[Bug 1565950] [NEW] Grub 2 fails to boot a kernel on a luks encrypted volume with Secure Boot enabled

Chris Marks christopher.l.marks at gmail.com
Mon Apr 4 18:55:37 UTC 2016 

Public bug reported:

Booting in UEFI  Secure Boot requires that all code loaded up to and
including the OS kernel be signed.  This includes all grub modules.
This is accomplished by including selected modules in a single signed
binary.  However, the modules required for grub to use an encrypted
volume have been omitted from the binary package and therefore Ubuntu
cannot boot from an encrypted volume with Secure Boot enabled.  This can
be corrected as follows.


The debian/build-efi-images file needs to have lines 136-140 changed from:

GRUB_MODULES="$CD_MODULES
	lvm
	mdraid09
	mdraid1x
	"

to:

GRUB_MODULES="$CD_MODULES
	cryptodisk
	gcry_arcfour
	gcry_blowfish
	gcry_camellia
	gcry_cast5
	gcry_crc
	gcry_des
	gcry_dsa
	gcry_idea
	gcry_md4
	gcry_md5
	gcry_rfc2268
	gcry_rijndael
	gcry_rmd160
	gcry_rsa
	gcry_seed
	gcry_serpent
	gcry_sha1
	gcry_sha256
	gcry_sha512
	gcry_tiger
	gcry_twofish
	gcry_whirlpool
	luks
	lvm
	mdraid09
	mdraid1x
	"

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: boot encrypted luks partition secure uefi

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1565950

Title:
  Grub 2 fails to boot a kernel on a luks encrypted volume with Secure
  Boot enabled

Status in grub2 package in Ubuntu:
  New

Bug description:
  Booting in UEFI  Secure Boot requires that all code loaded up to and
  including the OS kernel be signed.  This includes all grub modules.
  This is accomplished by including selected modules in a single signed
  binary.  However, the modules required for grub to use an encrypted
  volume have been omitted from the binary package and therefore Ubuntu
  cannot boot from an encrypted volume with Secure Boot enabled.  This
  can be corrected as follows.

  
  The debian/build-efi-images file needs to have lines 136-140 changed from:

  GRUB_MODULES="$CD_MODULES
  	lvm
  	mdraid09
  	mdraid1x
  	"

  to:

  GRUB_MODULES="$CD_MODULES
  	cryptodisk
  	gcry_arcfour
  	gcry_blowfish
  	gcry_camellia
  	gcry_cast5
  	gcry_crc
  	gcry_des
  	gcry_dsa
  	gcry_idea
  	gcry_md4
  	gcry_md5
  	gcry_rfc2268
  	gcry_rijndael
  	gcry_rmd160
  	gcry_rsa
  	gcry_seed
  	gcry_serpent
  	gcry_sha1
  	gcry_sha256
  	gcry_sha512
  	gcry_tiger
  	gcry_twofish
  	gcry_whirlpool
  	luks
  	lvm
  	mdraid09
  	mdraid1x
  	"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1565950/+subscriptions

More information about the foundations-bugs mailing list