Canonical Plans Controversial GRUB Changes for Ubuntu 26.10 Secure Boot

Canonical is considering a significant overhaul to how Secure Boot works in Ubuntu 26.10, with a proposal aimed at reducing the functionality of the GRUB bootloader in signed environments.
The idea, outlined in a Discourse post titled “Streamlining Secure Boot for 26.10” by Canonical engineer Julian Klode, suggests introducing a stripped-down version of GRUB for systems using Secure Boot. The goal is to limit the amount of code executed before the operating system loads, thereby improving overall security.
Under this proposal, the signed GRUB build would drop support for several advanced features. These include LUKS-based disk encryption, LVM, most md-raid configurations, as well as filesystems like ZFS and Btrfs. Support for various filesystem parsers and image formats would also be reduced. Instead, systems would be expected to boot using a simpler setup, typically relying on a standard ext4 /boot partition on either GPT or MBR.
Canonical’s reasoning centers on minimizing risk. Since GRUB processes filesystems and disk structures in the early boot phase, every additional feature expands the potential attack surface. By limiting what GRUB can handle in Secure Boot mode, the likelihood of vulnerabilities in this critical stage could be reduced.
Importantly, these capabilities are not being removed entirely. Users who choose to disable Secure Boot or use unsigned GRUB builds would still have access to the full feature set. However, those configurations would no longer benefit from Secure Boot protections.
The proposal introduces a potential complication for upgrades. Systems that rely on unsupported features within the Secure Boot chain may not be able to upgrade to Ubuntu 26.10 through the standard upgrade process. In such cases, Canonical indicates those systems would likely remain on Ubuntu 26.04 LTS unless their configurations are modified.
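A quick way to see whether a given machine would fall into that category, as an added example (not code from Canonical or the proposal): the script below checks the filesystem holding /boot and every block layer beneath it against the features this article lists as dropped. The function names and output labels are assumptions made for illustration, and all md-raid levels are flagged because the surviving modes are not yet defined.

```bash
#!/usr/bin/env bash
# Added example: flag a /boot layout that depends on features the article
# says the signed GRUB build would drop. The proposal is not final.

# classify_boot FSTYPE "TYPE TYPE ..."
#   FSTYPE: filesystem that holds /boot (findmnt FSTYPE column)
#   TYPEs:  lsblk TYPE values for its device and every device underneath
# Prints one finding per line, or "ok" when nothing is flagged.
classify_boot() {
    local fstype="$1" types="$2" t found=0
    case "$fstype" in
        ext4) ;;                                   # layout the proposal expects
        zfs|btrfs) echo "filesystem:$fstype"; found=1 ;;
        *) echo "review-filesystem:$fstype"; found=1 ;;  # parser set "reduced"
    esac
    for t in $types; do
        case "$t" in
            crypt) echo "luks"; found=1 ;;         # lsblk type for dm-crypt/LUKS
            lvm)   echo "lvm"; found=1 ;;
            raid*|md) echo "md-raid:$t"; found=1 ;;  # surviving modes undefined
        esac
    done
    if [ "$found" -eq 0 ]; then echo "ok"; fi
}

# live_check: gather the inputs from the running system.
live_check() {
    local fstype src types=""
    # -T resolves the filesystem containing /boot even when /boot is not a
    # separate mount point (in that case it is the root filesystem).
    fstype=$(findmnt -n -o FSTYPE -T /boot) || return 1
    src=$(findmnt -n -o SOURCE -T /boot)
    src=${src%%\[*}                                # strip btrfs "[/subvol]"
    # -s walks from the device down to the physical disk(s).
    if [ -b "$src" ]; then
        types=$(lsblk -s -l -n -o TYPE "$src" | tr '\n' ' ')
    fi
    # Findings only matter while Secure Boot is enabled.
    if command -v mokutil >/dev/null 2>&1; then mokutil --sb-state || true; fi
    classify_boot "$fstype" "$types"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it with `--live` on the machine being assessed; a default encrypted install with a separate plain ext4 /boot reports `ok`, while /boot inside an encrypted LVM volume reports `lvm` and `luks`.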
As expected, the proposal has sparked active discussion within the Ubuntu community. Many users—particularly those running server environments—depend on setups involving encrypted disks with LVM. Adjusting these deployments to fit a simplified boot model could require significant changes.
Users of ZFS and Btrfs have also raised concerns, as these filesystems are commonly used for advanced storage setups and snapshot-based workflows. Moving to a separate ext4 /boot partition may complicate existing configurations and maintenance practices.
Upgrade limitations are another key concern. If certain systems are blocked from upgrading, users may need to consider alternatives such as reinstalling, restructuring their storage layout, or turning off Secure Boot entirely.
Questions have also been raised about RAID support, especially regarding which md-raid modes would remain functional. Details on how mirrored boot configurations would operate under the proposed changes are still not fully defined.
Additionally, the proposal suggests removing support for image formats like PNG and JPEG in signed GRUB builds. These formats are typically used for visual elements such as themes, backgrounds, and icons in the boot menu. Canonical argues that eliminating image decoding code further reduces unnecessary complexity in the Secure Boot path.
At this stage, the plan remains a proposal for Ubuntu 26.10, and no final decisions have been confirmed. Given the scale of the changes and the feedback from the community, further revisions and discussions are likely before anything is finalized.







