[Bug 917427] New: LUKS encrypted LVM without separate "/boot" fails using UEFI secure boot
http://bugzilla.opensuse.org/show_bug.cgi?id=917427

Bug ID: 917427
Summary: LUKS encrypted LVM without separate "/boot" fails using UEFI secure boot
Classification: openSUSE
Product: openSUSE Factory
Version: 201501*
Hardware: x86-64
OS: SUSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
Assignee: jsrain@suse.com
Reporter: nrickert@ameritech.net
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.21 (KHTML, like Gecko) konqueror/4.14.4 Safari/537.21
Build Identifier:

This is based on a test install (minimal X) using 20150201. I installed into an existing encrypted LVM. I did not use a separate unencrypted "/boot". Yast did not see a problem with this install.

On reboot, I see only a grub shell.

Note that I set grub distributor to "betasuse" to avoid conflict with my main install on that box.

When I disable secure-boot, and select "betasuse" (rather than "betasuse-secureboot") from the UEFI boot menu, I am able to boot. If I select "betasuse-secureboot" from the menu, I am unable to boot.

It looks to me as if "grubx64.efi" has the needed grub code for decryption, but {"shim.efi", grub.efi, grub.cfg} between them do not have what is needed.

This is unfortunate. Avoiding an unencrypted "/boot" mainly makes sense when secure-boot is used. And that is just what doesn't work.

Reproducible: Always

--
You are receiving this mail because:
You are on the CC list for the bug.
Neil Rickert
> Could you show "grub2-probe -t abstraction /boot"?

    # grub2-probe -t abstraction /boot
    cryptodisk luks gcry_rijndael gcry_rijndael gcry_sha1 lvm

Since you need a fixed image that works for all users of secure-boot, I guess you would need to include all of the likely crypto.
--- Comment #5 from Andrei Borzenkov
> cryptodisk luks gcry_rijndael gcry_rijndael gcry_sha1 lvm

Yes, that's default aes-xts-plain64, LUKS header hashing: sha1

> Since you need a fixed image that works for all users of secure-boot, I guess you would need to include all of the likely crypto.

I suppose there won't be much harm in doing it, but let's wait for Michael.
--- Comment #6 from Michael Chang
> I suppose there won't be much harm in doing it, but let's wait for Michael.

Yes. Let's do it. Currently, adding AES+SHA1 support should suffice, imho, because that's what is set up by YaST directly. Any other crypto support beyond that can be treated as a (future) feature request, as we may not agree to maintain that many ways of doing the same thing. So please go ahead and submit your fix. Thanks. :)
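The check implied by the grub2-probe exchange above and by the decision to build AES+SHA1 into the signed image, written out as an added example. This is a shell script written for this page, not code from the bug report, from grub2 or from shim. The probe output is the one posted in the report; the module set assumed for the signed image before the fix, the output file name and the EFI prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the grub2/shim packages:
# given the output of "grub2-probe -t abstraction /boot" and the module list a
# signed GRUB image was built with, report which modules the image lacks and
# print the grub2-mkimage invocation that would include them.

# Constructed sample input: the probe output posted in the report
# (gcry_rijndael appears twice there, exactly as posted).
SAMPLE_PROBE_OUTPUT='cryptodisk luks gcry_rijndael gcry_rijndael gcry_sha1 lvm'

# Constructed sample: an ASSUMED module set for the fixed signed grub.efi
# before the fix. The real set is whatever the package build passed to
# grub2-mkimage; substitute it when using this against a real image.
SAMPLE_BUILTIN_BEFORE='part_gpt part_msdos fat ext2 btrfs lvm normal linux chain efi_gop'

# One module per line, sorted, duplicates dropped. Accepts space- or
# newline-separated input, so both probe output and a flat list work.
normalize_modules() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -v '^$' | sort -u
}

# Print (space-separated, sorted) the modules in the needed list ($1)
# that are absent from the have list ($2); prints an empty line if none.
missing_modules() {
    have=$(normalize_modules "$2")
    result=''
    for m in $(normalize_modules "$1"); do
        # -x: whole-line match, so "luks" does not match a longer name.
        if ! printf '%s\n' "$have" | grep -qx -- "$m"; then
            result="$result $m"
        fi
    done
    printf '%s\n' "${result# }"
}

# Run the real probe on a live system (needs root and grub2-probe); returns
# non-zero if the tool is not present so callers can fall back to a sample.
probe_boot() {
    command -v grub2-probe >/dev/null 2>&1 || return 1
    grub2-probe -t abstraction "${1:-/boot}"
}

# The grub2-mkimage command that builds an x86_64 EFI image from the have
# list ($1) plus the needed list ($2). Output name and prefix are assumptions.
mkimage_command() {
    mods=$(normalize_modules "$1 $2" | tr '\n' ' ')
    printf 'grub2-mkimage -O x86_64-efi -p /EFI/opensuse -o grub.efi %s\n' "${mods% }"
}

# Demo: RUN_DEMO=1 sh check_grub_modules.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    needed=$(probe_boot /boot) || needed=$SAMPLE_PROBE_OUTPUT
    echo "missing from the assumed signed image: $(missing_modules "$needed" "$SAMPLE_BUILTIN_BEFORE")"
    mkimage_command "$SAMPLE_BUILTIN_BEFORE" "$needed"
fi
```

Two caveats when using this. An image built with grub2-mkimage on your own machine is not signed with the distribution's key, so under Secure Boot shim will refuse to load it unless you enroll your own key or hash through MokManager; that is why the fix discussed here is to build gcry_rijndael and gcry_sha1 (AES and SHA-1) into the distribution-signed grub.efi rather than to have users rebuild it. And the probe only reports what the LUKS header on this particular machine needs; a volume created with a different cipher or hash would list different gcry_* modules, which is the point behind the remark about including "all of the likely crypto" in a fixed image.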
--- Comment #11 from Michael Chang
Thank you for testing. grub.cfg is created by shim-install.
SR#286424 for grub2.
Accepted. Thanks.
--- Comment #15 from Neil Rickert
> (#14) I submitted as srid#287615 and should be rolling into tumbleweed update soon.

Just a note that this has not yet shown up in Tumbleweed.