Bug 2144113
| Summary: | Latest grub2 breaks gfxterm | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andy Wang <dopey> |
| Component: | grub2 | Assignee: | Javier Martinez Canillas <fmartine> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 37 | CC: | abuse, alanh, christian.tosta, fmartine, lkundrak, nathanael, Per.t.Sjoholm, pgnet.dev, pjones, rharwood, steve.morris.au, vitaly |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | grub2-2.06-67.fc37 grub2-2.06-57.fc36 grub2-2.06-14.fc35 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-25 02:39:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Andy Wang
2022-11-19 01:07:06 UTC
I have the same issue. Broken version: grub2-efi-x64-1:2.06-63.fc37.x86_64 The last working version: grub2-efi-x64-1:2.06-60.fc37.x86_64 Workaround: sudo dnf downgrade grub2\* Observed the same issue. It is related to font loading and when TERMINAL_OUTPUT="gfxterm" is defined in /etc/sysconfig/grub. Running `loadfont $font` at the grub terminal returns: ../../grub-core/kern/efi/sb.c:109:prohibited by secure boot policy More info: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1879751.html FEDORA-2022-3130c677b4 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-3130c677b4 FEDORA-2022-43027031f1 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-43027031f1 FEDORA-2022-9b03e69561 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9b03e69561 FEDORA-2022-9b03e69561 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-9b03e69561` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9b03e69561 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-3130c677b4 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-3130c677b4` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-3130c677b4 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. (In reply to Fedora Update System from comment #4) > FEDORA-2022-43027031f1 has been submitted as an update to Fedora 37. > https://bodhi.fedoraproject.org/updates/FEDORA-2022-43027031f1 Solved the gfxterm issue for me, but still can't load .pf2 fonts from themes. FEDORA-2022-43027031f1 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-43027031f1` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-43027031f1 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. > Solved the gfxterm issue for me, but still can't load .pf2 fonts from themes.
Unfortunately, this isn't expected to work, and I'm not sure there's going to be a solution any time soon.
As an additional mitigation from the recent CVEs, all fonts need to be signed in order to be used with secureboot. This is accomplished by bundling them into grubx64.efi (or grubaa64.efi etc.) itself, which is then signed. However, this grows the size of the EFI binary significantly, which is a problem. For unicode.pf2, it was already in /boot and expected to work, so we just bundle it and drop the standalone file. Other fonts today required more setup, so the cost can't really be justified.
So: unicode.pf2 is expected to work with `loadfont unicode`; all other fonts currently require self-signing.
is there a way to sign font files without bundling them into grubx64.efi? FEDORA-2022-04d670e731 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-04d670e731` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-04d670e731 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-f86e203baf has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-f86e203baf` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-f86e203baf See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-7ce9378e90 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-7ce9378e90` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-7ce9378e90 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-04d670e731 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report. Just a heads up for anyone else having an issue with this. I had to comment out GRUB_FONT for the error to go away. The loading theme is back now and looks fine without it... FEDORA-2022-f86e203baf has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report. Grub2 2.06.67 has not fixed the secure boot loadfont issue introduced by 2.06.63 in Fedora 37. Nor has it rectified the ignoring of GRUB_TERMINAL_OUTPUT and GRUB_GFXMODE statements in /etc/default/grub. If anything 2.06.67 has made things worse in that it has not rectified the issue with themes not displaying, and it seems to now be displaying the sb.c secure boot error for every font being loaded by a grub theme, whereas in 2.06.63 it was only displayed once. Whatever the upgrade to 2.06.67 has done a downgrade to grub2 2.06.58 does not cause the sb.c error to cease being displayed. This seems to only be an issue with full secure boot. In my motherboard bios in the secure boot settings setting them to "Windows Mode" activates full secure boot which produces this error, if I set it to "Other OS" then Linux runs without secure boot, but then Windows 11 doesn't run properly. This update resolved the issue for me with secure boot enabled. For anyone interested in theming and fonts that aren't unicode.pf2, there is a thread upstream here: https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00155.html Please take any feedback you might have there - I (Fedora grub maintainer) consider this issue resolved until upstream decides on a different approach, as Fedora's behavior is currently more friendly than the grub2 upstream default (in that you get `loadfont unicode` at all). FEDORA-2022-7ce9378e90 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report. |