Grub embedded config does not always reflect the variable GRUB_SIGN_VERIFY_STRICT
hommeabeil opened this issue · 0 comments
hommeabeil commented
The grub embedded configuration can lead to cache contamination. Here is how we can reproduce this:
- Run a first build with `GRUB_SIGN_VERIFY_STRICT=1`. This leads to a perfectly valid grub image which will fail to load if the `.cfg.sig` is not found.
- Run a second build, but change `GRUB_SIGN_VERIFY_STRICT=0`. This will produce an image which will still fail if the `.cfg.sig` is not found. Moreover, your SSTATE will contain the broken image since the hash is computed with `GRUB_SIGN_VERIFY_STRICT=0`, but the resulting binary will try to load the signature file.