[Bug 1813126] Re: [19.04] GRUB_ENABLE_CRYPTODISK=y ignored

TJ ubuntu at iam.tj
Tue Jun 4 18:51:10 UTC 2019 

Further investigation revealed that a change to the semantics of
'cryptsetup' tool is responsible for the specific manual build I did.

On 18.04 'cryptsetup luksFormat --type=luks ...' would create a LUKS v1
header. On 19.04 it creates a LUKS v2 header. GRUB only supports LUKS v1
headers currently.

To resolve this on 19.04 we need to use "cryptsetup luksFormat
--type=luks1 ...".

If the do-release-upgrade process is breaking existing bootable GRUB
file-systems this is likely because there is some LUKSv1 to LUKSv2
conversion being done - which the OS is fine with. If this is correct,
presumably the conversion code doesn't check if GRUB is also using the
LUKS device and in converting it to v2 breaks GRUB.

My workaround from a liveISO to switch back to LUKS v1 was to do the
following (as UID 0 root). I've tried to make this portable but there
may be some typing mistakes so please proof-read carefully!

# set the following variables for your target system

# device where OS is installed (usually the same as GRUB_DEV)
DEV_INSTALL="sdZ"
# partition number for /boot/ partition (e.g. from /dev/sdZ3)
PART_BOOT="3"
# partition for root file-system  (e.g. from /dev/sdZ4)
PART_ROOT="4"
# device-mapper name of unencrypted /boot/ device
LUKS_BOOT="LUKS_BOOT"
# LVM names of root file-system 
VG="ubuntu"
LV="rootfs"

# shouldn't need to edit any variables from here onwards

# device to install GRUB on
export DEV_GRUB="/dev/$INSTALL_DEV"

# device-mapper name of the unencrypted /boot device
FS_BOOT="/dev/mapper/$LUKS_BOOT"
# encrypted /boot device
DEV_BOOT="/dev/${DEV_INSTALL}${PART_BOOT}"

# device-mapper name of the rootfs device
FS_ROOT="/dev/mapper/$VG-$LV"
LUKS_ROOT="${INSTALL_DEV}${PART_ROOT}_crypt"
# encrypted rootfs device
DEV_ROOT="/dev/${INSTALL_DEV}${PART_ROOT}"

# mountpoint for root file-system
TARGET="/target"
# boot directory
BOOT="$TARGET/boot"
# back-up directory 
BAK="/tmp/boot.bak"


mkdir $TARGET $BAK
cryptdisk_start $LUKS_ROOT
lvm vgchange -ay
mount $FS_ROOT $TARGET
cryptdisk_start $LUKS_BOOT
mount $FS_BOOT $BOOT 
cp -a $BOOT/* $BAK/
umount $BOOT
cryptdisk_stop $LUKS_BOOT
cryptsetup luksFormat --type=luks1 $DEV_BOOT
# use the existing UUID from crypttab
cryptsetup luksUUID --uuid $( sed -n '/'$LUKS_BOOT'/ s/.*UUID=\([^ ]*\).*/\1/ p' $TARGET/etc/crypttab ) $DEV_BOOT
cryptdisk_start $LUKS_BOOT
mkfs.ext -L /boot $FS_BOOT
mount $FS_BOOT $BOOT
cp -a $BAK/* $BOOT/

for n in proc sys dev etc/resolv.conf; do mount --rbind /$n $TARGET/$n; done
chroot $TARGET

# inside the chroot of the broken OS
mount -a
update-grub
grep -o 'cryptodisk' || echo "Eror: grub.cfg has no LUKS support"
grub-install -v $DEV_GRUB >& /tmp/grub-install.log
grep 'grub-mkimage' /tmp/grub-install.log | grep -o cryptodisk || echo "Error: GRUB has no LUKS support installed"

# if all OK...
exit

# clean up
for n in etc/resolv.conf dev sys proc $BOOT $TARGET; do umount $TARGET/$n; done
cryptdisk_stop $LUKS_BOOT
cryptdisk_stop $LUKS_ROOT

# finished
exit

# reboot and test

** Summary changed:

- [19.04] GRUB_ENABLE_CRYPTODISK=y ignored
+ [19.04] GRUB_ENABLE_CRYPTODISK=y ignored if /boot/ in LUKSv2 format

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1813126

Title:
  [19.04] GRUB_ENABLE_CRYPTODISK=y ignored if /boot/ in LUKSv2 format

Status in grub2 package in Ubuntu:
  Incomplete

Bug description:
  On my freshly-installed and up-to-date 18.10 with full-disk encryption, I decided to upgrade to 19.04 (dev) using _update-manager -d_.
  Everything seemed fine, until I rebooted and the Grub configuration apparently had been overwritten, and it does not offer to enter the master password, so cannot find the root VG.

  This is all happening on my Lenovo T480 PC, with only Ubuntu (no dual-
  boot).

  I tried boot-repair, applying any suggestion it threw at me, but it
  could not fix the issue.

  I did try to add GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub and
  successfully run update-grub in a chroot, but this did not fix the
  issue.

  Feel free to ask for more details, but diagnostic is limited, as the
  system is not booting, from the very early stages.

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1813126/+subscriptions

More information about the foundations-bugs mailing list