Bug#923593: grub-common: update-grub creates menu entries for gpg detached signatures of kernels
Matt Patey
mdpf0j+dbugs at patey.me
Sat Mar 2 16:32:20 GMT 2019
Package: grub-common
Version: 2.02+dfsg1-12
Severity: normal
Tags: patch
Dear Maintainer,
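When `check_signatures` is set to `enforce`, GRUB looks for and verifies a
detached GPG signature for each kernel before loading it. Each signature sits
next to the file it covers and has the same name plus the extension .sig (for
example /boot/vmlinuz-4.19.0-2-amd64.sig).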
When detached signatures are present, `update-grub` mistakenly identifies them
as kernels and initrd images and creates invalid menu entries for them.
Expected behaviour:
admin at lpad:~$ sudo update-grub
Generating grub configuration file ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-4.19.0-2-amd64
Found initrd image: /boot/initrd.img-4.19.0-2-amd64
Found linux image: /boot/vmlinuz-4.19.0-1-amd64
Found initrd image: /boot/initrd.img-4.19.0-1-amd64
done
Observed behaviour:
admin at lpad:~$ sudo update-grub
Generating grub configuration file ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-4.19.0-2-amd64.sig
Found initrd image: /boot/initrd.img-4.19.0-2-amd64.sig
Found linux image: /boot/vmlinuz-4.19.0-2-amd64
Found initrd image: /boot/initrd.img-4.19.0-2-amd64
Found linux image: /boot/vmlinuz-4.19.0-1-amd64.sig
Found initrd image: /boot/initrd.img-4.19.0-1-amd64.sig
Found linux image: /boot/vmlinuz-4.19.0-1-amd64
Found initrd image: /boot/initrd.img-4.19.0-1-amd64
done
I've attached a patch to /usr/share/grub-mkconfig_lib that fixes this.
-- Package-specific info:
*********************** BEGIN /proc/mounts
/dev/mapper/matrix-rootvol / ext4 rw,relatime,errors=remount-ro 0 0
/dev/mapper/matrix-homevol /home ext4 rw,relatime 0 0
/dev/sda2 /boot ext4 rw,relatime 0 0
/dev/mapper/matrix-optvol /opt ext4 rw,relatime 0 0
*********************** END /proc/mounts
*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
set have_grubenv=true
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod part_msdos
insmod ext2
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
else
search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
fi
font="/grub/unicode.pf2"
fi
if loadfont $font ; then
set gfxmode=auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_GB
insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
set timeout=30
else
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/05_debian_theme ###
insmod part_msdos
insmod ext2
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
else
search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
fi
insmod png
if background_image /grub/.background_cache.png; then
set color_normal=white/black
set color_highlight=black/white
else
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###
### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
else
search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
fi
echo 'Loading Linux 4.19.0-2-amd64 ...'
linux /vmlinuz-4.19.0-2-amd64 root=/dev/mapper/matrix-rootvol ro intremap=off quiet
echo 'Loading initial ramdisk ...'
initrd /initrd.img-4.19.0-2-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
menuentry 'Debian GNU/Linux, with Linux 4.19.0-2-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-2-amd64-advanced-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
else
search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
fi
echo 'Loading Linux 4.19.0-2-amd64 ...'
linux /vmlinuz-4.19.0-2-amd64 root=/dev/mapper/matrix-rootvol ro intremap=off quiet
echo 'Loading initial ramdisk ...'
initrd /initrd.img-4.19.0-2-amd64
}
menuentry 'Debian GNU/Linux, with Linux 4.19.0-2-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-2-amd64-recovery-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
else
search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
fi
echo 'Loading Linux 4.19.0-2-amd64 ...'
linux /vmlinuz-4.19.0-2-amd64 root=/dev/mapper/matrix-rootvol ro single
echo 'Loading initial ramdisk ...'
initrd /initrd.img-4.19.0-2-amd64
}
menuentry 'Debian GNU/Linux, with Linux 4.19.0-1-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-1-amd64-advanced-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
else
search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
fi
echo 'Loading Linux 4.19.0-1-amd64 ...'
linux /vmlinuz-4.19.0-1-amd64 root=/dev/mapper/matrix-rootvol ro intremap=off quiet
echo 'Loading initial ramdisk ...'
initrd /initrd.img-4.19.0-1-amd64
}
menuentry 'Debian GNU/Linux, with Linux 4.19.0-1-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-1-amd64-recovery-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
else
search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
fi
echo 'Loading Linux 4.19.0-1-amd64 ...'
linux /vmlinuz-4.19.0-1-amd64 root=/dev/mapper/matrix-rootvol ro single
echo 'Loading initial ramdisk ...'
initrd /initrd.img-4.19.0-1-amd64
}
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/30_uefi-firmware ###
### END /etc/grub.d/30_uefi-firmware ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
*********************** END /boot/grub/grub.cfg
*********************** BEGIN /proc/mdstat
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
unused devices: <none>
*********************** END /proc/mdstat
*********************** BEGIN /dev/disk/by-id
total 0
lrwxrwxrwx 1 root root 9 Mar 2 14:13 ata-Samsung_SSD_850_EVO_500GB_S2RBNB0HC08863E -> ../../sda
lrwxrwxrwx 1 root root 10 Mar 2 14:13 ata-Samsung_SSD_850_EVO_500GB_S2RBNB0HC08863E-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Mar 2 14:13 ata-Samsung_SSD_850_EVO_500GB_S2RBNB0HC08863E-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 Mar 2 14:13 dm-name-matrix-homevol -> ../../dm-2
lrwxrwxrwx 1 root root 10 Mar 2 14:13 dm-name-matrix-optvol -> ../../dm-3
lrwxrwxrwx 1 root root 10 Mar 2 14:13 dm-name-matrix-rootvol -> ../../dm-1
lrwxrwxrwx 1 root root 10 Mar 2 14:13 dm-name-matrix-swapvol -> ../../dm-4
lrwxrwxrwx 1 root root 10 Mar 2 14:13 dm-name-sda1_crypt -> ../../dm-0
lrwxrwxrwx 1 root root 10 Mar 2 14:13 dm-uuid-CRYPT-LUKS1-c2c4c07b56ed4e3297994be23f4c71a6-sda1_crypt -> ../../dm-0
lrwxrwxrwx 1 root root 10 Mar 2 14:13 dm-uuid-LVM-axmwTJ96KHBjRB73lZHfddPlKkI3Of6s4Kjo0jjmqO87VTCfeBfFBAD5TfXiNYeG -> ../../dm-4
lrwxrwxrwx 1 root root 10 Mar 2 14:13 dm-uuid-LVM-axmwTJ96KHBjRB73lZHfddPlKkI3Of6sUT5SUy8vnvltqRSi8GmnP9xAfXIWadec -> ../../dm-2
lrwxrwxrwx 1 root root 10 Mar 2 14:13 dm-uuid-LVM-axmwTJ96KHBjRB73lZHfddPlKkI3Of6sqziiBIv7dBQJrBH7Efj497lNXJTdDg50 -> ../../dm-3
lrwxrwxrwx 1 root root 10 Mar 2 14:13 dm-uuid-LVM-axmwTJ96KHBjRB73lZHfddPlKkI3Of6swpcQiCNBJeCJIXnsg0pNUcv1GKZ2nIUX -> ../../dm-1
lrwxrwxrwx 1 root root 10 Mar 2 14:13 lvm-pv-uuid-IAC7T9-7NPV-1I5g-3oBU-6oiB-Xlyx-Y14ac6 -> ../../dm-0
lrwxrwxrwx 1 root root 9 Mar 2 14:13 wwn-0x5002538d419b8c86 -> ../../sda
lrwxrwxrwx 1 root root 10 Mar 2 14:13 wwn-0x5002538d419b8c86-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Mar 2 14:13 wwn-0x5002538d419b8c86-part2 -> ../../sda2
*********************** END /dev/disk/by-id
*********************** BEGIN /dev/disk/by-uuid
total 0
lrwxrwxrwx 1 root root 10 Mar 2 14:13 02a861cb-d2c1-4358-8132-8dedd88fb6d0 -> ../../dm-1
lrwxrwxrwx 1 root root 10 Mar 2 14:13 4cb8080f-d5d7-41b5-838d-7eba041bd63a -> ../../dm-3
lrwxrwxrwx 1 root root 10 Mar 2 14:13 c25115c2-53f1-4eba-a73e-48c932fa7168 -> ../../sda2
lrwxrwxrwx 1 root root 10 Mar 2 14:13 c2c4c07b-56ed-4e32-9799-4be23f4c71a6 -> ../../sda1
lrwxrwxrwx 1 root root 10 Mar 2 14:13 d8ced9c0-e5fc-4c00-be3e-a02e3839f98f -> ../../dm-2
lrwxrwxrwx 1 root root 10 Mar 2 14:13 e1ac5127-9a30-4e51-8ea1-4e78b1d0fce6 -> ../../dm-4
*********************** END /dev/disk/by-uuid
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing'), (10, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages grub-common depends on:
ii gettext-base 0.19.8.1-9
ii libc6 2.28-7
ii libdevmapper1.02.1 2:1.02.155-2
ii libfreetype6 2.9.1-3
ii libfuse2 2.9.9-1
ii liblzma5 5.2.4-1
Versions of packages grub-common recommends:
ii os-prober 1.77
Versions of packages grub-common suggests:
ii console-setup 1.188
ii desktop-base 10.0.0
pn grub-emu <none>
pn multiboot-doc <none>
pn xorriso <none>
-- no debconf information
-------------- next part --------------
--- grub-mkconfig_lib.orig 2019-03-01 12:34:45.000000000 +0000
+++ grub-mkconfig_lib 2019-03-02 16:04:26.870791616 +0000
@@ -212,6 +212,7 @@
*.dpkg-*) return 1 ;; # debian dpkg
*.rpmsave|*.rpmnew) return 1 ;;
README*|*/README*) return 1 ;; # documentation
+ *.sig) return 1 ;; # GPG detached signature
esac
else
return 1
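Review bot: The comment on the added `*.sig` arm names the file type but not why such files sit next to the kernels, so a later reader cannot tell whether the suffix is a local convention or one GRUB itself expects. A fuller comment such as `# detached signature GRUB reads when check_signatures=enforce` would record that. The arm matches on the file name only, so any file ending in .sig is kept out of the menu whether or not it is a valid signature; that looks right for menu generation, since verification happens at boot rather than in update-grub. The case statement and its enclosing function begin and end outside the hunk.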