[Bug 1062623] Re: enable grub-2.00 boot-from-luks support

Nazar Mokrynskyi 1062623 at bugs.launchpad.net
Thu Jun 13 15:05:26 UTC 2024


> The new LUKS2 format stores the metadata in a JSON document which
> requires a JSON parser in grub. Given that Ubuntu does not support
> encrypted /boot partitions, the decision was made not to enable the
> feature such as to prevent the JSON code from becoming an attack vector
> to break secure boot.

I'd rather invest in a fuzzer or integrate a Rust-based JSON parser than
remove it completely.

> Please note that encryption of /boot is security by obscurity: The
> data is encrypted, but not authenticated so it is still subject to
> chosen plaintext attacks, as is any encrypted data. You do not need
> obscurity for public knowledge like kernel and initrd content, it's only
> valuable for your personal private data.

While true in theory, I'm not sure it is applicable. Modern well-
designed ciphers and encryption schemes should not be susceptible to
this attack, though I can't speak to LUKS specifically; I do not fully
know how it is implemented in detail. Also, kernel and initrd content
might be public knowledge with kernels that you, Ubuntu, ship, which is
not true if there are customizations applied on the system. While I
don't think they are particularly sensitive, the fact that kernel and
initrd are public knowledge is strictly speaking not true.

> A secure chain needs to authenticate the initrd against a certificate.
> For example, Ubuntu Desktop TPM FDE offers fully authenticated early
> boot environments.

Ubuntu's desktop FDE is a special case that only works with an
Ubuntu-signed precompiled kernel that depends on Snap (I use neither the
Ubuntu kernel nor Snap on my desktop). I was initially very optimistic and
then kind of disappointed by the implementation.

I have configured TPM FDE encryption that fully verifies everything on
one of my Ubuntu servers with a self-signed initrd (mostly based on
https://blastrock.github.io/fde-tpm-sb.html while using different tools
for some of the steps). It does work, but even then was a bit painful on
23.10 due to Ubuntu not shipping some of the systemd components required
for this to work on purpose (ukify specifically, see
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2031898).

I understand that you have a "canonical" way of doing FDE that is
user-friendly, but that is not the only way and making it impossible to
use alternatives is very annoying.

-- 
https://bugs.launchpad.net/bugs/1062623

Title:
  enable grub-2.00 boot-from-luks support

Status in grub2 package in Ubuntu:
  Won't Fix

Bug description:
  (I suppose this comes too late in the release cycle to make the
  change, but perhaps it's simple enough:)

  With only minimal manual intervention, I found I could use today's
  Ubuntu Server 12.10 daily iso to install a system with luks+lvm and no
  separate /boot partition (which doesn't really have any security
  advantages, but it makes managing space on a smallish disk easier). If
  grub-installer could manage the final 2 steps below, it would all be
  fully automatic. Thanks!

  Steps:
  1: go through the default installer motions
  2: in partman, choose the manual option
  3: create a single, whole-disk primary partition, use it as a luks encrypted volume
  4: on top of that, create an lvm physical volume
  5: insert lvm logical volumes for swap and / (I used btrfs, probably irrelevant)
  6: finish remaining installer steps; find that grub install fails
  7: drop into shell, per alt+f2, and chroot to /target
  8: append "GRUB_CRYPTODISK_ENABLE=y" to /etc/default/grub
  9: run "grub-install /dev/sda" (replace sda etc etc), then "update-grub", reboot
