[Bug 2037537] Re: grub-mkconfig always generates a devicetree line when a dtb is present, causing a boot delay when grub is in lockdown

Julian Andres Klode 2037537 at bugs.launchpad.net
Wed Sep 27 18:59:11 UTC 2023


Hi Isaac,

it seems to me that either the platform requires a device tree or not.
If you place one next to it, it seems reasonable to alert the user (if
present) that the machine may not function correctly when booting
securely.

If the platform does not require the device tree after all, then it
would be preferable not to ship it.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2037537

Title:
  grub-mkconfig always generates a devicetree line when a dtb is
  present, causing a boot delay when grub is in lockdown

Status in grub2 package in Ubuntu:
  New

Bug description:
  When a device tree is found in /boot, grub-mkconfig automatically
  appends a devicetree line to the menu entry to load the device tree
  alongside the initrd and kernel.

  Excerpt from /etc/grub.d/10_linux from grub-2.12:

      if test -n "${dtb}" ; then
        if [ x"$quiet_boot" = x0 ] || [ x"$type" != xsimple ]; then
          message="$(gettext_printf "Loading device tree blob...")"
          sed "s/^/$submenu_indentation/" << EOF
          echo    '$(echo "$message" | grub_quote)'
  EOF
        fi
        sed "s/^/$submenu_indentation/" << EOF
          devicetree      ${rel_dirname}/${dtb}
  EOF
      fi

  This is however not always desired, in particular when GRUB is in
  lockdown (e.g. due to Secure Boot), as the devicetree command is then
  forbidden. This causes a ~5 second boot delay during startup as the
  following message is shown:

  error: devicetree: the command is not allowed when lockdown is
  enforced.

  Press any key to continue...

  GRUB continues to boot without a key being pressed, but this is an
  unnecessary delay when booting. I suggest adding an additional
  variable (e.g. GRUB_DISABLE_DEVICETREE) that can be set in
  /etc/default/grub to tell GRUB that it should not add the devicetree
  command.

  I don't think this is something that can be automatically detected and
  accounted for during grub-mkconfig, as the command may not be being
  executed on the target, and it may not know that the target will be
  booting with a locked down GRUB.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2037537/+subscriptions
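
The opt-out suggested in the bug description, sketched as an added example (not code from GRUB, Ubuntu, or either poster). `GRUB_DISABLE_DEVICETREE` is the name proposed in the report, not an existing option; `emit_devicetree` and the simplified `grub_quote` are hypothetical helpers, and comparing against "true" is an assumption modelled on existing `GRUB_DISABLE_*` settings.

```shell
#!/bin/sh
# Added illustration only; GRUB_DISABLE_DEVICETREE is a proposed, not an
# existing, /etc/default/grub setting.

# Simplified stand-in (assumption) for grub_quote from grub-mkconfig_lib:
# escape single quotes so the text is safe inside a single-quoted string.
grub_quote() { sed "s/'/'\\\\''/g"; }

# emit_devicetree DTB REL_DIRNAME QUIET_BOOT TYPE [INDENT]
# Prints the menu-entry lines that load a device tree. Prints nothing when
# no dtb was found or when the administrator has opted out.
emit_devicetree() {
  dtb=$1 rel_dirname=$2 quiet_boot=$3 type=$4 indent=${5:-}

  # Same precondition as the 10_linux excerpt: a dtb must have been found.
  [ -n "$dtb" ] || return 0

  # Proposed opt-out: under lockdown the devicetree command is rejected,
  # so leaving it out of grub.cfg avoids the error prompt and its delay.
  if [ "x${GRUB_DISABLE_DEVICETREE:-}" = xtrue ]; then
    return 0
  fi

  if [ "x$quiet_boot" = x0 ] || [ "x$type" != xsimple ]; then
    message="Loading device tree blob..."
    sed "s/^/$indent/" << EOF
        echo    '$(echo "$message" | grub_quote)'
EOF
  fi
  sed "s/^/$indent/" << EOF
        devicetree      ${rel_dirname}/${dtb}
EOF
}

# Constructed sample call: default behaviour, then with the opt-out set.
emit_devicetree board.dtb /boot 0 simple
GRUB_DISABLE_DEVICETREE=true
emit_devicetree board.dtb /boot 0 simple
unset GRUB_DISABLE_DEVICETREE
```

Because the setting is read when the configuration is generated, it would work for the cross-build case the report describes, where the generating machine cannot know the target boots a locked-down GRUB.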