Package Details: grub-git 2.06.rc1.r0.ga53e530f8-1

Git Clone URL: https://aur.archlinux.org/grub-git.git (read-only, click to copy)
Package Base: grub-git
Description: GNU GRand Unified Bootloader (2)
Upstream URL: https://www.gnu.org/software/grub/
Licenses: GPL3
Conflicts: grub
Provides: grub
Submitter: ridikulusrat
Maintainer: WoefulDerelict
Last Packager: WoefulDerelict
Votes: 15
Popularity: 0.073352
First Submitted: 2013-10-22 18:55
Last Updated: 2021-03-25 00:55

Dependencies (20)

Required by (122)

Sources (6)

Latest Comments

1 2 3 4 5 6 ... Next › Last »

qupfer commented on 2021-09-24 12:56

Hi, I modified air-g4p's script and it works great with btrfs and background image. Thanks.

Also give attention, if you change your Passphrase that it will have pbkdf2 again sudo cryptsetup luksChangeKey --hash sha512 --pbkdf=pbkdf2 --pbkdf-force-iterations=500000 /dev/sdb2

The Background lays next to the BOOTX64.EFI file (unencrypted)


#!/bin/bash

CONFIG=$(mktemp /tmp/grub-config.XXXXX) 
cat >"$CONFIG" <<EOF

insmod all_video
set gfxmode=auto
terminal_input console
terminal_output gfxterm

background_image $root/EFI/BOOT/background.jpg

cryptomount -u a7b02c3563e14a60bed8bf8f934ed89a 

set root=crypto0
set prefix=(crypto0)/@/boot/grub

insmod normal
normal
EOF

grub-mkimage \
    -p '/boot/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 lvm fat all_video png jpeg gfxterm gfxmenu gfxterm_background btrfs part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha256 gcry_sha512
rm "$CONFIG"

cp /tmp/image /efi/EFI/BOOT/BOOTX64.efi

aizomul commented on 2021-06-25 17:19

Does anyone know how to include a keyfile unlocking on the early boot passphrase? Since the cryptomount -u UUID doesn't include a keyfile option, I'm stuck.....

dani0854 commented on 2021-04-30 15:52

I am trying to setup lvm on luks2 with boot inside lvm.

NAME                 FSTYPE       FSVER      FSAVAIL    FSUSE%  MOUNTPOINT
nvme0n1
├─nvme0n1p1          vfat         FAT32      510.7M     0%      /mnt/efi
└─nvme0n1p2          crypto_LUKS  2
  └─cryptlvm         LVM2_member  LVM2 001
    ├─ArchNVMe-swap  swap         1                             [SWAP]
    ├─ArchNVMe-root  ext4         1.0        27G        8%      /mnt
    └─ArchNVMe-home  ext4         1.0        395.5G     0%      /mnt/home

cryptomount works, and ls in grub rescue shows all the volumes, but it can't identify their filesystem (error: unknown filesystem), including ArchNVMe-root and nvme0n1p2. On wiki it says that it can happen if BIOS boot partition outside of the first 2TiB. But I didn't create BIOS boot partition because it also says that UEFI systems don't need one. Anyone has seen errors like that? Thanks in advance.

EDIT: I have tried with BIOS boot partition, it didn't change anything, still getting that error.

EDIT2: The issue was that I didn't install ext2 module

air-g4p commented on 2021-04-20 15:37

@rushaur - You're welcome, but thank you for testing the with and without 'crypto modules' cases, both without the modified grub-mkimage script!

No surprises here, but now we know for a for a fact that having the correct grub-install --modules="...." statement AND a correct grub-mkimage script (both adapted for each user's system) are mandatory for successful LUKS2 /boot unlocking!

Hopefully, this will save others wasting time speculating and to immediately begin efficiently implementing the correct grub 2.06 LUKS2 encrypted /boot upgrade procedure as documented below.

Cheers!

trumee commented on 2021-04-20 03:47

Anybody used this with ZFS (ZFS on LUKS), with /boot in the pool or outside the pool?

rushaur commented on 2021-04-20 00:35

@air-g4p: I tested in a VM and here my results so far:
grub-install without --modules=".." and without auto unlock script --> grub rescue.

grub-install with --modules=".." and without auto unlock script --> grub rescue.

grub-install with --modules=".." and with auto unlock script --> success!

So, seems both are required for grub 2.06-rc to successfully unlock a LUKS2 container. Thanks for your reply and your effort!

air-g4p commented on 2021-04-19 15:09

@rushaur: I am not sure, because I have not tested grub-install under grub 2.06 without adding the modules.

You are correct that 2.06 does not yet support Argon2. In fact, a grub developer told me, today, he is actively working on this problem, but that Argon2 support will not become available until a subsequent version is released.

I do KNOW the modules="...." were required under grub-git - and the cryptographic modules I listed (specific for my system) were very likely also required for successful grub 2.06 installation, thereby enabling support for grub's subsequent encrypted LUKS2 /boot (Keyslot 1) unlocking.

As you may know, once grub unlocks Keyslot 1 (encrypted /boot), initramfs and the kernel then unlock Keyslot 0 (your LUKS2 encrypted / and any underlying LVs).

If you want to answer your own query, please have a go and document your results for the benefit of others.

Cheers

rushaur commented on 2021-04-19 12:00

@air-g4p: With grub 2.06 is it really required to include/specify the modules to unlock a LUKS2 container? If grub 2.06 "supports" LUKS2, doesn't this "support" include auto detection of the modules? I thought, the only thing that is not yet supported is argon2. I might be confusing something :-)

air-g4p commented on 2021-04-17 17:40

As a heads up to all who are interested in native grub LUKS2 automated encrypted /boot, /, and swap unlocking:

grub 2:2.06rc1-1 - is now available from the Arch TESTING repo - and 2.06 DOES support native LUKS2 unlocking. I know that because I am using it to boot from both my LUKS2 laptops.

If that is the package you want, this is the correct upgrade process:

A. Replace grub-git with grub (2.06). This will overwrite your existing /etc/default/grub, so you might want to make a backup, first.

B. Reinstall grub, depending on your cryptsetup options and / filesystem choice, with something like:

grub-install --target=x86_64-efi --efi-directory=/efi --modules="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512 btrfs" --bootloader-id=<some-ID>

C. For those desiring to automate their LUKS2 GRUB encrypted /boot unlocking process, Patrick Steinhardt (of grub-dev) was kind enough to develop and share with me a generic grub-mkimage unlocking script, which obviously needs to be modified in accordance with the specifics of your system.

The following script includes the modifications I made to unlock my system with grub 2.06, while remaining consistent with my prior system setup comments, which are now a few pages back within these grub-git comments.

#!/bin/bash

CONFIG=$(mktemp /tmp/grub-config.XXXXX) 
cat >"$CONFIG" <<EOF
cryptomount -u XYZ 

#(Where XYZ=the UUID of your Arch encrypted / partition, in my case:  /dev/nvmen0n1p21).#  

#Also note, unlike the previous iteration of grub-git, this UUID string must NOT contain ANY hyphens ('-')!!#

set prefix=(lvm/ArchNVMe-root)/boot/grub
set root=lvm/ArchNVMe-root

insmod normal
normal
EOF

grub-mkimage \
    -p '(lvm/ArchNVMe-root)/boot/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 lvm btrfs part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512

rm "$CONFIG"

D. Save your correctly modified script to a file. I call mine luks2.sh.

E. Run:

./luks2.sh

F. Ensure your /etc/default/grub is correct.

G. We need to overwrite our existing grubx64.efi payload with the image created by our luks2.sh script. Run something like:

cp /tmp/image /efi/EFI/<your bootloader-id>/grubx64.efi

H. Generate and write your final grub configuration with:

grub-mkconfig -o /boot/grub/grub.cfg

I. Finally, run:

reboot

Cheers, and enjoy native grub LUKS2 automated encrypted /boot, /, and swap unlocking!!!

Dylan14 commented on 2021-03-14 05:08

The section of util/grub-mkconfig.in that the add-GRUB_COLOR_variables.patch references has shifted up a few lines in recent commits. It now starts at line 214 instead of 218. This is causing the build to fail.

Edit: Fixed patch here: https://github.com/Dylan1496/aur-pkgbuilds/blob/master/add-GRUB_COLOR_variables.patch Note, it appears by default os-prober is disabled. Another patch will probably be needed to fix that.