RFE UEFI: allow booting from luks encrypted /boot in Red Hat Enterprise Linux 9

    • Type: Story
    • Resolution: Won't Do
    • Priority: Normal
    • Version: rhel-9.3.0.z
    • Component: grub2
    • sst_desktop_firmware_bootloaders
    • ssg_desktop
    • Product: Red Hat Enterprise Linux
    • Architecture: x86_64

      What were you trying to do that didn't work?

      Customer would like UEFI support added so that booting with a LUKS-encrypted /boot partition is possible in Red Hat Enterprise Linux 9.

      NOTE: This capability was previously added to Red Hat Enterprise Linux 8 in Bugzilla bug 1873725:

      "UEFI: allow booting from luks encrypted /boot"

      https://bugzilla.redhat.com/show_bug.cgi?id=1873725

      Please provide the package NVR for which bug is seen:

      grub2-efi-x64

      How reproducible:

      N/A

      Steps to reproduce:

      1. mkdir /boot-backup
      2. umount -v /boot/efi
      3. rsync -avAXP /boot/ /boot-backup
      4. umount -v /boot
      5. cryptsetup luksFormat /dev/sda2 --type luks1
         uuid=$(lsblk -dno uuid /dev/sda2)
         echo "******* $uuid ********"
      6. cryptsetup open /dev/sda2 luks-${uuid}
         orig_uuid=$(grep 'boot.*xfs' /etc/fstab | cut -d' ' -f1 | cut -d'=' -f2)
      7. mkfs.xfs -m uuid=${orig_uuid} -L BOOT /dev/mapper/luks-${uuid}
      8. mount -v /dev/mapper/luks-${uuid} /boot
      9. rsync -avAXP /boot-backup/ /boot/
      10. mount -v /dev/sda1 /boot/efi/
      11. restorecon -RFv /boot
      12. rm -rvf /boot-backup/
      13. echo "GRUB_PRELOAD_MODULES=\"luks cryptodisk\"" >> /etc/default/grub
      14. echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
      15. echo "luks-${uuid} UUID=${uuid} none discard" >> /etc/crypttab
      16. grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

      I'm asked for the password before GRUB2 starts, but then I don't see any menu entry.

      If I enter the following in GRUB command-line mode:

          cryptomount -u 2161ce0fb4fc4bd0a4010c21e8e79196
          search --no-floppy --fs-uuid --set=dev --hint='cryptouuid/2161ce0fb4fc4bd0a4010c21e8e79196' aa3f4dea-f05c-4bd6-9372-967f4b4d5e42
          set prefix=($dev)/grub2
          export $prefix
          configfile $prefix/grub.cfg

      where 2161ce0fb4fc4bd0a4010c21e8e79196 is the UUID of the encrypted /dev/sda2 and aa3f4dea-f05c-4bd6-9372-967f4b4d5e42 is the UUID of the unencrypted /boot filesystem inside it.

      NOTE: It then starts properly, but it reports an error related to FIPS (because the original system has FIPS enabled).
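      As an added example (not part of the report or of grub2 itself), a small POSIX shell helper that checks the /etc/default/grub and /etc/crypttab entries the steps write and prints the GRUB command-line sequence above for a given pair of UUIDs. File paths are passed in as arguments; the dashed LUKS UUID used in the comments is constructed from the report's dashless one.

```shell
#!/bin/sh
# Added example: sanity checks for the cryptodisk setup in the steps above.
# Paths are arguments so the checks can run against copies of the files.

# Returns 0 when the /etc/default/grub at $1 carries both settings the steps
# append: GRUB_ENABLE_CRYPTODISK=y and luks + cryptodisk in PRELOAD_MODULES.
check_cryptodisk_config() {
    grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$1" || return 1
    grep -q '^GRUB_PRELOAD_MODULES=".*luks.*"' "$1" || return 1
    grep -q '^GRUB_PRELOAD_MODULES=".*cryptodisk.*"' "$1" || return 1
    return 0
}

# Returns 0 when the crypttab at $1 maps the LUKS volume with UUID $2 to the
# mapper name luks-<uuid>, i.e. the name given to "cryptsetup open" in step 6.
check_crypttab_entry() {
    grep -q "^luks-$2[[:space:]][[:space:]]*UUID=$2[[:space:]]" "$1"
}

# cryptomount -u takes the LUKS UUID without dashes; lsblk and crypttab use
# the dashed form (e.g. constructed 2161ce0f-b4fc-4bd0-a401-0c21e8e79196).
grub_uuid() {
    printf '%s\n' "$1" | tr -d '-'
}

# Prints the GRUB command-line sequence from the report for a LUKS UUID ($1)
# and the UUID of the /boot filesystem inside it ($2). GRUB's export takes
# the variable name, so "export prefix" is used here.
grub_rescue_commands() {
    u=$(grub_uuid "$1")
    printf 'cryptomount -u %s\n' "$u"
    printf "search --no-floppy --fs-uuid --set=dev --hint='cryptouuid/%s' %s\n" "$u" "$2"
    printf 'set prefix=($dev)/grub2\n'
    printf 'export prefix\n'
    printf 'configfile $prefix/grub.cfg\n'
}
```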

            Assignee: bootloader-eng-team
            Reporter: Christopher Bradshaw (rhn-support-cbradsha)