grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI
Date: Wed, 20 Mar 2024 10:16:08 +0100
User-agent: Mozilla Thunderbird

On 3/20/24 06:24, Andrei Borzenkov wrote:
On 07.03.2024 22:40, Reto Buerki wrote:
Hi,

I'm using grub-mkrescue in combination with the pgp --pubkey feature to
put grub into check_signatures=enforce mode, and to only have signed
data loaded and processed. Something like:

grub-mkrescue --modules='normal pgp' -o test.iso \
    boot/grub/grub.cfg=grub.cfg boot/grub/grub.cfg.sig=grub.cfg.sig \
    --pubkey testkey.pub

This used to work with GRUB 2.06 for both efi-x86_64 and pc-i386. With
GRUB 2.12 however, efi-x86_64 no longer works.

I traced the problem by omitting the --pubkey argument to grub-mkrescue.

It seems that with GRUB 2.12 a special file is used to determine root,
e.g. '(hd0)/.disk/2024-03-07-18-32-41-00.uuid'. This can be seen in the
attached backtrace starting from grub_env_write_root where the correct
root is set in the check_signatures=no configuration.

The relevant information in the backtrace is the command used to find
and set root:

search --set=root --file /.disk/2024-03-07-17-16-00-00.uuid

This correctly sets root to (hd0), whereas with the --pubkey argument,
root remains at (hd0,gpt2) (i.e. fwdevice). The problem seems to be that
this file is not signed, so grub cannot open it. This results in the
following error:

error: no such device: /.disk/2024-03-07-19-09-45-00.uuid.

The file is visible via the grub console however, but 'ls' on it returns:

error: not a directory.

Is this a bug/regression?

Both. It is a regression because the same configuration worked in the earlier version and it is a bug which was revealed by the code change in 2.12.

Thanks for the confirmation. I already forwarded my mail to bug-grub, but I'm not sure it worked correctly (no bug # assigned yet).

The 2.06 used search by UUID to find its boot device. 2.12 was changed to search for a token file under some platforms:

Author: Pete Batard <pete@akeo.ie>
Date:   Fri Nov 25 17:22:17 2022 +0000

    util/grub-mkrescue: Search by file UUID rather than partition UUID for EFI boot

but the code that verifies signatures was only adjusted for Secure Boot verifier:

grub-core/commands/search.c:iterate_device()
...
       file = grub_file_open (buf, GRUB_FILE_TYPE_FS_SEARCH
                              | GRUB_FILE_TYPE_NO_DECOMPRESS);
...


grub-core/kern/efi/sb.c:shim_lock_verifier_init()
...
   switch (type & GRUB_FILE_TYPE_MASK)
     {
...
     case GRUB_FILE_TYPE_FS_SEARCH:
...
       *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
       return GRUB_ERR_NONE;



But PGP verifier does not have any special handling for different filetypes.

Arguably, at least in this case the check should be in the verifier framework itself and not pushed down into individual verifier.

Thanks for the detailed explanation of the issue! Reverting commit b7ec14c88645 serves as a workaround in our use case, until the issue is fixed. Thanks!

- reto
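
The design point raised in this thread, as an added example that is not part of the original messages and is not GRUB source: a simplified C model of verifier dispatch in which one verifier exempts search probes itself, a pgp-like verifier does not, and a framework-level exemption makes the outcome independent of the individual verifier. All model_ and MODEL_ names are hypothetical, and the model assumes a search probe only tests whether the file can be opened.

```c
#include <stdio.h>

/* Simplified model, NOT GRUB source: all model_ and MODEL_ names are hypothetical. */
enum model_type { MODEL_TYPE_CONFIG = 1, MODEL_TYPE_FS_SEARCH = 2 };
enum model_err { MODEL_OK = 0, MODEL_BAD_SIGNATURE = 1 };
struct model_file { const char *path; enum model_type type; int has_sig; };
typedef enum model_err (*model_verifier)(const struct model_file *f);

/* shim_lock-like: exempts search probes itself (the sb.c case quoted in the thread). */
static enum model_err shim_like(const struct model_file *f) {
  if (f->type == MODEL_TYPE_FS_SEARCH) return MODEL_OK;
  return f->has_sig ? MODEL_OK : MODEL_BAD_SIGNATURE;
}

/* pgp-like: no per-type handling, so every open needs a valid detached signature. */
static enum model_err pgp_like(const struct model_file *f) {
  return f->has_sig ? MODEL_OK : MODEL_BAD_SIGNATURE;
}

/* Dispatch as described in the thread: the skip decision is left to each verifier. */
static enum model_err open_per_verifier(const struct model_file *f,
                                        const model_verifier *v, int n) {
  for (int i = 0; i < n; i++) {
    enum model_err e = v[i](f);
    if (e != MODEL_OK) return e;   /* first refusing verifier fails the open */
  }
  return MODEL_OK;
}

/* Variant suggested in the thread: the framework exempts search probes once. */
static enum model_err open_framework_skip(const struct model_file *f,
                                          const model_verifier *v, int n) {
  if (f->type == MODEL_TYPE_FS_SEARCH) return MODEL_OK;
  return open_per_verifier(f, v, n);
}

int main(void) {
  const model_verifier enforce[] = { shim_like, pgp_like };
  /* Constructed sample files: an unsigned search token and an unsigned config. */
  struct model_file token = { "/.disk/TOKEN.uuid", MODEL_TYPE_FS_SEARCH, 0 };
  struct model_file cfg = { "/boot/grub/grub.cfg", MODEL_TYPE_CONFIG, 0 };
  printf("token, per-verifier skip:  %d\n", open_per_verifier(&token, enforce, 2));
  printf("token, framework skip:     %d\n", open_framework_skip(&token, enforce, 2));
  printf("config, framework skip:    %d\n", open_framework_skip(&cfg, enforce, 2));
  return 0;
}
```

In the model the unsigned token is refused only when the pgp-like verifier takes part in per-verifier dispatch, while an unsigned config file is refused in both variants.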


