[Bug 1062623] Re: enable grub-2.00 boot-from-luks support

semreh 1062623 at bugs.launchpad.net
Thu Jun 13 14:11:18 UTC 2024


I suspect part of the motivation for this decision is that GRUB2 still
does not have upstream support for Argon2 Key Derivation Functions
(KDFs), so adding luks2 'support' only works if the KDF is restricted to
PBKDF2. I don't know if the problem with 'grub-probe' not recognising
luks2 formatted block-devices has been solved either, which makes
automating the creation of the GRUB2 setup more challenging than it
should be.

I do not expect Ubuntu to solve GRUB's problems implementing Argon2 KDFs
(it requires non-trivial changes to GRUB2's version of libgcrypt - GRUB2
applies patches to a particular version of the source of libgcrypt from
upstream which is then compiled for the GRUB2 environment - see the
grub-devel mailing list and search for libgcrypt).

Rather than saying "Won't Fix", I'd prefer it if the Ubuntu developers
simply made supporting luks2 and Argon2 KDFs a dependency on upstream
GRUB2 doing so. Not all systems that people wish to run Ubuntu on
support TPM-backed FDE, and it would be helpful to continue allowing an
encrypted /boot.

I'll say again that I don't expect Ubuntu to develop and support their
own patchset on upstream GRUB2 - merely that once upstream GRUB2 offers
Argon2 KDFs that Ubuntu will support that by including relevant modules.
I don't think that is an unreasonable request. I respectfully request
that the status be changed from "Won't Fix" to "In progress", and the
assigned person tracks GRUB2's progress on implementing Argon2 KDFs.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1062623

Title:
  enable grub-2.00 boot-from-luks support

Status in grub2 package in Ubuntu:
  Won't Fix

Bug description:
  (I suppose this comes too late in the release cycle to make the
  change, but perhaps it's simple enough:)

  With only minimal manual intervention, I found I could use today's
  Ubuntu Server 12.10 daily iso to install a system with luks+lvm and no
  separate /boot partition (which doesn't really have any security
  advantages, but it makes managing space on a smallish disk easier). If
  grub-installer could manage the final 2 steps below, it would all be
  fully automatic. Thanks!

  Steps:
  1: go through the default installer motions
  2: in partman, choose the manual option
  3: create a single, whole-disk primary partition, use it as a luks encrypted volume
  4: on top of that, create an lvm physical volume
  5: insert lvm logical volumes for swap and / (I used btrfs, probably irrelevant)
  6: finish remaining installer steps; find that grub install fails
  7: drop into shell, per alt+f2, and chroot to /target
  8: append "GRUB_CRYPTODISK_ENABLE=y" to /etc/default/grub
  9: run "grub-install /dev/sda" (replace sda etc etc), then "update-grub", reboot

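Added example, not part of the bug report or of GRUB's or cryptsetup's own tooling: a POSIX sh check for the two things this thread turns on before trusting GRUB_CRYPTODISK_ENABLE=y with a /boot inside LUKS. It reads the text that `cryptsetup luksDump` prints for a container and succeeds only if GRUB's cryptodisk code can unlock it (LUKS1, or LUKS2 with every keyslot on PBKDF2 rather than Argon2), and it checks that the setting is actually present in a grub defaults file. The three dump texts are constructed samples trimmed to the lines the check reads.

```sh
#!/bin/sh
# Constructed samples of what `cryptsetup luksDump` prints (trimmed).

# LUKS2, keyslot 0 derived with argon2id: GRUB's cryptodisk cannot unlock it.
SAMPLE_ARGON2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id'

# LUKS2 with the keyslot converted to pbkdf2: GRUB can unlock it.
SAMPLE_PBKDF2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      pbkdf2'

# LUKS1 headers are PBKDF2-only, so no PBKDF: lines appear at all.
SAMPLE_LUKS1='LUKS header information
Version:        1
Key Slot 0: ENABLED
        Iterations:             1000'

# grub_can_unlock DUMP_TEXT: succeeds (0) when the header is LUKS1 or every
# LUKS2 keyslot uses pbkdf2; fails (1) if any keyslot uses another KDF.
grub_can_unlock() {
    version=$(printf '%s\n' "$1" | awk '$1 == "Version:" { print $2; exit }')
    [ "$version" = "1" ] && return 0
    other_kdf=$(printf '%s\n' "$1" |
        awk '$1 == "PBKDF:" && $2 != "pbkdf2" { n++ } END { print n + 0 }')
    [ "$other_kdf" -eq 0 ]
}

# cryptodisk_enabled FILE: succeeds when an uncommented GRUB_CRYPTODISK_ENABLE=y
# (optionally quoted) is set in the given grub defaults file, e.g. /etc/default/grub.
cryptodisk_enabled() {
    grep -Eq '^[[:space:]]*GRUB_CRYPTODISK_ENABLE=.?y' "$1"
}

# Stand-alone report over the constructed samples.
for name in ARGON2 PBKDF2 LUKS1; do
    eval "dump=\$SAMPLE_$name"
    if grub_can_unlock "$dump"; then
        echo "$name: GRUB can unlock this container"
    else
        echo "$name: convert the keyslot to pbkdf2 before relying on GRUB_CRYPTODISK_ENABLE"
    fi
done
```

On a real system, feed `grub_can_unlock "$(cryptsetup luksDump /dev/sdXN)"` the partition that holds /boot and point `cryptodisk_enabled` at /etc/default/grub.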
