Bug#924151: grub2-common: wrong grub.cfg for efi boot and fully encrypted disk

Joerg Jaspert joerg at ganneff.de
Sat Mar 9 22:43:12 GMT 2019


Package: grub2-common
Version: 2.02+dfsg1-11
Severity: grave

Dear Maintainer,

I'm unsure about the severity, so feel free to adjust it. But it did
make my system unbootable twice already, and as it's a setup one can
get directly from within debian-installer, it would be nice if it can be
fixed before buster.

Setup: A new buster install with a fully (except for the EFI partition)
encrypted disk. That includes /boot as encrypted, as /boot is just part
of / here. In that setup, grub-install writes a
/boot/efi/EFI/debian/grub.cfg that contains something like

--8<---------------cut here---------------start------------->8---
cryptomount -u e37941013b6c4997bfcdff6145ee0918
search.fs_uuid a6cd673c-de1d-474f-8808-2ae4fdc7e755 root lvmid/0l70u1-APaW-hXej-Sn6a-Nnsb-ue1X-0cFW3Y/APpMrR-2yO8-7EOl-V1pi-DH3a-eNby-lwWX3K
set prefix=($root)'/boot/grub'
configfile $prefix/grub.cfg
--8<---------------cut here---------------end--------------->8---

Which tries to be clever to not duplicate the actual information in
grub.cfg by loading it from the usual /boot/grub/grub.cfg place.

Unfortunately the cryptomount line above appears to *not* be enough to
enable grub to decrypt /, so it cannot load the real config and you end
up in a rather unusable tiny grub shell. Ugh.

A cp /boot/grub/grub.cfg /boot/efi/EFI/debian/grub.cfg fixes it and
makes it nicely bootable. No idea which of the many extra commands in
the full grub.cfg are doing the magic, but they do. grub asks for
passphrase, then takes ages (easily 45 seconds) to decrypt, then shows
grub menu and boots. Yay.

I do get the same small efi grub.cfg again if I run another grub-install
--efi-directory=/boot/efi/EFI/debian/ so I guess it comes from there.

-- Package-specific info:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-grub-devel/attachments/20190309/e6960241/attachment-0001.ksh>
-------------- next part --------------

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages grub2-common depends on:
ii  dpkg                1.19.5
ii  grub-common         2.02+dfsg1-11
ii  install-info        6.5.0.dfsg.1-4+b1
ii  libc6               2.28-7
ii  libdevmapper1.02.1  2:1.02.155-2
ii  liblzma5            5.2.4-1

grub2-common recommends no packages.

grub2-common suggests no packages.

-- no debconf information

-- 
bye, Joerg
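
A pre-reboot check for the situation this report describes, as an added example (not part of the original message and not grub2's own tooling): it tells the short chain-loading stub apart from a full config and prints the UUID the stub passes to `cryptomount -u`. The function names are made up here, the "full config has `menuentry` lines" test is a heuristic assumption, and the sample stub is the one quoted in the report.

```shell
#!/bin/sh
# Added example: classify an EFI grub.cfg before rebooting.
# Function names are hypothetical; the sample below is the stub quoted in the report.

# Print one of: missing | full | stub-encrypted | stub-plain | unknown
classify_efi_grub_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo missing; return 0; }
    # Heuristic (assumption): a full generated config carries menu entries.
    if grep -Eq '^[[:space:]]*menuentry[[:space:]]' "$cfg"; then
        echo full
    elif grep -Eq '^[[:space:]]*configfile[[:space:]]' "$cfg"; then
        # Stub: it only locates the root filesystem and chains to another config.
        if grep -Eq '^[[:space:]]*cryptomount[[:space:]]' "$cfg"; then
            echo stub-encrypted
        else
            echo stub-plain
        fi
    else
        echo unknown
    fi
}

# Print the UUID given to "cryptomount -u" (first occurrence), if any.
stub_crypt_uuid() {
    sed -n 's/^[[:space:]]*cryptomount[[:space:]]\{1,\}-u[[:space:]]\{1,\}\([0-9A-Fa-f-]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Succeed when the file is the stub-plus-cryptomount form from the report.
needs_attention() {
    [ "$(classify_efi_grub_cfg "$1")" = stub-encrypted ]
}

# Write the stub from the report to a file (quoted heredoc: no expansion).
write_sample_stub() {
    cat > "$1" <<'EOF'
cryptomount -u e37941013b6c4997bfcdff6145ee0918
search.fs_uuid a6cd673c-de1d-474f-8808-2ae4fdc7e755 root lvmid/0l70u1-APaW-hXej-Sn6a-Nnsb-ue1X-0cFW3Y/APpMrR-2yO8-7EOl-V1pi-DH3a-eNby-lwWX3K
set prefix=($root)'/boot/grub'
configfile $prefix/grub.cfg
EOF
}

# Usage: sh check.sh /boot/efi/EFI/debian/grub.cfg
if [ $# -gt 0 ]; then
    classify_efi_grub_cfg "$1"
    stub_crypt_uuid "$1"
fi
```

Run it against /boot/efi/EFI/debian/grub.cfg after grub-install and before rebooting; `stub-encrypted` is the form that ended in the grub shell in this report.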

