Package Details: grub-git 2.06.r297.g0c6c1aff2-1

Git Clone URL: https://aur.archlinux.org/grub-git.git (read-only)
Package Base: grub-git
Description: GNU GRand Unified Bootloader (2)
Upstream URL: https://www.gnu.org/software/grub/
Licenses: GPL3
Conflicts: grub
Provides: grub
Submitter: ridikulusrat
Maintainer: WoefulDerelict
Last Packager: WoefulDerelict
Votes: 16
Popularity: 0.000996
First Submitted: 2013-10-22 18:55 (UTC)
Last Updated: 2022-08-18 21:26 (UTC)

Latest Comments

air-g4p commented on 2022-11-22 18:26 (UTC) (edited on 2022-11-22 18:52 (UTC) by air-g4p)

Haiya (again) grub-invested Guys and Gals,

Recently, I've noticed several significant upstream grub and mkinitcpio changes, beginning with this 30 Aug 2022 archlinux.org announcement: https://archlinux.org/news/grub-bootloader-upgrade-and-configuration-incompatibilities/

However, I've also seen several more subsequent grub iterations since then, which may impact your ability to boot encrypted luks2 /boot without error prior to seeing: 'Slot "0" unlocked' following successful passphrase entry.

To be clear, as of 22 Nov 2022, I am running this grub version: 2:2.06.r380.g151467888-1 from the Arch repos.

Given these multiple changes, I am updating my known-to-work previously suggested approach.

Please recall, as I told you on 30 Aug 2020, I had originally (many years earlier) encrypted my / with:

cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random --type luks1 luksFormat /dev/sdXZ

then I ran:

cryptsetup convert --type luks2 /dev/sdXZ

I run btrfs, you may NOT! Adapt below, as required.

The following is ONLY APPLICABLE TO FULLY UPDATED, AND REBOOTED, SYSTEMS!

No Arch installation *.iso (or chroot) is required.

Re-install grub with:

grub-install --target=x86_64-efi --efi-directory=/efi --modules="luks2 lvm part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512 btrfs" --bootloader-id=<some-id>

Note the addition of the 'lvm' module which is now supported.

Carefully check/diff your /etc/mkinitcpio.conf.pacnew file! There are several important changes as well as new default hooks.

Despite these changes, I know my current /etc/mkinitcpio.conf hooks statement (the order is important) works.

HOOKS=(base udev autodetect modconf block encrypt lvm2 resume filesystems keyboard)

Grub now supports 'cryptomount -u XXX' where XXX=standard uuid (8-4-4-4-12 digit) character formatting. The use of hyphens caused read failures, previously.

You can find your correct encrypted / partition uuid with:

lsblk -f

My current (generic) GRUB unlocking script:

#!/bin/bash
set -eu

# Embedded GRUB config: unlock the LUKS2 container, then hand over to the
# normal GRUB living on the (now readable) root LV. The quoted 'EOF' keeps
# bash from expanding anything inside the heredoc.
CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<'EOF'
# XXX = the UUID of your Arch encrypted / partition (see lsblk -f)
cryptomount -u XXX

set prefix=(lvm/ArchNVMe-root)/boot/grub
set root=lvm/ArchNVMe-root

insmod normal
normal
EOF

# Build the EFI image with the unlock config and every module needed to read
# LUKS2 + LVM + btrfs before normal.mod can be loaded from /boot/grub.
grub-mkimage \
    -p '(lvm/ArchNVMe-root)/boot/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 lvm part_gpt btrfs cryptodisk gcry_rijndael pbkdf2 gcry_sha512

rm "$CONFIG"

cp /tmp/image /efi/EFI/<YOUR-bootloader-ID>/grubx64.efi

Run:

mkinitcpio -P linux

Run:

grub-mkconfig -o /boot/grub/grub.cfg

Finally, run your GRUB unlocking script. I call mine 'luks2.sh'

./luks2.sh

You can now check that your grubx64.efi payload has been updated with:

ls -al /efi/EFI/<YOUR-bootloader-ID>/

Cheers...and continue to ENJOY evolving grub!!!

callmejoe commented on 2021-11-02 03:53 (UTC) (edited on 2022-05-29 16:17 (UTC) by callmejoe)

@rushaur: yes I guess you're right. I rarely install from git pkgs, and forgot that's how it goes.

EDIT: turns out my system was woefully out of date. upgrading solved everything

rushaur commented on 2021-11-02 01:47 (UTC)

@callmejoe: That is the thing with git packages, they can break anytime. I would suggest to check the grub source repo for commits that deal with fixing build errors and rebuild when new stuff is committed.

callmejoe commented on 2021-11-02 01:35 (UTC)

having trouble building. getting a lot of configure.ac warnings & errors.

https://imgur.com/HpTcFta.png

any ideas? thanks

qupfer commented on 2021-09-24 12:56 (UTC) (edited on 2021-09-24 13:00 (UTC) by qupfer)

Hi, I modified air-g4p's script and it works great with btrfs and background image. Thanks.

Also pay attention: if you change your passphrase, make sure it uses pbkdf2 again:

sudo cryptsetup luksChangeKey --hash sha512 --pbkdf=pbkdf2 --pbkdf-force-iterations=500000 /dev/sdb2

The background image lies next to the BOOTX64.EFI file (unencrypted).


#!/bin/bash
set -eu

# Quoted 'EOF' keeps bash from expanding $root here; it must reach GRUB
# literally, where it names the device the image was loaded from (the ESP).
CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<'EOF'
insmod all_video
set gfxmode=auto
terminal_input console
terminal_output gfxterm

# background image lives unencrypted on the ESP next to BOOTX64.EFI
background_image $root/EFI/BOOT/background.jpg

cryptomount -u a7b02c3563e14a60bed8bf8f934ed89a

# root is a btrfs subvolume "@" inside the unlocked container
set root=crypto0
set prefix=(crypto0)/@/boot/grub

insmod normal
normal
EOF

grub-mkimage \
    -p '/boot/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 lvm fat all_video png jpeg gfxterm gfxmenu gfxterm_background btrfs part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha256 gcry_sha512
rm "$CONFIG"

cp /tmp/image /efi/EFI/BOOT/BOOTX64.efi
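
An added pre-flight check, written for this page and not taken from the thread, GRUB or cryptsetup, that ties together two points raised in the comments: air-g4p's note that cryptomount -u on 2.06 takes the UUID without hyphens, and qupfer's note that a re-keyed slot must be pbkdf2 again (GRUB 2.06's luks2 module cannot derive keys from Argon2 slots, which cryptsetup creates by default for LUKS2). The parsing functions read cryptsetup luksDump text from stdin so they run against the constructed sample embedded below; check_device, which pipes a real device's dump into them, is an assumed wrapper and is not invoked here.

```sh
#!/bin/sh
# Added example (not the page's or GRUB's code): checks to run before
# rebuilding a grubx64.efi that must unlock a LUKS2 /boot.
#   1. cryptomount -u wants the UUID without hyphens on GRUB 2.06, while
#      lsblk -f / blkid print it hyphenated.
#   2. GRUB 2.06 only opens keyslots whose PBKDF is pbkdf2; an Argon2 slot
#      (cryptsetup's LUKS2 default) is unusable from the bootloader, so every
#      slot must show "PBKDF: pbkdf2" in `cryptsetup luksDump`.

# grub_uuid UUID: print the 8-4-4-4-12 UUID lowercased with hyphens stripped.
# Returns 1 (printing nothing on stdout) if the argument is not such a UUID.
grub_uuid() {
    u=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if ! printf '%s\n' "$u" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
        printf 'grub_uuid: not an 8-4-4-4-12 UUID: %s\n' "$1" >&2
        return 1
    fi
    printf '%s\n' "$u" | tr -d '-'
}

# luks2_keyslot_pbkdfs: read `cryptsetup luksDump` output on stdin and print
# "<slot> <pbkdf>" per keyslot. Only the Keyslots: section is scanned; the
# Digests: section also carries a "pbkdf2" line that is irrelevant to unlocking.
luks2_keyslot_pbkdfs() {
    awk '
        /^Keyslots:/              { in_ks = 1; next }
        /^(Tokens|Digests):/      { in_ks = 0 }
        in_ks && /^  [0-9]+: /    { slot = $1; sub(":", "", slot) }
        in_ks && /^[ \t]+PBKDF:/  { print slot, $2 }
    '
}

# grub_can_unlock: read a luksDump on stdin; return 0 only if every keyslot
# uses pbkdf2, otherwise list the offending slots on stderr and return 1.
grub_can_unlock() {
    bad=$(luks2_keyslot_pbkdfs | awk '$2 != "pbkdf2" { print "keyslot " $1 " uses " $2 " (GRUB 2.06 cannot open it)" }')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# check_device /dev/sdXZ: assumed wrapper for a real device (needs root).
check_device() {
    cryptsetup luksDump "$1" | grub_can_unlock
}

# Constructed sample in the shape of `cryptsetup luksDump` for a LUKS2 header:
# slot 0 re-keyed to pbkdf2 (as qupfer's luksChangeKey line does), slot 1 added
# later with the Argon2id default. Values are illustrative, not from a real disk.
SAMPLE_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
UUID:           a7b02c35-63e1-4a60-bed8-bf8f934ed89a

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 500000
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha512
        Iterations: 131474
EOF
)
```

Run `printf '%s\n' "$SAMPLE_DUMP" | grub_can_unlock` to see slot 1 flagged; on a live system, `check_device /dev/sdXZ` before running the image-building script tells you whether the passphrase you type at the GRUB prompt can actually open a slot. Slots that fail the check either need the luksChangeKey from qupfer's comment or a separate pbkdf2 slot added with `cryptsetup luksAddKey --pbkdf pbkdf2`.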

aizomul commented on 2021-06-25 17:19 (UTC) (edited on 2021-06-25 17:22 (UTC) by aizomul)

Does anyone know how to include a keyfile unlocking on the early boot passphrase? Since the cryptomount -u UUID doesn't include a keyfile option, I'm stuck.....

dani0854 commented on 2021-04-30 15:52 (UTC) (edited on 2021-05-01 08:20 (UTC) by dani0854)

I am trying to setup lvm on luks2 with boot inside lvm.

NAME                 FSTYPE       FSVER      FSAVAIL    FSUSE%  MOUNTPOINT
nvme0n1
├─nvme0n1p1          vfat         FAT32      510.7M     0%      /mnt/efi
└─nvme0n1p2          crypto_LUKS  2
  └─cryptlvm         LVM2_member  LVM2 001
    ├─ArchNVMe-swap  swap         1                             [SWAP]
    ├─ArchNVMe-root  ext4         1.0        27G        8%      /mnt
    └─ArchNVMe-home  ext4         1.0        395.5G     0%      /mnt/home

cryptomount works, and ls in grub rescue shows all the volumes, but it can't identify their filesystem (error: unknown filesystem), including ArchNVMe-root and nvme0n1p2. The wiki says this can happen if the BIOS boot partition is outside of the first 2TiB. But I didn't create a BIOS boot partition because it also says that UEFI systems don't need one. Has anyone seen errors like that? Thanks in advance.

EDIT: I have tried with BIOS boot partition, it didn't change anything, still getting that error.

EDIT2: The issue was that I didn't install ext2 module

air-g4p commented on 2021-04-20 15:37 (UTC) (edited on 2021-04-20 15:39 (UTC) by air-g4p)

@rushaur - You're welcome, but thank you for testing the with and without 'crypto modules' cases, both without the modified grub-mkimage script!

No surprises here, but now we know for a fact that having the correct grub-install --modules="...." statement AND a correct grub-mkimage script (both adapted for each user's system) are mandatory for successful LUKS2 /boot unlocking!

Hopefully this will save others from wasting time speculating and let them immediately begin efficiently implementing the correct grub 2.06 LUKS2 encrypted /boot upgrade procedure as documented below.

Cheers!

trumee commented on 2021-04-20 03:47 (UTC)

Anybody used this with ZFS (ZFS on LUKS), with /boot in the pool or outside the pool?

rushaur commented on 2021-04-20 00:35 (UTC) (edited on 2021-04-20 00:36 (UTC) by rushaur)

@air-g4p: I tested in a VM and here my results so far:
grub-install without --modules=".." and without auto unlock script --> grub rescue.

grub-install with --modules=".." and without auto unlock script --> grub rescue.

grub-install with --modules=".." and with auto unlock script --> success!

So, seems both are required for grub 2.06-rc to successfully unlock a LUKS2 container. Thanks for your reply and your effort!