grub-efi-amd64-signed is missing modules for GRUB_ENABLE_CRYPTODISK=y

Bug #1360203 reported by Anders Kaseorg on 2014-08-22
This bug affects 8 people
Affects                 Status   Importance   Assigned to   Milestone
grub2-signed (Ubuntu)            Undecided    Unassigned

Bug Description

Grub has support for booting from a fully encrypted /, including encrypted /boot, when GRUB_ENABLE_CRYPTODISK=y is set in /etc/default/grub. However, grub-efi-amd64-signed needs some extra modules to support this: procfs, cryptodisk, luks, gcry_rijndael, gcry_sha1. I had to copy these five modules into /boot/efi/EFI/ubuntu/x86_64-efi and prepend these lines to /boot/efi/EFI/ubuntu/grub.cfg:

  insmod procfs
  insmod cryptodisk
  insmod luks
  insmod gcry_rijndael
  insmod gcry_sha1
  cryptomount -u <32-digit uuid>

With secure boot disabled, this works fine. (I’m slightly annoyed about getting two passphrase prompts, one for GRUB and one for Linux, but whatever.)

However, the insmod commands prevent me from enabling secure boot:

error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/procfs.mod
error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/cryptodisk.mod
error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/luks.mod
error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/gcry_rijndael.mod
error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/gcry_sha1.mod

Would it be possible to add those modules to grub-efi-amd64-signed?
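As an added example (not code from the bug report or from the grub2-signed package), the workaround described above as a POSIX shell script: it normalises the LUKS UUID for `cryptomount -u`, checks that the five modules exist in a source module directory, copies them into the directory GRUB loads from, and emits the lines to prepend to grub.cfg. The directory arguments are parameters, not Ubuntu defaults, and stripping the hyphens from the `cryptsetup luksUUID` output is an assumption matching the report's `<32-digit uuid>` placeholder.

```shell
#!/bin/sh
# Added example for the cryptodisk workaround in the report; not the
# reporter's or the package's own code. Paths are passed in as arguments.

# The five modules the report says grub-efi-amd64-signed lacks.
CRYPTODISK_MODULES="procfs cryptodisk luks gcry_rijndael gcry_sha1"

# cryptomount -u takes the LUKS UUID as 32 hex digits: the output of
# `cryptsetup luksUUID <dev>` with hyphens removed (assumption, matching
# the "<32-digit uuid>" placeholder in the report).
grub_uuid() {
    printf '%s' "$1" | tr -d '-' | tr 'A-F' 'a-f'
}

# Print the required .mod files missing from directory $1 (e.g. the
# /usr/lib/grub/x86_64-efi module tree), one per line; return 0 if none.
missing_modules() {
    dir=$1 status=0
    for m in $CRYPTODISK_MODULES; do
        [ -f "$dir/$m.mod" ] || { echo "$m"; status=1; }
    done
    return $status
}

# Copy the modules from $1 into $2 (/boot/efi/EFI/ubuntu/x86_64-efi in the
# report). Refuses to do a partial copy when any module is missing.
install_modules() {
    missing_modules "$1" >/dev/null || return 1
    mkdir -p "$2" || return 1
    for m in $CRYPTODISK_MODULES; do
        cp "$1/$m.mod" "$2/" || return 1
    done
}

# Emit the lines to prepend to grub.cfg for the LUKS volume with UUID $1.
# Rejects anything that is not exactly 32 hex digits after normalisation.
cryptodisk_preamble() {
    uuid=$(grub_uuid "$1")
    case $uuid in *[!0-9a-f]*) uuid='' ;; esac
    if [ "${#uuid}" -ne 32 ]; then
        echo "cryptodisk_preamble: bad LUKS UUID '$1'" >&2
        return 1
    fi
    for m in $CRYPTODISK_MODULES; do
        echo "insmod $m"
    done
    echo "cryptomount -u $uuid"
}
```

As the report itself shows, the generated `insmod` lines are exactly what Secure Boot refuses, so this reproduces only the configuration that works with Secure Boot disabled.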

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2-signed (Ubuntu):
status: New → Confirmed
kay (kay-diam) wrote :

+1. But it looks like the cryptodisk module was not audited.
Probably a duplicate of https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1548293

kay (kay-diam) wrote :

Some additional info:
* partly relates to https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1475954
* cryptodisk is not included here: https://anonscm.debian.org/cgit/pkg-grub/grub.git/tree/debian/build-efi-images
* efi image should also include at least these modules: gcry_sha256, gcry_sha512, luks, gcry_rijndael

Vertago1 (vertago1) wrote :

Is there a workaround to this problem without disabling secure boot?

kay (kay-diam) wrote :

@vertago, build your own EFI GRUB and sign it with your own key. Custom certificates should be installed into the EFI BIOS.

@kay-diam, that doesn't work for my situation. I have a USB drive that I need to be able to boot on various machines that I either can't or don't want to make BIOS changes to.

kay (kay-diam) wrote :

@christopher-l-marks, well, please ping the Ubuntu GRUB team. They haven't responded to me yet :(

Nicholas (palma95) wrote :

All gcry modules should be included, since any user can choose a different cipher or hash, and using a custom GRUB config file does not prevent, for example, booting a pendrive on a different system, while the need to MOK one's own key does, quite a lot.
