[Bug 2043101] Re: Mantic+noble inadvertently includes the luks2 module in signed grub-efis

Avamander 2043101 at bugs.launchpad.net
Mon Nov 18 00:30:35 UTC 2024


It's somewhat annoying that this support is not included and that it was
even removed. LUKS2 brings quite a few improvements, for example storing
options persistently (such as `allow-discards`) but also other
operational benefits. It would work better with newly created LUKS
volumes by default, reducing the amount of unexpected surprises.

Secondly, from a security perspective, not only should LUKS2 support be
reincluded (is its support really that complex to warrant disabling over
review?). But ideally the push would be for Argon2 support to be added
as well. This has been done by Arch maintainers
(https://aur.archlinux.org/packages/grub-improved-luks2-git) but it
would be preferred if it was supported by upstream (especially if
Ubuntu/Canonical would like it). This would finally allow modern KDFs to
be used by everyone, even for volumes unlocked by GRUB.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-unsigned in Ubuntu.
https://bugs.launchpad.net/bugs/2043101

Title:
  Mantic+noble inadvertently includes the luks2 module in signed grub-efis

Status in grub2-unsigned package in Ubuntu:
  Fix Released
Status in grub2-unsigned source package in Mantic:
  Fix Released
Status in grub2-unsigned source package in Noble:
  Fix Released

Bug description:
  [ Impact ]

   * The luks2 module was accidentally enabled during a merge from Debian. This
     isn't intended to be a supported feature, and we should disable it before
     users accidentally start relying on it.

   * Removing it early in the mantic cycle reduces the chance someone relies on
     it, and hence gets broken when upgrading to noble where it is already gone.

  [ Test Plan ]

   * Boot GRUB2 in Secure Boot mode and make sure LUKS2 is unavailable.
     (e.g. insmod luks2 should throw an error)

  [ Where problems could occur ]

   * If someone already managed to create a Mantic install with /boot on a LUKS2
     encrypted location, this update will break booting with Secure Boot on.

   * However this was never a supported configuration from any installer,
     and this required deliberate manual effort to achieve.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2043101/+subscriptions
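
A way to check whether a volume that GRUB must unlock falls under "Where problems could occur", by reading the LUKS header version and the keyslot KDFs. This is an added example, not code from the bug report or from GRUB. The function names and the sample header are constructed here, and it assumes GRUB's luks2 module handles PBKDF2 keyslots only.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"   # on-disk magic shared by LUKS1 and LUKS2
BINARY_HDR_LEN = 4096          # LUKS2 binary header; JSON metadata follows


def inspect_luks_header(blob):
    """Return (version, {keyslot: kdf_type}) from the first bytes of a device."""
    if blob[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0")
    (version,) = struct.unpack(">H", blob[6:8])
    if version == 1:
        return 1, {}                      # LUKS1 keyslots are always PBKDF2
    if version != 2:
        raise ValueError(f"unknown LUKS version {version}")
    (hdr_size,) = struct.unpack(">Q", blob[8:16])   # binary header + JSON area
    if hdr_size <= BINARY_HDR_LEN or hdr_size > len(blob):
        raise ValueError("truncated or corrupt LUKS2 header")
    meta = json.loads(blob[BINARY_HDR_LEN:hdr_size].split(b"\0", 1)[0])
    return 2, {slot: ks.get("kdf", {}).get("type", "unknown")
               for slot, ks in meta.get("keyslots", {}).items()}


def grub_boot_findings(blob):
    """Findings for a volume that GRUB itself must unlock (e.g. /boot)."""
    version, kdfs = inspect_luks_header(blob)
    if version == 1:
        return ["LUKS1: no luks2 module needed"]
    findings = ["LUKS2: needs the luks2 module, absent from the signed image"]
    # Assumption: GRUB's luks2 module handles PBKDF2 keyslots only.
    findings += [f"keyslot {s}: {k} not usable by GRUB"
                 for s, k in sorted(kdfs.items()) if k != "pbkdf2"]
    return findings


def make_sample(version, kdfs=()):
    """Constructed header bytes for the demo, not a dump of a real device."""
    slots = {str(i): {"type": "luks2", "kdf": {"type": k}} for i, k in enumerate(kdfs)}
    hdr = LUKS_MAGIC + struct.pack(">HQ", version, 16384)
    body = json.dumps({"keyslots": slots}).encode()
    return hdr.ljust(BINARY_HDR_LEN, b"\0") + body.ljust(16384 - BINARY_HDR_LEN, b"\0")


if __name__ == "__main__":
    for sample in (make_sample(1), make_sample(2, ["pbkdf2", "argon2id"])):
        print(grub_boot_findings(sample))
```

For a real device, pass in at least as many leading bytes as the header size field reports; a shorter read is rejected as truncated.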