[Bug 2043101] Re: Mantic+noble inadvertently includes the luks2 module in signed grub-efis
Mate Kukri
2043101 at bugs.launchpad.net
Mon Nov 18 07:44:56 UTC 2024
@avamander The idea is to discourage the use of GRUB unlocked FDE and
use the standard Ubuntu setup where the initrd unlocks the encrypted
partition, which absolutely does support LUKS2 and any KDF supported by
it.
The reason luks is still in GRUB is to not break legacy setups, not due
to GRUB cryptodisk being a supported feature.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-unsigned in Ubuntu.
https://bugs.launchpad.net/bugs/2043101
Title:
Mantic+noble inadvertently includes the luks2 module in signed grub-
efis
Status in grub2-unsigned package in Ubuntu:
Fix Released
Status in grub2-unsigned source package in Mantic:
Fix Released
Status in grub2-unsigned source package in Noble:
Fix Released
Bug description:
[ Impact ]
* The luks2 module was accidentally enabled during a merge from Debian. This
isn't intended to be a supported feature, and we should disable it before
users accidentally start relying on it.
* Removing it early in the mantic cycle reduces the chance someone relies on
it, and hence gets broken when upgrading to noble where it is already gone.
[ Test Plan ]
* Boot GRUB2 in Secure Boot mode and make sure LUKS2 is unavailable.
(e.g. insmod luks2 should throw an error)
[ Where problems could occur ]
* If someone already managed to create a Mantic install with /boot on a LUKS2
encrypted location, this update will break booting with Secure Boot on.
* However this was never a supported configuration from any
installer, and this required deliberate manual effort to achieve.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2043101/+subscriptions
More information about the foundations-bugs
mailing list