-
Notifications
You must be signed in to change notification settings - Fork 492
/
0047-Revert-UBUNTU-Move-verifiers-after-decompressors.patch
48 lines (43 loc) · 1.55 KB
/
0047-Revert-UBUNTU-Move-verifiers-after-decompressors.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
From 95cafe6cf7dd2a02bd33ddee624bb9b7c3a931ae Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Tue, 13 Feb 2024 22:21:41 +0000
Subject: [PATCH] Revert "UBUNTU: Move verifiers after decompressors"
We use the PGP verifier to validate the signature of grub.cfg, and do
not want to expose the decompressors to untrusted input.
Signed-off-by: Ben Cressey <bcressey@amazon.com>
---
include/grub/file.h | 4 ++--
tests/file_filter/test.cfg | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/grub/file.h b/include/grub/file.h
index fa23688..96827a4 100644
--- a/include/grub/file.h
+++ b/include/grub/file.h
@@ -180,13 +180,13 @@ extern grub_disk_read_hook_t EXPORT_VAR(grub_file_progress_hook);
/* Filters with lower ID are executed first. */
typedef enum grub_file_filter_id
{
+ GRUB_FILE_FILTER_VERIFY,
GRUB_FILE_FILTER_GZIO,
GRUB_FILE_FILTER_XZIO,
GRUB_FILE_FILTER_LZOPIO,
+ GRUB_FILE_FILTER_MAX,
GRUB_FILE_FILTER_COMPRESSION_FIRST = GRUB_FILE_FILTER_GZIO,
GRUB_FILE_FILTER_COMPRESSION_LAST = GRUB_FILE_FILTER_LZOPIO,
- GRUB_FILE_FILTER_VERIFY,
- GRUB_FILE_FILTER_MAX,
} grub_file_filter_id_t;
typedef grub_file_t (*grub_file_filter_t) (grub_file_t in, enum grub_file_type type);
diff --git a/tests/file_filter/test.cfg b/tests/file_filter/test.cfg
index 17dc4a8..4308aac 100644
--- a/tests/file_filter/test.cfg
+++ b/tests/file_filter/test.cfg
@@ -1,5 +1,5 @@
trust /keys.pub
-set check_signatures=
+set check_signatures=enforce
cat /file.gz
cat /file.xz
cat /file.lzop
--
2.43.0