grub-mkrescue with pgp --pubkey might be broken in grub 2.12 on EFI

[Reto Buerki]

Hi,

The issue has been discussed in a help-grub thread [1], re-posting it 
here as it's a bug/regression in GRUB 2.12. Further analysis from Andrei 
Borzenkov can be found @ [2].

I'm using grub-mkrescue in combination with the pgp --pubkey feature to 
put grub into check_signatures=enforce mode, and to only have signed 
data loaded and processed. Something like:

grub-mkrescue --modules='normal pgp' -o test.iso 
boot/grub/grub.cfg=grub.cfg boot/grub/grub.cfg.sig=grub.cfg.sig --pubkey 
testkey.pub

This used to work with GRUB 2.06 for both efi-x86_64 and pc-i386. With 
GRUB 2.12 however, efi-x86_64 does no longer work.

I traced the problem by omitting the --pubkey argument to grub-mkrescue.

It seems that with GRUB 2.12 a special file is used to determine root, 
e.g. '(hd0)/.disk/2024-03-07-18-32-41-00.uuid'. This can be seen in the 
attached backtrace starting from grub_env_write_root where the correct 
root is set in the check_signatures=no configuration.

The relevant information in the backtrace is the command used to find 
and set root:

search --set=root --file /.disk/2024-03-07-17-16-00-00.uuid

This correctly sets root to (hd0), whereas with the --pubkey argument, 
root remains at (hd0,gpt2) (i.e. fwdevice). The problem seems to be that 
this file is not signed, so grub cannot open it. This results in the 
following error:

error: no such device: /.disk/2024-03-07-19-09-45-00.uuid.

The file is visible via the grub console however, but 'ls' on it returns:

error: not a directory.

Kind regards

Reto Buerki

[1] - https://lists.gnu.org/archive/html/help-grub/2024-03/msg00004.html
[2] - https://lists.gnu.org/archive/html/help-grub/2024-03/msg00007.html

backtrace
Description: Text document