Default image of the signed EFI GRUB2 (secureboot) doesn't have "GRUB_ENABLE_CRYPTODISK" feature

Bug #1548293 reported by kay on 2016-02-22
This bug affects 3 people
Affects: grub2 (Ubuntu), importance Undecided, assigned to Unassigned, no milestone
Affects: grub2-signed (Ubuntu), importance Undecided, assigned to Unassigned, no milestone

Bug Description

Fully encrypted LVM (+ encrypted boot partition) with the signed linux images.

When I install grub-efi-amd64 with "GRUB_ENABLE_CRYPTODISK=y" (please note that the suggested "GRUB_ENABLE_CRYPTODISK=1" doesn't work because of the bug inside /usr/share/grub/grub-mkconfig_lib), it successfully generates the /boot/grub/x86_64-efi/core.efi file, copies it into /boot/efi/EFI/ubuntu/grubx64.efi and boots fine. /boot/efi/EFI/ubuntu/grub.cfg looks like:

cryptomount -u 756189f1463542039f2c03fd3cbb12f6
search.fs_uuid 22167461-e1e7-4188-80bf-8044c57977b0 root lvmid/qXy4Mj-jfjK-f0r2-ei33-fZrm-y4x5-SciAJP/giWh12-csOK-s766-lnFO-Zxh4-6LY5-pk50UM
set prefix=($root)'/grub'
configfile $prefix/grub.cfg

But when I enable SecureBoot and install grub-efi-amd64-signed, it doesn't generate a custom /boot/grub/x86_64-efi/core.efi (because the image is signed) and just copies /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed to /boot/efi/EFI/ubuntu/grubx64.efi. Unfortunately this precompiled signed grub EFI image doesn't support encrypted volumes (I assume because of the "GRUB_ENABLE_CRYPTODISK=1" bug in the original grub-efi-amd64 package mentioned above).

The new Ubuntu Xenial is also affected (I tried the grub EFI image from the xenial package and it doesn't work as expected). I would really appreciate it if you fix that before the Xenial release.
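As an added illustration (not part of the bug report and not code from Ubuntu's grub packages), the following POSIX shell check tells you, before Secure Boot is turned on, whether the GRUB image that actually landed on the ESP carries the modules an encrypted /boot needs, so the mismatch described in the report shows up at install time instead of at the next reboot. It assumes that GRUB records each built-in module's name inside the image (in the module's .modname section), so the names are visible as printable strings; the cipher and hash modules in the list (gcry_rijndael, gcry_sha256) are an assumption and must be adjusted to what the LUKS volume actually uses. The grubx64.efi path in the usage line is the one from the report; the sample images in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or from Ubuntu's grub packages.
# Reports which modules needed to unlock a LUKS-encrypted /boot are NOT
# built into an EFI GRUB core image.
#
# Assumption: GRUB keeps each embedded module's name in that module's
# .modname section, so the names appear as printable strings in the image.

# Modules an encrypted /boot needs: the cryptodisk framework, the LUKS
# backend, and the cipher/hash of the volume. gcry_rijndael (AES) and
# gcry_sha256 are assumptions; adjust them to what cryptsetup reports.
NEEDED_MODULES="cryptodisk luks gcry_rijndael gcry_sha256"

# grub_image_missing_modules IMAGE MODULE...
# Prints every MODULE that is not present in IMAGE, one per line.
# Returns 0 if all are present, 1 if any is missing, 2 if IMAGE is unreadable.
grub_image_missing_modules() {
    gimm_image="$1"; shift
    [ -r "$gimm_image" ] || { echo "cannot read $gimm_image" >&2; return 2; }
    gimm_rc=0
    for gimm_mod in "$@"; do
        # tr turns every non-printable byte into a line break, which gives
        # the same view of the binary as strings(1) without needing binutils.
        # grep -x: the whole line must match, so "luks" does not match "luks2".
        if ! LC_ALL=C tr -c '[:print:]' '\n' < "$gimm_image" | grep -qx "$gimm_mod"; then
            echo "$gimm_mod"
            gimm_rc=1
        fi
    done
    return $gimm_rc
}

# Usage: sh check-grub-crypto.sh /boot/efi/EFI/ubuntu/grubx64.efi
if [ $# -gt 0 ]; then
    if gimm_out=$(grub_image_missing_modules "$1" $NEEDED_MODULES); then
        echo "$1: all modules for an encrypted /boot are built in"
    else
        echo "$1: modules missing for an encrypted /boot:" $gimm_out
    fi
fi
```

Run it against the file GRUB actually installed on the ESP, not against the unsigned core.efi under /boot/grub, since, as the report explains, the signed package copies a prebuilt image to /boot/efi/EFI/ubuntu/grubx64.efi instead of the one generated from your GRUB_ENABLE_CRYPTODISK setting. A non-empty list means that image cannot run the cryptomount line in the ESP grub.cfg on its own.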

kay (kay-diam) on 2016-02-22
affects: linux (Ubuntu) → grub2-signed (Ubuntu)
summary: - Default image of the signed EFI GRUB2 doesn't have
- "GRUB_ENABLE_CRYPTODISK" feature (secureboot)
+ Default image of the signed EFI GRUB2 (secureboot) doesn't have
+ "GRUB_ENABLE_CRYPTODISK" feature
kay (kay-diam) on 2016-02-23
description: updated
kay (kay-diam) wrote :

Looks like cryptodisk module was not audited.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu):
status: New → Confirmed
Changed in grub2-signed (Ubuntu):
status: New → Confirmed