Ubuntu 26.10 proposal targets ZFS, RAID and encryption in Secure Boot GRUB

Julian Andres Klode, a Canonical engineer focused on Ubuntu's Secure Boot signing, posted a proposal on the Ubuntu community forums to streamline the GRUB bootloader for Ubuntu 26.10. He described GRUB's parsers as a 'constant source of security issues' and suggested eliminating several features from signed builds to shrink the pre-boot attack surface. Affected components include filesystem drivers for Btrfs, HFS+, XFS and ZFS, leaving only ext4, FAT, ISO 9660 and SquashFS. The plan also drops image support, Apple partition tables, LVM, most md-RAID modes except RAID1, and LUKS encryption. As a result, Secure Boot systems would require a plain, unencrypted ext4 partition on GPT or MBR disks. Unsigned GRUB builds would retain these options, but at the cost of Secure Boot compatibility. Klode presented this as a security boost and a path to future bootloaders. The release upgrader would prevent upgrades from 26.04 LTS for incompatible setups. Neal Gompa, a contributor to Fedora and openSUSE, countered that GRUB's Btrfs driver is read-only, upstream-maintained and essential for boot-to-snapshot users. He noted software RAID1 is 'incredibly common' and challenged claims of rare native /boot RAID use. Gompa added that many web hosting, cloud and VPS environments lack reliable UEFI support. Paddy Landau objected to dropping PNG and JPEG support, which would end boot menu theming, and questioned the security rationale for formats like TGA given vulnerabilities predate GRUB 2.12. Thomas Ward, an Ubuntu Technical Board member, highlighted that Canonical's installers default to LVM, required for LUKS encryption, making the proposal incompatible with standard configurations. He demanded clear, per-feature justifications before proceeding.