Bug#924151: grub2-common: wrong grub.cfg for efi boot and fully encrypted disk

Colin Watson cjwatson at debian.org
Sun Mar 10 14:26:34 GMT 2019


On Sat, Mar 09, 2019 at 11:43:12PM +0100, Joerg Jaspert wrote:
> I'm unsure about the severity, so feel free to adjust it. But it did
> make my system unbootable twice already, and as it's a setup one can
> get directly from within debian-installer, it would be nice if it can be
> fixed before buster.

(Not by guided partitioning though, as I believe that always gives you a
separate unencrypted /boot right now, and you have to arrange for
GRUB_ENABLE_CRYPTODISK=y to be set.)

> Setup: A new buster install with a fully (except for the EFI partition)
> encrypted disk. That includes /boot as encrypted, as /boot is just part
> of / here. In that setup, grub-install writes a
> /boot/efi/EFI/debian/grub.cfg that contains something like
> 
> --8<---------------cut here---------------start------------->8---
> cryptomount -u e37941013b6c4997bfcdff6145ee0918
> search.fs_uuid a6cd673c-de1d-474f-8808-2ae4fdc7e755 root lvmid/0l70u1-APaW-hXej-Sn6a-Nnsb-ue1X-0cFW3Y/APpMrR-2yO8-7EOl-V1pi-DH3a-eNby-lwWX3K
> set prefix=($root)'/boot/grub'
> configfile $prefix/grub.cfg
> --8<---------------cut here---------------end--------------->8---
> 
> Which tries to be clever to not duplicate the actual information in
> grub.cfg by loading it from the usual /boot/grub/grub.cfg place.
> 
> Unfortunately the cryptomount line above appears to *not* be enough to
> enable grub to decrypt /, so it can not load the real config and you end
> up in a rather unusable tiny grub shell. Ugh.
> 
> A cp /boot/grub/grub.cfg /boot/efi/EFI/debian/grub.cfg fixes it and
> makes it nicely bootable. No idea which of the many extra commands in
> the full grub.cfg are doing the magic, but they do.

I tried reproducing this today and couldn't.  Now, I was doing it by
setting up a matching stretch installation (somewhat by accident) and
then upgrading, but still ...

Could you tell me exactly which GRUB packages you have installed?  In
particular it may matter whether you have grub-efi-amd64-signed and
shim-signed installed or not (since the -signed image is monolithic
rather than relying on "insmod" commands).  And it would be helpful to
get the full output of "grub-install --debug".

Thanks,

-- 
Colin Watson                                       [cjwatson at debian.org]
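As an added diagnostic for the stub described in the report (example code, not part of this thread or of the grub2 package), the POSIX shell functions below parse a grub.cfg of that shape, extract the LUKS UUID that cryptomount unlocks and the filesystem UUID that search.fs_uuid looks for, convert the dash-less cryptomount form to the dashed form that blkid prints so the two can be compared, and say whether the file loads any modules with insmod before calling cryptomount, which is the question Colin raises about the monolithic -signed image. The sample stub is constructed from the values quoted above.

```shell
#!/bin/sh
# Constructed sample of the stub /boot/efi/EFI/debian/grub.cfg quoted in the report.
sample_stub() {
    cat <<'EOF'
cryptomount -u e37941013b6c4997bfcdff6145ee0918
search.fs_uuid a6cd673c-de1d-474f-8808-2ae4fdc7e755 root lvmid/0l70u1-APaW-hXej-Sn6a-Nnsb-ue1X-0cFW3Y/APpMrR-2yO8-7EOl-V1pi-DH3a-eNby-lwWX3K
set prefix=($root)'/boot/grub'
configfile $prefix/grub.cfg
EOF
}

# LUKS header UUID as cryptomount takes it (32 hex digits, no dashes), read from stdin.
stub_luks_uuid() { sed -n 's/^cryptomount -u \([0-9a-fA-F]*\).*/\1/p'; }

# Filesystem UUID handed to search.fs_uuid, read from stdin.
stub_fs_uuid() { sed -n 's/^search\.fs_uuid \([0-9a-fA-F-]*\) .*/\1/p'; }

# Number of "insmod" lines; grep -c prints 0 on no match but exits 1, hence "|| true".
stub_insmods() { grep -c '^insmod ' || true; }

# Re-insert the dashes so the value can be compared with "blkid -s UUID" output.
dashed_uuid() {
    printf '%s\n' "$1" |
        sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/'
}

# Classify a config read from stdin:
#   cryptomount-without-insmod : only works if cryptodisk/luks/lvm are built into the image
#   cryptomount-with-insmod    : loads its own modules, as the full /boot/grub/grub.cfg does
#   no-cryptomount             : cannot unlock an encrypted /boot at all
stub_kind() {
    cfg=$(cat)
    n_crypt=$(printf '%s\n' "$cfg" | grep -c '^cryptomount ' || true)
    n_insmod=$(printf '%s\n' "$cfg" | stub_insmods)
    if [ "$n_crypt" -eq 0 ]; then echo no-cryptomount
    elif [ "$n_insmod" -eq 0 ]; then echo cryptomount-without-insmod
    else echo cryptomount-with-insmod; fi
}

# Human-readable summary of a config read from stdin.
stub_report() {
    cfg=$(cat)
    luks=$(printf '%s\n' "$cfg" | stub_luks_uuid)
    printf 'cryptomount UUID: %s (blkid form %s)\n' "$luks" "$(dashed_uuid "$luks")"
    printf 'search.fs_uuid:   %s\n' "$(printf '%s\n' "$cfg" | stub_fs_uuid)"
    printf 'kind:             %s\n' "$(printf '%s\n' "$cfg" | stub_kind)"
}

# With a path argument inspect that file, otherwise the constructed sample.
if [ "$#" -gt 0 ]; then stub_report < "$1"; else sample_stub | stub_report; fi
```

Run it as `sh stubcheck.sh /boot/efi/EFI/debian/grub.cfg` on the affected machine and compare the dashed UUID against `blkid -s UUID -o value` for the LUKS partition.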
