Open
Description
We can reach the same level of protection provided by shim + SELoader but only using PGP signing by leveraging a few spots:
- Fix the -s test flag, which should add the GRUB_FILE_TYPE_SKIP_SIGNATURE flag in order to test the presence of the file, ignoring the signature file in this case (even if it doesn't seem to be a good idea to use it: "-s flaw in grub-efi.cfg?" #97)
- Force the verifier to set grub_errno if it fails to verify (https://github.com/rhboot/grub2/blob/fedora-39/grub-core/kern/verifiers.c#L204)
- Don't let grub_file_open pass on GRUB_ERR_BAD_SIGNATURE (https://github.com/rhboot/grub2/blob/fedora-39/grub-core/kern/file.c#L150): error message, sleep, reboot. This covers all file openings globally, like buffiles, initrd, kernel. Every file opened by grub2 has to be correctly signed (if no GRUB_FILE_TYPE_SKIP_SIGNATURE is set)
- Don't ignore errors on source commands (https://github.com/rhboot/grub2/blob/fedora-39/grub-core/normal/main.c#L287): removing the signature of the sourced file will make the source fail and may completely change the behaviour of the wanted process (even with a fix for "-s flaw in grub-efi.cfg?" #97, the source will not be executed). This is handled by this patch in the case of mok2verify:
Line 571 in c8ffbd6
+#ifdef GRUB_MACHINE_EFI
(I have a patch for this issue, but for the kirkstone branch. I may try to port it.)
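The fail-closed behaviour proposed in the list above, as an added example that is not part of the original issue and is not GRUB code: a small C model in which the verifier always records its error, open refuses a file on a bad signature unless the skip flag is set, and `source` propagates the failure. All `model_*` names, the `ERR_*` values and the sample file table are hypothetical, and the "error message, sleep, reboot" reaction is reduced to returning the error.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not GRUB code; names only echo the issue's identifiers. */
enum model_err { ERR_NONE = 0, ERR_FILE_NOT_FOUND, ERR_BAD_SIGNATURE };
#define TYPE_SKIP_SIGNATURE 0x1u /* stands in for GRUB_FILE_TYPE_SKIP_SIGNATURE */

struct model_file { const char *name; int has_sig; int sig_valid; };

/* Constructed sample files: one good, one tampered, one with its signature removed. */
static const struct model_file disk[] = {
    { "grub.cfg",  1, 1 },
    { "vmlinuz",   1, 0 },
    { "extra.cfg", 0, 0 },
};
static enum model_err model_errno = ERR_NONE; /* stands in for grub_errno */

/* Verifier: every failure path records the error, so callers cannot miss it. */
static int model_verify(const struct model_file *f)
{
    if (!f->has_sig || !f->sig_valid) {
        model_errno = ERR_BAD_SIGNATURE;
        return -1;
    }
    return 0;
}

/* Open: fail closed on a bad signature unless the caller set the skip flag. */
static const struct model_file *model_open(const char *name, unsigned type)
{
    model_errno = ERR_NONE;
    for (size_t i = 0; i < sizeof disk / sizeof disk[0]; i++) {
        if (strcmp(disk[i].name, name) != 0)
            continue;
        if (!(type & TYPE_SKIP_SIGNATURE) && model_verify(&disk[i]) != 0)
            return NULL; /* never hand out an unverified file */
        return &disk[i];
    }
    model_errno = ERR_FILE_NOT_FOUND;
    return NULL;
}

/* "source": the open error is returned to the caller instead of being ignored. */
static enum model_err model_source(const char *name)
{ return model_open(name, 0) ? ERR_NONE : model_errno; }

/* Presence test in the spirit of "-s": existence only, signature skipped. */
static int model_exists(const char *name)
{ return model_open(name, TYPE_SKIP_SIGNATURE) != NULL; }

int main(void)
{ printf("%d %d\n", model_source("extra.cfg"), model_exists("extra.cfg")); return 0; }
```

In this model a file whose signature was stripped still passes the presence test but cannot be sourced, so a script cannot mistake "exists" for "trusted".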