grub-mkconfig always generates a devicetree line when a dtb is present, causing a boot delay when grub is in lockdown

Bug #2037537 reported by Isaac True
Affects: grub2 (Ubuntu); Status: New; Importance: Undecided; Assigned to: Unassigned

Bug Description

When a device tree is found in /boot, grub-mkconfig automatically appends a devicetree line to the menu entry to load the device tree alongside the initrd and kernel.

Excerpt from /etc/grub.d/10_linux from grub-2.12:

    if test -n "${dtb}" ; then
      if [ x"$quiet_boot" = x0 ] || [ x"$type" != xsimple ]; then
        message="$(gettext_printf "Loading device tree blob...")"
        sed "s/^/$submenu_indentation/" << EOF
        echo '$(echo "$message" | grub_quote)'
EOF
      fi
      sed "s/^/$submenu_indentation/" << EOF
        devicetree ${rel_dirname}/${dtb}
EOF
    fi

This is however not always desired, in particular when GRUB is in lockdown (e.g. due to Secure Boot), as the devicetree command is then forbidden. This causes a ~5 second boot delay during startup as the following message is shown:

error: devicetree: the command is not allowed when lockdown is enforced.

Press any key to continue...

GRUB continues to boot without a key being pressed, but this is an unnecessary delay when booting. I suggest adding an additional variable (e.g. GRUB_DISABLE_DEVICETREE) that can be set in /etc/default/grub to tell GRUB that it should not add the devicetree command.

I don't think this is something that can be automatically detected and accounted for during grub-mkconfig, as the command may not be being executed on the target, and it may not know that the target will be booting with a locked down GRUB.
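The following is an added example, not code from grub-2.12 and not the patch attached to this report. It re-creates the devicetree branch of /etc/grub.d/10_linux as a stand-alone POSIX shell function and gates it on GRUB_DISABLE_DEVICETREE, the variable name proposed above; the variable name, the value "true" as the disabling setting, the function names and the dtb file name are all this example's own assumptions. Running it shows the fragment grub-mkconfig would emit with the variable unset and with it set, so the two generated menu entries can be compared without touching a real /boot.

```shell
#!/bin/sh
# Added example, not grub's 10_linux and not the attached patch.
# Re-creates the devicetree branch of 10_linux and gates it on a
# hypothetical GRUB_DISABLE_DEVICETREE variable as suggested in the report.

# Emit the lines 10_linux adds when a dtb sits next to the kernel,
# unless the proposed opt-out is set.
#   $1 = dtb file name found next to the kernel ("" when none)
#   $2 = rel_dirname, the GRUB-relative directory holding kernel and dtb
#   $3 = submenu_indentation (optional, defaults to none)
emit_devicetree_lines() {
    dtb="$1"
    rel_dirname="$2"
    submenu_indentation="${3:-}"

    # No dtb found: 10_linux emits nothing here either.
    [ -n "$dtb" ] || return 0

    # Proposed opt-out (assumed name/value): the operator knows the target
    # boots a locked-down GRUB, where 'devicetree' is refused and the
    # "Press any key to continue..." pause would follow.
    if [ "x${GRUB_DISABLE_DEVICETREE:-}" = "xtrue" ]; then
        return 0
    fi

    # Same two lines 10_linux writes, run through the same indentation sed.
    # (10_linux prints the echo only when quiet_boot is off or the entry is
    # not of type "simple"; this example assumes that case.)
    printf '%s\n' "echo 'Loading device tree blob...'" \
                  "devicetree ${rel_dirname}/${dtb}" \
        | sed "s/^/$submenu_indentation/"
}

# Count the 'devicetree' commands in the generated fragment (0 or 1).
# grep -c exits 1 when the count is 0, so keep the pipeline status clean.
count_devicetree_commands() {
    emit_devicetree_lines "$@" | grep -c '^[[:space:]]*devicetree ' || true
}

# Side-by-side run on a constructed dtb name (no real file lookup).
demo() {
    echo '# GRUB_DISABLE_DEVICETREE unset: devicetree line is generated'
    ( unset GRUB_DISABLE_DEVICETREE
      emit_devicetree_lines vexpress-v2p-ca9.dtb /boot '    ' )
    echo '# GRUB_DISABLE_DEVICETREE=true (as it would sit in /etc/default/grub): line suppressed'
    ( GRUB_DISABLE_DEVICETREE=true
      emit_devicetree_lines vexpress-v2p-ca9.dtb /boot '    ' )
}

demo
```

Because grub-mkconfig sources /etc/default/grub before running the /etc/grub.d scripts, a real implementation of the variable would be read the same way this function reads it, and the generated grub.cfg on a locked-down target would then carry no devicetree command to be refused at boot.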

Tags: patch
Isaac True (itrue) wrote :

I've created a patch showing a potential fix for this using an environment variable.

summary: grub-mkconfig always generates a devicetree line when a dtb is present,
- causing a boot delay when grub is in lockdown (e.g. due to Secure Boot)
+ causing a boot delay when grub is in lockdown
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "ubuntu-add-disable-devicetree-variable.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Julian Andres Klode (juliank) wrote :

Hi Isaac,

it seems to me that either the platform requires a device tree or not. If you place one next to it, it seems reasonable to alert the user (if present) that the machine may not function correctly when booting securely.

If the platform does not require the device tree after all, then it would be preferable not to ship it.

Isaac True (itrue) wrote (last edit ):

Hi @juliank,

This is mostly coming from a customer project where we need to support both U-Boot UEFI Secure Boot and standard U-Boot FIT images. As the device tree is required for creating the FIT image, we need to ship the .dtb file with the kernel. The UEFI use case does not necessarily need the .dtb file as the device tree can also be provided by ATF, but for the sake of developer and user friendliness, we are using the .dtb that ships with each kernel release and loading it in U-Boot before handing off to UEFI/Grub. (Side note: this .dtb will be bundled in a signed FIT image at a later date to increase security.)
