[SECURITY] GRUB should not auto-guess the root file system drive without a signature/checksum check on the images it loads from it
The `search` command in a GRUB embedded config file should not be used unless the signatures or checksums of the kernel and initramfs that are subsequently loaded from the found device are validated.
`search` selects the first device whose parameters satisfy the query. An attacker with physical access can therefore attach a hidden storage device that carries the same public parameters (UUID, LABEL, the files the query looks for) and have GRUB load a malicious kernel and initramfs from that device, without modifying the original installation media at all.
Either the signatures or checksums of both the kernel and the initramfs are verified before they are loaded, or, for users' local builds, both images must reside on a partition that is non-tamperable (guaranteed once support for the dm-integrity layer of LUKS2 is added to GRUB) or at least not easily tamperable (a LUKS2 partition).
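As an added example (not part of the original report or of GRUB's own documentation), here is the weak form of such an embedded config beside a hardened form that makes GRUB verify detached GPG signatures before it reads the kernel and initramfs. The filesystem UUID 1234-ABCD, the paths /boot/vmlinuz and /boot/initrd.img, and the key file boot.pub are illustrative assumptions; the hardened form assumes that public key was embedded in the core image at build time (`grub-mkstandalone --pubkey=boot.pub ...` or `grub-install --pubkey=boot.pub ...`) and that both images were signed with `gpg --detach-sign`, producing vmlinuz.sig and initrd.img.sig next to them.

```grub
# --- Weak: whichever attached device enumerates first with this UUID wins,
#     and the kernel and initramfs found on it are booted unverified.
#     (Illustrative UUID and paths, not taken from the original report.)
search --no-floppy --fs-uuid --set=root 1234-ABCD
linux  ($root)/boot/vmlinuz root=UUID=1234-ABCD ro
initrd ($root)/boot/initrd.img

# --- Hardened: same search, but with check_signatures enforced GRUB refuses
#     to read any file that lacks a valid detached signature (<file>.sig)
#     made by a key embedded in the core image (grub-mkstandalone --pubkey).
#     A cloned device with the right UUID but an unsigned or re-signed
#     kernel now fails to boot instead of being trusted.
set check_signatures=enforce
export check_signatures
search --no-floppy --fs-uuid --set=root 1234-ABCD
linux  ($root)/boot/vmlinuz root=UUID=1234-ABCD ro
initrd ($root)/boot/initrd.img
```

Two caveats when using the hardened form. First, once `check_signatures=enforce` is set, every file GRUB reads afterwards (modules, fonts, any external grub.cfg) needs a signature too, so sign everything the embedded config will touch. Second, the check is only as strong as the core image it lives in: if the attacker who can attach a drive can also replace the unprotected core image, the embedded config and key go with it, so the core image itself has to be protected by Secure Boot or an equivalent measured/verified boot path. If a checksum list is preferred over signatures, GRUB's `hashsum --hash sha256 --check` can be used the same way, but the sum list must come from the core image (for instance a memdisk), never from the searched device, or the attacker's clone simply ships a matching list.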