[Bug 1103825] New: grub2 boots to shell when using GRUB_ENABLE_CRYPTODISK=y and LUKS with hash SHA256 because gcry_sha256 is missing from grub.efi
http://bugzilla.opensuse.org/show_bug.cgi?id=1103825

Bug ID: 1103825
Summary: grub2 boots to shell when using GRUB_ENABLE_CRYPTODISK=y and LUKS with hash SHA256 because gcry_sha256 is missing from grub.efi
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: x86-64
OS: openSUSE 42.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Bootloader
Assignee: jsrain@suse.com
Reporter: arnd@gronenberg.com
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36
Build Identifier:

I'm running a completely encrypted partition (LUKS > LVM PV > LVM LVs > btrfs) on a UEFI secure boot system (Lenovo B70-80) where /boot is contained within the encrypted disk. /etc/default/grub contains GRUB_ENABLE_CRYPTODISK=y.

When the LUKS container uses --hash=sha256, booting the system fails with the message "Couldn't load SHA256 hash" and the grub shell is displayed. "insmod sha256" or "insmod gcry_sha256" does not load the module.

Reproducible: Always

Steps to Reproduce:
1. Install system to fully encrypted partition created with cryptsetup luksFormat --hash=sha256 on a UEFI system (with or without secure boot)
2. Define GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub
3. Install grub
   grub2-install /dev/sdx
4. Reboot

Actual Results:
Error during UEFI boot from grub2 with message "Couldn't load SHA256 hash". No way to decrypt partition and boot.

Expected Results:
Normal UEFI boot with grub2 asking for LUKS password and displaying grub2 menu.

This setup works flawlessly when the LUKS container uses --hash=sha1, but booting fails when the LUKS container uses --hash=sha256. Previously I was using --hash=sha1, but when replacing the disk, I created the new partition with --hash=sha256 and used pvmove to move all LVs to the new disk.

The problem seems to be that /usr/lib/grub2/x86_64-efi/grub.efi (which is copied to /boot/efi/EFI/opensuse/grub.efi) does not contain the gcry_sha256 module. Manually recreating grub.efi including gcry_sha256 and copying it to /boot/efi/EFI/opensuse/grub.efi allows the system to boot normally.

Script used to build grub.efi (gcry_sha256 added to CRYPTO_MODULES):

    FS_MODULES="ext2 btrfs ext2 xfs jfs reiserfs"
    CD_MODULES=" all_video boot cat chain configfile echo true \
        efinet font gfxmenu gfxterm gzio halt iso9660 \
        jpeg minicmd normal part_apple part_msdos part_gpt \
        password_pbkdf2 png reboot search search_fs_uuid \
        search_fs_file search_label sleep test video fat loadenv"
    PXE_MODULES=" efinet tftp http"
    CRYPTO_MODULES=" luks gcry_rijndael gcry_sha1 gcry_sha256"
    CD_MODULE="${CD_MODULES} linuxefi"
    GRUB_MODULES="${CD_MODULES} ${FS_MODULES} ${PXE_MODULES} ${CRYPTO_MODULES} mdraid09 mdraid1x lvm"
    grub2-mkimage -O x86_64-efi -o grub.efi --prefix= -d /usr/lib/grub2/x86_64-efi ${GRUB_MODULES}

The problem may be either a missing gcry_sha256 in grub2.spec in the variable CRYPTO_MODULES or possibly a missing / incorrect module dependency in grub2.

--
You are receiving this mail because:
You are on the CC list for the bug.
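A pre-reboot check for the failure described in this report, as an added example that is not part of the original report or of grub2: it reads the hash from cryptsetup luksDump text and tests whether the matching GRUB gcry module appears in a module list such as CRYPTO_MODULES. The function names, the sample luksDump text and the list without gcry_sha256 are constructed for illustration, and the check assumes a LUKS1 header with a "Hash spec:" line.

```sh
# Added example. Function names and sample data are constructed, not from grub2.
# Map a LUKS hash name to the GRUB gcry module that provides it.
hash_to_grub_module() {
    case "$1" in
        sha1)          echo gcry_sha1 ;;
        sha224|sha256) echo gcry_sha256 ;;
        sha384|sha512) echo gcry_sha512 ;;
        ripemd160)     echo gcry_rmd160 ;;
        whirlpool)     echo gcry_whirlpool ;;
        *)             return 1 ;;
    esac
}

# Read luksDump text on stdin and print the LUKS1 "Hash spec:" value.
luks_hash_spec() {
    awk -F: '/^Hash spec:/ { gsub(/[ \t]/, "", $2); print tolower($2); exit }'
}

# check_grub_hash_module DUMP_TEXT MODULE_LIST
# Prints the required module. Returns 0 if listed, 1 if missing, 2 if unknown.
check_grub_hash_module() {
    spec=$(printf '%s\n' "$1" | luks_hash_spec)
    [ -n "$spec" ] || { echo "no Hash spec line found" >&2; return 2; }
    need=$(hash_to_grub_module "$spec") || { echo "unmapped hash: $spec" >&2; return 2; }
    echo "$need"
    for m in $2; do
        if [ "$m" = "$need" ]; then return 0; fi
    done
    return 1
}

# Constructed luksDump excerpt (real input: cryptsetup luksDump <device>).
SAMPLE_DUMP='LUKS header information for /dev/sdx2
Version:        1
Cipher name:    aes
Hash spec:      sha256'

# The report's CRYPTO_MODULES, and the same list minus gcry_sha256 (assumed
# to resemble the shipped image; the packaged spec is not shown on the page).
WITH_SHA256="luks gcry_rijndael gcry_sha1 gcry_sha256"
WITHOUT_SHA256="luks gcry_rijndael gcry_sha1"

for list in "$WITHOUT_SHA256" "$WITH_SHA256"; do
    if need=$(check_grub_hash_module "$SAMPLE_DUMP" "$list"); then
        echo "ok: $need is in [$list]"
    else
        echo "MISSING: $need is not in [$list]"
    fi
done
```

Running this before migrating a volume to a different --hash value shows whether the module list used to build grub.efi covers the new hash.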
http://bugzilla.opensuse.org/show_bug.cgi?id=1103825

Arnd Gronenberg <arnd@gronenberg.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |arnd@gronenberg.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1103825

Jiri Srain <jsrain@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|jsrain@suse.com             |mchang@suse.com

Arnd Gronenberg <arnd@gronenberg.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P2 - High