kernel-packages team mailing list archive
Message #162115
[Bug 1548293] [NEW] Default image of the signed EFI GRUB2 (secureboot) doesn't have "GRUB_ENABLE_CRYPTODISK" feature
Public bug reported:
Fully encrypted LVM (+ encrypted boot partition) with the signed linux
images.
When I install grub-efi-amd64 with "GRUB_ENABLE_CRYPTODISK=y"
(please note that the suggested "GRUB_ENABLE_CRYPTODISK=1" doesn't work
because of the bug inside /usr/share/grub/grub-mkconfig_lib), it
successfully generates the /boot/grub/x86_64-efi/core.efi file, copies it
to /boot/efi/EFI/ubuntu/grubx64.efi and boots fine.
/boot/efi/EFI/ubuntu/grub.cfg looks like:
search.fs_uuid 22167461-e1e7-4188-80bf-8044c57977b0 root lvmid/qXy4Mj-jfjK-f0r2-ei33-fZrm-y4x5-SciAJP/giWh12-csOK-s766-lnFO-Zxh4-6LY5-pk50UM
set prefix=($root)'/grub'
configfile $prefix/grub.cfg
But when I enable SecureBoot and install grub-efi-amd64-signed, it
doesn't generate a custom /boot/grub/x86_64-efi/core.efi (because it is
signed) and just copies
/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed to
/boot/efi/EFI/ubuntu/grubx64.efi. But unfortunately this precompiled
signed GRUB EFI image doesn't support encrypted volumes (I assume
because of the "GRUB_ENABLE_CRYPTODISK=1" bug in the original
grub-efi-amd64 package mentioned above).
The new Ubuntu Xenial is also affected (I tried the GRUB EFI image from
the xenial package and it doesn't work as expected). I would really
appreciate it if you fix that before the Xenial release.
** Affects: grub2-signed (Ubuntu)
Importance: Undecided
Status: New
** Package changed: linux (Ubuntu) => grub2-signed (Ubuntu)
** Summary changed:
- Default image of the signed EFI GRUB2 doesn't have "GRUB_ENABLE_CRYPTODISK" feature (secureboot)
+ Default image of the signed EFI GRUB2 (secureboot) doesn't have "GRUB_ENABLE_CRYPTODISK" feature
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1548293
Title:
Default image of the signed EFI GRUB2 (secureboot) doesn't have
"GRUB_ENABLE_CRYPTODISK" feature
Status in grub2-signed package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1548293/+subscriptions
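
The report above describes two conditions that can be checked on an installed system: whether GRUB_ENABLE_CRYPTODISK is set to "y" rather than "1", and whether the image on the ESP is just a copy of the prebuilt signed image. The script below is an added example, not part of the bug report or of the grub2 packages; the function names and verdict strings are hypothetical, and the three file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the bug report. File paths are arguments so the
# checks can be run on copies; the verdict strings are made up for this sketch.

# Print the last uncommented GRUB_ENABLE_CRYPTODISK value in a defaults file
# (quotes and trailing comments stripped). Prints nothing if it is not set.
cryptodisk_value() {
    sed -n 's/^[[:space:]]*GRUB_ENABLE_CRYPTODISK=\([^#[:space:]]*\).*/\1/p' "$1" |
        tail -n 1 | tr -d "\"'"
}

# 0: value is "y" (what the reporter says works)
# 1: set to anything else, e.g. "1" (what the reporter says does not work)
# 2: not set
check_cryptodisk_setting() {
    case "$(cryptodisk_value "$1")" in
        y)  return 0 ;;
        "") return 2 ;;
        *)  return 1 ;;
    esac
}

# True when the image on the ESP is byte-identical to the prebuilt signed
# image, i.e. it was copied from the package rather than generated locally.
is_prebuilt_signed() {
    cmp -s "$1" "$2"
}

# audit_boot_config DEFAULTS_FILE ESP_IMAGE SIGNED_IMAGE -> one-word verdict
audit_boot_config() {
    rc=0
    check_cryptodisk_setting "$1" || rc=$?
    case "$rc" in
        1) echo bad-value; return ;;
        2) echo not-set; return ;;
    esac
    if is_prebuilt_signed "$2" "$3"; then
        echo setting-ignored-by-prebuilt-image
    else
        echo ok
    fi
}

# Run only when all three paths are given on the command line.
if [ "$#" -eq 3 ]; then
    audit_boot_config "$@"
fi
```

With the paths named in the report, the call would be `audit_boot_config /etc/default/grub /boot/efi/EFI/ubuntu/grubx64.efi /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed`, where /etc/default/grub is assumed as the location of the setting.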