RHEL / RHEL-145531

[RFE] GRUB2: Avoid repeated loading of identical kernel, initramfs, and tboot artifacts across multiple menu entries when using Trusted Boot and IMA


    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-9.7
    • grub2
    • rhel-bootloader
    • bootloader RFE (partner/RH)

      What were you trying to do that didn't work?

      We were trying to boot a RHEL 9 system using Trusted Boot (tboot) with Integrity Measurement Architecture (IMA) enabled, with multiple IMA modes configured as separate GRUB2 menu entries. The system fails to reliably boot into the measured launch environment when all default GRUB menu entries are present.

      What is the impact of this issue to you?

      On RHEL 9 systems with Trusted Boot and multiple IMA modes configured as separate GRUB menu entries, GRUB2 loads the same kernel, initramfs, and tboot artifacts independently for each menu entry, even when the file paths are identical.

      This behavior causes excessive memory consumption inside GRUB during early boot. On systems with more constrained memory availability at boot time, such as servers with 16 GB RAM, this results in GRUB failures and boot hangs.

      Observed errors include:

      • Unknown TPM error
      • Must load the kernel first

      These errors occur at the GRUB stage and prevent the system from booting.

      Please provide the package NVR for which the bug is seen:

      • grub2-common-2.06-86.el9_4.3
      • Also reproduced with grub2-common-2.06-114.el9_7

      How reproducible is this bug?:

      Always reproducible. The issue occurs on every boot when the described GRUB configuration is present.

      Steps to reproduce

      1. Install RHEL 9 on a UEFI-based system with TPM 2.0 available.
      2. Configure GRUB2 with multiple menu entries that reference the same kernel, initramfs, and tboot.gz.
      3. Enable Trusted Boot and configure multiple IMA modes (enforce, audit, fix) as separate GRUB entries.
      4. Boot the system on hardware with 16 GB RAM.
      5. Observe GRUB errors and boot hang.
      6. Remove most GRUB entries, leaving only standard RHEL, rescue, and one Trusted Boot with IMA enforcing entry.
      7. Reboot and observe that the system boots successfully.

      Expected results

      GRUB2 should efficiently manage memory when multiple menu entries reference identical artifacts and avoid loading duplicate copies into memory.

      Requested Enhancement

      • Deduplicate identical kernel, initramfs, and tboot images across GRUB menu entries.
      • Improve GRUB memory handling when Trusted Boot and IMA are enabled.
      • Prevent GRUB-stage failures caused by excessive memory usage from large or repetitive menu configurations.
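
For the pruning in step 6 of the reproduction, it helps to see which menu entries load exactly the same files and differ only in IMA arguments. The following is an added example, not code from the ticket or from GRUB; it assumes the Trusted Boot entries appear as `menuentry` blocks using `multiboot2`/`module2` lines, and the entry titles, file names and `ima_appraise=` values in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# GRUB commands whose first argument is a file to read from disk.
LOADERS = {"multiboot2", "module2", "linux", "linuxefi", "initrd", "initrdefi"}
# Constructed sample config (placeholder names), not taken from the report.
SAMPLE_CFG = """
menuentry 'RHEL' {
    linux /vmlinuz-EXAMPLE root=/dev/mapper/rhel-root ro
    initrd /initramfs-EXAMPLE.img
}
menuentry 'RHEL tboot, IMA enforce' {
    multiboot2 /tboot.gz logging=serial,memory
    module2 /vmlinuz-EXAMPLE root=/dev/mapper/rhel-root ro ima_appraise=enforce
    module2 /initramfs-EXAMPLE.img
}
menuentry 'RHEL tboot, IMA fix' {
    multiboot2 /tboot.gz logging=serial,memory
    module2 /vmlinuz-EXAMPLE root=/dev/mapper/rhel-root ro ima_appraise=fix
    module2 /initramfs-EXAMPLE.img
}
"""

def parse_entries(cfg):
    """Return [(title, [(path, args), ...])] for each menuentry block."""
    entries, current = [], None
    for raw in cfg.splitlines():
        parts = raw.split()
        m = re.match(r"\s*menuentry\s+(['\"])(.*?)\1", raw)
        if m:
            current = []
            entries.append((m.group(2), current))
        elif parts == ["}"]:
            current = None  # end of a menuentry (or submenu) block
        elif current is not None and len(parts) > 1 and parts[0] in LOADERS:
            current.append((parts[1], parts[2:]))
    return entries

def shared_artifacts(cfg):
    """Map each file set loaded by 2+ entries to [(title, ima_args)]."""
    groups = defaultdict(list)
    for title, loads in parse_entries(cfg):
        files = tuple(path for path, _ in loads)
        ima = [a for _, args in loads for a in args if a.startswith("ima")]
        if files:
            groups[files].append((title, ima))
    return {f: e for f, e in groups.items() if len(e) > 1}

if __name__ == "__main__":
    print(shared_artifacts(SAMPLE_CFG))
```

Pass the contents of the generated GRUB configuration file instead of `SAMPLE_CFG` to list the entries that reference identical artifacts.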

              bootloader-eng-team
              rhn-support-prjagtap Pradeep Jagtap
              Release Test Team