grub-efi-amd64-signed is missing modules for GRUB_ENABLE_CRYPTODISK=y

Bug #1360203 reported by Anders Kaseorg
This bug affects 8 people
Affects: grub2-signed (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none set)

Bug Description

Grub has support for booting from a fully encrypted /, including encrypted /boot, when GRUB_ENABLE_CRYPTODISK=y is set in /etc/default/grub. However, grub-efi-amd64-signed needs some extra modules to support this: procfs, cryptodisk, luks, gcry_rijndael, gcry_sha1. I had to copy these five modules into /boot/efi/EFI/ubuntu/x86_64-efi and prepend these lines to /boot/efi/EFI/ubuntu/grub.cfg:

  insmod procfs
  insmod cryptodisk
  insmod luks
  insmod gcry_rijndael
  insmod gcry_sha1
  cryptomount -u <32-digit uuid>

With secure boot disabled, this works fine. (I’m slightly annoyed about getting two passphrase prompts, one for GRUB and one for Linux, but whatever.)

However, the insmod commands prevent me from enabling secure boot:

error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/procfs.mod
error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/cryptodisk.mod
error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/luks.mod
error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/gcry_rijndael.mod
error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/gcry_sha1.mod

Would it be possible to add those modules to grub-efi-amd64-signed?

Tags: amd64 utopic
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2-signed (Ubuntu):
status: New → Confirmed
kay (kay-diam) wrote :

+1. But it looks like the cryptodisk module was not audited.
Probably a duplicate of https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1548293

kay (kay-diam) wrote :

Some additional info:
* partly relates to https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1475954
* cryptodisk is not included here: https://anonscm.debian.org/cgit/pkg-grub/grub.git/tree/debian/build-efi-images
* the EFI image should also include at least these modules: gcry_sha256, gcry_sha512, luks, gcry_rijndael

Vertago1 (vertago1) wrote :

Is there a workaround to this problem without disabling secure boot?

kay (kay-diam) wrote :

@vertago, build your own EFI GRUB and sign it with your own key. Custom certificates should be installed into the EFI BIOS.

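The two pieces of advice above, the reporter's hand-prepended `insmod`/`cryptomount` prelude and kay's suggestion to build and self-sign a GRUB image, fit together in one script. The following is an added example, not code from the bug report or from the Ubuntu GRUB packaging: it generates the prelude with a validated LUKS UUID (the `<32-digit uuid>` from the report), builds a standalone x86_64 EFI image with the listed modules compiled in (so no `insmod` from a `.mod` file is needed at runtime, which is exactly what the Secure Boot errors above forbid), and signs it with `sbsign`. It assumes `grub-mkstandalone` (grub-common) and `sbsign` (sbsigntool) are installed, that the signing key and certificate already exist, and that the certificate has been enrolled in the firmware or via MOK as kay describes; the argument names and the stub-config path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): build a standalone GRUB EFI image with
# the cryptodisk modules embedded and sign it with a locally held key.
set -eu

# Modules named in the report and the follow-up comments.
CRYPTODISK_MODULES="procfs cryptodisk luks gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512"

# Emit the grub.cfg prelude the reporter prepended by hand.
# $1: LUKS header UUID; dashes are stripped because `cryptomount -u` takes the
#     32 hex digits without them. Rejects anything that is not exactly 32 hex digits.
# With the modules built into the image the insmod lines are harmless no-ops;
# the cryptomount line is what unlocks the container holding /boot.
cryptodisk_prelude() {
    uuid=$(printf '%s' "$1" | tr -d '-' | tr 'A-F' 'a-f')
    case "$uuid" in
        *[!0-9a-f]*|"") echo "invalid LUKS UUID: $1" >&2; return 1 ;;
    esac
    [ "${#uuid}" -eq 32 ] || { echo "invalid LUKS UUID length: $1" >&2; return 1; }
    for m in $CRYPTODISK_MODULES; do
        echo "insmod $m"
    done
    echo "cryptomount -u $uuid"
}

# Build and sign the image.
# $1: LUKS UUID   $2: signing key (PEM)   $3: certificate (PEM)
# $4: output path $5: existing EFI stub grub.cfg to append after the prelude
#     (on Ubuntu that is /boot/efi/EFI/ubuntu/grub.cfg, the file the reporter edited)
# grub-mkstandalone compiles --modules into the core image and embeds the config
# as boot/grub/grub.cfg, so nothing has to be loaded from an unsigned .mod file.
build_signed_grub() {
    uuid=$1; key=$2; cert=$3; out=$4; stub_cfg=$5
    tmp=$(mktemp -d)
    cryptodisk_prelude "$uuid" > "$tmp/grub.cfg"
    cat "$stub_cfg" >> "$tmp/grub.cfg"
    grub-mkstandalone -O x86_64-efi \
        --modules="$CRYPTODISK_MODULES" \
        -o "$tmp/grubx64.efi" \
        "boot/grub/grub.cfg=$tmp/grub.cfg"
    # Sign with the owner's key; the matching certificate must be trusted by the
    # firmware (db) or enrolled through MOK for shim to accept this image.
    sbsign --key "$key" --cert "$cert" --output "$out" "$tmp/grubx64.efi"
    rm -rf "$tmp"
}

# Example invocation (all paths are placeholders, run as root on the target system):
# build_signed_grub "$(cryptsetup luksUUID /dev/sdXN)" /path/to/owner.key \
#     /path/to/owner.crt /boot/efi/EFI/ubuntu/grubx64.efi /boot/efi/EFI/ubuntu/grub.cfg
```

The script only defines functions; the commented invocation is the form a practitioner would run once the key material is in place. The point to take from it is the one the bug is about: under Secure Boot the signed GRUB will not `insmod` from disk, so the cryptodisk support has to be compiled into the signed image, either by the distribution (the request in this bug) or by the user with their own key.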
Chris Marks (christopher-l-marks) wrote :

@kay-diam, that doesn't work for my situation. I have a USB drive that I need to be able to boot on various machines that I either can't or don't want to make BIOS changes to.

kay (kay-diam) wrote :

@christopher-l-marks, well, please ping the Ubuntu grub team. They haven't responded to me yet :(

Nicholas (palma95) wrote :

All gcry modules should be included, since any user can choose a different cipher or hash, and using a custom grub config file does not prevent, for example, booting a pendrive on a different system, while the need to MOK-enroll one's own key does, quite a lot.
