> The new LUKS2 format stores the metadata in a JSON document which requires a JSON parser in grub. Given that Ubuntu does not support encrypted /boot partitions, the decision was made not to enable the feature such as to prevent the JSON code from becoming an attack vector to break secure boot.
I'd rather invest in a fuzzer or integrate a Rust-based JSON parser than remove it completely.

> Please note that encryption of /boot is security by obscurity: The data is encrypted, but not authenticated so it is still subject to chosen plaintext attacks, as is any encrypted data. You do not need obscurity for public knowledge like kernel and initrd content, it's only valuable for your personal private data.

While true in theory, I'm not sure it is applicable. Modern well-designed ciphers and encryption schemes should not be susceptible to this attack, though I can't speak to LUKS specifically; I do not fully know how it is implemented in detail. Also, kernel and initrd content might be public knowledge with kernels that you, Ubuntu, ship, which is not true if there are customizations applied on the system. While I don't think they are particularly sensitive, the fact that kernel and initrd are public knowledge is strictly speaking not true.

> A secure chain needs to authenticate the initrd against a certificate. For example, Ubuntu Desktop TPM FDE offers fully authenticated early boot environments.

Ubuntu's desktop FDE is a special case that only works with an Ubuntu-signed precompiled kernel that depends on Snap (I use neither the Ubuntu kernel nor Snap on my desktop). I was initially very optimistic and then kind of disappointed by the implementation. I have configured TPM FDE encryption that fully verifies everything on one of my Ubuntu servers with a self-signed initrd (mostly based on https://blastrock.github.io/fde-tpm-sb.html while using different tools for some of the steps). It does work, but even then it was a bit painful on 23.10 due to Ubuntu not shipping, on purpose, some of the systemd components required for this to work (ukify specifically, see https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2031898).

I understand that you have a "canonical" way of doing FDE that is user-friendly, but that is not the only way, and making it impossible to use alternatives is very annoying.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1062623

Title:
  enable grub-2.00 boot-from-luks support

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1062623/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
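The point raised in the quoted text, that encryption without authentication does not protect /boot content from modification, is easy to see on a small model. The following is an added example, not code from this thread or from the LUKS or grub projects: it uses an HMAC-SHA256 keystream as a stand-in stream cipher (not LUKS's XTS), a constructed key, nonce and kernel command line, and shows that a party who knows the plaintext layout can rewrite the ciphertext without the key, while an encrypt-then-MAC variant rejects the same modification. Real XTS does not give byte-precise control like this toy cipher, but it equally reports no error when a block has been altered, which is why the boot chain needs a separate signature or measurement on the initrd.

```python
"""Toy demonstration that encryption alone is not integrity.

Constructed example: the "cipher" is an HMAC-SHA256 keystream standing in for
a stream/CTR mode, and the key, nonce and command line are made up. It is
not a model of LUKS's XTS mode, which scrambles a whole block instead of
single bytes, but XTS likewise gives no error on a modified block.
"""
import hashlib
import hmac
import struct

# Constructed demo key and nonce, fixed so that the demo is reproducible.
DEMO_KEY = bytes(range(32))
DEMO_NONCE = b"demo-nonce-12345"

# Constructed stand-in for /boot content whose layout is public knowledge.
CMDLINE = b"root=/dev/sda2 ro quiet"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC(key, nonce || counter); a stand-in for a CTR cipher."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        msg = nonce + struct.pack(">Q", counter)
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the plaintext with the keystream."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


# XOR with the same keystream is its own inverse.
decrypt_unauthenticated = encrypt_unauthenticated


def tamper_ciphertext(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Rewrite ciphertext so it decrypts to `desired` where `known` was.

    No key is needed: XOR-ing the ciphertext with (known ^ desired) flips
    exactly the plaintext bits that differ. This is the malleability the
    quoted text is talking about.
    """
    if len(known) != len(desired):
        raise ValueError("replacement must keep the same length")
    ct = bytearray(ciphertext)
    for i, (k, d) in enumerate(zip(known, desired)):
        ct[offset + i] ^= k ^ d
    return bytes(ct)


def _mac_key(key: bytes) -> bytes:
    """Derive a separate MAC key from the encryption key (simple domain separation)."""
    return hashlib.sha256(b"mac-key:" + key).digest()


def encrypt_authenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by a 32-byte HMAC over nonce || ciphertext."""
    ct = encrypt_unauthenticated(key, nonce, plaintext)
    tag = hmac.new(_mac_key(key), nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_authenticated(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any modification."""
    if len(blob) < 32:
        raise ValueError("blob too short to carry a tag")
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_mac_key(key), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return decrypt_unauthenticated(key, nonce, ct)


def demo() -> dict:
    """Apply the same 'ro' -> 'rw' rewrite to both variants and report the outcome."""
    offset = CMDLINE.index(b" ro ") + 1  # position of the 'r' in "ro"

    # Unauthenticated: the modified ciphertext decrypts cleanly to the chosen text.
    ct = encrypt_unauthenticated(DEMO_KEY, DEMO_NONCE, CMDLINE)
    tampered = tamper_ciphertext(ct, offset, b"ro", b"rw")
    unauth_result = decrypt_unauthenticated(DEMO_KEY, DEMO_NONCE, tampered)

    # Authenticated: the identical modification is detected and rejected.
    blob = encrypt_authenticated(DEMO_KEY, DEMO_NONCE, CMDLINE)
    tampered_blob = tamper_ciphertext(blob, offset, b"ro", b"rw")
    try:
        decrypt_authenticated(DEMO_KEY, DEMO_NONCE, tampered_blob)
        rejected = False
    except ValueError:
        rejected = True

    return {"unauthenticated_decrypts_to": unauth_result, "authenticated_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unauthenticated ciphertext decrypting to `root=/dev/sda2 rw quiet` with no error, while the encrypt-then-MAC version raises on the same modification. The design choice worth noting is that the MAC is computed over the nonce and ciphertext and checked with `hmac.compare_digest` before any decryption, which is the same ordering a verified-boot chain relies on: check the signature or measurement first, then use the data.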