Fix setup on Secure Boot systems where cryptodisk is in use

On full-encrypted systems, including /boot, the current code omits cryptodisk commands needed to open the drives if Secure Boot is enabled. This prevents grub2 from reading any further configuration residing on the encrypted disk. This patch fixes this issue by adding the needed "cryptomount" commands in the load.cfg file that is then copied in the EFI partition. Bug-Debian: https://bugs.debian.org/917117 Last-Update: 2019-02-10 Patch-Name: uefi-secure-boot-cryptomount.patch
2025-10-23 22:43:56 +00:00 · 2019-01-28 17:24:23 +01:00 · 2019-01-28 17:24:23 +01:00 · ec85b3d37c
commit ec85b3d37c
parent b5148a7311
1 changed files with 17 additions and 0 deletions
--- a/util/grub-install.c
+++ b/util/grub-install.c
@ -1502,6 +1502,23 @@ main (int argc, char *argv[])
 	  || uefi_secure_boot)
 	{
 	  char *uuid = NULL;
+
+	  if (uefi_secure_boot && config.is_cryptodisk_enabled)
+	    {
+	      if (grub_dev->disk)
+		probe_cryptodisk_uuid (grub_dev->disk);
+
+	      for (curdrive = grub_drives + 1; *curdrive; curdrive++)
+		{
+		  grub_device_t dev = grub_device_open (*curdrive);
+		  if (!dev)
+		    continue;
+		  if (dev->disk)
+		    probe_cryptodisk_uuid (dev->disk);
+		  grub_device_close (dev);
+		}
+	    }
+
 	  /*  generic method (used on coreboot and ata mod).  */
 	  if (!force_file_id && grub_fs->uuid && grub_fs->uuid (grub_dev,
 								&uuid))