[Bug 1914953] [NEW] grub2 incompatibility between at_keyboard and gfxterm modules lead to impossible to type passphrase or access ubuntu grub2 menu on a fully encrypted installation

Fabien 1914953 at bugs.launchpad.net
Sun Feb 7 19:37:03 UTC 2021 

Public bug reported:

Hello,

On a fresh installed Ubuntu 20.04.1 LTS (tested with Mate & Ubuntu with
two different brands and configurations of laptops) fully luks encrypted
systems using this guide
https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019 with
the fellowing configurations:

laptop 1 (Dell): x64_86 BIOS/GPT
/dev/sda1 => bios_grub
/dev/sda2 => luks encrypted LVM with VG,LV /boot, /root, /home, /swap

laptop 2 (Acer): x64_86 UEFI/GPT
/dev/sda1 => ESP
/dev/sda2 => luks encrypted LVM with VG,LV /boot, /root, /home, /swap

It's impossible with :
=> 1st stage grub: /dev/sda1 bios_grub (core.img) or ESP partition (grub.efi)
=> 2nd stage grub: /dev/sda2/LUKS_VOL/LVM/boot/grub
to:
1- set a local grub keyboard layout (French) to type passphrase in 1st stage grub
2- access (edit mode or typing command under grub console) in 2nd stage grub

Here all my tests results from the last 3 days on the two laptops at
same time:

[0] Defaults setting after installation :
1st stage grub: US keyboard layout (standard)
2nd stage grub: gfxterm module loaded (install defaults)
=> 1st stage grub: almost impossible to type strong passphrase with accentuated characters and special characters due typos error and keyboard layout difference and unlock encrypted luks volume
=> 2nd stage grub: working without trouble, can access ubuntu grub menus, edit command and type command in the grub console as normal.

[1] Modfied settings after installation : 1st stage grub only
1st stage grub: FR keyboard layouts with at_keyboard module ([1A] grub core image config at the end)
2nd stage grub: gfxterm module loaded (no modification from default installation)
=> 1st stage grub: can type strong passphrase and unlock at the first attempt the luks encrypted volume
=> 2nd stage grub: Impossible to access grub menus, edit command and type command in the grub console

[2] Modfied settings after installation : 2nd stage grub only
1st stage grub: default grub core.img after installation with US layout
2nd stage grub: gfxterm module loaded + at_keybord, "terminal_input at_keyboard", keymap fr.gkb ([2A] grub.cfg config at the end)
=> 1st stage grub: almost impossible to type strong passphrase as in test case [0]
=> 2nd stage grub: almost Impossible to access grub menus, edit command and type command in the grub console). I need to repeat the same keystrokes 7 times or more give me only one keystroke at screen (and PC speaker beep every 1x or 4x keystrokes but it's really secondary).. Ressetting "terminal_output console" (by removing at_keyboard) or "terminal_input console" (by removing gfxterm) (by typing t(x7+2xbeep)e(x7+3xbeep)+r(x7+4xbeep)+m(x7+1xbeep)...) resolved the situation.

[3] Modfied settings after installation : 1nd stage grub only
1st stage grub: FR keyboard layouts with at_keybord + gfxterm module
2nd stage grub: gfxterm module loaded (no modification from default installation)
=> 1st stage grub: Impossible to type strong passphrase as in test case [0] but this time it's due to gfxterm and at_keyboard loaded at same time and each character must be typed 7x or more times (+ beep) so impossible to know what you are typping because nothing is printed at screen while you type your password. By accessing grub minimal console due to a limited core.img and removing at_keybord with "terminal_input console" or removing gfxterm with "terminal_output console" resolved the situation but typing such command as set prefix=(memdisk), ... cryptomount -u xyzaabac, set root='lvmid/Eh2HHw-Bceq-VfsK-Kz01-kaeg-dRbz-Rwcntf/nVAE5f-GOrJ-wvu3-RTN0-mzAe-G4Oo-mzTQrN' and then passphrase without any typos erros at first attempt with a different keyboard layout was a real challenge.
=> 2nd stage grub: Impossible to access grub menus, edit command and type command in the grub console with at_keybord eg: "terminal_input at_keyboard" is loaded even in 1st stage grub.

Conclusion:
It seems that if grub at_keyboard module is loaded with "terminal_input at_keyboard" (to load a custom keyboard layout tested with german, italian, french ...) even only in the 1st stage grub ... it's almost impossible to access any grub menu (edit command or console) in grub (same level) or even in another child grub as the 2nd stage if grub gfxterm module is loaded too.

So, for international users typing a strong passphrase is almost
impossible without using something like "test123" or "qwerty123" and
keeping access on any child grub.

For me it's something like critical because I can use a secure
installation with all partition/data encrypted but I can't type a strong
passphrase (eg "C0udéeM+(@rpantÀ)") or access any child grub menu or
console if any grub at_keyboard module is loaded (at a upper level or at
same level) with a gfxterm module somewhere else (at same level or at a
child level).

I found an old bug report at debian.org but it seems resolved with grub 2.02+dfsg1-11.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741464

I apologize for my english language mistakes.
Regards,
Fabien


[1A] grub core.img (1st grub stage) with french keyboard layout (Dell Laptop only but I can provide too the Acer laptaop with EFI difference to generate a grub.efi)
Based on Archwiki tutorial: https://wiki.archlinux.org/index.php/GRUB/Tips_and_tricks#Manual_configuration_of_core_image_for_early_boot

insmod echo
insmod gzio
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod lvm
insmod ext2
insmod keylayouts
insmod at_keyboard
set root=(memdisk)
set prefix=($root)/
terminal_input at_keyboard
keymap /fr.gkb
cryptomount -u fb6777ad81f3409982e8110e15e97a39
set root='lvmid/Eh2HHw-Bceq-VfsK-Kz01-kaeg-dRbz-Rwcntf/nVAE5f-GOrJ-wvu3-RTN0-mzAe-G4Oo-mzTQrN'
set prefix=($root)/grub
configfile grub.cfg

[2A] Ubuntu grub (2nd stage) modification (Dell or Acer laptop)
insmod keylayouts
insmod at_keyboard
keymap $(prefix)/fr.gkb

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: grub

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1914953

Title:
  grub2 incompatibility between at_keyboard and gfxterm modules lead to
  impossible to type passphrase or access ubuntu grub2 menu on a fully
  encrypted installation

Status in grub2 package in Ubuntu:
  New

Bug description:
  Hello,

  On a fresh installed Ubuntu 20.04.1 LTS (tested with Mate & Ubuntu
  with two different brands and configurations of laptops) fully luks
  encrypted systems using this guide
  https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019 with
  the fellowing configurations:

  laptop 1 (Dell): x64_86 BIOS/GPT
  /dev/sda1 => bios_grub
  /dev/sda2 => luks encrypted LVM with VG,LV /boot, /root, /home, /swap

  laptop 2 (Acer): x64_86 UEFI/GPT
  /dev/sda1 => ESP
  /dev/sda2 => luks encrypted LVM with VG,LV /boot, /root, /home, /swap

  It's impossible with :
  => 1st stage grub: /dev/sda1 bios_grub (core.img) or ESP partition (grub.efi)
  => 2nd stage grub: /dev/sda2/LUKS_VOL/LVM/boot/grub
  to:
  1- set a local grub keyboard layout (French) to type passphrase in 1st stage grub
  2- access (edit mode or typing command under grub console) in 2nd stage grub

  Here all my tests results from the last 3 days on the two laptops at
  same time:

  [0] Defaults setting after installation :
  1st stage grub: US keyboard layout (standard)
  2nd stage grub: gfxterm module loaded (install defaults)
  => 1st stage grub: almost impossible to type strong passphrase with accentuated characters and special characters due typos error and keyboard layout difference and unlock encrypted luks volume
  => 2nd stage grub: working without trouble, can access ubuntu grub menus, edit command and type command in the grub console as normal.

  [1] Modfied settings after installation : 1st stage grub only
  1st stage grub: FR keyboard layouts with at_keyboard module ([1A] grub core image config at the end)
  2nd stage grub: gfxterm module loaded (no modification from default installation)
  => 1st stage grub: can type strong passphrase and unlock at the first attempt the luks encrypted volume
  => 2nd stage grub: Impossible to access grub menus, edit command and type command in the grub console

  [2] Modfied settings after installation : 2nd stage grub only
  1st stage grub: default grub core.img after installation with US layout
  2nd stage grub: gfxterm module loaded + at_keybord, "terminal_input at_keyboard", keymap fr.gkb ([2A] grub.cfg config at the end)
  => 1st stage grub: almost impossible to type strong passphrase as in test case [0]
  => 2nd stage grub: almost Impossible to access grub menus, edit command and type command in the grub console). I need to repeat the same keystrokes 7 times or more give me only one keystroke at screen (and PC speaker beep every 1x or 4x keystrokes but it's really secondary).. Ressetting "terminal_output console" (by removing at_keyboard) or "terminal_input console" (by removing gfxterm) (by typing t(x7+2xbeep)e(x7+3xbeep)+r(x7+4xbeep)+m(x7+1xbeep)...) resolved the situation.

  [3] Modfied settings after installation : 1nd stage grub only
  1st stage grub: FR keyboard layouts with at_keybord + gfxterm module
  2nd stage grub: gfxterm module loaded (no modification from default installation)
  => 1st stage grub: Impossible to type strong passphrase as in test case [0] but this time it's due to gfxterm and at_keyboard loaded at same time and each character must be typed 7x or more times (+ beep) so impossible to know what you are typping because nothing is printed at screen while you type your password. By accessing grub minimal console due to a limited core.img and removing at_keybord with "terminal_input console" or removing gfxterm with "terminal_output console" resolved the situation but typing such command as set prefix=(memdisk), ... cryptomount -u xyzaabac, set root='lvmid/Eh2HHw-Bceq-VfsK-Kz01-kaeg-dRbz-Rwcntf/nVAE5f-GOrJ-wvu3-RTN0-mzAe-G4Oo-mzTQrN' and then passphrase without any typos erros at first attempt with a different keyboard layout was a real challenge.
  => 2nd stage grub: Impossible to access grub menus, edit command and type command in the grub console with at_keybord eg: "terminal_input at_keyboard" is loaded even in 1st stage grub.

  Conclusion:
  It seems that if grub at_keyboard module is loaded with "terminal_input at_keyboard" (to load a custom keyboard layout tested with german, italian, french ...) even only in the 1st stage grub ... it's almost impossible to access any grub menu (edit command or console) in grub (same level) or even in another child grub as the 2nd stage if grub gfxterm module is loaded too.

  So, for international users typing a strong passphrase is almost
  impossible without using something like "test123" or "qwerty123" and
  keeping access on any child grub.

  For me it's something like critical because I can use a secure
  installation with all partition/data encrypted but I can't type a
  strong passphrase (eg "C0udéeM+(@rpantÀ)") or access any child grub
  menu or console if any grub at_keyboard module is loaded (at a upper
  level or at same level) with a gfxterm module somewhere else (at same
  level or at a child level).

  I found an old bug report at debian.org but it seems resolved with grub 2.02+dfsg1-11.
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741464

  I apologize for my english language mistakes.
  Regards,
  Fabien

  
  [1A] grub core.img (1st grub stage) with french keyboard layout (Dell Laptop only but I can provide too the Acer laptaop with EFI difference to generate a grub.efi)
  Based on Archwiki tutorial: https://wiki.archlinux.org/index.php/GRUB/Tips_and_tricks#Manual_configuration_of_core_image_for_early_boot

  insmod echo
  insmod gzio
  insmod part_gpt
  insmod cryptodisk
  insmod luks
  insmod gcry_rijndael
  insmod gcry_rijndael
  insmod gcry_sha256
  insmod lvm
  insmod ext2
  insmod keylayouts
  insmod at_keyboard
  set root=(memdisk)
  set prefix=($root)/
  terminal_input at_keyboard
  keymap /fr.gkb
  cryptomount -u fb6777ad81f3409982e8110e15e97a39
  set root='lvmid/Eh2HHw-Bceq-VfsK-Kz01-kaeg-dRbz-Rwcntf/nVAE5f-GOrJ-wvu3-RTN0-mzAe-G4Oo-mzTQrN'
  set prefix=($root)/grub
  configfile grub.cfg

  [2A] Ubuntu grub (2nd stage) modification (Dell or Acer laptop)
  insmod keylayouts
  insmod at_keyboard
  keymap $(prefix)/fr.gkb

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1914953/+subscriptions

More information about the foundations-bugs mailing list