Bootloader installation fails on UEFI systems with FDE (incl. /boot)

Bug #1762988 reported by Hamish Farrant
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
ubiquity (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

Partition setup was a LUKS partition with an existing home directory, which I'd unlocked prior to starting ubiquity (otherwise it wouldn't even find the partition).

Bootloader install partition was an EFI system partition.

This section of syslog looks relevant; it looks like it couldn't handle the encrypted disk:

Apr 11 10:02:32 kubuntu ubiquity: grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.
Apr 11 10:02:32 kubuntu ubiquity: dpkg: error processing package shim-signed (--configure):
Apr 11 10:02:32 kubuntu ubiquity: subprocess installed post-installation script returned error exit status 1
Apr 11 10:02:32 kubuntu ubiquity: Setting up grub-efi-amd64-signed (1.85.3+2.02~beta3-4ubuntu7.3) ...
Apr 11 10:02:32 kubuntu ubiquity: Installing for x86_64-efi platform.
Apr 11 10:02:33 kubuntu ubiquity: File descriptor 4 (/dev/nvme0n1p1) leaked on vgs invocation. Parent PID 4675: grub-install
Apr 11 10:02:33 kubuntu ubiquity: File descriptor 4 (/dev/nvme0n1p1) leaked on vgs invocation. Parent PID 4675: grub-install
Apr 11 10:02:33 kubuntu ubiquity: grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.

Also this bit might be useful as well

updates/main amd64 linux-headers-generic amd64 4.13.0.38.41 [2290 B]
Apr 11 10:03:08 kubuntu /plugininstall.py: Exception during installation:
Apr 11 10:03:08 kubuntu /plugininstall.py: Traceback (most recent call last):
Apr 11 10:03:08 kubuntu /plugininstall.py: File "/usr/share/ubiquity/plugininstall.py", line 1721, in <module>
Apr 11 10:03:08 kubuntu /plugininstall.py: install.run()
Apr 11 10:03:08 kubuntu /plugininstall.py: File "/usr/share/ubiquity/plugininstall.py", line 61, in wrapper
Apr 11 10:03:08 kubuntu /plugininstall.py: func(self)
Apr 11 10:03:08 kubuntu /plugininstall.py: File "/usr/share/ubiquity/plugininstall.py", line 227, in run
Apr 11 10:03:08 kubuntu /plugininstall.py: self.configure_bootloader()
Apr 11 10:03:08 kubuntu /plugininstall.py: File "/usr/share/ubiquity/plugininstall.py", line 971, in configure_bootloader
Apr 11 10:03:08 kubuntu /plugininstall.py: "GrubInstaller failed with code %d" % ret)
Apr 11 10:03:08 kubuntu /plugininstall.py: ubiquity.install_misc.InstallStepError: GrubInstaller failed with code 141
Apr 11 10:03:08 kubuntu /plugininstall.py:
Apr 11 10:03:08 kubuntu ubiquity: umount: /target: target is busy.

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: ubiquity 17.10.10
ProcVersionSignature: Ubuntu 4.13.0-21.24-generic 4.13.13
Uname: Linux 4.13.0-21-generic x86_64
ApportVersion: 2.20.7-0ubuntu3.7
Architecture: amd64
CasperVersion: 1.387
Date: Wed Apr 11 20:06:47 2018
LiveMediaBuild: Kubuntu 17.10 "Artful Aardvark" - Release amd64 (20180105.2)
ProcEnviron:
 LANGUAGE=
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: ubiquity
UpgradeStatus: No upgrade log present (probably fresh install)

Hamish Farrant (farrantino) wrote :
Tom Reynolds (tomreyn)
summary: - Ubiquity crashes at the bootloader installation phase
+ Bootloader installation fails on UEFI systems with FDE (incl. /boot)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubiquity (Ubuntu):
status: New → Confirmed
Tom Reynolds (tomreyn) wrote :

This also affects the 18.04.1 "alternative installer" (debian-installer), where I reproduced it today.

This error will not occur on the current default server installer (Subiquity) at this time since it does not support dmcrypt-luks at all. To my knowledge, the desktop installer (Ubiquity) does not support dmcrypt-luks FDE (incl. /boot), so it will not occur there either.

To work around this issue, after d-i reports that grub-install failed, choose to 'continue', confirm that you will have to live without a boot loader. Then press escape or select 'go back', which brings up the installer's main menu. There, select to 'run a shell' (one of the latter options), then:

# Mount the EFI system partition (ESP) you defined during manual partitioning ( usually /dev/sda1 - double-check this using: blkid -t TYPE=vfat ) to /target/boot/efi:
mount /dev/sda1 /target/boot/efi

mount --bind /dev /target/dev
mount --bind /dev/pts /target/dev/pts
mount --bind /sys /target/sys
mount --bind /sys/firmware/efi/efivars /target/sys/firmware/efi/efivars
mount --bind /run /target/run # needed for resolver

chroot /target /bin/bash
echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub
apt update
apt purge grub-efi-amd64-signed # unfortunately, to this date, this lacks the grub "cryptodisk" command required to decrypt LUKS and we have to resort to the unsigned grub variant
apt --purge autoremove
apt install grub-efi-amd64
update-initramfs -u -k all
update-grub
grub-install /dev/sda # this may be different for you, choose the storage device which contains the ESP
exit

umount /target/run
umount /target/sys/firmware/efi/efivars
umount /target/sys
umount /target/dev/pts
umount /target/dev
umount /target/boot/efi

exit

This brings you back into the installer, from where you can continue from the step after "install bootloader".
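
The condition behind the `grub-install` error in this report, together with an idempotent alternative to the workaround's `echo ... >> /etc/default/grub` step, as an added example that is not part of any comment on this bug. The function names and the use of `findmnt` and `lsblk` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Effective GRUB_ENABLE_CRYPTODISK in a grub defaults file. The file is
# shell syntax and gets sourced, so the last assignment wins.
grub_cryptodisk_value() {
    ( unset GRUB_ENABLE_CRYPTODISK
      [ -r "$1" ] && . "$1" >/dev/null 2>&1
      printf '%s\n' "${GRUB_ENABLE_CRYPTODISK:-}" )
}

# Set the option only if it is not already effective. Unlike a bare
# `echo ... >>`, re-running adds no duplicate line, and a file without a
# trailing newline does not get the setting glued onto its last line.
ensure_cryptodisk() {
    [ "$(grub_cryptodisk_value "$1")" = y ] && return 0
    [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ] && echo >> "$1"
    printf 'GRUB_ENABLE_CRYPTODISK=y\n' >> "$1"
}

# Reads `lsblk -nlso TYPE <device>` output on stdin (the device and every
# layer beneath it); succeeds if one layer is a dm-crypt mapping.
stack_has_crypt() {
    awk '$1 == "crypt" { found = 1 } END { exit !found }'
}

# Verdict for the installed system mounted at ROOT (default /target).
# Assumes findmnt and lsblk (util-linux) are available.
preflight() {
    root=${1:-/target}
    dev=$(findmnt -no SOURCE -T "$root/boot") || return 2
    if ! lsblk -nlso TYPE "$dev" | stack_has_crypt; then
        echo "ok: /boot is not on an encrypted device"
    elif [ "$(grub_cryptodisk_value "$root/etc/default/grub")" = y ]; then
        echo "ok: /boot is encrypted and cryptodisk is enabled"
    else
        echo "fail: /boot is encrypted, GRUB_ENABLE_CRYPTODISK is not y"
        return 1
    fi
}
```

Inside the chroot from the workaround, `preflight /` reports the state before `grub-install` is run.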

Tom Reynolds (tomreyn) wrote :

The root cause of this is discussed at bug #1565950.

Niklas Sombert (ytvwld) wrote :

The root cause is fixed, now.

I tried to create a new install with this configuration and ubiquity wouldn't let me install: It claimed that a separate boot partition would be needed, but I know this is not the case, because calamares (lubuntu) handles this successfully.
