Source: grub-common Severity: normal X-Debbugs-Cc: nmschu...@gmail.com On a UEFI system with a LUKS2/argon2-encrypted root (/) and a LUKS1/PBKDF-encrypted boot (/boot) (and/via GRUB early crypto), if desktop-base is installed (providing the GRUB [emerald] theme), mkconfig/05_debian_theme will cause GRUB to prompt to unlock the LUKS2 device to load the theme background, which silently fails (cryptomount: error: Invalid passphrase).
This causes GRUB to unnecessarily/annoyingly prompt twice for crypto passphrases, though it seems a quick work-around at the LUKS2/root partition prompt is to simply enter an empty phrase to jump to the menu. I understand LUKS2 GRUB support is a WIP; I do not know if this includes argon2 support. It would be great to avoid this annoying prompt situation (e.g. by detecting LUKS2/argon2 on the partition, or supporting the situation somehow; preferably still with a single prompt in a manner similar to cryptsetup-initramfs/KEYFILE_PATTERN and crypttab/keyfile spec). Thanks! -- Package-specific info: *********************** BEGIN /proc/mounts /dev/mapper/root_crypt / ext4 rw,relatime,errors=remount-ro 0 0 /dev/mapper/boot_crypt /boot ext4 rw,relatime 0 0 /dev/nvme0n1p1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0 *********************** END /proc/mounts *********************** BEGIN /boot/grub/grub.cfg # # DO NOT EDIT THIS FILE # # It is automatically generated by grub-mkconfig using templates # from /etc/grub.d and settings from /etc/default/grub # ### BEGIN /etc/grub.d/00_header ### if [ -s $prefix/grubenv ]; then set have_grubenv=true load_env fi if [ "${next_entry}" ] ; then set default="${next_entry}" set next_entry= save_env next_entry set boot_once=true else set default="0" fi if [ x"${feature_menuentry_id}" = xy ]; then menuentry_id_option="--id" else menuentry_id_option="" fi export menuentry_id_option if [ "${prev_saved_entry}" ]; then set saved_entry="${prev_saved_entry}" save_env saved_entry set prev_saved_entry= save_env prev_saved_entry set boot_once=true fi function savedefault { if [ -z "${boot_once}" ]; then saved_entry="${chosen}" save_env saved_entry fi } function load_video { if [ x$feature_all_video_module = xy ]; then insmod all_video else insmod efi_gop insmod efi_uga insmod ieee1275_fb insmod vbe insmod vga insmod video_bochs insmod video_cirrus fi } if [ 
x$feature_default_font_path = xy ] ; then font=unicode else insmod part_gpt insmod cryptodisk insmod luks2 insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha256 insmod ext2 cryptomount -u deadc0dedeadc0dedeadc0dedeadc0de set root='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de' d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 else search --no-floppy --fs-uuid --set=root d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 fi font="/usr/share/grub/unicode.pf2" fi if loadfont $font ; then set gfxmode=auto load_video insmod gfxterm set locale_dir=$prefix/locale set lang=en_US insmod gettext fi terminal_output gfxterm if [ "${recordfail}" = 1 ] ; then set timeout=30 else if [ x$feature_timeout_style = xy ] ; then set timeout_style=menu set timeout=5 # Fallback normal timeout code in case the timeout_style feature is # unavailable. else set timeout=5 fi fi ### END /etc/grub.d/00_header ### ### BEGIN /etc/grub.d/05_debian_theme ### insmod part_gpt insmod cryptodisk insmod luks2 insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha256 insmod ext2 cryptomount -u deadc0dedeadc0dedeadc0dedeadc0de set root='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/deadc0dedeadc0dedeadc0dedeadc0de' d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 else search --no-floppy --fs-uuid --set=root d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 fi insmod png if background_image /usr/share/desktop-base/emerald-theme/grub/grub-16x9.png; then set color_normal=white/black set color_highlight=black/white else set menu_color_normal=cyan/blue set menu_color_highlight=white/blue fi ### END /etc/grub.d/05_debian_theme ### ### BEGIN /etc/grub.d/10_linux ### function gfxmode { set gfxpayload="${1}" } set linux_gfx_mode= export linux_gfx_mode menuentry 'Debian GNU/Linux' --class debian --class gnu-linux 
--class gnu --class os $menuentry_id_option 'gnulinux-simple-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha512 insmod ext2 cryptomount -u baddbeefbaddbeefbaddbeefbaddbeef set root='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef' b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f else search --no-floppy --fs-uuid --set=root b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f fi echo 'Loading Linux 6.3.0-0-amd64 ...' linux /vmlinuz-6.3.0-0-amd64 root=UUID=d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 ro quiet echo 'Loading initial ramdisk ...' initrd /initrd.img-6.3.0-0-amd64 } submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' { menuentry 'Debian GNU/Linux, with Linux 6.3.0-0-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.3.0-0-amd64-advanced-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha512 insmod ext2 cryptomount -u baddbeefbaddbeefbaddbeefbaddbeef set root='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef' b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f else search --no-floppy --fs-uuid --set=root b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f fi echo 'Loading Linux 6.3.0-0-amd64 ...' linux /vmlinuz-6.3.0-0-amd64 root=UUID=d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 ro quiet echo 'Loading initial ramdisk ...' 
initrd /initrd.img-6.3.0-0-amd64 } menuentry 'Debian GNU/Linux, with Linux 6.3.0-0-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.3.0-0-amd64-recovery-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha512 insmod ext2 cryptomount -u baddbeefbaddbeefbaddbeefbaddbeef set root='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef' b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f else search --no-floppy --fs-uuid --set=root b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f fi echo 'Loading Linux 6.3.0-0-amd64 ...' linux /vmlinuz-6.3.0-0-amd64 root=UUID=d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 ro single echo 'Loading initial ramdisk ...' initrd /initrd.img-6.3.0-0-amd64 } menuentry 'Debian GNU/Linux, with Linux 6.1.0-9-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-9-amd64-advanced-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha512 insmod ext2 cryptomount -u baddbeefbaddbeefbaddbeefbaddbeef set root='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef' b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f else search --no-floppy --fs-uuid --set=root b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f fi echo 'Loading Linux 6.1.0-9-amd64 ...' linux /vmlinuz-6.1.0-9-amd64 root=UUID=d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 ro quiet echo 'Loading initial ramdisk ...' 
initrd /initrd.img-6.1.0-9-amd64 } menuentry 'Debian GNU/Linux, with Linux 6.1.0-9-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-9-amd64-recovery-d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha512 insmod ext2 cryptomount -u baddbeefbaddbeefbaddbeefbaddbeef set root='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/baddbeefbaddbeefbaddbeefbaddbeef' b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f else search --no-floppy --fs-uuid --set=root b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f fi echo 'Loading Linux 6.1.0-9-amd64 ...' linux /vmlinuz-6.1.0-9-amd64 root=UUID=d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 ro single echo 'Loading initial ramdisk ...' initrd /initrd.img-6.1.0-9-amd64 } } ### END /etc/grub.d/10_linux ### ### BEGIN /etc/grub.d/20_linux_xen ### ### END /etc/grub.d/20_linux_xen ### ### BEGIN /etc/grub.d/30_os-prober ### ### END /etc/grub.d/30_os-prober ### ### BEGIN /etc/grub.d/30_uefi-firmware ### menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' { fwsetup } ### END /etc/grub.d/30_uefi-firmware ### ### BEGIN /etc/grub.d/35_fwupd ### ### END /etc/grub.d/35_fwupd ### ### BEGIN /etc/grub.d/40_custom ### # This file provides an easy way to add custom menu entries. Simply type the # menu entries you want to add after this comment. Be careful not to change # the 'exec tail' line above. 
### END /etc/grub.d/40_custom ### ### BEGIN /etc/grub.d/41_custom ### if [ -f ${config_directory}/custom.cfg ]; then source ${config_directory}/custom.cfg elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then source $prefix/custom.cfg fi ### END /etc/grub.d/41_custom ### *********************** END /boot/grub/grub.cfg *********************** BEGIN /proc/mdstat cat: /proc/mdstat: No such file or directory *********************** END /proc/mdstat *********************** BEGIN /dev/disk/by-id total 0 lrwxrwxrwx 1 root root 10 May 30 17:48 dm-name-boot_crypt -> ../../dm-1 lrwxrwxrwx 1 root root 10 May 30 17:48 dm-name-root_crypt -> ../../dm-0 lrwxrwxrwx 1 root root 10 May 30 17:48 dm-uuid-CRYPT-LUKS1-baddbeefbaddbeefbaddbeefbaddbeef-boot_crypt -> ../../dm-1 lrwxrwxrwx 1 root root 10 May 30 17:48 dm-uuid-CRYPT-LUKS2-deadc0dedeadc0dedeadc0dedeadc0de-root_crypt -> ../../dm-0 lrwxrwxrwx 1 root root 13 May 30 17:48 nvme -> ../../nvme0n1 lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-part1 -> ../../nvme0n1p1 lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-part2 -> ../../nvme0n1p2 lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-part3 -> ../../nvme0n1p3 lrwxrwxrwx 1 root root 13 May 30 17:48 nvme-nvme.0000-00000001 -> ../../nvme0n1 lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-nvme.0000-00000001-part1 -> ../../nvme0n1p1 lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-nvme.0000-00000001-part2 -> ../../nvme0n1p2 lrwxrwxrwx 1 root root 15 May 30 17:48 nvme-nvme.0000-00000001-part3 -> ../../nvme0n1p3 *********************** END /dev/disk/by-id *********************** BEGIN /dev/disk/by-uuid total 0 lrwxrwxrwx 1 root root 15 May 30 17:48 baddbeef-badd-beef-badd-beefbaddbeef-> ../../nvme0n1p2 lrwxrwxrwx 1 root root 15 May 30 17:48 deadc0de-dead-c0de-dead-c0dedeadc0de -> ../../nvme0n1p3 lrwxrwxrwx 1 root root 10 May 30 17:48 b4ddb33f-b4dd-b33f-b4dd-b33fb4ddb33f -> ../../dm-1 lrwxrwxrwx 1 root root 15 May 30 17:48 A5A5-A5A5 -> ../../nvme0n1p1 lrwxrwxrwx 1 root root 10 May 30 17:48 
d34dc0d3-d34d-c0d3-d34d-c0d3d34dc0d3 -> ../../dm-0 *********************** END /dev/disk/by-uuid -- System Information: Debian Release: 12.0 APT prefers testing-security APT policy: (500, 'testing-security'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: arm64, i386 Kernel: Linux 6.3.0-0-amd64 (SMP w/16 CPU threads; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled -- no debconf information