Bug#959425: loopback command hangs in 2.04 under UEFI
Alberto Garcia
berto at igalia.com
Thu Jul 24 06:39:44 BST 2025

On Sun, May 03, 2020 at 04:01:55PM +0200, Bernhard Übelacker wrote:

> From the logging it looks like the whole ISO is read
> to memory, if the tpm module is loaded.
> If it is not loaded the ISO seems to get not touched at all.
>
> Is it "just" checking if the file is signed?
> (Even when running without secureboot?)

This is not about any signatures. If the TPM module is loaded GRUB
needs to read and measure the whole file in order to update PCR 9:

https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html

This way, if the ISO image changes it will affect the PCR values even
if the kernel, initrd, etc., have not been modified.

The fix for this is not to measure the whole ISO image but only the
individual files read from it:

https://github.com/olafhering/grub/commit/86ec48882bd0b06268f93033bce9eea168188fae

But this patch was added after GRUB 2.12 and a more recent version
hasn't been released yet.

Berto
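
Added example, not part of the original message and not GRUB's code: a small Python model of the PCR 9 behaviour described above, comparing measurement of the whole loopback image with measurement of only the files read from it. The image layout, file names and contents are constructed, a single SHA-256 bank is assumed, and the model assumes each file read is extended into the PCR in both modes.

```python
import hashlib

def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def build_image(files: dict) -> bytes:
    """Constructed stand-in for an ISO: name, length and content of every file."""
    return b"".join(
        name.encode() + b"\0" + len(data).to_bytes(8, "big") + data
        for name, data in sorted(files.items())
    )

def measure(files: dict, read_order: list, whole_image: bool) -> bytes:
    """Return the modelled PCR 9 value after booting from the image."""
    pcr = bytes(32)  # PCRs start at all zeroes
    if whole_image:
        # Behaviour described in the message: the loopback file itself is
        # read in full and measured, so every byte of the image counts.
        pcr = pcr_extend(pcr, build_image(files))
    for name in read_order:
        # Assumption of this model: each file actually read is measured too.
        pcr = pcr_extend(pcr, files[name])
    return pcr

# Constructed sample data, not taken from any real ISO.
ORIGINAL = {"vmlinuz": b"kernel v1", "initrd.img": b"initrd v1",
            "README.txt": b"docs v1"}
DOCS_CHANGED = {**ORIGINAL, "README.txt": b"docs v2"}    # never read at boot
KERNEL_CHANGED = {**ORIGINAL, "vmlinuz": b"kernel v2"}   # the booted kernel
BOOT_FILES = ["vmlinuz", "initrd.img"]

if __name__ == "__main__":
    cases = [("original", ORIGINAL), ("docs changed", DOCS_CHANGED),
             ("kernel changed", KERNEL_CHANGED)]
    for label, files in cases:
        whole = measure(files, BOOT_FILES, whole_image=True).hex()[:16]
        per_file = measure(files, BOOT_FILES, whole_image=False).hex()[:16]
        print(f"{label:15} whole-image={whole}  per-file={per_file}")
```

In this model a change to a file that is never read at boot alters the whole-image PCR value but leaves the per-file value unchanged, while a change to the kernel alters both.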