[Bug 2043101] Re: Mantic+noble inadvertently includes the luks2 module in signed grub-efis
Josef Wolf
2043101 at bugs.launchpad.net
Sun Oct 5 09:33:29 UTC 2025
@mkukri: are you really sure about secure boot checking integrity of
initrd?
I just did this test:
# cd /boot
# cp initrd.img initrd.img.bak
# dd if=/dev/zero bs=1 count=1 >>initrd.img
then reboot with secure boot enabled. No error, no warning. Boots as if
nothing happened.
I'd have a better feeling with /boot enrypted with LUKS2.
YMMV!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-unsigned in Ubuntu.
https://bugs.launchpad.net/bugs/2043101
Title:
Mantic+noble inadvertently includes the luks2 module in signed grub-
efis
Status in grub2-unsigned package in Ubuntu:
Fix Released
Status in grub2-unsigned source package in Mantic:
Fix Released
Status in grub2-unsigned source package in Noble:
Fix Released
Bug description:
[ Impact ]
* The luks2 module was accidentally enabled during a merge from Debian. This
isn't intended to be a supported feature, and we should disable it before
users accidentally start relying on it.
* Removing it early in the mantic cycle reduces the chance someone relies on
it, and hence gets broken when upgrading to noble where it is already gone.
[ Test Plan ]
* Boot GRUB2 in Secure Boot mode and make sure LUKS2 is unavailable.
(e.g. insmod luks2 should throw an error)
[ Where problems could occur ]
* If someone already managed to create a Mantic install with /boot on a LUKS2
encrypted location, this update will break booting with Secure Boot on.
* However this was never a supported configuration from any
installer, and this required deliberate manual effort to achieve.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2043101/+subscriptions
More information about the foundations-bugs
mailing list