linuxboot / heads

A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops, workstations and servers.
https://osresearch.net/
GNU General Public License v2.0

Linux /boot signing script #533

Open itay-grudev opened 5 years ago

itay-grudev commented 5 years ago

I think it is about time that we solve the really annoying problem of initrd mismatch after updates.

We can create a linux package called heads-sign that adds an apt hook and prompts to sign your /boot after an update that involved a kernel or initrd. We can add a grub hook as well.

Right now, if I update my computer, forget that I updated it and reboot I won't know if the initrd (or more rarely kernel) was changed by apt or an adversary.

Also, given that PureOS is running on top of the Debian Buster repository, initrd updates are quite common and this issue is really annoying me.

I tried creating the script once, but I messed it up. Unfortunately I don't think I'm the most qualified person to create a PR for this.

kylerankin commented 5 years ago

When I first started working on integrating Heads into Librem laptops I also ran into this problem. At first I worked to implement just what you describe--an interactive apt trigger that would launch a GUI and walk you through re-signing files in /boot. The problem, though, is that most distributions are moving away from interactive package installation and into things like Packagekit, which reboot, apply system updates in a restricted, safer environment, and then reboot back into the updated system.

Packagekit is explicitly against any interaction when updating packages--it's supposed to be completely non-interactive. This is tricky to address. The approach I've come up with so far and have worked to get into PureOS is an apt hook that non-interactively creates a special log file in /boot that Heads can refer to. This log file simply makes a note of what files apt has updated (similar to the APT history log file that already exists on the system).

Note that Heads does not trust this file. Just that if it exists, it will show information from that file to the user when it detects a change in /boot files, so the user can make an informed decision about whether they think the change is because of those updates.

itay-grudev commented 5 years ago

That's a bummer and definitely less secure. In fact a classy attack would include a realistic-looking log file and a changed initrd. Right now it will say RED - don't do it. Don't give your password and with that Hey, your initrd was changed due to system updates, so it's probably OK.

Do you plan to adopt Packagekit in PureOS? Because if not or not for now we - a hook would do a really nice job.

kylerankin commented 5 years ago

PureOS desktop already uses Packagekit when you get update notifications via the GUI.

With respect to your critique on the security of the approach, handling the lifecycle of signing files in /boot on a system that gets periodic kernel updates (or package updates that update initrd, which are many) is a challenging security problem. In the case of any notification sent to the user, whether within Heads or within your desktop, an attacker with root access could spoof a notification. On the desktop for instance, they could trick you into signing things during a large package update that didn't include initrd changes by triggering the script anyway (or adding their own hook that adds their rootkit while initrd is being generated but before you sign from the desktop). One can think of a lot of plausible-but-complicated-to-execute scenarios like this.

At least in the case of handling the notification within Heads, you are in a more trusted environment, and only displaying some information from a package log. The attacker who modified the files in /boot (including the package log) still cannot control the contents of the message that Heads displays, they can only control that it could list some plausible-looking packages that might be the cause of the change. The skeptical user would still get the alert and may opt not to re-sign files. It's a better approach than what preceded it, which was to just post a scary warning to the Heads user with no context, for what is more likely than not a false positive triggered by a package update.

itay-grudev commented 5 years ago

How about the following alternative. We can introduce the following concept:

  1. User signed boot (maximum trust)
  2. System signed boot (medium trust)

Here is my line of thinking. The updater is already trusted. Right now we trust the generated initrd images and the kernel. So if we store a key somewhere on the machine that only root has access to, the updater can self-sign the modified files (system signed boot).

The attack vector is gaining root access and stealing the key. But if you can do that, you can also compromise the updater, which in turn can compromise the initrd and the kernel. So essentially the security of my proposal is in the worst case equivalent and in the best case superior.

kylerankin commented 5 years ago

I understand your line of thinking, but I'm not convinced that you get any extra security by having a root-owned key with no passphrase that would sign files in /boot. Any attacker who could set up a root kit could also use this key to sign it. The value of having the user sign these files is that it's something an attacker with root can't do as the attacker doesn't have access to the OpenPGP smart card or the user's PIN.

The more I think about it, the more I prefer having these situations handled within the more trusted environment of Heads, instead of within a user's OS. A user who goes through the more common Packagekit-based non-interactive workflow would reboot to update system packages in a very limited single-user environment, immediately reboot, and immediately see the Heads warning and feel comfortable re-signing. Any other instance where they would see that warning would be outside of package updates and rightly make them suspicious.

Your use case of using the command line to update packages is certainly a valid way to do it but it's a method that requires more manual work and expertise. In your case it requires you to reboot immediately whenever you see that the initrd was updated by APT. It also requires OS-specific hooks we'd need to port everywhere. The method I used for PureOS to create a log file in /boot falls back gracefully to a more generic warning in case those hooks aren't in place and the log doesn't exist.

itay-grudev commented 5 years ago

@kylerankin

An attacker with a root kit can just modify update-initramfs to embed a shady binary inside. And you don't check or sign the integrity of the updater. You trust it implicitly. That is why I believe the security of my approach is equivalent.

On the other hand my approach mitigates the attack where an attacker without root kit fakes a valid update and tricks the user into signing their otherwise compromised /boot.

And keep in mind that I don't want to remove the user signed /boot. I just want to complement it. I really like the idea of signing the /boot with an external device with a secure element and that gives you the maximum security. I just want to add the ability for the system to sign the files instead of just logging that they were changed.

Heads could still warn the user that the files were changed in yellow (instead of red) when the system modified the files. And red when both the system and the user don't match.

tlaurion commented 5 years ago

@itay-grudev : I love the idea.

jtmoree-github-com commented 2 years ago

If I understand the conflict between the two proposals it centers around automation including PackageKit. What if we give ourselves the ability to manually update the signatures for now? For those of us not trapped in Packagekit we would apply updates then manually run the sigs update.

> Your use case of using the command line to update packages is certainly a valid way to do it but it's a method that requires more manual work and expertise. In your case it requires you to reboot immediately whenever you see that the initrd was updated by APT

Do you not reboot after kernel updates? I reboot immediately after any update that affects sigs because later I won't remember that an update happened. For example, I rebuilt my system last summer though likely I wasn't compromised. I couldn't remember the last time I updated and didn't want to take any chances.

tlaurion commented 2 years ago

One of the approaches suggested over Qubes was that the OS signs the kernel, xen and initrd. That unfortunately would not prevent grub config to be lessened, changing xen or kernel command line options between two signed boot options.

The ideal there, for Heads at least, would be that the binaries are detached signed by the distribution and included in the packages being deployed so those detached signatures land on /boot and Heads can verify those.

Heads creates kexec_default.* for selected default boot options. Heads could be improved to show differences between what would be signed next and what was signed prior to permitting a resign there.

Other than that, Qubes is also working on UX notifications. It is a problem for everyone: core system upgrades touching kernel, initrd and Xen require an imminent reboot to stay up to date. The solution there might be as simple as reminding the user that he needs to reboot.

Under booted OS, it is possible to reuse trusted installer, keys deployed and repository information to validate one last time prior to reboot to make sure that the integrity of those files match what was deployed. For Qubes being Fedora based for the moment, the integrity validation could be done by calling rpm -V on core system packages to notify the user of authenticity and integrity of the updated core packages prior to a reboot.

Quick PoC:

sudo find /boot|while read entree; do sudo rpm -q --whatprovides "$entree"; done| grep -v "not owned by any package"|sort|uniq | while read package; do sudo rpm -V $package; done| grep -v ".M......."| grep -v ".......T."

Returns no tampered file managed by packages.

Details:

[user@dom0 ~]$ sudo find /boot|while read entree; do sudo rpm -q --whatprovides "$entree"; done| grep -v "not owned by any package"|sort|uniq | while read package; do sudo rpm -V $package; done
.M.......  c /boot/grub2/grub.cfg
.M.......  g /boot/initramfs-5.10.104-3.fc32.qubes.x86_64.img
.......T.    /lib/modules/5.10.104-3.fc32.qubes.x86_64/modules.builtin.alias.bin
.......T.    /lib/modules/5.10.104-3.fc32.qubes.x86_64/modules.builtin.bin
.......T.    /lib/modules/5.10.104-3.fc32.qubes.x86_64/modules.devname
.......T.    /lib/modules/5.10.104-3.fc32.qubes.x86_64/modules.softdep
.M.......  g /boot/initramfs-5.10.109-1.fc32.qubes.x86_64.img
.......T.    /lib/modules/5.10.109-1.fc32.qubes.x86_64/modules.builtin.alias.bin
.......T.    /lib/modules/5.10.109-1.fc32.qubes.x86_64/modules.builtin.bin
.......T.    /lib/modules/5.10.109-1.fc32.qubes.x86_64/modules.devname
.......T.    /lib/modules/5.10.109-1.fc32.qubes.x86_64/modules.softdep
.M.......  g /boot/initramfs-5.10.112-1.fc32.qubes.x86_64.img
.......T.    /lib/modules/5.10.112-1.fc32.qubes.x86_64/modules.builtin.alias.bin
.......T.    /lib/modules/5.10.112-1.fc32.qubes.x86_64/modules.builtin.bin
.......T.    /lib/modules/5.10.112-1.fc32.qubes.x86_64/modules.devname
.......T.    /lib/modules/5.10.112-1.fc32.qubes.x86_64/modules.softdep

Shows files which had minor deployment changes vs what was in packages (Time/Group differences, but no file integrity problems)

[user@dom0 ~]$ sudo find /boot|while read entree; do sudo rpm -q --whatprovides "$entree"; done| grep -v "not owned by any package"|sort|uniq
filesystem-3.14-2.fc32.x86_64
grub2-common-2.04-2.fc32.noarch
grub2-pc-2.04-2.fc32.x86_64
grub2-qubes-theme-5.14.4-2.fc32.x86_64
kernel-5.10.104-3.fc32.qubes.x86_64
kernel-5.10.109-1.fc32.qubes.x86_64
kernel-5.10.112-1.fc32.qubes.x86_64
xen-hypervisor-4.14.4-4.fc32.x86_64

Shows list of packages managing important dom0 core updates files

To synthesise: I think the best approach would be to implement a better UX under OSes to generally inform, and remind, the user that core system packages have been deployed. Deploying additional hooks there to validate integrity prior to rebooting would fix the issue at stake. The point here is that the package manager is the best placed, being already trusted, to validate both integrity and authenticity of deployed package binaries.

Otherwise, documentation here again could fix the issue as well, but is less intuitive. Heads could suggest an unsafe boot for the user to go back in the OS and run those checks manually prior to signing. Where non-intrusive OS notification reminding a reboot is required when core OS components have been upgraded seems the best avenue to me.

@kylerankin ?
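
An added example (not code from the thread or from Heads) that classifies `rpm -V` lines by flag position instead of by pattern: a line with both `M` and `5` set also matches `.M.......`, and the `g` marker denotes a %ghost file such as the initramfs, whose content is not in the package payload, so rpm has no digest for it. The sample lines, paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `rpm -V` output by flag position.
# Flag column order is SM5DLUGTP (Size, Mode, digest, Device, Link, User,
# Group, mTime, caPabilities). The optional letter before the path is the
# file marker: c = config, g = %ghost (content not shipped in the package).

# Constructed sample. The first three lines follow the shapes shown in the
# thread; the last three are made up to exercise the other categories.
sample_rpm_verify() {
cat <<'EOF'
.M.......  c /boot/grub2/grub.cfg
.M.......  g /boot/initramfs-example.img
.......T.    /lib/modules/example/modules.devname
SM5....T.    /boot/vmlinuz-example
missing     /boot/xen-example.gz
..?......    /boot/System.map-example
EOF
}

# The two filters from the PoC in the thread, reproduced for comparison.
poc_filter() {
    grep -v ".M......." | grep -v ".......T."
}

# Reads `rpm -V` output on stdin, prints "<CLASS> <path>" per line:
#   MISSING    file is gone
#   CONTENT    size, digest or symlink target differs from the package
#   UNCHECKED  a test could not be performed (shown as "?")
#   GHOST      %ghost file: rpm cannot vouch for its content at all
#   METADATA   only mode/owner/group/mtime style differences
classify_rpm_verify() {
    awk '
    {
        p = index($0, "/")                 # the path starts at the first slash
        if (p == 0) next
        path = substr($0, p)
        n = split(substr($0, 1, p - 1), f, " ")
        flags = f[1]
        marker = (n > 1) ? f[2] : ""
        if (flags == "missing")
            cls = "MISSING"
        else if (length(flags) != 9)
            next                           # not an rpm -V result line
        else if (substr(flags, 1, 1) == "S" || substr(flags, 3, 1) == "5" || substr(flags, 5, 1) == "L")
            cls = "CONTENT"
        else if (index(flags, "?") > 0)
            cls = "UNCHECKED"
        else if (marker == "g")
            cls = "GHOST"
        else
            cls = "METADATA"
        print cls, path
    }'
}

# Exit status 0 only when no line needs a closer look before re-signing.
rpm_verify_clean() {
    ! classify_rpm_verify | grep -Eq '^(MISSING|CONTENT|UNCHECKED) '
}

# Demo run on the constructed sample.
sample_rpm_verify | classify_rpm_verify
```

On a real system the input would come from the `rpm -V` loop shown in the comment above; GHOST lines still need another source of trust, since the package carries no digest for them.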

tlaurion commented 2 years ago

As a complement to the above, here are the files under /boot which are not managed by any packages

[user@dom0 ~]$ sudo find /boot|while read entree; do sudo rpm -q --whatprovides "$entree"; done| grep "not owned by any package"|sort|uniq
file /boot/.auditing-0 is not owned by any package
file /boot/efi/EFI is not owned by any package
file /boot/efi/EFI/qubes/initramfs-5.10.90-1.fc32.qubes.x86_64.img is not owned by any package
file /boot/efi/EFI/qubes/xen.efi is not owned by any package
file /boot/efi is not owned by any package
file /boot/grub2/device.map is not owned by any package
file /boot/grub2/fonts is not owned by any package
file /boot/grub2/fonts/unicode.pf2 is not owned by any package
file /boot/grub2/grubenv is not owned by any package
file /boot/grub2/i386-pc/acpi.mod is not owned by any package
file /boot/grub2/i386-pc/adler32.mod is not owned by any package
file /boot/grub2/i386-pc/affs.mod is not owned by any package
file /boot/grub2/i386-pc/afs.mod is not owned by any package
file /boot/grub2/i386-pc/ahci.mod is not owned by any package
file /boot/grub2/i386-pc/all_video.mod is not owned by any package
file /boot/grub2/i386-pc/aout.mod is not owned by any package
file /boot/grub2/i386-pc/archelp.mod is not owned by any package
file /boot/grub2/i386-pc/ata.mod is not owned by any package
file /boot/grub2/i386-pc/at_keyboard.mod is not owned by any package
file /boot/grub2/i386-pc/backtrace.mod is not owned by any package
file /boot/grub2/i386-pc/bfs.mod is not owned by any package
file /boot/grub2/i386-pc/biosdisk.mod is not owned by any package
file /boot/grub2/i386-pc/bitmap.mod is not owned by any package
file /boot/grub2/i386-pc/bitmap_scale.mod is not owned by any package
file /boot/grub2/i386-pc/blocklist.mod is not owned by any package
file /boot/grub2/i386-pc/boot.img is not owned by any package
file /boot/grub2/i386-pc/boot.mod is not owned by any package
file /boot/grub2/i386-pc/bsd.mod is not owned by any package
file /boot/grub2/i386-pc/bswap_test.mod is not owned by any package
file /boot/grub2/i386-pc/btrfs.mod is not owned by any package
file /boot/grub2/i386-pc/bufio.mod is not owned by any package
file /boot/grub2/i386-pc/cat.mod is not owned by any package
file /boot/grub2/i386-pc/cbfs.mod is not owned by any package
file /boot/grub2/i386-pc/cbls.mod is not owned by any package
file /boot/grub2/i386-pc/cbmemc.mod is not owned by any package
file /boot/grub2/i386-pc/cbtable.mod is not owned by any package
file /boot/grub2/i386-pc/cbtime.mod is not owned by any package
file /boot/grub2/i386-pc/chain.mod is not owned by any package
file /boot/grub2/i386-pc/cmdline_cat_test.mod is not owned by any package
file /boot/grub2/i386-pc/cmosdump.mod is not owned by any package
file /boot/grub2/i386-pc/cmostest.mod is not owned by any package
file /boot/grub2/i386-pc/cmp.mod is not owned by any package
file /boot/grub2/i386-pc/cmp_test.mod is not owned by any package
file /boot/grub2/i386-pc/command.lst is not owned by any package
file /boot/grub2/i386-pc/configfile.mod is not owned by any package
file /boot/grub2/i386-pc/core.img is not owned by any package
file /boot/grub2/i386-pc/cpio_be.mod is not owned by any package
file /boot/grub2/i386-pc/cpio.mod is not owned by any package
file /boot/grub2/i386-pc/cpuid.mod is not owned by any package
file /boot/grub2/i386-pc/crc64.mod is not owned by any package
file /boot/grub2/i386-pc/cryptodisk.mod is not owned by any package
file /boot/grub2/i386-pc/crypto.lst is not owned by any package
file /boot/grub2/i386-pc/crypto.mod is not owned by any package
file /boot/grub2/i386-pc/cs5536.mod is not owned by any package
file /boot/grub2/i386-pc/ctz_test.mod is not owned by any package
file /boot/grub2/i386-pc/datehook.mod is not owned by any package
file /boot/grub2/i386-pc/date.mod is not owned by any package
file /boot/grub2/i386-pc/datetime.mod is not owned by any package
file /boot/grub2/i386-pc/diskfilter.mod is not owned by any package
file /boot/grub2/i386-pc/disk.mod is not owned by any package
file /boot/grub2/i386-pc/div.mod is not owned by any package
file /boot/grub2/i386-pc/div_test.mod is not owned by any package
file /boot/grub2/i386-pc/dm_nv.mod is not owned by any package
file /boot/grub2/i386-pc/drivemap.mod is not owned by any package
file /boot/grub2/i386-pc/echo.mod is not owned by any package
file /boot/grub2/i386-pc/efiemu.mod is not owned by any package
file /boot/grub2/i386-pc/ehci.mod is not owned by any package
file /boot/grub2/i386-pc/elf.mod is not owned by any package
file /boot/grub2/i386-pc/eval.mod is not owned by any package
file /boot/grub2/i386-pc/exfat.mod is not owned by any package
file /boot/grub2/i386-pc/exfctest.mod is not owned by any package
file /boot/grub2/i386-pc/ext2.mod is not owned by any package
file /boot/grub2/i386-pc/extcmd.mod is not owned by any package
file /boot/grub2/i386-pc/f2fs.mod is not owned by any package
file /boot/grub2/i386-pc/fat.mod is not owned by any package
file /boot/grub2/i386-pc/file.mod is not owned by any package
file /boot/grub2/i386-pc/font.mod is not owned by any package
file /boot/grub2/i386-pc/freedos.mod is not owned by any package
file /boot/grub2/i386-pc/fshelp.mod is not owned by any package
file /boot/grub2/i386-pc/fs.lst is not owned by any package
file /boot/grub2/i386-pc/functional_test.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_arcfour.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_blowfish.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_camellia.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_cast5.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_crc.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_des.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_dsa.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_idea.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_md4.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_md5.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_rfc2268.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_rijndael.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_rmd160.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_rsa.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_seed.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_serpent.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_sha1.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_sha256.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_sha512.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_tiger.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_twofish.mod is not owned by any package
file /boot/grub2/i386-pc/gcry_whirlpool.mod is not owned by any package
file /boot/grub2/i386-pc/gdb.mod is not owned by any package
file /boot/grub2/i386-pc/geli.mod is not owned by any package
file /boot/grub2/i386-pc/gettext.mod is not owned by any package
file /boot/grub2/i386-pc/gfxmenu.mod is not owned by any package
file /boot/grub2/i386-pc/gfxterm_background.mod is not owned by any package
file /boot/grub2/i386-pc/gfxterm_menu.mod is not owned by any package
file /boot/grub2/i386-pc/gfxterm.mod is not owned by any package
file /boot/grub2/i386-pc/gptsync.mod is not owned by any package
file /boot/grub2/i386-pc/gzio.mod is not owned by any package
file /boot/grub2/i386-pc/halt.mod is not owned by any package
file /boot/grub2/i386-pc/hashsum.mod is not owned by any package
file /boot/grub2/i386-pc/hdparm.mod is not owned by any package
file /boot/grub2/i386-pc/hello.mod is not owned by any package
file /boot/grub2/i386-pc/help.mod is not owned by any package
file /boot/grub2/i386-pc/hexdump.mod is not owned by any package
file /boot/grub2/i386-pc/hfs.mod is not owned by any package
file /boot/grub2/i386-pc/hfspluscomp.mod is not owned by any package
file /boot/grub2/i386-pc/hfsplus.mod is not owned by any package
file /boot/grub2/i386-pc/http.mod is not owned by any package
file /boot/grub2/i386-pc/increment.mod is not owned by any package
file /boot/grub2/i386-pc/iorw.mod is not owned by any package
file /boot/grub2/i386-pc is not owned by any package
file /boot/grub2/i386-pc/iso9660.mod is not owned by any package
file /boot/grub2/i386-pc/jfs.mod is not owned by any package
file /boot/grub2/i386-pc/jpeg.mod is not owned by any package
file /boot/grub2/i386-pc/keylayouts.mod is not owned by any package
file /boot/grub2/i386-pc/keystatus.mod is not owned by any package
file /boot/grub2/i386-pc/ldm.mod is not owned by any package
file /boot/grub2/i386-pc/legacycfg.mod is not owned by any package
file /boot/grub2/i386-pc/legacy_password_test.mod is not owned by any package
file /boot/grub2/i386-pc/linux16.mod is not owned by any package
file /boot/grub2/i386-pc/linux.mod is not owned by any package
file /boot/grub2/i386-pc/loadenv.mod is not owned by any package
file /boot/grub2/i386-pc/loopback.mod is not owned by any package
file /boot/grub2/i386-pc/lsacpi.mod is not owned by any package
file /boot/grub2/i386-pc/lsapm.mod is not owned by any package
file /boot/grub2/i386-pc/lsmmap.mod is not owned by any package
file /boot/grub2/i386-pc/ls.mod is not owned by any package
file /boot/grub2/i386-pc/lspci.mod is not owned by any package
file /boot/grub2/i386-pc/luks.mod is not owned by any package
file /boot/grub2/i386-pc/lvm.mod is not owned by any package
file /boot/grub2/i386-pc/lzopio.mod is not owned by any package
file /boot/grub2/i386-pc/macbless.mod is not owned by any package
file /boot/grub2/i386-pc/macho.mod is not owned by any package
file /boot/grub2/i386-pc/mda_text.mod is not owned by any package
file /boot/grub2/i386-pc/mdraid09_be.mod is not owned by any package
file /boot/grub2/i386-pc/mdraid09.mod is not owned by any package
file /boot/grub2/i386-pc/mdraid1x.mod is not owned by any package
file /boot/grub2/i386-pc/memdisk.mod is not owned by any package
file /boot/grub2/i386-pc/memrw.mod is not owned by any package
file /boot/grub2/i386-pc/minicmd.mod is not owned by any package
file /boot/grub2/i386-pc/minix2_be.mod is not owned by any package
file /boot/grub2/i386-pc/minix2.mod is not owned by any package
file /boot/grub2/i386-pc/minix3_be.mod is not owned by any package
file /boot/grub2/i386-pc/minix3.mod is not owned by any package
file /boot/grub2/i386-pc/minix_be.mod is not owned by any package
file /boot/grub2/i386-pc/minix.mod is not owned by any package
file /boot/grub2/i386-pc/mmap.mod is not owned by any package
file /boot/grub2/i386-pc/moddep.lst is not owned by any package
file /boot/grub2/i386-pc/modinfo.sh is not owned by any package
file /boot/grub2/i386-pc/morse.mod is not owned by any package
file /boot/grub2/i386-pc/mpi.mod is not owned by any package
file /boot/grub2/i386-pc/msdospart.mod is not owned by any package
file /boot/grub2/i386-pc/mul_test.mod is not owned by any package
file /boot/grub2/i386-pc/multiboot2.mod is not owned by any package
file /boot/grub2/i386-pc/multiboot.mod is not owned by any package
file /boot/grub2/i386-pc/nativedisk.mod is not owned by any package
file /boot/grub2/i386-pc/net.mod is not owned by any package
file /boot/grub2/i386-pc/newc.mod is not owned by any package
file /boot/grub2/i386-pc/nilfs2.mod is not owned by any package
file /boot/grub2/i386-pc/normal.mod is not owned by any package
file /boot/grub2/i386-pc/ntfscomp.mod is not owned by any package
file /boot/grub2/i386-pc/ntfs.mod is not owned by any package
file /boot/grub2/i386-pc/ntldr.mod is not owned by any package
file /boot/grub2/i386-pc/odc.mod is not owned by any package
file /boot/grub2/i386-pc/offsetio.mod is not owned by any package
file /boot/grub2/i386-pc/ohci.mod is not owned by any package
file /boot/grub2/i386-pc/part_acorn.mod is not owned by any package
file /boot/grub2/i386-pc/part_amiga.mod is not owned by any package
file /boot/grub2/i386-pc/part_apple.mod is not owned by any package
file /boot/grub2/i386-pc/part_bsd.mod is not owned by any package
file /boot/grub2/i386-pc/part_dfly.mod is not owned by any package
file /boot/grub2/i386-pc/part_dvh.mod is not owned by any package
file /boot/grub2/i386-pc/part_gpt.mod is not owned by any package
file /boot/grub2/i386-pc/partmap.lst is not owned by any package
file /boot/grub2/i386-pc/part_msdos.mod is not owned by any package
file /boot/grub2/i386-pc/part_plan.mod is not owned by any package
file /boot/grub2/i386-pc/part_sun.mod is not owned by any package
file /boot/grub2/i386-pc/part_sunpc.mod is not owned by any package
file /boot/grub2/i386-pc/parttool.lst is not owned by any package
file /boot/grub2/i386-pc/parttool.mod is not owned by any package
file /boot/grub2/i386-pc/password.mod is not owned by any package
file /boot/grub2/i386-pc/password_pbkdf2.mod is not owned by any package
file /boot/grub2/i386-pc/pata.mod is not owned by any package
file /boot/grub2/i386-pc/pbkdf2.mod is not owned by any package
file /boot/grub2/i386-pc/pbkdf2_test.mod is not owned by any package
file /boot/grub2/i386-pc/pcidump.mod is not owned by any package
file /boot/grub2/i386-pc/pci.mod is not owned by any package
file /boot/grub2/i386-pc/pgp.mod is not owned by any package
file /boot/grub2/i386-pc/plan9.mod is not owned by any package
file /boot/grub2/i386-pc/play.mod is not owned by any package
file /boot/grub2/i386-pc/png.mod is not owned by any package
file /boot/grub2/i386-pc/priority_queue.mod is not owned by any package
file /boot/grub2/i386-pc/probe.mod is not owned by any package
file /boot/grub2/i386-pc/procfs.mod is not owned by any package
file /boot/grub2/i386-pc/progress.mod is not owned by any package
file /boot/grub2/i386-pc/pxechain.mod is not owned by any package
file /boot/grub2/i386-pc/pxe.mod is not owned by any package
file /boot/grub2/i386-pc/raid5rec.mod is not owned by any package
file /boot/grub2/i386-pc/raid6rec.mod is not owned by any package
file /boot/grub2/i386-pc/random.mod is not owned by any package
file /boot/grub2/i386-pc/rdmsr.mod is not owned by any package
file /boot/grub2/i386-pc/read.mod is not owned by any package
file /boot/grub2/i386-pc/reboot.mod is not owned by any package
file /boot/grub2/i386-pc/regexp.mod is not owned by any package
file /boot/grub2/i386-pc/reiserfs.mod is not owned by any package
file /boot/grub2/i386-pc/relocator.mod is not owned by any package
file /boot/grub2/i386-pc/romfs.mod is not owned by any package
file /boot/grub2/i386-pc/scsi.mod is not owned by any package
file /boot/grub2/i386-pc/search_fs_file.mod is not owned by any package
file /boot/grub2/i386-pc/search_fs_uuid.mod is not owned by any package
file /boot/grub2/i386-pc/search_label.mod is not owned by any package
file /boot/grub2/i386-pc/search.mod is not owned by any package
file /boot/grub2/i386-pc/sendkey.mod is not owned by any package
file /boot/grub2/i386-pc/serial.mod is not owned by any package
file /boot/grub2/i386-pc/setjmp.mod is not owned by any package
file /boot/grub2/i386-pc/setjmp_test.mod is not owned by any package
file /boot/grub2/i386-pc/setpci.mod is not owned by any package
file /boot/grub2/i386-pc/sfs.mod is not owned by any package
file /boot/grub2/i386-pc/shift_test.mod is not owned by any package
file /boot/grub2/i386-pc/signature_test.mod is not owned by any package
file /boot/grub2/i386-pc/sleep.mod is not owned by any package
file /boot/grub2/i386-pc/sleep_test.mod is not owned by any package
file /boot/grub2/i386-pc/spkmodem.mod is not owned by any package
file /boot/grub2/i386-pc/squash4.mod is not owned by any package
file /boot/grub2/i386-pc/strtoull_test.mod is not owned by any package
file /boot/grub2/i386-pc/syslinuxcfg.mod is not owned by any package
file /boot/grub2/i386-pc/tar.mod is not owned by any package
file /boot/grub2/i386-pc/terminal.lst is not owned by any package
file /boot/grub2/i386-pc/terminal.mod is not owned by any package
file /boot/grub2/i386-pc/terminfo.mod is not owned by any package
file /boot/grub2/i386-pc/test_blockarg.mod is not owned by any package
file /boot/grub2/i386-pc/testload.mod is not owned by any package
file /boot/grub2/i386-pc/test.mod is not owned by any package
file /boot/grub2/i386-pc/testspeed.mod is not owned by any package
file /boot/grub2/i386-pc/tftp.mod is not owned by any package
file /boot/grub2/i386-pc/tga.mod is not owned by any package
file /boot/grub2/i386-pc/time.mod is not owned by any package
file /boot/grub2/i386-pc/trig.mod is not owned by any package
file /boot/grub2/i386-pc/tr.mod is not owned by any package
file /boot/grub2/i386-pc/truecrypt.mod is not owned by any package
file /boot/grub2/i386-pc/true.mod is not owned by any package
file /boot/grub2/i386-pc/udf.mod is not owned by any package
file /boot/grub2/i386-pc/ufs1_be.mod is not owned by any package
file /boot/grub2/i386-pc/ufs1.mod is not owned by any package
file /boot/grub2/i386-pc/ufs2.mod is not owned by any package
file /boot/grub2/i386-pc/uhci.mod is not owned by any package
file /boot/grub2/i386-pc/usb_keyboard.mod is not owned by any package
file /boot/grub2/i386-pc/usb.mod is not owned by any package
file /boot/grub2/i386-pc/usbms.mod is not owned by any package
file /boot/grub2/i386-pc/usbserial_common.mod is not owned by any package
file /boot/grub2/i386-pc/usbserial_ftdi.mod is not owned by any package
file /boot/grub2/i386-pc/usbserial_pl2303.mod is not owned by any package
file /boot/grub2/i386-pc/usbserial_usbdebug.mod is not owned by any package
file /boot/grub2/i386-pc/usbtest.mod is not owned by any package
file /boot/grub2/i386-pc/vbe.mod is not owned by any package
file /boot/grub2/i386-pc/verifiers.mod is not owned by any package
file /boot/grub2/i386-pc/vga.mod is not owned by any package
file /boot/grub2/i386-pc/vga_text.mod is not owned by any package
file /boot/grub2/i386-pc/video_bochs.mod is not owned by any package
file /boot/grub2/i386-pc/video_cirrus.mod is not owned by any package
file /boot/grub2/i386-pc/video_colors.mod is not owned by any package
file /boot/grub2/i386-pc/video_fb.mod is not owned by any package
file /boot/grub2/i386-pc/videoinfo.mod is not owned by any package
file /boot/grub2/i386-pc/video.lst is not owned by any package
file /boot/grub2/i386-pc/video.mod is not owned by any package
file /boot/grub2/i386-pc/videotest_checksum.mod is not owned by any package
file /boot/grub2/i386-pc/videotest.mod is not owned by any package
file /boot/grub2/i386-pc/wrmsr.mod is not owned by any package
file /boot/grub2/i386-pc/xfs.mod is not owned by any package
file /boot/grub2/i386-pc/xnu.mod is not owned by any package
file /boot/grub2/i386-pc/xnu_uuid.mod is not owned by any package
file /boot/grub2/i386-pc/xnu_uuid_test.mod is not owned by any package
file /boot/grub2/i386-pc/xzio.mod is not owned by any package
file /boot/grub2/i386-pc/zfscrypt.mod is not owned by any package
file /boot/grub2/i386-pc/zfsinfo.mod is not owned by any package
file /boot/grub2/i386-pc/zfs.mod is not owned by any package
file /boot/grub2/i386-pc/zstd.mod is not owned by any package
file /boot/grub2/themes is not owned by any package
file /boot/kexec_default.1.txt is not owned by any package
file /boot/kexec_default_hashes.txt is not owned by any package
file /boot/kexec_hashes.txt is not owned by any package
file /boot/kexec_hotp_counter is not owned by any package
file /boot/kexec_hotp_key is not owned by any package
file /boot/kexec_key_devices.txt is not owned by any package
file /boot/kexec_lukshdr_hash.txt is not owned by any package
file /boot/kexec_rollback.txt is not owned by any package
file /boot/kexec.sig is not owned by any package
file /boot/loader/entries/ab22ef20d85a490f8e042b251de691a9-5.10.104-3.fc32.qubes.x86_64.conf is not owned by any package
file /boot/loader/entries/ab22ef20d85a490f8e042b251de691a9-5.10.109-1.fc32.qubes.x86_64.conf is not owned by any package
file /boot/loader/entries/ab22ef20d85a490f8e042b251de691a9-5.10.112-1.fc32.qubes.x86_64.conf is not owned by any package
file /boot/loader is not owned by any package
file /boot/lost+found is not owned by any package

Where a dom0 core component upgrade having modified /boot could also be validated against Heads digest prior to reboot:

[user@dom0 boot]$ sudo sha256sum -c kexec_hashes.txt | grep -v "OK"
sha256sum: ./System.map-5.10.90-1.fc32.qubes.x86_64: No such file or directory
sha256sum: ./symvers-5.10.90-1.fc32.qubes.x86_64.gz: No such file or directory
./System.map-5.10.90-1.fc32.qubes.x86_64: FAILED open or read
./symvers-5.10.90-1.fc32.qubes.x86_64.gz: FAILED open or read
sha256sum: ./config-5.10.90-1.fc32.qubes.x86_64: No such file or directory
sha256sum: ./loader/entries/ab22ef20d85a490f8e042b251de691a9-5.10.90-1.fc32.qubes.x86_64.conf: No such file or directory
./config-5.10.90-1.fc32.qubes.x86_64: FAILED open or read
./loader/entries/ab22ef20d85a490f8e042b251de691a9-5.10.90-1.fc32.qubes.x86_64.conf: FAILED open or read
sha256sum: ./initramfs-5.10.90-1.fc32.qubes.x86_64.img: No such file or directory
./initramfs-5.10.90-1.fc32.qubes.x86_64.img: FAILED open or read
sha256sum: ./vmlinuz-5.10.90-1.fc32.qubes.x86_64: No such file or directory
./vmlinuz-5.10.90-1.fc32.qubes.x86_64: FAILED open or read
./grub2/grub.cfg: FAILED
sha256sum: WARNING: 6 listed files could not be read
sha256sum: WARNING: 1 computed checksum did NOT match

@itay-grudev @jtmoree-github-com ?

tlaurion commented 2 years ago

So on next reboot, /boot integrity validation will fail because files were removed and grub.cfg was changed.
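
An added example (not part of the thread or of Heads) of a pre-reboot check that separates the cases visible in the `sha256sum -c` output above, removed files versus changed ones, and also lists files that are present but not in the manifest, which `sha256sum -c` never reports. It assumes the manifest holds `sha256sum` lines with `./`-relative paths as in that output; the function names, the demo directory and the `kexec*` exclusion are assumptions for illustration.

```shell
#!/bin/sh
# Added example: compare a sha256sum-style manifest with the current tree.

# diff_boot_manifest BOOT_DIR MANIFEST
# Prints one line per difference:
#   REMOVED path   listed in the manifest, no longer on disk
#   CHANGED path   listed, but the digest differs
#   NEW path       on disk, not listed (kexec* bookkeeping files are skipped,
#                  an assumption made for this example)
diff_boot_manifest() {
    boot=$1
    # Make the manifest path absolute so it survives the cd below.
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    tmp=$(mktemp -d) || return 2
    (
        cd "$boot" || exit 2
        : > "$tmp/listed"
        while read -r want path; do
            path=${path#\*}                  # drop the binary-mode marker
            echo "$path" >> "$tmp/listed"
            if [ ! -f "$path" ]; then
                echo "REMOVED $path"
            elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$want" ]; then
                echo "CHANGED $path"
            fi
        done < "$manifest"
        find . -type f ! -name 'kexec*' | LC_ALL=C sort > "$tmp/present"
        LC_ALL=C sort "$tmp/listed" | LC_ALL=C comm -13 - "$tmp/present" | sed 's/^/NEW /'
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed stand-in for /boot: sign a small tree, then simulate a kernel
# update that removes the old kernel, adds a new one and rewrites grub.cfg.
make_demo_boot() {
    d=$(mktemp -d)
    mkdir -p "$d/grub2"
    echo kernel-old > "$d/vmlinuz-old"
    echo initrd-old > "$d/initramfs-old.img"
    echo 'menuentry old' > "$d/grub2/grub.cfg"
    ( cd "$d" && find . -type f ! -name 'kexec*' | LC_ALL=C sort | xargs sha256sum > kexec_hashes.txt )
    rm "$d/vmlinuz-old"
    echo kernel-new > "$d/vmlinuz-new"
    echo 'menuentry new' > "$d/grub2/grub.cfg"
    echo "$d"
}

# Demo run on the constructed tree.
demo=$(make_demo_boot)
diff_boot_manifest "$demo" "$demo/kexec_hashes.txt"
rm -rf "$demo"
```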