http://bugzilla.opensuse.org/show_bug.cgi?id=917427 Andrei Borzenkov changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |arvidjaar@gmail.com --- Comment #1 from Andrei Borzenkov --- Yes, secure boot is using statically built grub binary that disables module loading and does not include crypto support. Do you have the possibility to test updated version (you will need to enroll grub key from /usr/lib64/efi/grub.der)? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=917427 Andrei Borzenkov changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED CC| |mchang@suse.com Assignee|jsrain@suse.com |arvidjaar@gmail.com Flags| |needinfo?(mchang@suse.com) --- Comment #3 from Andrei Borzenkov --- Well, it's not exactly straightforward. It is not a problem to add cryptodisk and luks, but they need actual crypto modules and they could be arbitrary. So basically either we limit ourselves to default (AES+SHA1) or effectively need to include everything. grub-install will limit itself to actual modules. Could you show "grub2-probe -t abstraction /boot"? @Michael - what do you think? Should we push all gcry_* stuff into default EFI image? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=917427 Neil Rickert changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(nrickert@ameritec | |h.net) | --- Comment #4 from Neil Rickert ---

Could you show "grub2-probe -t abstraction /boot"?

# grub2-probe -t abstraction /boot cryptodisk luks gcry_rijndael gcry_rijndael gcry_sha1 lvm Since you need a fixed image that works for all users of secure-boot, I guess you would need to include all of the likely crypto. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=917427 --- Comment #6 from Michael Chang --- (In reply to Andrei Borzenkov from comment #5)

I suppose there won't be much harm in doing it, but let's wait for Michael.

Yes. Let's do it. Currently adding AES+SHA1 support should be suffice imho, because that's set-up by YaST directly. Any other crypto support beyond that can be treated as (future) feature request as we may disagree to maintain that much ways for doing the same thing. So please go ahead and submit your fix. Thanks. :) -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=917427 --- Comment #8 from Neil Rickert --- I added your 13.2 repo (to my Tumbleweed test install). And then I updated grub2-efi from there. It doesn't actually work. I still get a grub shell. However, hitting TAB now shows a "cryptomount" command available. But I'm not quite sure how to use it. When I look at "grub.cfg" (the file in the EFI partition), it looks unchanged. I would expect that an initial line (perhaps using "cryptomount" needs to be inserted at the beginning of that file. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=917427 Neil Rickert changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(nrickert@ameritec | |h.net) | -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=917427 --- Comment #11 from Michael Chang --- (In reply to Andrei Borzenkov from comment #10)

Thank you for testing. grub.cfg is created by shim-install.

SR#286424 for grub2.

Accepted. Thanks. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=917427 Michael Chang changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |glin@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=917427 --- Comment #15 from Neil Rickert ---

(#14) I submitted as srid#287615 and should be rolling into tumbleweed update soon.

Just a note that this has not yet shown up in Tumbleweed. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=917427 Gary Ching-Pang Lin changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(glin@suse.com) | --- Comment #17 from Gary Ching-Pang Lin --- Although the change in shim-install doesn't affect the signature in shim.efi, unfortunately, the change was right after a major version update of shim which would fail rpm building in openSUSE:Factory unless it receives a new signature. Currently, we only update the signature for the bug fix or security update for the stable release, so the signature in Factory is unlikely to be updated until the next stable release. -- You are receiving this mail because: You are on the CC list for the bug.