[Bug 1813126] Re: [19.04] GRUB_ENABLE_CRYPTODISK=y ignored if /boot/ in LUKSv2 format
[Expired for grub2 (Ubuntu) because there has been no activity for 60 days.] ** Changed in: grub2 (Ubuntu) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1813126 Title: [19.04] GRUB_ENABLE_CRYPTODISK=y ignored if /boot/ in LUKSv2 format To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1813126/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1813126] Re: [19.04] GRUB_ENABLE_CRYPTODISK=y ignored if /boot/ in LUKSv2 format
Disregard my post, my issue was unrelated. (I inadvertently must have removed my crypttab file, sigh.) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1813126 Title: [19.04] GRUB_ENABLE_CRYPTODISK=y ignored if /boot/ in LUKSv2 format To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1813126/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1813126] Re: [19.04] GRUB_ENABLE_CRYPTODISK=y ignored if /boot/ in LUKSv2 format
I can confirm similar behavior, but slightly different setup. I installed 19.04 from scratch, and used the disk encryption with lvm option during setup. Everything was working fine until upgrading to the latest kernel, 5.0.0-16-generic. The previous kernel I had installed, 5.0.0-15-generic, still works fine. I see no differences in the grub config for the 2 kernels: menuentry 'Ubuntu, with Linux 5.0.0-16-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.0.0-16-generic-advanced-69cc3212-6aef-415d-a65d-30362fc514f6' { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 070883ed-c707-4199-b2b2-84145dc3355d else search --no-floppy --fs-uuid --set=root 070883ed-c707-4199-b2b2-84145dc3355d fi echo'Loading Linux 5.0.0-16-generic ...' linux /vmlinuz-5.0.0-16-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash $vt_handoff echo'Loading initial ramdisk ...' initrd /initrd.img-5.0.0-16-generic } menuentry 'Ubuntu, with Linux 5.0.0-15-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.0.0-15-generic-advanced-69cc3212-6aef-415d-a65d-30362fc514f6' { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 070883ed-c707-4199-b2b2-84145dc3355d else search --no-floppy --fs-uuid --set=root 070883ed-c707-4199-b2b2-84145dc3355d fi echo'Loading Linux 5.0.0-15-generic ...' linux /vmlinuz-5.0.0-15-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash $vt_handoff echo'Loading initial ramdisk ...' initrd /initrd.img-5.0.0-15-generic } -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1813126 Title: [19.04] GRUB_ENABLE_CRYPTODISK=y ignored if /boot/ in LUKSv2 format To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1813126/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1813126] Re: [19.04] GRUB_ENABLE_CRYPTODISK=y ignored
Further investigation revealed that a change to the semantics of 'cryptsetup' tool is responsible for the specific manual build I did. On 18.04 'cryptsetup luksFormat --type=luks ...' would create a LUKS v1 header. On 19.04 it creates a LUKS v2 header. GRUB only supports LUKS v1 headers currently. To resolve this on 19.04 we need to use "cryptsetup luksFormat --type=luks1 ...". If the do-release-upgrade process is breaking existing bootable GRUB file-systems this is likely because there is some LUKSv1 to LUKSv2 conversion being done - which the OS is fine with. If this is correct, presumably the conversion code doesn't check if GRUB is also using the LUKS device and in converting it to v2 breaks GRUB. My workaround from a liveISO to switch back to LUKS v1 was to do the following (as UID 0 root). I've tried to make this portable but there may be some typing mistakes so please proof-read carefully! # set the following variables for your target system # device where OS is installed (usually the same as GRUB_DEV) DEV_INSTALL="sdZ" # partition number for /boot/ partition (e.g. from /dev/sdZ3) PART_BOOT="3" # partition for root file-system (e.g. from /dev/sdZ4) PART_ROOT="4" # device-mapper name of unencrypted /boot/ device LUKS_BOOT="LUKS_BOOT" # LVM names of root file-system VG="ubuntu" LV="rootfs" # shouldn't need to edit any variables from here onwards # device to install GRUB on export DEV_GRUB="/dev/$INSTALL_DEV" # device-mapper name of the unencrypted /boot device FS_BOOT="/dev/mapper/$LUKS_BOOT" # encrypted /boot device DEV_BOOT="/dev/${DEV_INSTALL}${PART_BOOT}" # device-mapper name of the rootfs device FS_ROOT="/dev/mapper/$VG-$LV" LUKS_ROOT="${INSTALL_DEV}${PART_ROOT}_crypt" # encrypted rootfs device DEV_ROOT="/dev/${INSTALL_DEV}${PART_ROOT}" # mountpoint for root file-system TARGET="/target" # boot directory BOOT="$TARGET/boot" # back-up directory BAK="/tmp/boot.bak" mkdir $TARGET $BAK cryptdisk_start $LUKS_ROOT lvm vgchange -ay mount $FS_ROOT $TARGET cryptdisk_start $LUKS_BOOT mount $FS_BOOT $BOOT cp -a $BOOT/* $BAK/ umount $BOOT cryptdisk_stop $LUKS_BOOT cryptsetup luksFormat --type=luks1 $DEV_BOOT # use the existing UUID from crypttab cryptsetup luksUUID --uuid $( sed -n '/'$LUKS_BOOT'/ s/.*UUID=\([^ ]*\).*/\1/ p' $TARGET/etc/crypttab ) $DEV_BOOT cryptdisk_start $LUKS_BOOT mkfs.ext -L /boot $FS_BOOT mount $FS_BOOT $BOOT cp -a $BAK/* $BOOT/ for n in proc sys dev etc/resolv.conf; do mount --rbind /$n $TARGET/$n; done chroot $TARGET # inside the chroot of the broken OS mount -a update-grub grep -o 'cryptodisk' || echo "Eror: grub.cfg has no LUKS support" grub-install -v $DEV_GRUB >& /tmp/grub-install.log grep 'grub-mkimage' /tmp/grub-install.log | grep -o cryptodisk || echo "Error: GRUB has no LUKS support installed" # if all OK... exit # clean up for n in etc/resolv.conf dev sys proc $BOOT $TARGET; do umount $TARGET/$n; done cryptdisk_stop $LUKS_BOOT cryptdisk_stop $LUKS_ROOT # finished exit # reboot and test ** Summary changed: - [19.04] GRUB_ENABLE_CRYPTODISK=y ignored + [19.04] GRUB_ENABLE_CRYPTODISK=y ignored if /boot/ in LUKSv2 format -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1813126 Title: [19.04] GRUB_ENABLE_CRYPTODISK=y ignored if /boot/ in LUKSv2 format To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1813126/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1813126] Re: [19.04] GRUB_ENABLE_CRYPTODISK=y ignored
If you manage to boot off a USB key or something else and discover the drives, can you then run grub-probe on the device to check if grub correctly identifies the disk as a crypto disk? Running the following command: sudo grub-probe --device=/dev/mapper/ --target=abstraction Should get you output a bit like the following: cryptodisk luks gcry_rijndael gcry_rijndael gcry_sha256 If not, then the device is not getting recognized properly. At a glance, my first guess would be that the format changes in LUKS that happened in 19.04 are causing an issue, but I'm not sure. I would not have expected this to be a problem on upgrade. Please report with the output for the command above if possible, so we can dig in more into what is happening in grub's probing. ** Changed in: grub2 (Ubuntu) Status: Confirmed => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1813126 Title: [19.04] GRUB_ENABLE_CRYPTODISK=y ignored To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1813126/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs