GRUB 2.14 is on the way!

> A common setup is to use a separate encrypted /boot partition that
> must be unlocked by GRUB (cryptodisk) in order to load the kernel and
> initramfs.

This setup is not supported by Ubuntu. We do sign the luks module due to
historical reasons (it will be removed), but we do not sign luks2 at
all. The intended way to do it is to have /boot readable in the clear (with
ideally signed boot assets) and use the initrd to unlock the root
LUKS(2) container.

Please note that if you do not need secure boot support, this will still
be possible in GRUB 2.14, but we do not plan on signing the luks2 module.

** Changed in: grub2-signed (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2141233

Title:
  26.04: outdated signed GRUB (Secure Boot) cannot unlock LUKS2 /boot
  with Argon2 (argon2i/argon2id) KDF – needs update + signed artifacts
  parity

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/2141233/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs