Grub-efi hangs when enter button not hit in grub menu on secure boot #79

Open
Dvergatal opened this issue Oct 12, 2024 · 19 comments
Comments

@Dvergatal
Contributor

As in the subject: when secure boot is turned on and the grub menu is shown, there is some time left for choosing the entry to boot, and if the enter button was not hit the highlighted entry is run automatically, but actually it hangs and nothing helps to reboot.

This happens to be scarthgap related, not on kirkstone.

@Dvergatal
Contributor Author

Dvergatal commented Oct 12, 2024

This is odd. I left my machine for a couple of hours in a state where I had moved the arrow to disable the timer in the grub menu, and when I came back it had hung as well... Definitely, there must be some kind of a deadlock or something.

P.S. I have just checked it and verified that actually it happens after ~8-10 seconds.

@yizhao1
Collaborator

yizhao1 commented Oct 14, 2024

Hello, can you provide more information? Which board did you use? Which DISTRO_FEATURES were enabled besides efi-secure-boot? How did you deploy the image? Using wic or rootfs.tar.gz?

@Dvergatal
Contributor Author

> Hello, can you provide more information?

Hi @yizhao1 I can.

> Which board did you use?

The board is ours for x86-64 Intel architecture with Insyde UEFI.

> Which DISTRO_FEATURES were enabled besides efi-secure-boot?

Only the efi-secure-boot from this meta layer is set. Others are like largefile polkit acl xattr pam systemd tpm2 virtualization ipv6 usrmerge.

> How did you deploy the image? Using wic or rootfs.tar.gz?

Actually I'm using both (installer is made from wic and contains inside rootfs.tar.gz which is being extracted to target machine) and it happens on both.

When I disable secure boot in UEFI then everything is fine and this does not happen.

@yizhao1
Collaborator

yizhao1 commented Oct 14, 2024

I cannot reproduce it with the wic image on my Intel NUC7. The default grub menu only has one entry. Did you have more than one entry in your grub menu?

@Dvergatal
Contributor Author

> I cannot reproduce it with the wic image on my Intel NUC7. The default grub menu only has one entry. Did you have more than one entry in your grub menu?

Both one and more entries and still it happens.

@Dvergatal
Contributor Author

Currently I'm reverting only the packages of shim and seloader to see if maybe they are causing the issue.

Additionally I have some suspicions that our UEFI implementation can cause it...

@Dvergatal
Contributor Author

> Currently I'm reverting only the packages of shim and seloader to see if maybe they are causing the issue.

Downgrading shim on scarthgap is a nightmare... And downgraded seloader is not working with new shim.

> Additionally I have some suspicions that our UEFI implementation can cause it...

Regarding this I can test the image on QEMU and see if the error also persists.

@Dvergatal
Contributor Author

OK, we have tested the image on QEMU and it is working as it is supposed to, so the issue is rather related to our UEFI implementation, so I'm closing the issue as solved.

@Dvergatal
Contributor Author

OK, after more digging it turns out that the issue is not related to the UEFI but to the USB connection. We have tested the image on one more platform, which has UEFI from AMI, and the issue occurs as well, and what we discovered is that when plugging in some USB device like a keyboard or mouse, grub hangs.

@yizhao1 can you please verify on your Intel NUC 7 whether it occurs as well?

Dvergatal reopened this Oct 22, 2024

@yizhao1
Collaborator

yizhao1 commented Oct 24, 2024

@Dvergatal I tested the wic image with a USB keyboard and USB mouse on my Intel NUC7. It works well. I have no other platforms for testing. Can you test the original secure-core-image scarthgap image on your platform?

@Dvergatal
Contributor Author

Yes, I can test it. I think I will get myself this Intel NUC7 to test as well...

@Dvergatal
Contributor Author

OK, a new NUC7 has come and I've tested the same image, and to my surprise it has behaved like on our devices in our lab, meaning it did not hang in grub but hung when I disconnected the keyboard from USB and plugged it in again... So on the device which I have at home it always hangs, and on the other devices, even on the Intel NUC7, it hangs only when a USB device is plugged into it at the grub stage, not before power on.

@yizhao1 have you made your test in such steps?

@Dvergatal
Contributor Author

Dvergatal commented Oct 29, 2024

OK, more digging and it turned out that the instant freeze is caused by a USB LTE modem connected through the M.2 slot. When I unplugged this modem my machine stopped freezing after ~5-8 seconds.

Now it works, but still when I unplug the USB keyboard and plug it in again then grub hangs...

> @Dvergatal I tested the wic image with a USB keyboard and USB mouse on my Intel NUC7. It works well. I have no other platforms for testing. Can you test the original secure-core-image scarthgap image on your platform?

BTW, do you have some latest SecureCore repository/implementation? Because building the secure-core-image scarthgap image with our distro brings too many changes and the SecureCore layer is too old; moreover it uses poky, which has only MACHINE defined for qemu.

@Dvergatal
Contributor Author

@yizhao1 more interesting information. I have finally managed to test it with an older version of shim, 15.2 from the mickledore revision, while grub together with seloader are the newest ones, and everything is working as it is supposed to.

The difference which is most interesting is that shim contains its own repo for gnuefi, which is completely different from the one used by seloader and grub...

Need to dig it more...

@Dvergatal
Contributor Author

Dvergatal commented Nov 4, 2024

OK, finally I got it working on scarthgap but with shim and gnu-efi from kirkstone... Now I need to somehow do the same with the latest shim but with the usage of gnu-efi from openembedded-core instead of the one provided with shim.

@Dvergatal
Contributor Author

Dvergatal commented Nov 6, 2024

@yizhao1 additional question: are you using UEFI_SELOADER in your case or not?

P.S. I have read the README file :P and came to the conclusion that I'm a moron hehe

Now I'm building the secure-core-image for the scarthgap release according to it and will see if the issue is reproduced.

@Dvergatal
Contributor Author

Dvergatal commented Nov 7, 2024

@yizhao1 OK, I have built the image and the issue exists on the reference image as well, and it behaves exactly the same as I've described it.

Just built from master and same issue as well.

One last thing which came to my mind is to update UEFI on my NUC7 machine and see if that can be the cause. Will report to you later.

@yizhao1
Collaborator

yizhao1 commented Nov 11, 2024

@Dvergatal I can reproduce this issue now. It only happens with UEFI_SELOADER but not with GRUB_SIGN_VERIFY.

@Dvergatal
Contributor Author

Dvergatal commented Nov 11, 2024

@yizhao1 finally 😃 glad to read it 👍 Now we need to solve it. Do you have any ideas?

P.S. I confirm that with GRUB_SIGN_VERIFY instead of UEFI_SELOADER it does not happen. Question is, if the SELoader project is abandoned, because I haven't seen any updates in the repository for over 2 years. In addition to it, which way is more secure?

P.S.2 IMHO UEFI_SELOADER approach is more secure as it uses PKCS#7 with all the overhead that this standard brings in contrast to what grub offers...
