[Bug 2043101] Re: Mantic+noble inadvertently includes the luks2 module in signed grub-efis

Josef Wolf 2043101 at bugs.launchpad.net
Sun Oct 5 12:16:58 UTC 2025 

With cleartext /boot, anybody can inject traps into initrd while the
system is shut down. As shown above, secure boot won't prevent this.

With encrypted /boot, the attacker would need the LUKS password in order
to inject any malicious content into initrd. Attacker is limited to grub
(and maybe kernel), which should be protected by secure boot.

This makes a big difference!

Removing support for LUKS2 from grub and leaving /boot unencrypted opens
up a big hole even for the unexperienced attacker.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-unsigned in Ubuntu.
https://bugs.launchpad.net/bugs/2043101

Title:
  Mantic+noble inadvertently includes the luks2 module in signed grub-
  efis

Status in grub2-unsigned package in Ubuntu:
  Fix Released
Status in grub2-unsigned source package in Mantic:
  Fix Released
Status in grub2-unsigned source package in Noble:
  Fix Released

Bug description:
  [ Impact ]

   * The luks2 module was accidentally enabled during a merge from Debian. This
     isn't intended to be a supported feature, and we should disable it before
     users accidentally start relying on it.

   * Removing it early in the mantic cycle reduces the chance someone relies on
     it, and hence gets broken when upgrading to noble where it is already gone.

  [ Test Plan ]

   * Boot GRUB2 in Secure Boot mode and make sure LUKS2 is unavailable.
     (e.g. insmod luks2 should throw an error)

  [ Where problems could occur ]

   * If someone already managed to create a Mantic install with /boot on a LUKS2
     encrypted location, this update will break booting with Secure Boot on.

   * However this was never a supported configuration from any
  installer, and this required deliberate manual effort to achieve.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2043101/+subscriptions

More information about the foundations-bugs mailing list