[Bug 2141233] Re: 26.04: outdated signed GRUB (Secure Boot) cannot unlock LUKS2 /boot with Argon2 (argon2i/argon2id) KDF – needs update + signed artifacts parity

Mate Kukri 2141233 at bugs.launchpad.net
Sun Feb 8 20:04:18 UTC 2026


GRUB 2.14 is on the way!

> A common setup is to use a separate encrypted /boot partition that
must be unlocked by GRUB (cryptodisk) in order to load the kernel and
initramfs.

This setup is not supported by Ubuntu. We do sign the luks module due to
historical reasons (it will be removed), but we do not sign luks2 at
all. The intended way to do it is to have /boot readable in clear (with
ideally signed boot assets) and use the initrd to unlock the root
LUKS(2) container.

Please note that if you do not need secure boot support, this will still
be possible in GRUB 2.14, but we do not plan on signing luks2 module.

** Changed in: grub2-signed (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-signed in Ubuntu.
https://bugs.launchpad.net/bugs/2141233

Title:
  26.04: outdated signed GRUB (Secure Boot) cannot unlock LUKS2 /boot
  with Argon2 (argon2i/argon2id) KDF – needs update + signed artifacts
  parity

Status in grub2-signed package in Ubuntu:
  Invalid

Bug description:
  A common setup is to use a separate encrypted /boot partition that
  must be unlocked by GRUB (cryptodisk) in order to load the kernel and
  initramfs. On Secure Boot systems, the boot path uses Ubuntu’s signed
  GRUB EFI binaries, so this capability must be present in the signed
  artifacts shipped via grub2-signed, not only in the unsigned build.

  With the current Ubuntu 26.04 GRUB packaging snapshot lineage, GRUB
  cannot unlock LUKS2 keyslots using Argon2 KDF (argon2i / argon2id). In
  the current snapshot, the LUKS2 decrypt path still hard-fails with
  “Argon2 not supported”, which blocks Secure Boot users from booting
  systems with an encrypted /boot that uses Argon2.

  Argon2 (especially Argon2id) is considered a stronger, more modern
  password-based key derivation approach than PBKDF2 for protecting
  encrypted volumes against offline cracking, because it is memory-hard
  rather than mostly CPU-bound. This matters for encrypted /boot, where
  a stolen disk enables unlimited offline guessing, and being forced to
  PBKDF2 due to bootloader limitations is a real security downgrade.

  Steps to reproduce:

  1. Enable Secure Boot in firmware/UEFI.
  2. Create a separate LUKS2 partition for /boot with keyslot KDF = argon2id (or argon2i).
  3. Install Ubuntu 26.04 (daily/devel) using the default Secure Boot path (signed GRUB).
  4. Boot and enter the LUKS passphrase at the GRUB prompt.

  Actual result:
  Signed GRUB fails to unlock /boot when the keyslot uses Argon2 KDF (the decrypt path hard-fails with “Argon2 not supported”).

  Expected result:
  Signed GRUB successfully derives the key using Argon2 and unlocks the LUKS2 /boot partition, then continues boot.

  Additional info / evidence:

  1. Ubuntu 26.04 devel currently uses GRUB snapshot 2.14~git20250718.0e36779 lineage; the unsigned source package page is:
      https://launchpad.net/ubuntu/+source/grub2-unsigned
      (In grub-core/disk/luks2.c, luks2_decrypt_key() returns “Argon2 not supported” for Argon2 KDF type in this snapshot.)

  2. Signed GRUB is delivered via the grub2-signed source package:
      https://launchpad.net/ubuntu/+source/grub2-signed

  3. There is an upstream grub-devel patch series adding Argon2 KDF support for LUKS2 (e.g. “disk/luks2: Add Argon2 support”).
      Upstream thread: https://www.mail-archive.com/grub-devel@gnu.org/msg41723.html

  4. Link to the related grub2-unsigned bug for the core implementation
  update; this grub2-signed bug is to ensure Secure Boot parity:
  https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2141232

  Request:
  Please update Ubuntu 26.04 signed GRUB (grub2-signed) to a version (upstream 2.14 release tarball or newer snapshot) that includes LUKS2 Argon2 KDF unlock support for cryptodisk, and ensure the signed EFI images shipped for Secure Boot include this functionality.
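An added example, not part of the bug report or of Ubuntu's packaging: a small Python audit of LUKS2 header metadata (the JSON that `cryptsetup luksDump --dump-json-metadata <device>` prints) that flags keyslots whose KDF is Argon2 and would therefore hit the "Argon2 not supported" path in the snapshot GRUB described above, so an encrypted-/boot setup can be checked before a reboot rather than at the GRUB prompt. The embedded metadata is a constructed sample and the function names are my own.

```python
import json

# KDF types that the GRUB 2.14~git20250718 snapshot's LUKS2 cryptodisk path
# rejects with "Argon2 not supported" (per the bug report). Only pbkdf2 works.
GRUB_UNSUPPORTED_KDFS = {"argon2i", "argon2id"}


def audit_luks2_keyslots(metadata_json):
    """Map keyslot id -> (kdf_type, usable_by_grub) from LUKS2 JSON metadata.

    A keyslot is usable only if its KDF is pbkdf2; Argon2 slots (the cryptsetup
    default) cannot be opened by the snapshot GRUB, and unknown types are
    treated as unusable as well.
    """
    meta = json.loads(metadata_json)
    result = {}
    for slot_id, slot in meta.get("keyslots", {}).items():
        if slot.get("type") != "luks2":
            continue  # e.g. "reencrypt" slots carry no passphrase KDF
        kdf = slot.get("kdf", {}).get("type", "unknown")
        result[slot_id] = (kdf, kdf == "pbkdf2")
    return result


def grub_can_unlock(metadata_json):
    """True if at least one keyslot can be opened by the snapshot GRUB."""
    return any(ok for _, ok in audit_luks2_keyslots(metadata_json).values())


# Constructed sample shaped like cryptsetup's JSON dump, trimmed to the fields
# this check reads. Slot 0 is the cryptsetup default (argon2id); slot 1 was
# added with `--pbkdf pbkdf2`. Salts are placeholder base64, not real values.
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                      "cpus": 4, "salt": "cGxhY2Vob2xkZXItc2FsdA=="}},
        "1": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "pbkdf2", "hash": "sha256",
                      "iterations": 1000000, "salt": "YW5vdGhlci1zYWx0"}},
    },
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
})

if __name__ == "__main__":
    for slot, (kdf, ok) in audit_luks2_keyslots(SAMPLE_METADATA).items():
        verdict = "GRUB ok" if ok else (
            "Argon2 not supported" if kdf in GRUB_UNSUPPORTED_KDFS else "unsupported KDF")
        print(f"keyslot {slot}: kdf={kdf} -> {verdict}")
    print("bootable via snapshot GRUB:", grub_can_unlock(SAMPLE_METADATA))
```

A header with only Argon2 keyslots is exactly the configuration the reproduction steps describe, and the check reports it as not bootable via the snapshot GRUB.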

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/2141233/+subscriptions
