[Bug 1174131] New: /boot/grub2/x86_64-efi/*.mod not needed?
http://bugzilla.opensuse.org/show_bug.cgi?id=1174131 Bug ID: 1174131 Summary: /boot/grub2/x86_64-efi/*.mod not needed? Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: mchang@suse.com Reporter: lnussel@suse.com QA Contact: qa-bugs@suse.de CC: arvidjaar@gmail.com, fvogt@suse.com, glin@suse.com, rw@suse.com Found By: --- Blocker: --- apparently grub2 at least on efi systems is built as one static binary so it can be signed for secure boot. Do we therefore need /boot/grub2/x86_64-efi/*.mod resp /usr/share/grub2/x86_64-efi/* at all then? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1174131 http://bugzilla.opensuse.org/show_bug.cgi?id=1174131#c1 --- Comment #1 from Gary Ching-Pang Lin <glin@suse.com> --- There is an unsigned grubx64.efi which needs those modules. If the user disables Secure Boot in yast2-bootloader, the boot option would be set to grubx64.efi instead of shim.efi. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1174131 http://bugzilla.opensuse.org/show_bug.cgi?id=1174131#c2 --- Comment #2 from Ludwig Nussel <lnussel@suse.com> --- ok but does it bring us any advantage to have both a big static grub and the modular one? Looks like the static one is "good enough" for secure boot so shouldn't it work for the non-secure boot case too? Ie we could simplify the logic and have less clutter in /boot by not having all those files there. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1174131 http://bugzilla.opensuse.org/show_bug.cgi?id=1174131#c3 --- Comment #3 from Fabian Vogt <fvogt@suse.com> --- That's what I thought in other bug reports as well, but apparently there are some which use modules not included in grub.efi. Some modules might also be unsuitable for secureboot environments, though that could be checked on runtime. Another use-case for the .mod files is that they can be used to create a custom grub.efi binary with grub2-mkimage. If the static grub2.efi with all modules doesn't turn out too big, I'd be in favor of not installing the .mod files by default too. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1174131 http://bugzilla.opensuse.org/show_bug.cgi?id=1174131#c4 --- Comment #4 from Michael Chang <mchang@suse.com> --- (In reply to Ludwig Nussel from comment #2)
ok but does it bring us any advantage to have both a big static grub and the modular one? Looks like the static one is "good enough" for secure boot so shouldn't it work for the non-secure boot case too?
Some modules are banned in secure boot, thus can only be useful with module ...
Ie we could simplify the logic and have less clutter in /boot by not having all those files there.
No one would take care of cleaning them also it is hard to tell it is needed by anything or not, so in case of leaving any leftover that could bring up incompatible ABI, we always reinstall them to bring up synced images and modules. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1174131 http://bugzilla.opensuse.org/show_bug.cgi?id=1174131#c5 --- Comment #5 from Ludwig Nussel <lnussel@suse.com> --- (In reply to Michael Chang from comment #4)
(In reply to Ludwig Nussel from comment #2)
ok but does it bring us any advantage to have both a big static grub and the modular one? Looks like the static one is "good enough" for secure boot so shouldn't it work for the non-secure boot case too?
Some modules are banned in secure boot, thus can only be useful with module ...
Can we keep those as modules but don't duplicate the rest? So the same grub.efi is used in both SB as well as no SB case, just that when booted in the latter mode it would allow to load extra stuff? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1174131 http://bugzilla.opensuse.org/show_bug.cgi?id=1174131#c6 --- Comment #6 from Michael Chang <mchang@suse.com> --- (In reply to Ludwig Nussel from comment #5)
(In reply to Michael Chang from comment #4)
(In reply to Ludwig Nussel from comment #2)
Can we keep those as modules but don't duplicate the rest? So the same grub.efi is used in both SB as well as no SB case, just that when booted in the latter mode it would allow to load extra stuff?
I am not sure if the optimization is welcome by everyone. It would break if two grub installed in parallel, that is signed monolithic grub.efi and unsigned micro grubx64.efi. Some people would keep grubx64.efi as fallback or making some fun out of it, like to play with signed grub module by their own pgp key ... -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com