Can't unlock LUKS2 encrypted boot partition with GRUB

[Mike Benson]

I am playing around with full disk encryption, but Grub is not being
cooperative.

I am using a build of Grub cloned from the Git repository, so luks2 support
is available. I have run grub-mkconfig and grub-install, preloading
part_gpt, luks2 and cryptodisk modules

The boot partition is locked with two keys at the moment. The second is a
temporary, memorable (but low entropy) passphrase for testing.

If I boot from the live usb, I can do:
*Code:*
cryptsetup luksOpen /dev/nvme0n1p2 BOOT

and that works fine with the second key.

When I boot the target, I get a "no such device" error and get dropped into
a rescue shell. I'll deal with that later.

I type:
*Code:*
set debug=all
cryptomount (hd0,gpt2)
...
Enter passphrase for hd0,gpt2 (<UUID follows>): <Types passphrase>
disk/luks2.c:598: Trying keyslot 0
disk/luks2.c:613: Decryption with keyslot 0 failed
...
error: Could not parse digest 1.


If I do a luksDump, I can confirm there is no digest 1 (although there is a
digest 0, referenced by both keyslots). I don't know if this is a bug with
searching the keyslots, or a problem with the LUKS header (though surely
cryptsetup would have problems if that were the case).

Any grub masters available to offer suggestions?