packages/grub/0047-Revert-UBUNTU-Move-verifiers-after-decompressors.patch

From 95cafe6cf7dd2a02bd33ddee624bb9b7c3a931ae Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Tue, 13 Feb 2024 22:21:41 +0000
Subject: [PATCH] Revert "UBUNTU: Move verifiers after decompressors"

We use the PGP verifier to validate the signature of grub.cfg, and do
not want to expose the decompressors to untrusted input.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
---
 include/grub/file.h        | 4 ++--
 tests/file_filter/test.cfg | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/grub/file.h b/include/grub/file.h
index fa23688..96827a4 100644
--- a/include/grub/file.h
+++ b/include/grub/file.h
@@ -180,13 +180,13 @@ extern grub_disk_read_hook_t EXPORT_VAR(grub_file_progress_hook);
 /* Filters with lower ID are executed first.  */
 typedef enum grub_file_filter_id
   {
+    GRUB_FILE_FILTER_VERIFY,
     GRUB_FILE_FILTER_GZIO,
     GRUB_FILE_FILTER_XZIO,
     GRUB_FILE_FILTER_LZOPIO,
+    GRUB_FILE_FILTER_MAX,
     GRUB_FILE_FILTER_COMPRESSION_FIRST = GRUB_FILE_FILTER_GZIO,
     GRUB_FILE_FILTER_COMPRESSION_LAST = GRUB_FILE_FILTER_LZOPIO,
-    GRUB_FILE_FILTER_VERIFY,
-    GRUB_FILE_FILTER_MAX,
   } grub_file_filter_id_t;
 
 typedef grub_file_t (*grub_file_filter_t) (grub_file_t in, enum grub_file_type type);
diff --git a/tests/file_filter/test.cfg b/tests/file_filter/test.cfg
index 17dc4a8..4308aac 100644
--- a/tests/file_filter/test.cfg
+++ b/tests/file_filter/test.cfg
@@ -1,5 +1,5 @@
 trust /keys.pub
-set check_signatures=
+set check_signatures=enforce
 cat /file.gz
 cat /file.xz
 cat /file.lzop
-- 
2.43.0