Ubuntu
grub2 package

Configuration generated for encrypted boot is not bootable

Bug #1670552 reported by Nazar Mokrynskyi on 2017-03-07

This bug report is a duplicate of: Bug #1062623: enable grub-2.00 boot-from-luks support. Edit Remove

This bug affects 6 people

Affects		Status	Importance	Assigned to	Milestone
	grub2 (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

I've being experimenting with completely encrypted system on virtual machine and got some problems with automatically generated configs.

In my test setup:
/dev/sda - ESP partition, mounted as /boot/efi
/dev/mapper/system1 is BTRFS partition on /dev/sdb with LUKS encryption

/etc/fstab:
/dev/mapper/system1 / btrfs defaults,subvol=@ 0 1
UUID=6EF4-C0FE /boot/efi vfat umask=0077 0 1
/dev/mapper/system1 /home btrfs defaults,subvol=@home 0 2

Except first column generated during initial installation.

/etc/crypttab:
system1 UUID=6a01d12f-f4c4-4818-8650-2df0baca84bc none luks,keyscript=/etc/cryptroot/system.64.sh

File /etc/cryptroot/system.64.sh, obviously, exists.

/etc/default/grub contains:
- `GRUB_ENABLE_CRYPTODISK=y`
- and even `GRUB_PRELOAD_MODULES="luks cryptodisk procfs"` (shouldn't be necessary and doesn't change anything anyway)

What goes wrong in this setup out of the box:
1) `ESP\EFI\ubuntu\grubx64.efi` doesn't have built-in modules `luks`, `cryptodisk`, `procfs` and `gcry_*` without which it is not possible to decrypt anything and thus boot the system (initially commented here: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1565950)
2) `ESP\EFI\ubuntu\grub.cfg` contains incomplete config to actually decrypt system (and will be re-written on package update, which is even worse)

`ESP\EFI\ubuntu\grub.cfg` as generated by `dpkg-reconfigure grub-efi-amd64`:
cryptomount -u 6a01d12ff4c4481886502df0baca84bc
search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
set prefix=($root)'/@/boot/grub'
configfile $prefix/grub.cfg

What I did instead is I've copied `/boot/grub/x86_64-efi` (only `luks.mod`, `cryptodisk.mod`, `procfs.mod` and relevant `gcry_*.mod` files are needed from there) to `ESP\x86_64-efi` and changed `ESP\EFI\ubuntu\grub.cfg` to following (first 4 lines added):
search.fs_uuid 6EF4-C0FE boot
set prefix=($boot)
insmod luks
cryptomount -u 6a01d12ff4c4481886502df0baca84bc
search.fs_uuid bb3594a7-41b0-484c-91ad-48424184169e root cryptouuid/6a01d12ff4c4481886502df0baca84bc
set prefix=($root)'/@/boot/grub'
configfile $prefix/grub.cfg

Things are getting even worse when BTRFS is not on single partition/disk, but on few in RAID, since more manual configuration is needed.

Would be nice to see additional modules added to `grubx64.efi` and fixed `ESP\EFI\ubuntu\grub.cfg` generation by grub2 package.

See original description

Nazar Mokrynskyi (nazar-pc) on 2017-03-07

description:

updated

Nazar Mokrynskyi (nazar-pc) on 2017-03-07

description:

updated

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-03-14:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu):
status:	New → Confirmed

Revision history for this message

The Lynxy (lynxy) wrote on 2017-03-14:

Thank you so much for your detailed steps, I was encountering the same problem and was able to fix it based on your info.

An encrypted boot partition seems like an important thing to have. Since grub supports such a thing, it only seems logical that grub would be able to detect an encrypted partition and automatically insert the correct configuration into the EFI grub.cfg file. Am I crazy?