Public bug reported:

Grub has support for booting from a fully encrypted /, including
encrypted /boot, when GRUB_ENABLE_CRYPTODISK=y is set in
/etc/default/grub. However, grub-efi-amd64-signed needs some extra
modules to support this: procfs, cryptodisk, luks, gcry_rijndael,
gcry_sha1. I had to copy these five modules into
/boot/efi/EFI/ubuntu/x86_64-efi and prepend these lines to
/boot/efi/EFI/ubuntu/grub.cfg:

  insmod procfs
  insmod cryptodisk
  insmod luks
  insmod gcry_rijndael
  insmod gcry_sha1
  cryptomount -u <32-digit uuid>

With secure boot disabled, this works fine. (I’m slightly annoyed about
getting two passphrase prompts, one for GRUB and one for Linux, but
whatever.)

However, the insmod commands prevent me from enabling secure boot:

  error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/procfs.mod
  error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/cryptodisk.mod
  error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/luks.mod
  error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/gcry_rijndael.mod
  error: Secure Boot forbids loading module from (hd0,gpt2)/efi/ubuntu/x86_64/gcry_sha1.mod

Would it be possible to add those modules to grub-efi-amd64-signed?

** Affects: grub2-signed (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 utopic

https://bugs.launchpad.net/bugs/1360203

Title:
  grub-efi-amd64-signed is missing modules for GRUB_ENABLE_CRYPTODISK=y
