Bug ID 1103825
Summary grub2 boots to shell when using GRUB_ENABLE_CRYPTODISK=y and LUKS with hash SHA256 because gcry_sha256 is missing from grub.efi
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.3
Hardware x86-64
OS openSUSE 42.3
Status NEW
Severity Major
Priority P5 - None
Component Bootloader
Assignee jsrain@suse.com
Reporter arnd@gronenberg.com
QA Contact jsrain@suse.com
Found By ---
Blocker ---

User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36
Build Identifier: 

I'm running a completely encrypted partition (LUKS > LVM PV > LVM LVs > btrfs)
on a UEFI secure boot system (Lenovo B70-80) where /boot is contained within
the encrypted disk. /etc/default/grub contains GRUB_ENABLE_CRYPTODISK=y. When
the LUKS container uses --hash=sha256, booting the system fails with the message
"Couldn't load SHA256 hash" and the grub shell is displayed. Neither "insmod
sha256" nor "insmod gcry_sha256" loads the module.

Reproducible: Always

Steps to Reproduce:
1. Install the system to a fully encrypted partition created with cryptsetup
luksFormat --hash=sha256 on a UEFI system (with or without secure boot)
2. Define GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub
3. Install grub with grub2-install /dev/sdx
4. Reboot
Actual Results:
Error during UEFI boot from grub2 with the message "Couldn't load SHA256 hash".
No way to decrypt the partition and boot.

Expected Results:
Normal UEFI boot with grub2 asking for the LUKS password and displaying the grub2 menu.

This setup works flawlessly when the LUKS container uses --hash=sha1, but
booting fails when the LUKS container uses --hash=sha256.
Previously I was using --hash=sha1, but when replacing the disk I created the
new partition with --hash=sha256 and used pvmove to move all LVs to the new
disk.
The problem seems to be that /usr/lib/grub2/x86_64-efi/grub.efi (which is copied to
/boot/efi/EFI/opensuse/grub.efi) does not contain the gcry_sha256 module.
Manually recreating grub.efi including gcry_sha256 and copying it to
/boot/efi/EFI/opensuse/grub.efi allows the system to boot normally.
Script used to build grub.efi (gcry_sha256 added to CRYPTO_MODULES):

# Filesystem modules (the original list had ext2 twice; the duplicate is dropped).
FS_MODULES="ext2 btrfs xfs jfs reiserfs"
CD_MODULES=" all_video boot cat chain configfile echo true \
        efinet font gfxmenu gfxterm gzio halt iso9660 \
        jpeg minicmd normal part_apple part_msdos part_gpt \
        password_pbkdf2 png reboot search search_fs_uuid \
        search_fs_file search_label sleep test video fat loadenv"
PXE_MODULES=" efinet tftp http"
# luks needs the cipher and hash modules matching the container's
# luksFormat options; gcry_sha256 is the one added for --hash=sha256.
CRYPTO_MODULES=" luks gcry_rijndael gcry_sha1 gcry_sha256"

# Append the EFI kernel loader (the original read CD_MODULE=, which would
# have assigned a different variable and left linuxefi out of the image).
CD_MODULES="${CD_MODULES} linuxefi"

GRUB_MODULES="${CD_MODULES} ${FS_MODULES} ${PXE_MODULES} ${CRYPTO_MODULES}
mdraid09 mdraid1x lvm"
# Build the image with an empty prefix from the installed module directory.
grub2-mkimage -O x86_64-efi -o grub.efi --prefix= -d /usr/lib/grub2/x86_64-efi \
${GRUB_MODULES}

The problem may be either a missing gcry_sha256 in the CRYPTO_MODULES variable
in grub2.spec or a missing or incorrect module dependency in grub2.
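As an added example (not part of the report and not code from the openSUSE grub2 package), the check below takes the text of `cryptsetup luksDump` for a LUKS1 container together with the module list that is about to be handed to grub2-mkimage, and confirms that the luks module plus the gcry_ modules for the container's cipher and hash are all present, which is exactly the mismatch the report describes. The luksDump text and the two module lists are constructed for the example; the field names ("Cipher name:", "Hash spec:") assume the LUKS1 header format, and the hash table reflects how GRUB packages its digests (sha224 with sha256, sha384 with sha512).

```shell
#!/bin/sh
# Added example, not from the bug report or the openSUSE grub2 package:
# verify that the module list given to grub2-mkimage can open a LUKS1 container.

# Constructed sample of `cryptsetup luksDump` output for a LUKS1 container
# formatted with --hash=sha256 (not captured from the reporter's machine).
SAMPLE_LUKS_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

# Constructed module lists: the first is what the report implies the shipped
# grub.efi was built with, the second mirrors the CRYPTO_MODULES line above.
MODULES_AS_SHIPPED="luks gcry_rijndael gcry_sha1"
MODULES_FIXED="luks gcry_rijndael gcry_sha1 gcry_sha256"

# LUKS "Hash spec" -> GRUB libgcrypt module providing that digest.
# GRUB bundles sha224 with sha256 and sha384 with sha512.
gcry_module_for_hash() {
    case "$1" in
        sha1)          echo gcry_sha1 ;;
        sha224|sha256) echo gcry_sha256 ;;
        sha384|sha512) echo gcry_sha512 ;;
        ripemd160)     echo gcry_rmd160 ;;
        whirlpool)     echo gcry_whirlpool ;;
        *)             return 1 ;;
    esac
}

# LUKS "Cipher name" -> GRUB libgcrypt module providing that cipher.
gcry_module_for_cipher() {
    case "$1" in
        aes)     echo gcry_rijndael ;;
        serpent) echo gcry_serpent ;;
        twofish) echo gcry_twofish ;;
        *)       return 1 ;;
    esac
}

# check_luks_modules LUKSDUMP_TEXT MODULE_LIST
# Returns 0 if luks plus the cipher and hash modules are all in MODULE_LIST,
# 1 if any is missing (names printed on stderr), 2 if the header names a
# cipher or hash that GRUB has no module for.
check_luks_modules() {
    dump=$1
    # Normalise the module list so newlines and runs of spaces do not matter.
    modules=$(printf '%s' "$2" | tr -s '[:space:]' ' ')
    hash=$(printf '%s\n' "$dump" | sed -n 's/^Hash spec:[[:space:]]*//p')
    cipher=$(printf '%s\n' "$dump" | sed -n 's/^Cipher name:[[:space:]]*//p')
    hash_mod=$(gcry_module_for_hash "$hash") \
        || { echo "no GRUB module for hash '$hash'" >&2; return 2; }
    cipher_mod=$(gcry_module_for_cipher "$cipher") \
        || { echo "no GRUB module for cipher '$cipher'" >&2; return 2; }
    missing=""
    for need in luks "$cipher_mod" "$hash_mod"; do
        case " $modules " in
            *" $need "*) ;;
            *) missing="$missing $need" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "module list cannot open this container, missing:$missing" >&2
        return 1
    fi
    return 0
}
```

On a real system the same function is called with live data, for example `check_luks_modules "$(cryptsetup luksDump /dev/sda2)" "$CRYPTO_MODULES"` just before the grub2-mkimage line, so a container whose hash has no matching gcry_ module in the list is caught before the reboot that would land in the grub shell. The check only covers what the image embeds at build time; modules that GRUB could load later from the prefix directory do not help here, because the luks module is needed before the encrypted /boot can be read.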
