Hi, if I boot with grubx64.efi and run the following command: loopback loop some.iso ...it hangs in 2.04 under UEFI, while it worked fine up to 2.02. This affects Debian and Ubuntu, but not Fedora. BIOS mode isn't affected. I tested with grubx64.efi from the following packages: BAD: http://ftp.us.debian.org/debian/pool/main/g/grub2/grub-efi-amd64-bin_2.04-7_amd64.deb BAD: https://launchpad.net/ubuntu/+source/grub2-signed/1.117/+build/17277557/+files/grub-efi-amd64-signed_1.117+2.04-1ubuntu1_amd64.deb GOOD: https://launchpad.net/ubuntu/+source/grub2-signed/1.116/+build/17166212/+files/grub-efi-amd64-signed_1.116+2.02+dfsg1-12ubuntu3_amd64.deb GOOD: https://kojipkgs.fedoraproject.org//packages/grub2/2.04/15.fc33/x86_64/grub2-efi-x64-2.04-15.fc33.x86_64.rpm Related Ubuntu bug report: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1851311 Thank you.
Dear Maintainer, I could reproduce this issue with these grub images inside a QEmu EFI enabled VM (no secureboot enabled). grub-efi-amd64-signed: /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed grub-efi-amd64-bin: /usr/lib/grub/x86_64-efi/monolithic/grubx64.efi Further tried to track it down by manually creating the image like it is done in grub2-2.04/debian/build-efi-images. At the end I had a not hanging image, where just the "tpm" module was left out. Kind regards, Bernhard
I can confirm that running `rmmod tpm` is a workaround. After removing tpm, `loopback loop some.iso` works without hanging. Thank you Bernhard.
Dear Maintainer, I further tried to get some more logging output by "set debug=all". There I found that the loopback command actually returns after around 2 minutes for my 335 MB ISO file. From the logging is looks like the whole ISO is read to memory, if the tpm module is loaded. If it is not loaded the ISO seems to get not touched at all. Is it "just" checking if the file is signed? (Even when running without secureboot?) Kind regards, Bernhard
This is not about any signatures. If the TPM module is loaded GRUB needs to read and measure the whole file in order to update PCR 9: https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html This way, if the ISO image changes it will affect the PCR values even if the kernel, initrd, etc., have not been modified. The fix for this is not to measure the whole ISO image but only the individual files read from it: https://github.com/olafhering/grub/commit/86ec48882bd0b06268f93033bce9eea168188fae But this patch was added after GRUB 2.12 and a more recent version hasn't been released yet. Berto