Bug 2353335
| Summary: | GRUB prompts for LUKS password again when trying to edit a GRUB entry | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Marc Muehlfeld <mmuehlfe> |
| Component: | grub2 | Assignee: | Nicolas Frayer <nfrayer> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 44 | CC: | lkundrak, lsandova, mlewando, nfrayer, pjones |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Marc Muehlfeld
2025-03-19 09:59:05 UTC
The problem now also exists on an up-to-date Fedora 41 (with GRUB 2.12-21). It seems that one of the recent GRUB updates introduced this problem. If the user already entered the password and the partition was successfully encrypted, then there's no need to prompt for the LUKS password again when the user wants to edit the GRUB entry. Hi, you may be hitting (I have not verified) a stricter LUKS authentication introduced recently on f42 (starting at 2.12-24) [1,2] and f41 (starting at 2.12-18), so this is expected. [1] https://src.fedoraproject.org/rpms/grub2/c/9002ed87b0e756461f08a85881dd6a791636bc1e?branch=f42 [2] https://src.fedoraproject.org/rpms/grub2/blob/9002ed87b0e756461f08a85881dd6a791636bc1e/f/0312-disk-cryptodisk-Require-authentication-after-TPM-unl.patch Thanks for the info. This could be the cause. I'm not saying that the patch should be reverted (especially if it adds security), but the need to unlock the same partition twice seem to be a bug caused by this patch. If I have already manually entered the LUKS passwort for the /boot partition so that GRUB can display the menu, I see no sense if GRUB prompts me again to unlock /boot if I press [e] to edit one of the entries. Agree Marc, it makes no sense to unlock the same partition twice. Feel free to propose a solution on the grub's upstream mailing list if possible. I reported the bug in the upstream bug tracker: https://savannah.gnu.org/bugs/index.php?67063 I compiled GRUB from upstream git master. With this version, the bug is not reproducable.
It seems to be bug either in 2.12 or it is Fedora specific.
----
Just for reference, this is how I replaced GRUB on Fedora 42 with the self-compiled one from upstream:
dnf update
dnf group install development-tools
dnf install autoconf automake texinfo bison flex freetype-devel ncurses-devel gettext-devel cryptsetup-devel
dnf builddep grub2
rm /etc/dnf/protected.d/{grub,shim}*
dnf remove grub2*
git clone https://git.savannah.gnu.org/git/grub.git
cd grub
./bootstrap
./configure --prefix=/opt/grub --with-platform=efi --target=x86_64
make CFLAGS="-Wno-error"
make install
cp /opt/grub/lib/grub/x86_64-efi/* /boot/efi/EFI/fedora/
cp /opt/grub/sbin/grub-mkconfig /usr/sbin/
cp /opt/grub/sbin/grub-install /usr/sbin/
mkdir /opt/grub/etc/default/
ln -s /etc/default/grub /opt/grub/etc/default/
grub-install --efi-directory=/boot/efi --bootloader-id=GRUB-UPSTREAM --boot-directory=/boot
grub-mkconfig -o /boot/grub/grub.cfg
Once I reboot, it shows "2.13" in the GRUB menu, so I assume the procedure works, and I really use the version from upstream git master.
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 42 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed. The problem still exists with GRUB 2.12-56 on Fedora 44. (In reply to Marc Muehlfeld from comment #8) > The problem still exists with GRUB 2.12-56 on Fedora 44. Sorry for the delay Marc. As you may know, GRUB upstream has moved to [1]. Can you file a issue there [2]? Also, there was recently a commit (partially related) [3]. On gitlab, one gets much better traction than savannah, so reporting in [2] is important. [1] https://gitlab.freedesktop.org/gnu-grub/grub [2] https://gitlab.freedesktop.org/gnu-grub/grub/-/work_items [3] https://gitlab.freedesktop.org/gnu-grub/grub/-/commit/6f59551489783b717470f3acb147b704c9559e2b I reported the problem upstream last year (see #c5) and was told to try if it's reproducible in master. It worked in master (see #c6). So my guess was that it's a bug only in 2.12.x or is Fedora specific. Should I again report it upstream? I can set up a VM an try to reproduce it with the latest 2.14 branch if you want. Are there any plans to switch to 2.14 in Fedora 44? It's available since some months. I re-used the procedure from #c6. I cloned the repo from GitLab, checked out the grub-2.14 tag from January, and built GRUB. The bug doesn't is not present in upstream 2.14. (In reply to Marc Muehlfeld from comment #10) > I reported the problem upstream last year (see #c5) and was told to try if > it's reproducible in master. It worked in master (see #c6). > So my guess was that it's a bug only in 2.12.x or is Fedora specific. > > Should I again report it upstream? no need as upstream has no issues. > > I can set up a VM an try to reproduce it with the latest 2.14 branch if you > want. no need > Are there any plans to switch to 2.14 in Fedora 44? It's available > since some months. yes, there are plans. Our plan is to start this summer (2026) this summer. |