jiazhang0/meta-secure-core

Grub embedded config does not always reflect the variable GRUB_SIGN_VERIFY_STRICT

hommeabeil opened this issue · 0 comments

The grub embedded configuration can lead to a cache contamination. Here is how we can reproduce this:

  1. Run a first build with GRUB_SIGN_VERIFY_STRICT=1; this leads to a perfectly valid grub image which will fail to load if the .cfg.sig is not found.
  2. Run a second build, but change GRUB_SIGN_VERIFY_STRICT=0. This will produce an image which will still fail if the .cfg.sig is not found. Moreover, your SSTATE will contain the broken image since the hash is computed with GRUB_SIGN_VERIFY_STRICT=0, but the resulting binary will try to load the signature file.
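The cache contamination above comes down to a task signature that does not cover a variable which changes the task's output. The following is an added, simplified model written for this issue (not BitBake's sstate code and not part of meta-secure-core): it assumes the embedded config switches grub's `check_signatures` between `enforce` and `no` based on GRUB_SIGN_VERIFY_STRICT, and the function names and the GRUB_TARGET variable are invented for illustration. It shows that when GRUB_SIGN_VERIFY_STRICT is missing from the task's vardeps, the second build gets a cache hit and ships the strict image; once the variable is part of the signature, the builds are kept apart.

```python
import hashlib

# Illustrative model of task signatures vs. shared-state reuse, written for
# this issue. It is NOT BitBake; the rendering of the embedded config is an
# assumption modeled on the behaviour the report describes.

def embedded_config(env: dict) -> str:
    """Render the grub embedded config: strict mode makes grub refuse to
    load a .cfg whose .cfg.sig is missing (assumed content)."""
    strict = env.get("GRUB_SIGN_VERIFY_STRICT", "0") == "1"
    return "\n".join([
        "set check_signatures=%s" % ("enforce" if strict else "no"),
        "configfile ($root)/grub.cfg",
    ])

def task_signature(env: dict, vardeps) -> str:
    """Hash only the variables declared as dependencies of the task."""
    h = hashlib.sha256()
    for name in sorted(vardeps):
        h.update(f"{name}={env.get(name, '')}\n".encode())
    return h.hexdigest()

def build(env: dict, vardeps, sstate: dict):
    """Return (config, cache_hit); reuse the cached artifact on a matching signature."""
    sig = task_signature(env, vardeps)
    if sig in sstate:
        return sstate[sig], True
    cfg = embedded_config(env)
    sstate[sig] = cfg
    return cfg, False

def reproduce(vardeps) -> bool:
    """Run the two builds from the report; True if build 2 ships a stale image."""
    sstate = {}
    env1 = {"GRUB_TARGET": "x86_64-efi", "GRUB_SIGN_VERIFY_STRICT": "1"}
    env2 = dict(env1, GRUB_SIGN_VERIFY_STRICT="0")
    build(env1, vardeps, sstate)
    cfg2, hit = build(env2, vardeps, sstate)
    # Stale means: served from cache, but not what the current variables demand.
    return hit and cfg2 != embedded_config(env2)

if __name__ == "__main__":
    print("vardeps without STRICT -> stale image:", reproduce(("GRUB_TARGET",)))
    print("vardeps with STRICT    -> stale image:",
          reproduce(("GRUB_TARGET", "GRUB_SIGN_VERIFY_STRICT")))
```

Running it prints `True` for the first case and `False` for the second, which is the difference between a contaminated and a clean sstate entry.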