[Bug 2043101] Re: Mantic+noble inadvertently includes the luks2 module in signed grub-efis
Mate Kukri
2043101 at bugs.launchpad.net
Fri Oct 3 09:31:35 UTC 2025
The supported setup in Ubuntu is to have a non-encrypted /boot partition
with / encrypted with LUKS2. This combined with Secure Boot should not
be a security downgrade at all.
We do not support GRUB unlocked FDE or encrypted /boot at this point,
and LUKS1 support is left in GRUB as an accident of history.
For supported partitioning schemes, please look at what the Ubuntu
installer does.
Mate Kukri
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-unsigned in Ubuntu.
https://bugs.launchpad.net/bugs/2043101
Title:
Mantic+noble inadvertently includes the luks2 module in signed grub-efis
Status in grub2-unsigned package in Ubuntu:
Fix Released
Status in grub2-unsigned source package in Mantic:
Fix Released
Status in grub2-unsigned source package in Noble:
Fix Released
Bug description:
[ Impact ]
* The luks2 module was accidentally enabled during a merge from Debian. This
isn't intended to be a supported feature, and we should disable it before
users accidentally start relying on it.
* Removing it early in the mantic cycle reduces the chance someone relies on
it, and hence gets broken when upgrading to noble where it is already gone.
[ Test Plan ]
* Boot GRUB2 in Secure Boot mode and make sure LUKS2 is unavailable.
(e.g. insmod luks2 should throw an error)
[ Where problems could occur ]
* If someone already managed to create a Mantic install with /boot on a
LUKS2-encrypted location, this update will break booting with Secure Boot on.
* However, this was never a supported configuration from any
installer, and this required deliberate manual effort to achieve.