https://linuxiac.com/canonical-plans-controversial-grub-changes-for-ubuntu-26-10-secure-boot/

Canonical wants to remove LUKS disk encryption, LVM, most mdraid modes, ZFS, BTRFS and many other file systems and image parsing abilities from GRUB in a recently announced planned change to Secure Boot, supposedly for "security".

In order to retain these features, the system would need to not use Secure Boot.

Systems that don't use Secure Boot, or rely on the above features, cannot upgrade to Ubuntu 26.10.

#Linux #OpenSource #Canonical #Ubuntu #Foss #Grub

Canonical Plans Controversial GRUB Changes for Ubuntu 26.10 Secure Boot

Canonical plans changes to Secure Boot GRUB in Ubuntu 26.10, removing support for LUKS, LVM, ZFS, and other features.

Linuxiac
I just love that there is some guy out there who had to say out loud "we're removing disk encryption to make Ubuntu more secure" and absolutely no one stopped at that point and said "wait a minute...."

@Theeo123
Just to be clear, this removes support for such things in /boot only to get access to the kernel. From there the kernel can support all those things.

I'm not commenting on whether this is a good idea or not, just clarifying what this is actually about, because the article doesn't make the above fact obvious.

@virtuous_sloth @Theeo123 It's still a splendidly stupid idea, because this way you have to trust your TPM chip to verify the bootloader instead of a self-signed password or other factor.

@ftranschel @Theeo123
You make it sound like trusting a TPM chip to validate the signature on a bootloader is a bad thing.

The whole point of TPM is to make it so you can hide a private key so you don't need to manually enter an encryption secret on every boot. If you are happy to enter one, then you don't need to use TPM.

If you want the convenience of TPM but don't want to rely on Microsoft's signing, you can load your own (MOK process).

@ftranschel @Theeo123
If you view the TPM as a threat vector, well you may want to read up on the recent work that Bunnie Huang is doing. Do you trust the firmware loaded onto your CPU? Do you trust your CPU? Do you validate all chips at the circuit level?
@Theeo123 I think this is acceptable in pure client use. A TPM is usually already in place there.
However, as soon as Windows is used in parallel, Secure Boot becomes a disaster because Microsoft intervenes arbitrarily.
And is Ubuntu for server use, or installed on most mdraid modes, ZFS, BTRFS and many other file systems, even the right choice? They can be used separately.