Bug#1101092: grub-efi-amd64: manual cryptomount from GRUB shell always required
Felix Zielcke
fzielcke at z-51.de
Sun Mar 23 09:37:08 GMT 2025
On Sunday, 23.03.2025 at 13:12 +0800, Sean Whitton wrote:
> Package: grub-efi-amd64
> Version: 2.12-7
> Severity: important
> X-Debbugs-Cc: debian-amd64 at lists.debian.org
> User: debian-amd64 at lists.debian.org
> Usertags: amd64
>
> Hello,
>
> I have GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub. I.e. this is the setup
> where even /boot is within LVM-on-LUKS. I used '--type luks1' when setting it
> up for GRUB compatibility, and everything worked fine on bookworm.
>
> I upgraded to trixie this week, and now the initial prompt to unlock the disk
> always fails. When I land at the grub> prompt, I do
>
> cryptomount -a
> insmod normal
> normal
>
> and then everything works fine.
>
> I would have thought that if the initial prompt couldn't unlock the disk, then
> the grub> shell wouldn't be able to, either. But that seems not to be the
> case. How can I debug this? Could I perhaps turn on keyboard input echoing,
> in case there is somehow a different map being used for the initial prompt?
>
> Thanks.
>
Hi Sean,
unfortunately there is no easy way to echo the keyboard input. You'd
need to patch + recompile grub.
Maybe it would be easier to test if you add a passphrase without any
special chars and maybe without z/y.
GRUB uses the US keyboard layout. And in your grub.cfg there's nothing in
it which changes this.
You could try:
# grub-install --debug-image=cryptodisk,luks,luks2
# reboot
If that prints something useful.
I just tried to reproduce it in a freshly installed VM with d-i alpha 1.
With luks2 + pbkdf2 it just works.