[Bug 2037537] Re: grub-mkconfig always generates a devicetree line when a dtb is present, causing a boot delay when grub is in lockdown

Isaac True 2037537 at bugs.launchpad.net
Thu Sep 28 07:30:36 UTC 2023


Hi @juliank,

This is mostly coming from a customer project where we need to support
both U-Boot UEFI Secure Boot and standard U-Boot FIT images. As the
device tree is required for creating the FIT image, we need to ship the
.dtb file with the kernel. The UEFI use case does not necessarily need
the .dtb file as the device tree can also be provided by ATF, but for
the sake of developer and user friendliness, we are using the .dtb that
ships with each kernel release and loading it in U-Boot before
handing off to UEFI/Grub. (side note, this .dtb will be bundled in a
signed FIT image at a later date to increase security)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2037537

Title:
  grub-mkconfig always generates a devicetree line when a dtb is
  present, causing a boot delay when grub is in lockdown

Status in grub2 package in Ubuntu:
  New

Bug description:
  When a device tree is found in /boot, grub-mkconfig automatically
  appends a devicetree line to the menu entry to load the device tree
  alongside the initrd and kernel.

  Excerpt from /etc/grub.d/10_linux from grub-2.12:

      if test -n "${dtb}" ; then
        if [ x"$quiet_boot" = x0 ] || [ x"$type" != xsimple ]; then
          message="$(gettext_printf "Loading device tree blob...")"
          sed "s/^/$submenu_indentation/" << EOF
          echo    '$(echo "$message" | grub_quote)'
  EOF
        fi
        sed "s/^/$submenu_indentation/" << EOF
          devicetree      ${rel_dirname}/${dtb}
  EOF
      fi

  This is however not always desired, in particular when GRUB is in
  lockdown (e.g. due to Secure Boot), as the devicetree command is then
  forbidden. This causes a ~5 second boot delay during startup as the
  following message is shown:

  error: devicetree: the command is not allowed when lockdown is enforced.

  Press any key to continue...

  GRUB continues to boot without a key being pressed, but this is an
  unnecessary delay when booting. I suggest adding an additional
  variable (e.g. GRUB_DISABLE_DEVICETREE) that can be set in
  /etc/default/grub to tell GRUB that it should not add the devicetree
  command.

  I don't think this is something that can be automatically detected and
  accounted for during grub-mkconfig, as the command may not be being
  executed on the target, and it may not know that the target will be
  booting with a locked down GRUB.
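
The guard proposed in the bug description, as an added sketch that is not part of the original report or of GRUB's own code. `GRUB_DISABLE_DEVICETREE` is only the name suggested in the report; `emit_devicetree` and `count_devicetree` are hypothetical helpers, and `grub_quote` is a stand-in for the function in grub-mkconfig_lib.

```shell
#!/bin/sh
# Added sketch, not GRUB's code: models the devicetree part of 10_linux with
# the guard variable the report proposes (GRUB_DISABLE_DEVICETREE is the
# report's suggested name, treated here as an assumption).

# Stand-in for grub_quote from grub-mkconfig_lib: escape single quotes.
grub_quote () {
  sed "s/'/'\\\\''/g"
}

# emit_devicetree DTB REL_DIRNAME
# Prints the menu-entry lines for the device tree, or nothing when there is
# no dtb or the proposed GRUB_DISABLE_DEVICETREE is set to "true".
emit_devicetree () {
  dtb=$1
  rel_dirname=$2
  [ -n "$dtb" ] || return 0
  [ "x${GRUB_DISABLE_DEVICETREE:-false}" != xtrue ] || return 0
  if [ x"${quiet_boot:-0}" = x0 ] || [ x"${type:-simple}" != xsimple ]; then
    # 10_linux passes this string through gettext_printf; plain text here.
    message="Loading device tree blob..."
    sed "s/^/${submenu_indentation:-}/" << EOF
        echo    '$(echo "$message" | grub_quote)'
EOF
  fi
  sed "s/^/${submenu_indentation:-}/" << EOF
        devicetree      ${rel_dirname}/${dtb}
EOF
}

# count_devicetree FILE
# Number of devicetree commands in a generated config; a non-zero count is
# what triggers the lockdown error and delay described in the report.
count_devicetree () {
  grep -c '^[[:space:]]*devicetree[[:space:]]' "$1" || true
}
```

Running `count_devicetree` against a generated grub.cfg in an image build is a way to catch the condition before the image reaches a target that boots with GRUB in lockdown.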
