I'm re-sending this patch and I have tried to make it clearer this time.

When you install grub with the grub-install --pubkey option and set
"check_signatures" in grub.cfg, you can sign and verify kernel images
loaded by grub. Unfortunately, grub-mkconfig detects detached signatures
with the ".sig" extension as valid kernel images and adds them to menuentry
in grub.cfg.

It means that for every signed kernel image grub adds two entries in the
menu, and one of them is obviously invalid. Below are two example files
which will be detected as two kernel images instead of one:

/boot/vmlinuz-4.9-x86_64
/boot/vmlinuz-4.9-x86_64.sig

My patch fixes this behavior by adding the ".sig" filename extension to the
already existing blacklist.

Jordan
------------------

grub-mkconfig detects detached RSA signatures for kernel images used for
signature checking as valid images and adds them to grub.cfg
as separate menuentries. This patch adds .sig extension to common blacklist.

Signed-off-by: Jordan Glover <golden_mille...@protonmail.ch>
---
 util/grub-mkconfig_lib.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in
index 60b31ca..0f801ca 100644
--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -188,6 +188,7 @@ grub_file_is_not_garbage ()
       *.dpkg-*) return 1 ;; # debian dpkg
       *.rpmsave|*.rpmnew) return 1 ;;
       README*|*/README*)  return 1 ;; # documentation
+      *.sig) return 1 ;; # signatures
     esac
   else
     return 1
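
Review bot: the added `*.sig) return 1 ;;` arm is keyed on the file name alone, so every file ending in .sig is dropped from the candidate list, whether or not a matching image (as in the vmlinuz-4.9-x86_64 / vmlinuz-4.9-x86_64.sig pair from the description) sits beside it. That matches how the neighbouring *.dpkg-* and *.rpmsave|*.rpmnew arms work, but the comment `# signatures` should say why the suffix counts as garbage, for example `# detached signatures (check_signatures)`. The commit message could also state that this only keeps the signature file out of the generated menu and changes nothing about what is verified at boot, since the only file touched is util/grub-mkconfig_lib.in.
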
--
2.15.0
From cbb9d14dd5328d29decaa2b057cba1593742b6b2 Mon Sep 17 00:00:00 2001
From: Jordan Glover <golden_mille...@protonmail.ch>
Date: Wed, 1 Nov 2017 19:45:52 +0100
Subject: [PATCH] grub-mkconfig: add .sig files to garbage blacklist

grub-mkconfig detects detached RSA signatures for kernel images used for signature checking as valid images and adds them to grub.cfg
as separate menuentries. This patch adds .sig extension to common blacklist.

Signed-off-by: Jordan Glover <golden_mille...@protonmail.ch>
---
 util/grub-mkconfig_lib.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in
index 60b31ca..0f801ca 100644
--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -188,6 +188,7 @@ grub_file_is_not_garbage ()
       *.dpkg-*) return 1 ;; # debian dpkg
       *.rpmsave|*.rpmnew) return 1 ;;
       README*|*/README*)  return 1 ;; # documentation
+      *.sig) return 1 ;; # signatures
     esac
   else
     return 1
-- 
2.15.0
