Source: grub-common
Severity: normal
X-Debbugs-Cc: nmschu...@gmail.com

On a UEFI system with a LUKS2/argon2 encrypted root (/) and a LUKS1/PBKDF
encrypted boot (/boot) (using GRUB early crypto), if desktop-base is installed
(providing the GRUB [emerald] theme), the configuration that grub-mkconfig
generates from 05_debian_theme causes GRUB to prompt to unlock the LUKS2 device
in order to load the theme background. That unlock silently fails
(cryptomount: error: Invalid passphrase).

This causes GRUB to unnecessarily/annoyingly prompt twice for crypto 
passphrases, though it seems a quick work-around at
the LUKS2/root partition prompt is to simply enter an empty phrase to jump to 
the menu.

I understand LUKS2 support in GRUB is a work in progress; I do not know whether
that includes argon2 support.  It would be great to avoid this annoying prompt
situation (e.g. by detecting LUKS2/argon2 on the partition, or by supporting
the situation somehow; preferably still with a single prompt, in a manner
similar to cryptsetup-initramfs/KEYFILE_PATTERN and the crypttab/keyfile spec).

Thanks!


-- Package-specific info:

*********************** BEGIN /proc/mounts
/dev/mapper/root_crypt / ext4 rw,relatime,errors=remount-ro 0 0
/dev/mapper/boot_crypt /boot ext4 rw,relatime 0 0
/dev/nvme0n1p1 /boot/efi vfat 
rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro
 0 0
*********************** END /proc/mounts

*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
# Load the saved environment block when $prefix/grubenv exists and is non-empty.
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
# A pending next_entry becomes the default for this boot only: it is cleared
# and written back with save_env, and boot_once is set so that savedefault
# (defined below) does not record the choice.
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

# Use "--id" on menuentry commands only when this GRUB build reports the
# feature; otherwise the option is left empty.
if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

# Move prev_saved_entry into saved_entry and persist both changes, again
# marking this boot as one-shot.
if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

# Record the entry that was chosen as saved_entry in the environment block,
# unless boot_once is set (a one-shot boot must not change the saved default).
function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}
# Load video support: the all_video module when the build advertises
# feature_all_video_module, otherwise each listed video driver module in turn.
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

# Pick the font. With feature_default_font_path the font is referenced by name
# and no disk access is set up here.
# NOTE(review): the cryptomount of the LUKS2 container (deadc0de...) is in the
# else branch, so in this section it runs only when that feature is absent.
# The same unlock sequence appears again in 05_debian_theme with no such guard.
# NOTE(review): the search command appears to have been wrapped across three
# lines by the mail transport; in the real grub.cfg it is presumably one line.
if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod cryptodisk
insmod luks2
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u deadc0dedeadc0dedeadc0dedeadc0de
set root='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root 
--hint='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de'  
d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3
else
  search --no-floppy --fs-uuid --set=root d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3
fi
    font="/usr/share/grub/unicode.pf2"
fi

# Graphical terminal and locale setup happen only if the font loads.
if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
# gfxterm is selected as the output terminal whether or not loadfont succeeded.
terminal_output gfxterm
# Menu timeout: 30 when recordfail is 1, otherwise 5 (with timeout_style=menu
# when the build supports it).
if [ "${recordfail}" = 1 ] ; then
  set timeout=30
else
  if [ x$feature_timeout_style = xy ] ; then
    set timeout_style=menu
    set timeout=5
  # Fallback normal timeout code in case the timeout_style feature is
  # unavailable.
  else
    set timeout=5
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
# NOTE(review): this is the section the report is about. Everything down to
# background_image runs unconditionally, so cryptomount asks for the passphrase
# of the LUKS2 container (deadc0de..., the root device per the /dev/disk/by-id
# listing in this report) only to read the theme PNG under /usr.
# NOTE(review): the reporter sees "Invalid passphrase" here. Upstream GRUB's
# luks2 module is understood to handle PBKDF2 keyslots only, which would
# explain the failure on an argon2 keyslot; confirm against the installed
# GRUB version.
# NOTE(review): presumably pointing GRUB_BACKGROUND in /etc/default/grub at an
# image on /boot, or setting it to an empty value, avoids this unlock; verify
# before relying on it.
# NOTE(review): the search and "if background_image" commands appear to have
# been wrapped by the mail transport; in the real grub.cfg each is presumably
# one line.
insmod part_gpt
insmod cryptodisk
insmod luks2
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u deadc0dedeadc0dedeadc0dedeadc0de
set root='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root 
--hint='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de'  
d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3
else
  search --no-floppy --fs-uuid --set=root d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3
fi
insmod png
# If the image cannot be read (as when the unlock above fails), the else branch
# only changes the menu colours; the boot continues to the menu.
if background_image /usr/share/desktop-base/emerald-theme/grub/grub-16x9.png; 
then
  set color_normal=white/black
  set color_highlight=black/white
else
  set menu_color_normal=cyan/blue
  set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
# Set gfxpayload to the first argument.
function gfxmode {
        set gfxpayload="${1}"
}
# linux_gfx_mode is exported with an empty value.
set linux_gfx_mode=
export linux_gfx_mode
# Default boot entry. It unlocks the LUKS1 container baddbeef... (loaded with
# the "luks" module, not "luks2"), searches for the filesystem b4ddb33f... on
# it, and loads the kernel and initrd from there.
# NOTE(review): root=UUID=d34dc0d3... on the kernel command line is the
# filesystem inside the LUKS2 container; that container is presumably unlocked
# later by the initramfs, which this report does not show.
# NOTE(review): the menuentry header, search and linux commands appear to have
# been wrapped by the mail transport; in the real grub.cfg each is presumably
# one line.
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu 
--class os $menuentry_id_option 
'gnulinux-simple-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' {
        load_video
        insmod gzio
        if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
        insmod part_gpt
        insmod cryptodisk
        insmod luks
        insmod gcry_rijndael
        insmod gcry_rijndael
        insmod gcry_sha512
        insmod ext2
        cryptomount -u baddbeefbaddbeefbaddbeefbaddbeef
        set root='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root 
--hint='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef'  
b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f
        else
          search --no-floppy --fs-uuid --set=root 
b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f
        fi
        echo    'Loading Linux 6.3.0-0-amd64 ...'
        linux   /vmlinuz-6.3.0-0-amd64 
root=UUID=d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 ro  quiet
        echo    'Loading initial ramdisk ...'
        initrd  /initrd.img-6.3.0-0-amd64
}
# Submenu with one normal and one recovery entry per installed kernel
# (6.3.0-0 and 6.1.0-9). Every entry repeats the same preparation: unlock the
# LUKS1 container baddbeef... with the "luks" module, then search for the
# filesystem b4ddb33f... that holds the kernel and initrd. None of these
# entries touches the LUKS2 container from GRUB.
# NOTE(review): several commands appear to have been wrapped by the mail
# transport; in the real grub.cfg each is presumably one line.
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 
'gnulinux-advanced-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' {
        # Kernel 6.3.0-0, normal boot ("ro  quiet").
        menuentry 'Debian GNU/Linux, with Linux 6.3.0-0-amd64' --class debian 
--class gnu-linux --class gnu --class os $menuentry_id_option 
'gnulinux-6.3.0-0-amd64-advanced-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; 
fi
                insmod part_gpt
                insmod cryptodisk
                insmod luks
                insmod gcry_rijndael
                insmod gcry_rijndael
                insmod gcry_sha512
                insmod ext2
                cryptomount -u baddbeefbaddbeefbaddbeefbaddbeef
                set root='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef'
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 
--hint='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef'  
b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f
                else
                  search --no-floppy --fs-uuid --set=root 
b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f
                fi
                echo    'Loading Linux 6.3.0-0-amd64 ...'
                linux   /vmlinuz-6.3.0-0-amd64 
root=UUID=d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 ro  quiet
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-6.3.0-0-amd64
        }
        # Kernel 6.3.0-0, recovery mode: the kernel command line ends in
        # "ro single" instead of "ro  quiet".
        menuentry 'Debian GNU/Linux, with Linux 6.3.0-0-amd64 (recovery mode)' 
--class debian --class gnu-linux --class gnu --class os $menuentry_id_option 
'gnulinux-6.3.0-0-amd64-recovery-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; 
fi
                insmod part_gpt
                insmod cryptodisk
                insmod luks
                insmod gcry_rijndael
                insmod gcry_rijndael
                insmod gcry_sha512
                insmod ext2
                cryptomount -u baddbeefbaddbeefbaddbeefbaddbeef
                set root='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef'
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 
--hint='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef'  
b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f
                else
                  search --no-floppy --fs-uuid --set=root 
b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f
                fi
                echo    'Loading Linux 6.3.0-0-amd64 ...'
                linux   /vmlinuz-6.3.0-0-amd64 
root=UUID=d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 ro single 
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-6.3.0-0-amd64
        }
        # Kernel 6.1.0-9, normal boot.
        menuentry 'Debian GNU/Linux, with Linux 6.1.0-9-amd64' --class debian 
--class gnu-linux --class gnu --class os $menuentry_id_option 
'gnulinux-6.1.0-9-amd64-advanced-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; 
fi
                insmod part_gpt
                insmod cryptodisk
                insmod luks
                insmod gcry_rijndael
                insmod gcry_rijndael
                insmod gcry_sha512
                insmod ext2
                cryptomount -u baddbeefbaddbeefbaddbeefbaddbeef
                set root='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef'
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 
--hint='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef'  
b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f
                else
                  search --no-floppy --fs-uuid --set=root 
b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f
                fi
                echo    'Loading Linux 6.1.0-9-amd64 ...'
                linux   /vmlinuz-6.1.0-9-amd64 
root=UUID=d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 ro  quiet
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-6.1.0-9-amd64
        }
        # Kernel 6.1.0-9, recovery mode ("ro single").
        menuentry 'Debian GNU/Linux, with Linux 6.1.0-9-amd64 (recovery mode)' 
--class debian --class gnu-linux --class gnu --class os $menuentry_id_option 
'gnulinux-6.1.0-9-amd64-recovery-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; 
fi
                insmod part_gpt
                insmod cryptodisk
                insmod luks
                insmod gcry_rijndael
                insmod gcry_rijndael
                insmod gcry_sha512
                insmod ext2
                cryptomount -u baddbeefbaddbeefbaddbeefbaddbeef
                set root='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef'
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 
--hint='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef'  
b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f
                else
                  search --no-floppy --fs-uuid --set=root 
b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f
                fi
                echo    'Loading Linux 6.1.0-9-amd64 ...'
                linux   /vmlinuz-6.1.0-9-amd64 
root=UUID=d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 ro single 
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-6.1.0-9-amd64
        }
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
# Menu entry that runs fwsetup, i.e. hands control to the UEFI firmware's own
# setup interface. It needs no disk access, so no cryptomount appears here.
menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
        fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/35_fwupd ###
### END /etc/grub.d/35_fwupd ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
# Source an optional custom.cfg: first from config_directory, and from $prefix
# only when config_directory is empty.
# NOTE(review): a sourced custom.cfg runs as GRUB script at boot, so it should
# be writable by the same principals as grub.cfg itself.
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg
fi
### END /etc/grub.d/41_custom ###
*********************** END /boot/grub/grub.cfg

*********************** BEGIN /proc/mdstat
cat: /proc/mdstat: No such file or directory
*********************** END /proc/mdstat

*********************** BEGIN /dev/disk/by-id
total 0
lrwxrwxrwx 1 root root 10 May 30 17:48 dm-name-boot_crypt -> ../../dm-1
lrwxrwxrwx 1 root root 10 May 30 17:48 dm-name-root_crypt -> ../../dm-0
lrwxrwxrwx 1 root root 10 May 30 17:48 
dm-uuid-CRYPT-LUKS1-baddbeefbaddbeefbaddbeefbaddbeef-boot_crypt -> ../../dm-1
lrwxrwxrwx 1 root root 10 May 30 17:48 
dm-uuid-CRYPT-LUKS2-deadc0dedeadc0dedeadc0dedeadc0de-root_crypt -> ../../dm-0
lrwxrwxrwx 1 root root 13 May 30 17:48 nvme -> ../../nvme0n1
lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-part1 -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-part2 -> ../../nvme0n1p2
lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-part3 -> ../../nvme0n1p3
lrwxrwxrwx 1 root root 13 May 30 17:48 nvme-nvme.0000-00000001 -> ../../nvme0n1
lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-nvme.0000-00000001-part1 -> 
../../nvme0n1p1
lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-nvme.0000-00000001-part2 -> 
../../nvme0n1p2
lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-nvme.0000-00000001-part3 -> 
../../nvme0n1p3
*********************** END /dev/disk/by-id

*********************** BEGIN /dev/disk/by-uuid
total 0
lrwxrwxrwx 1 root root 15 May 30 17:48 baddbeef-badd-beef-badd-beefbaddbeef-> 
../../nvme0n1p2
lrwxrwxrwx 1 root root 15 May 30 17:48 deadc0de-dead-c0de-dead-c0dedeadc0de -> 
../../nvme0n1p3
lrwxrwxrwx 1 root root 10 May 30 17:48 b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f -> 
../../dm-1
lrwxrwxrwx 1 root root 15 May 30 17:48 A5A5-A5A5 -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 10 May 30 17:48 d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 -> 
../../dm-0
*********************** END /dev/disk/by-uuid

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'unstable'), (500, 'testing'), 
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, i386

Kernel: Linux 6.3.0-0-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information
