[Bug 2043101] Re: Mantic+noble inadvertently includes the luks2 module in signed grub-efis
Luci Stanescu
2043101 at bugs.launchpad.net
Mon Jul 8 16:32:36 UTC 2024
I have also been affected by this. It seems that grub2 version
2.12~rc1-10ubuntu4.1, which was meant to remove the luks2 module from
the signed binary, never made it out of mantic-proposed. Therefore, the
first time I realised this was not supported was when I upgraded to
2.12~rc1-10ubuntu4.2, which was released on 1st July.
Given the rather large time window that mantic users had to "get
accustomed" to this feature, it may good to provide instructions in case
this breaks their installations.
For me, the fix was rather simple, so I'm documenting it here:
1. Take a backup of your LUKS header on some other device (assumes /mnt has a different filesystem mounted):

   cryptsetup luksHeaderBackup --header-backup-file /mnt/luks.header /dev/YOUR-CRYPT-DEVICE

2. Check if you use Argon 2 in any of your passphrases (you'll need to switch them to PBKDF2, as only that is supported by LUKS 1):

   cryptsetup luksDump /dev/YOUR-CRYPT-DEVICE

3. Convert any Argon 2 passphrases to PBKDF2:

   cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/YOUR-CRYPT-DEVICE

   You may also want to consider specifying --pbkdf-force-iterations
   according to your security requirements.

4. Convert to LUKS 1 (this does not work if the device is active, so you'll need to boot into a live / different system):

   cryptsetup convert --type luks1 /dev/YOUR-CRYPT-DEVICE
Would it have been possible to detect this condition and warn users on
an upgrade? Some users may yet find themselves at a grub shell when
rebooting after an upgrade.
--
https://bugs.launchpad.net/bugs/2043101
Title:
Mantic+noble inadvertently includes the luks2 module in signed grub-efis
Status in grub2-unsigned package in Ubuntu:
Fix Released
Status in grub2-unsigned source package in Mantic:
Fix Released
Status in grub2-unsigned source package in Noble:
Fix Released
Bug description:
[ Impact ]
* The luks2 module was accidentally enabled during a merge from Debian. This
isn't intended to be a supported feature, and we should disable it before
users accidentally start relying on it.
* Removing it early in the mantic cycle reduces the chance someone relies on
it, and hence gets broken when upgrading to noble where it is already gone.
[ Test Plan ]
* Boot GRUB2 in Secure Boot mode and make sure LUKS2 is unavailable.
(e.g. insmod luks2 should throw an error)
[ Where problems could occur ]
* If someone already managed to create a Mantic install with /boot on a LUKS2
encrypted location, this update will break booting with Secure Boot on.
* However this was never a supported configuration from any
installer, and this required deliberate manual effort to achieve.
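The pre-conversion check from step 2 of the comment above (find keyslots that still use Argon2 before running `cryptsetup convert --type luks1`), as an added shell example that is not part of the bug thread or of cryptsetup itself. It parses `cryptsetup luksDump` output read from stdin; the function names and the sample dump are constructed for the example.

```shell
#!/bin/sh
# Added example: parse `cryptsetup luksDump` output (on stdin) and report the
# keyslots that still use Argon2 and therefore block `cryptsetup convert --type luks1`.
# On a real system (as root): cryptsetup luksDump /dev/YOUR-CRYPT-DEVICE | luks1_blockers

# Print the LUKS header version ("1" or "2").
luks_version() {
    awk -F ':' '/^Version:/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Print "<slot> <pbkdf>" for every keyslot whose PBKDF is not pbkdf2.
# A keyslot block starts with a line like "  0: luks2"; its PBKDF line is indented.
argon2_keyslots() {
    awk '
        /^Keyslots:/                { inslots = 1; next }
        /^[A-Z][A-Za-z ]*:/         { inslots = 0 }   # any other top-level section
        inslots && /^  [0-9]+: /    { slot = $1; sub(/:$/, "", slot) }
        inslots && /^[ \t]+PBKDF:/  { if ($2 != "pbkdf2") print slot, $2 }
    '
}

# Return 0 if the header converts as-is, 1 if keyslots must be re-keyed first.
luks1_blockers() {
    dump=$(cat)
    if [ "$(printf '%s\n' "$dump" | luks_version)" = "1" ]; then
        echo "already LUKS1, nothing to do"
        return 0
    fi
    blockers=$(printf '%s\n' "$dump" | argon2_keyslots)
    if [ -n "$blockers" ]; then
        echo "convert these keyslots first (cryptsetup luksConvertKey --pbkdf pbkdf2 --key-slot N):"
        echo "$blockers"
        return 1
    fi
    echo "all keyslots use pbkdf2; cryptsetup convert --type luks1 is possible"
}

# Constructed luksDump excerpt (not from a real device): slot 0 still uses argon2id.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
    PBKDF:      argon2id
  1: luks2
    PBKDF:      pbkdf2
    Iterations: 1000000
Tokens:'

printf '%s\n' "$SAMPLE_DUMP" | luks1_blockers; echo "exit status: $?"
```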