Grub2 crypto and verify operations are slow

Copy /usr/lib/grub/x86_64-efi from grub2-efi-x64-modules into /boot/efi/EFI/fedora, ensure that secure boot is off and run insmod verify.

I’m trying to test Changes/Include_security_modules_in_efi_Grub2 to prepare it for “complete” status, but I’m getting caught at testing the functionality with verify_detached <path to a file> <path to file's .sig>. It’s either hanging or taking way too long (greater than 10 minutes). The effect of this is that attempting to boot takes impossibly long (I haven’t timed it, because it hasn’t succeeded yet; I would presume that it takes a long time, or never actually boots), because it would have to verify several files.

Similarly, utilising the cryptodisk functionality takes a long time, but unlike “verify,” it does actually succeed in a semi-reasonable amount of time (but much longer than decrypting the root partition in initramfs).

Grub is likely single-threaded, but this is too long. I’m looking for an explanation or help. Thanks.

(This is an RSA 2048-bit key, on an i7-6500U, if it helps.)

Edit: Made it a 1024-bit key, but as per below, this makes little difference. Also, this is on Fedora 30.

Update: It’s hanging because of “set check_signatures=enforce”. I tried it with check_signatures set to no, and verify_detached completed within a very reasonable amount of time (a few seconds).

I’ve signed every file that I could/that there is in /boot, but it still seems like I’ve missed something.

Using tab complete to navigate the partitions similarly causes it to hang.

So I guess this makes my question: what needs to be signed with check_signatures set to enforce to ensure that my computer boots?


I used set debug=all and found that the sha256 algorithm wasn’t being loaded. At that point I guessed that gcry_rsa and gcry_sha256, implicit dependencies of verify, couldn’t be inserted because check_signatures was set to enforce (can’t check the signatures of these modules if the algorithm of their sig files can’t be processed).

Executing insmod gcry_sha256 and insmod gcry_rsa before setting check_signatures to enforce solves the issue.
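As an added example (not code from the thread or from the Fedora change page), the script below does the two things the thread converges on: it lists which files in a GRUB tree still lack a detached .sig (the question in the original post), produces those signatures with gpg, and emits the grub.cfg preamble in the order the last reply found necessary, with insmod gcry_sha256 and insmod gcry_rsa issued before set check_signatures=enforce. Everything it touches is an assumption: it works on a staging copy of the GRUB directory rather than the real /boot, expects a GPG homedir that already holds the signing key, and assumes the matching public key is embedded in the GRUB image (for example with grub-mkimage --pubkey) so that verification has a trusted key to check against.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (hypothetical):
#   $1 = staging copy of the files GRUB reads (grub.cfg, kernels, initramfs,
#        x86_64-efi/*.mod, fonts, locale), not the live /boot
#   $2 = GPG homedir that already contains the private signing key
# The matching public key is assumed to be embedded in the GRUB image
# (grub-mkimage --pubkey), otherwise enforce mode has nothing to trust.

# List every regular file under $1 that has no sibling "<file>.sig".
# With check_signatures=enforce, any such file GRUB opens will fail or hang,
# which is what the original poster saw with tab completion and at boot.
find_unsigned() {
    find "$1" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# Create binary (non-armored) detached signatures, which is the form GRUB's
# verify module reads from <file>.sig. Only the files still unsigned are touched.
sign_tree() {
    dir=$1
    home=$2
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 1; }
    find_unsigned "$dir" | while IFS= read -r f; do
        gpg --homedir "$home" --batch --yes --detach-sign --output "$f.sig" "$f"
    done
}

# grub.cfg preamble. The hash and public-key modules are loaded while
# check_signatures is still off: once enforce is set, GRUB would have to verify
# gcry_sha256.mod.sig before it can load the very module that hashes it,
# which is the circular dependency diagnosed in the thread.
enforce_preamble() {
    cat <<'EOF'
insmod verify
insmod gcry_sha256
insmod gcry_rsa
set check_signatures=enforce
EOF
}

# Stand-alone usage: sh grub-sign.sh /path/to/staging /path/to/gnupg-home
if [ $# -eq 2 ]; then
    echo "unsigned before signing:"; find_unsigned "$1"
    sign_tree "$1" "$2"
    echo "remaining unsigned (should be empty):"; find_unsigned "$1"
    echo "grub.cfg preamble:"; enforce_preamble
fi
```

Run find_unsigned again after signing and after every kernel or grub-mkconfig update: a single new initramfs without a .sig is enough to reproduce the hang. Note that the preamble only protects the files GRUB loads after it; the EFI image itself and the embedded key are what Secure Boot or a hardware root of trust would have to cover, which this thread leaves out of scope.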