AUR (en) - grub-git

Search Criteria

Enter search criteria

Search by

Keywords

Out of Date

Sort by

Sort order

Per page

Package Details: grub-git 2.12.rc1.r106.g7c8ae7dcb-1

Package Actions

Git Clone URL:	https://aur.archlinux.org/grub-git.git (read-only, click to copy)
Package Base:	grub-git
Description:	GNU GRand Unified Bootloader (2)
Upstream URL:	https://www.gnu.org/software/grub/
Licenses:	GPL3
Conflicts:	grub
Provides:	grub
Submitter:	ka2107
Maintainer:	WoefulDerelict
Last Packager:	WoefulDerelict
Votes:	17
Popularity:	0.003937
First Submitted:	2013-10-22 18:55 (UTC)
Last Updated:	2023-12-18 22:58 (UTC)

Dependencies (21)

device-mapper (device-mapper-git^AUR)
freetype2 (freetype2-git^AUR, freetype2-qdoled^AUR, freetype2-macos^AUR)
fuse3 (fuse3-git^AUR)
gettext (gettext-git^AUR)
sdl^AUR (sdl-openglhq^AUR, sdl-nokbgrab^AUR, sdl-openglhq-nokbgrab^AUR, sdl-git^AUR, sdl12-compat-git^AUR, sdl12-compat)
autogen (make)
bdf-unifont^AUR (make)
git (git-git^AUR) (make)
help2man (help2man-git^AUR, python-help2man^AUR) (make)
libusb (libusb-git^AUR) (make)
python (python32^AUR, python37^AUR, python310^AUR) (make)
rsync (rsync-git^AUR, rsync-reflink^AUR, rsync-reflink-git^AUR) (make)
texinfo (texinfo-git^AUR) (make)
ttf-dejavu (ttf-dejavu-ib^AUR, ttf-dejavu-emojiless^AUR) (make)
dosfstools (dosfstools-git^AUR) (optional) – For grub-mkrescue FAT FS and EFI support
efibootmgr (efibootmgr-git^AUR) (optional) – For grub-install EFI support
libisoburn (libisoburn-git^AUR) (optional) – Provides xorriso for generating grub rescue iso using grub-mkrescue
libusb (libusb-git^AUR) (optional) – For grub-emu USB support
lzop (optional) – For grub-mkrescue LZO support
mtools (mtools-svn^AUR) (optional) – For grub-mkrescue FAT FS support
Show 1 more dependencies...

Required by (308)

apple_set_os (requires grub) (optional)
arch-grub2-theme (requires grub)
arch-matrix-grub-theme-git (requires grub)
archiso-git (requires grub)
archiso-grub-themes (requires grub)
archuseriso (requires grub)
bieaz (requires grub)
bieaz-git (requires grub)
boo-grub-git (requires grub)
booty-git (requires grub)
cryptboot (requires grub)
cyberpunk-grub-theme-git (requires grub)
dedsec-grub2-theme (requires grub)
distro-grub-themes-arch (requires grub)
distro-grub-themes-endeavouros (requires grub)
distro-grub-themes-meta (requires grub)
dracula-grub-theme-git (requires grub)
endeavouros-galleon-grub (requires grub)
graphite-grub-theme-default-1080p (requires grub)
graphite-grub-theme-default-2k (requires grub)
Show 288 more...

Sources (7)

Latest Comments

« First ‹ Previous 1 2 3 4 5 6 7 .. 18 Next › Last »

trumee commented on 2021-04-20 03:47 (UTC)

Anybody used this with ZFS (ZFS on LUKS), with /boot in the pool or outside the pool?

rushaur commented on 2021-04-20 00:35 (UTC) (edited on 2021-04-20 00:36 (UTC) by rushaur)

@air-g4p: I tested in a VM and here my results so far:
grub-install without --modules=".." and without auto unlock script --> grub rescue.

grub-install with --modules=".." and without auto unlock script --> grub rescue.

grub-install with --modules=".." and with auto unlock script --> success!

So, seems both are required for grub 2.06-rc to successfully unlock a LUKS2 container. Thanks for your reply and your effort!

air-g4p commented on 2021-04-19 15:09 (UTC) (edited on 2021-04-19 20:18 (UTC) by air-g4p)

@rushaur: I am not sure, because I have not tested grub-install under grub 2.06 without adding the modules.

You are correct that 2.06 does not yet support Argon2. In fact, a grub developer told me, today, he is actively working on this problem, but that Argon2 support will not become available until a subsequent version is released.

I do KNOW the modules="...." were required under grub-git - and the cryptographic modules I listed (specific for my system) were very likely also required for successful grub 2.06 installation, thereby enabling support for grub's subsequent encrypted LUKS2 /boot (Keyslot 1) unlocking.

As you may know, once grub unlocks Keyslot 1 (encrypted /boot), initramfs and the kernel then unlock Keyslot 0 (your LUKS2 encrypted / and any underlying LVs).

If you want to answer your own query, please have a go and document your results for the benefit of others.

Cheers

rushaur commented on 2021-04-19 12:00 (UTC)

@air-g4p: With grub 2.06 is it really required to include/specify the modules to unlock a LUKS2 container? If grub 2.06 "supports" LUKS2, doesn't this "support" include auto detection of the modules? I thought, the only thing that is not yet supported is argon2. I might be confusing something :-)

air-g4p commented on 2021-04-17 17:40 (UTC) (edited on 2021-04-19 09:59 (UTC) by air-g4p)

As a heads up to all who are interested in native grub LUKS2 automated encrypted /boot, /, and swap unlocking:

grub 2:2.06rc1-1 - is now available from the Arch TESTING repo - and 2.06 DOES support native LUKS2 unlocking. I know that because I am using it to boot from both my LUKS2 laptops.

If that is the package you want, this is the correct upgrade process:

A. Replace grub-git with grub (2.06). This will overwrite your existing /etc/default/grub, so you might want to make a backup, first.

B. Reinstall grub, depending on your cryptsetup options and / filesystem choice, with something like:

grub-install --target=x86_64-efi --efi-directory=/efi --modules="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512 btrfs" --bootloader-id=<some-ID>

C. For those desiring to automate their LUKS2 GRUB encrypted /boot unlocking process, Patrick Steinhardt (of grub-dev) was kind enough to develop and share with me a generic grub-mkimage unlocking script, which obviously needs to be modified in accordance with the specifics of your system.

The following script includes the modifications I made to unlock my system with grub 2.06, while remaining consistent with my prior system setup comments, which are now a few pages back within these grub-git comments.

#!/bin/bash

CONFIG=$(mktemp /tmp/grub-config.XXXXX) 
cat >"$CONFIG" <<EOF
cryptomount -u XYZ 

#(Where XYZ=the UUID of your Arch encrypted / partition, in my case:  /dev/nvmen0n1p21).#  

#Also note, unlike the previous iteration of grub-git, this UUID string must NOT contain ANY hyphens ('-')!!#

set prefix=(lvm/ArchNVMe-root)/boot/grub
set root=lvm/ArchNVMe-root

insmod normal
normal
EOF

grub-mkimage \
    -p '(lvm/ArchNVMe-root)/boot/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 lvm btrfs part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512

rm "$CONFIG"

D. Save your correctly modified script to a file. I call mine luks2.sh.

E. Run:

./luks2.sh

F. Ensure your /etc/default/grub is correct.

G. We need to overwrite our existing grubx64.efi payload with the image created by our luks2.sh script. Run something like:

cp /tmp/image /efi/EFI/<your bootloader-id>/grubx64.efi

H. Generate and write your final grub configuration with:

grub-mkconfig -o /boot/grub/grub.cfg

I. Finally, run:

reboot

Cheers, and enjoy native grub LUKS2 automated encrypted /boot, /, and swap unlocking!!!

Dylan14 commented on 2021-03-14 05:08 (UTC) (edited on 2021-03-14 06:14 (UTC) by Dylan14)

The section of util/grub-mkconfig.in that the add-GRUB_COLOR_variables.patch references has shifted up a few lines in recent commits. It now starts at line 214 instead of 218. This is causing the build to fail.

Edit: Fixed patch here: https://github.com/Dylan1496/aur-pkgbuilds/blob/master/add-GRUB_COLOR_variables.patch Note, it appears by default os-prober is disabled. Another patch will probably be needed to fix that.

spoons commented on 2021-02-13 04:26 (UTC)

For the other space cadets out there...

cryptomount will only detect your luks2 partition UUID if there is no dashes in the identifier otherwise you will be greeted with no such cryptodisk found.

Thanks for making this accessible everybody.

archabuser commented on 2021-01-31 16:55 (UTC) (edited on 2021-01-31 17:05 (UTC) by archabuser)

@ceri This is due to grub-install not correctly configuring your grub EFI-Image. It seems to be one of the limitations of upstream LUKS2 support. I ran into the same issue and then followed air-g4p's comment to add the right early config. I created a file /boot/grub/init.cfg with the following contents:

cryptomount -u <uuid-of-luks2-partition>
set root='lvmid/<vg-uuid>/<lv-uuid>'
set prefix=($root)/grub

insmod normal
normal

Where <vg-uuid> and <vl-uuid> point to the lvm volume that contains your /boot directory (use vgdisplay and lvdisplay for lookup). Then i ran grub-mkimage with all the required modules and added the config with -c /boot/grub/init.cfg.

ceri commented on 2021-01-18 14:53 (UTC) (edited on 2021-01-18 14:53 (UTC) by ceri)

I'm using luks2 with pbkdf2 keys for encrypted /boot and I'm having difficultly with the grub EFI.

It complains/lies "no such cryptodisk found" with the UUID of my boot partition. If I manually unlock it, it shows the same UUID (with hyphens), and the main grub loader starts:

cryptomount (hd2,gpt2)

insmod normal

normal

This is the command I'm using to build my EFI stub

sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub_new --recheck

Any ideas?

praise_x commented on 2020-11-27 17:20 (UTC) (edited on 2020-11-30 15:29 (UTC) by praise_x)

Here is my patch to use 4096-byte sectors with LUKS2

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 473c93976..4016ed7ba 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -237,6 +237,8 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
     return (do_encrypt ? grub_crypto_ecb_encrypt (dev->cipher, data, data, len)
        : grub_crypto_ecb_decrypt (dev->cipher, data, data, len));

+  sector <<= (dev->log_sector_size - 9);
+
   for (i = 0; i < len; i += (1U << dev->log_sector_size))
     {
       grub_size_t sz = ((dev->cipher->cipher->blocksize
@@ -391,7 +393,7 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
    default:
      return GPG_ERR_NOT_IMPLEMENTED;
    }
-      sector++;
+      sector += 1 << (dev->log_sector_size - 9);
     }
   return GPG_ERR_NO_ERROR;
 }
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index d96764a02..8ec4ed9f5 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -498,7 +498,10 @@ luks2_decrypt_key (grub_uint8_t *out_key,
       goto err;
     }

+  int original_log_sector_size = crypt->log_sector_size;
+  crypt->log_sector_size = 9;
   gcry_ret = grub_cryptodisk_decrypt (crypt, split_key, k->area.size, 0);
+  crypt->log_sector_size = original_log_sector_size;
   if (gcry_ret)
     {
       ret = grub_crypto_gcry_error (gcry_ret);