Hi,
The issue has been discussed in a help-grub thread [1], re-posting it
here as it's a bug/regression in GRUB 2.12. Further analysis from Andrei
Borzenkov can be found @ [2].
I'm using grub-mkrescue in combination with the pgp --pubkey feature to
put grub into check_signatures=enforce mode, and to only have signed
data loaded and processed. Something like:
grub-mkrescue --modules='normal pgp' -o test.iso boot/grub/grub.cfg=grub.cfg boot/grub/grub.cfg.sig=grub.cfg.sig --pubkey testkey.pub
This used to work with GRUB 2.06 for both efi-x86_64 and pc-i386. With
GRUB 2.12, however, efi-x86_64 no longer works.
I traced the problem by omitting the --pubkey argument to grub-mkrescue.
It seems that with GRUB 2.12 a special file is used to determine root,
e.g. '(hd0)/.disk/2024-03-07-18-32-41-00.uuid'. This can be seen in the
attached backtrace starting from grub_env_write_root where the correct
root is set in the check_signatures=no configuration.
The relevant information in the backtrace is the command used to find
and set root:
search --set=root --file /.disk/2024-03-07-17-16-00-00.uuid
This correctly sets root to (hd0), whereas with the --pubkey argument,
root remains at (hd0,gpt2) (i.e. fwdevice). The problem seems to be that
this file is not signed, so grub cannot open it. This results in the
following error:
error: no such device: /.disk/2024-03-07-19-09-45-00.uuid.
The file is visible via the grub console however, but 'ls' on it returns:
error: not a directory.
Kind regards
Reto Buerki
[1] - https://lists.gnu.org/archive/html/help-grub/2024-03/msg00004.html
[2] - https://lists.gnu.org/archive/html/help-grub/2024-03/msg00007.html
#0 grub_env_write_root (var=0x7be32e20, val=0x7feca590 "hd0") at kern/main.c:104
#1 0x000000007e31af15 in grub_env_set (name=<optimized out>, val=val@entry=0x7feca590 "hd0") at kern/env.c:93
#2 0x000000007be37adc in iterate_device (name=0x7feca590 "hd0", data=0x7feca630) at commands/search.c:178
#3 0x000000007e316e53 in iterate_disk (disk_name=0x7feca590 "hd0", data=0x7feca5e8) at kern/device.c:147
#4 0x000000007e3155ff in grub_efidisk_iterate (hook=0x7e316e2e <iterate_disk>, hook_data=0x7feca5e8, pull=<optimized out>) at disk/efi/efidisk.c:414
#5 0x000000007e316f7a in grub_disk_dev_iterate (hook=0x7e316e2e <iterate_disk>, hook_data=0x7feca5e8) at ../include/grub/disk.h:245
#6 grub_device_iterate (hook=hook@entry=0x7be37940 <iterate_device>, hook_data=hook_data@entry=0x7feca630) at kern/device.c:193
#7 0x000000007be37cc9 in try (ctx=ctx@entry=0x7feca630) at commands/search.c:280
#8 0x000000007be37df1 in grub_search_fs_file (key=0x7be324b9 "/.disk/2024-03-07-17-16-00-00.uuid", var=<optimized out>, flags=<optimized out>, hints=<optimized out>, nhints=<optimized out>) at commands/search.c:303
#9 0x000000007be36555 in grub_cmd_search (ctxt=<optimized out>, argc=1, args=0x7be32140) at commands/search_wrap.c:197
#10 0x000000007bef1038 in grub_extcmd_dispatcher (cmd=<optimized out>, argc=3, args=0x7be32308, script=<optimized out>) at commands/extcmd.c:55
#11 0x000000007e31fa5a in grub_rescue_parse_line (line=line@entry=0x7be32ac0 "search --set=root --file /.disk/2024-03-07-17-16-00-00.uuid", getline=getline@entry=0x7e31edd3 <grub_parser_execute_getline>, getline_data=getline_data@entry=0x7feca7b8) at kern/rescue_parser.c:75
#12 0x000000007e31f42c in grub_parser_execute (source=<optimized out>) at kern/parser.c:338
#13 0x000000007e31ca1a in grub_main () at kern/main.c:326
#14 0x000000007e315017 in start () at startup.S:34
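
Added example, not part of the original message and not GRUB code: a presence audit for an extracted image tree that lists every file lacking a detached "<file>.sig" beside it, which is how an unsigned file like the .uuid marker above can be spotted before booting with check_signatures=enforce. The function names and the sample tree are constructed for illustration; the .uuid name is the one from the error message above, and the check assumes the "<file>.sig" naming used by the grub.cfg / grub.cfg.sig pair in the command above.

```shell
#!/bin/sh
# Print, relative to the tree root, every regular file that has no
# "<file>.sig" next to it. This checks presence only; it does not verify
# that a signature is valid or made with the key given to --pubkey.
unsigned_files() {
    root=$1
    (
        cd "$root" || exit 1
        find . -type f ! -name '*.sig' | sed 's|^\./||' | LC_ALL=C sort |
        while IFS= read -r f; do
            [ -f "$f.sig" ] || printf '%s\n' "$f"
        done
    )
}

# Constructed sample tree: a signed grub.cfg plus an unsigned .uuid
# marker file, mirroring the layout described in the report.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/boot/grub" "$t/.disk"
    : > "$t/boot/grub/grub.cfg"
    : > "$t/boot/grub/grub.cfg.sig"
    : > "$t/.disk/2024-03-07-19-09-45-00.uuid"
    printf '%s\n' "$t"
}

# With a directory argument, audit that tree; otherwise audit the sample.
if [ -d "${1:-}" ]; then
    unsigned_files "$1"
else
    sample=$(make_sample_tree) && unsigned_files "$sample"
    rm -rf "$sample"
fi
```

Run against the mounted or extracted contents of the generated ISO, any path it prints is a file GRUB would be asked to read without a signature to check.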