Bug ID 917427
Summary LUKS encrypted LVM without separate "/boot" fails using UEFI secure boot
Classification openSUSE
Product openSUSE Factory
Version 201501*
Hardware x86-64
OS SUSE Other
Status NEW
Severity Normal
Priority P5 - None
Component Bootloader
Assignee jsrain@suse.com
Reporter nrickert@ameritech.net
QA Contact jsrain@suse.com
Found By ---
Blocker --- 

User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.21 (KHTML,
like Gecko) konqueror/4.14.4 Safari/537.21
Build Identifier: 

This is based on a test install (minimal X) using 20150201.

I installed into an existing encrypted LVM.  I did not use a separate
unencrypted "/boot".

Yast did not see a problem with this install.

On reboot, I see only a grub shell.

Note that I set grub distributor to "betasuse" to avoid conflict with my main
install on that box.

When I disable secure-boot, and select "betasuse" (rather than
"betasuse-secureboot") from the UEFI boot menu, I am able to boot.  If I select
"betasuse-secureboot" from the menu, I am unable to boot.

It looks to me as if "grubx64.efi" has the needed grub code for decryption, but
{"shim.efi",grub.efi,grub.cfg} between them do not have what is needed.

This is unfortunate.  Avoiding an unencrypted "/boot" mainly makes sense when
secure-boot is used.  And that is just what doesn't work.

Reproducible: Always

You are receiving this mail because: