The new LUKS2 format stores the metadata in a JSON document which requires a JSON parser in grub. Given that Ubuntu does not support encrypted /boot partitions, the decision was made not to enable the feature such as to prevent the JSON code from becoming an attack vector to break secure boot.
Please note that encryption of /boot is security by obscurity: the data is encrypted, but not authenticated, so it is still subject to chosen plaintext attacks, as is any encrypted data. You do not need obscurity for public knowledge like kernel and initrd content; it's only valuable for your personal private data. A secure chain needs to authenticate the initrd against a certificate. For example, Ubuntu Desktop TPM FDE offers fully authenticated early boot environments.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1062623

Title:
  enable grub-2.00 boot-from-luks support

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1062623/+subscriptions
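The distinction drawn in the comment above, between data that is merely encrypted and data that is also authenticated, as an added Python example that is not part of the bug report, of grub or of LUKS. It uses a toy SHA-256 counter keystream and an HMAC tag as stdlib stand-ins for the real block cipher and AEAD; the keys, nonce and plaintext are constructed values. With no tag, a one-byte change to the ciphertext comes out as a one-byte change to the decrypted data and nothing notices; with encrypt-then-MAC the same change is rejected before the data is used, which is the property an authenticated boot chain relies on.

```python
"""Encrypted-but-unauthenticated vs authenticated data (constructed example)."""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; stands in for a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Plain XOR with the keystream: confidentiality only, no integrity.
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt_unauthenticated(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return encrypt_unauthenticated(key, nonce, ciphertext)


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers nonce and ciphertext.
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time before touching the ciphertext.
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return decrypt_unauthenticated(enc_key, nonce, ct)


def modify_byte(data: bytes, offset: int, delta: int) -> bytes:
    # Model an on-disk change to one stored byte (what a MAC is meant to catch).
    buf = bytearray(data)
    buf[offset] ^= delta
    return bytes(buf)


def demo() -> dict:
    # Constructed keys, nonce and payload for a deterministic run.
    enc_key = hashlib.sha256(b"constructed enc key").digest()
    mac_key = hashlib.sha256(b"constructed mac key").digest()
    nonce = b"\x01" * 12
    plaintext = b"version=1"

    # Unauthenticated: the changed ciphertext byte maps straight onto the
    # plaintext ('1' ^ 0x01 == '0') and decryption reports nothing wrong.
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    silent = decrypt_unauthenticated(enc_key, nonce, modify_byte(ct, 8, 0x01))

    # Authenticated: the untouched blob round-trips, the modified one is rejected.
    blob = encrypt_authenticated(enc_key, mac_key, nonce, plaintext)
    roundtrip = decrypt_authenticated(enc_key, mac_key, nonce, blob)
    try:
        decrypt_authenticated(enc_key, mac_key, nonce, modify_byte(blob, 8, 0x01))
        rejected = False
    except ValueError:
        rejected = True

    return {"roundtrip": roundtrip, "silent_change": silent, "rejected": rejected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The unauthenticated path is what plain disk encryption gives a /boot partition: it hides the bytes but cannot tell a legitimate write from a hostile one. The authenticated path is the property a signed or measured boot chain provides, and it is the reason the comment treats authentication, not obscurity, as the requirement for early boot.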
