2016-02-22 12:22:43 |
kay |
bug |
|
|
added bug |
2016-02-22 12:23:34 |
kay |
affects |
linux (Ubuntu) |
grub2-signed (Ubuntu) |
|
2016-02-22 12:26:39 |
kay |
summary |
Default image of the signed EFI GRUB2 doesn't have "GRUB_ENABLE_CRYPTODISK" feature (secureboot) |
Default image of the signed EFI GRUB2 (secureboot) doesn't have "GRUB_ENABLE_CRYPTODISK" feature |
|
2016-02-22 12:51:11 |
kay |
bug task added |
|
grub2 (Ubuntu) |
|
2016-02-23 12:00:30 |
kay |
description |
Fully encrypted LVM (+ encrypted boot partition) with the signed linux images.
When I install grub-efi-amd64 with "GRUB_ENABLE_CRYPTODISK=y" (please note that the suggested "GRUB_ENABLE_CRYPTODISK=1" doesn't work because of the bug inside /usr/share/grub/grub-mkconfig_lib), it successfully generates the /boot/grub/x86_64-efi/core.efi file, copies it into /boot/efi/EFI/ubuntu/grubx64.efi and boots fine. /boot/efi/EFI/ubuntu/grub.cfg looks like:
search.fs_uuid 22167461-e1e7-4188-80bf-8044c57977b0 root lvmid/qXy4Mj-jfjK-f0r2-ei33-fZrm-y4x5-SciAJP/giWh12-csOK-s766-lnFO-Zxh4-6LY5-pk50UM
set prefix=($root)'/grub'
configfile $prefix/grub.cfg
But when I enable SecureBoot and install grub-efi-amd64-signed, it doesn't generate a custom /boot/grub/x86_64-efi/core.efi (because it is signed) and just copies /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed to /boot/efi/EFI/ubuntu/grubx64.efi. But unfortunately this precompiled signed grub efi image doesn't support encrypted volumes (I assume because of the "GRUB_ENABLE_CRYPTODISK=1" bug in the original grub-efi-amd64 package mentioned above).
The new Ubuntu Xenial is also affected (I tried the grub efi image from the xenial package and it doesn't work as expected). I would really appreciate it if you fixed that before the Xenial release. |
Fully encrypted LVM (+ encrypted boot partition) with the signed linux images.
When I install grub-efi-amd64 with "GRUB_ENABLE_CRYPTODISK=y" (please note that the suggested "GRUB_ENABLE_CRYPTODISK=1" doesn't work because of the bug inside /usr/share/grub/grub-mkconfig_lib), it successfully generates the /boot/grub/x86_64-efi/core.efi file, copies it into /boot/efi/EFI/ubuntu/grubx64.efi and boots fine. /boot/efi/EFI/ubuntu/grub.cfg looks like:
cryptomount -u 756189f1463542039f2c03fd3cbb12f6
search.fs_uuid 22167461-e1e7-4188-80bf-8044c57977b0 root lvmid/qXy4Mj-jfjK-f0r2-ei33-fZrm-y4x5-SciAJP/giWh12-csOK-s766-lnFO-Zxh4-6LY5-pk50UM
set prefix=($root)'/grub'
configfile $prefix/grub.cfg
But when I enable SecureBoot and install grub-efi-amd64-signed, it doesn't generate a custom /boot/grub/x86_64-efi/core.efi (because it is signed) and just copies /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed to /boot/efi/EFI/ubuntu/grubx64.efi. But unfortunately this precompiled signed grub efi image doesn't support encrypted volumes (I assume because of the "GRUB_ENABLE_CRYPTODISK=1" bug in the original grub-efi-amd64 package mentioned above).
The new Ubuntu Xenial is also affected (I tried the grub efi image from the xenial package and it doesn't work as expected). I would really appreciate it if you fixed that before the Xenial release. |
|
2016-02-26 17:05:53 |
kay |
marked as duplicate |
|
1360203 |
|
2016-04-05 08:26:47 |
Bernhard Schmidt |
bug |
|
|
added subscriber Bernhard Schmidt |
2016-04-05 13:20:03 |
Chris Marks |
changed duplicate marker |
1360203 |
1565950 |
|
2016-07-13 14:22:50 |
Phillip Susi |
changed duplicate marker |
1565950 |
1062623 |
|
2016-07-14 03:25:26 |
Anders Kaseorg |
changed duplicate marker |
1062623 |
1565950 |
|
2017-01-19 07:23:34 |
Launchpad Janitor |
grub2 (Ubuntu): status |
New |
Confirmed |
|
2017-01-19 07:23:34 |
Launchpad Janitor |
grub2-signed (Ubuntu): status |
New |
Confirmed |
|
2017-12-03 05:04:25 |
Andrew Gunnerson |
bug |
|
|
added subscriber Andrew Gunnerson |