On Sun, May 03, 2020 at 04:01:55PM +0200, Bernhard Übelacker wrote:
> From the logging it looks like the whole ISO is read
> to memory, if the tpm module is loaded.
> If it is not loaded the ISO seems not to get touched at all.
>
> Is it "just" checking if the file is signed?
> (Even when running without secureboot?)
This is not about any signatures. If the TPM module is loaded GRUB needs to
read and measure the whole file in order to update PCR 9:

https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html

This way, if the ISO image changes it will affect the PCR values even if the
kernel, initrd, etc., have not been modified.

The fix for this is not to measure the whole ISO image but only the
individual files read from it:

https://github.com/olafhering/grub/commit/86ec48882bd0b06268f93033bce9eea168188fae

But this patch was added after GRUB 2.12 and a more recent version hasn't
been released yet.

Berto
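To make the PCR behaviour Berto describes concrete, here is an added example (not code from the thread, GRUB, or the linked commit) that simulates TPM PCR extension in Python. A PCR is never written directly: each measurement event extends it as `new = SHA256(old || SHA256(data))`, so the final value depends on every measured blob in order. The toy ISO layout, file names and contents below are constructed assumptions; the point is that measuring the whole image as one blob makes PCR 9 move when an unrelated file changes, whereas measuring only the files GRUB actually reads does not.

```python
"""Simulated TPM PCR extension (SHA-256 bank), modelling why a whole-ISO
measurement into PCR 9 changes when any byte of the image changes, and how
per-file measurement behaves instead.  Constructed model, not GRUB's or the
TPM's own code."""
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR; PCRs are all-zero after a TPM reset


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for one measurement event:
    new = H(old || H(data)).  The old value is folded in, so a PCR can only
    be reproduced by replaying the exact same sequence of measurements."""
    digest = hashlib.sha256(data).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_sequence(blobs) -> bytes:
    """Extend a fresh PCR with each blob in order and return the final value."""
    pcr = bytes(PCR_SIZE)
    for blob in blobs:
        pcr = pcr_extend(pcr, blob)
    return pcr


def build_iso(files: dict) -> bytes:
    """Constructed stand-in for an ISO image: a flat concatenation of
    name/content pairs.  Real ISO 9660 layout does not matter for the point."""
    return b"".join(name.encode() + b"\0" + content
                    for name, content in sorted(files.items()))


# Constructed sample image and a copy where only an unrelated file changed.
BASE = {"boot/vmlinuz": b"kernel-bytes", "boot/initrd": b"initrd-bytes", "README": b"v1"}
MODIFIED_README = dict(BASE, README=b"v2")
MODIFIED_KERNEL = dict(BASE, **{"boot/vmlinuz": b"kernel-bytes-patched"})


def whole_iso_pcr(files: dict) -> bytes:
    """Pre-fix behaviour: the entire image is read and measured as one blob."""
    return measure_sequence([build_iso(files)])


def per_file_pcr(files: dict, read_order=("boot/vmlinuz", "boot/initrd")) -> bytes:
    """Post-fix behaviour: only the individual files GRUB reads are measured,
    in the order they are read."""
    return measure_sequence([files[name] for name in read_order])


def compare() -> dict:
    """Summarise which strategy reacts to which change."""
    return {
        "whole_iso_moves_on_readme_change": whole_iso_pcr(BASE) != whole_iso_pcr(MODIFIED_README),
        "per_file_moves_on_readme_change": per_file_pcr(BASE) != per_file_pcr(MODIFIED_README),
        "per_file_moves_on_kernel_change": per_file_pcr(BASE) != per_file_pcr(MODIFIED_KERNEL),
    }


if __name__ == "__main__":
    for key, moved in compare().items():
        print(f"{key}: {moved}")
    print("PCR 9 (whole ISO, base image):", whole_iso_pcr(BASE).hex())
```

On a real machine the corresponding check is to read the SHA-256 bank of PCR 9 before and after swapping the ISO (for example with `tpm2_pcrread sha256:9` from tpm2-tools) and to compare against the event log, which records each measured object; with whole-image measurement a single entry covers the entire ISO, so any sealed secret or remote-attestation policy bound to PCR 9 breaks on every rebuild of the image, not only when the kernel or initrd changes.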