I suspect part of the motivation for this decision is that GRUB2 still does not have upstream support for Argon2 Key Derivation Functions (KDFs), so adding luks2 'support' only works if the KDF is restricted to PBKDF2. I don't know if the problem with 'grub-probe' not recognising luks2-formatted block-devices has been solved either, which makes automating the creation of the GRUB2 setup more challenging than it should be.
I do not expect Ubuntu to solve GRUB's problems implementing Argon2 KDFs (it requires non-trivial changes to GRUB2's version of libgcrypt - GRUB2 applies patches to a particular version of the source of libgcrypt from upstream which is then compiled for the GRUB2 environment - see the grub-devel mailing list and search for libgcrypt).

Rather than saying "Won't Fix", I'd prefer it if the Ubuntu developers simply made supporting luks2 and Argon2 KDFs a dependency on upstream GRUB2 doing so. Not all systems that people wish to run Ubuntu on support TPM-backed FDE, and it would be helpful to continue allowing an encrypted /boot.

I'll say again that I don't expect Ubuntu to develop and support their own patchset on upstream GRUB2 - merely that once upstream GRUB2 offers Argon2 KDFs that Ubuntu will support that by including relevant modules. I don't think that is an unreasonable request. I respectfully request that the status is changed from "Won't Fix" to "In progress", and the assigned person tracks GRUB2's progress on implementing Argon2 KDFs.

https://bugs.launchpad.net/bugs/1062623
Title: enable grub-2.00 boot-from-luks support
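The PBKDF2-only constraint described in the comment above can be checked per keyslot, shown here as an added example that is not part of the original comment and is not GRUB or Ubuntu code. It assumes the LUKS2 JSON metadata layout as printed by `cryptsetup luksDump --dump-json-metadata`; the sample metadata, the function names and the `GRUB_USABLE_KDFS` set are constructed for illustration.

```python
import json

# Constructed sample of LUKS2 JSON metadata, trimmed to the fields used here.
# Salts are placeholders. Real input would come from:
#   cryptsetup luksDump --dump-json-metadata <device>
SAMPLE_METADATA = """
{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                  "cpus": 4, "salt": "PLACEHOLDER"}},
    "1": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "pbkdf2", "hash": "sha256",
                  "iterations": 1000000, "salt": "PLACEHOLDER"}}
  }
}
"""

# Assumption taken from the comment above: GRUB2's luks2 support only
# works when the keyslot KDF is PBKDF2.
GRUB_USABLE_KDFS = {"pbkdf2"}


def classify_keyslots(metadata_json):
    """Return {slot_id: (kdf_type, usable_by_grub)} for every keyslot."""
    metadata = json.loads(metadata_json)
    slots = metadata.get("keyslots", {})
    result = {}
    for slot_id in sorted(slots, key=int):
        kdf_type = slots[slot_id].get("kdf", {}).get("type", "unknown")
        result[slot_id] = (kdf_type, kdf_type in GRUB_USABLE_KDFS)
    return result


def grub_can_unlock(metadata_json):
    """True if at least one keyslot uses a KDF that GRUB2 can process."""
    return any(ok for _, ok in classify_keyslots(metadata_json).values())


if __name__ == "__main__":
    for slot, (kdf, ok) in classify_keyslots(SAMPLE_METADATA).items():
        verdict = "usable" if ok else "not usable"
        print(f"keyslot {slot}: kdf={kdf} -> {verdict} by GRUB2")
    print("GRUB2 can unlock this volume:", grub_can_unlock(SAMPLE_METADATA))
```

A volume whose only keyslots are Argon2 reports `False`, which is the case where an encrypted /boot cannot be opened by GRUB2 as described above.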