Package Details: grub-git 2.12.rc1.r106.g7c8ae7dcb-1

Git Clone URL: https://aur.archlinux.org/grub-git.git (read-only)
Package Base: grub-git
Description: GNU GRand Unified Bootloader (2)
Upstream URL: https://www.gnu.org/software/grub/
Licenses: GPL3
Conflicts: grub
Provides: grub
Submitter: ka2107
Maintainer: WoefulDerelict
Last Packager: WoefulDerelict
Votes: 17
Popularity: 0.006163
First Submitted: 2013-10-22 18:55 (UTC)
Last Updated: 2023-12-18 22:58 (UTC)


Latest Comments


rushaur commented on 2020-10-07 11:19 (UTC) (edited on 2020-10-07 11:39 (UTC) by rushaur)

I finally could boot from a LUKS2 encrypted root (not converted). If someone is interested, here are the steps, with help from @air-g4p's comments. By the way, thank you!

1- As usual, partition/format the disk. I had only two partitions:
sda1 ------> /boot/efi
sda2 ------> /

2- Encryption:

modprobe dm-crypt
cryptsetup -y --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --pbkdf pbkdf2 --type luks2 luksFormat /dev/sda2
__mapper__=/dev/mapper/luks-"$(cryptsetup luksUUID /dev/sda2)"

AFAIK --allow-discards --persistent are LUKS2 only:

cryptsetup --allow-discards --persistent open /dev/sda2 luks-"$(cryptsetup luksUUID /dev/sda2)"

3- Make the filesystem and mount it to /mnt:

mkfs.btrfs "${__mapper__}"
mount -o noatime,compress=zstd,ssd,space_cache=v2 "${__mapper__}" /mnt

Steps to create/mount subvolumes skipped here to keep things short

mkfs.fat -F 32 /dev/sda1
mount /dev/sda1 /mnt/boot/efi

4- Install the new system: the usual pacstrap /mnt pkg1 pkg2 pkgn...

pacman -r /mnt -U /path/to/grub-git.pkg.tar.zst

5- Tweaks: Replace xxxxx with the UUID of your root. You can get it by running:

cryptsetup luksUUID /dev/YOUR_ROOT_PARTITION

Edit (/mnt)/etc/default/grub to reflect this:

GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxx-xxxxxx-xxxxx-xxxx:mapper-name"
GRUB_ENABLE_CRYPTODISK=y

If you plan to unlock with a keyfile, luksAddKey accepts the --pbkdf pbkdf2 command-line parameter.

For later reuse, let's make the script provided by @air-g4p locally available, modified for my own use case. Because I had created a subvolume @grub to be mounted later at /boot/grub, you will see the @grub notation:

cat <<'__END_SCRIPT__' >/usr/local/bin/grub-mkluks2-image
#!/bin/bash
set -e
# Ask for the LUKS2 root partition (e.g. sda2) and look up its LUKS UUID
read -rp "Enter the partition containing /, without '/dev/': " __ROOT__
cr_root_uuid="$(cryptsetup luksUUID "/dev/${__ROOT__}")"
# Embedded GRUB config: unlock the container (UUID given without dashes),
# then point prefix/root at the @grub subvolume inside it and start normal mode
CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<EOF
cryptomount -u ${cr_root_uuid//-/}

set prefix='(crypto0)/@grub'
set root='(crypto0)'

insmod normal
normal
EOF

# Build the EFI image with the LUKS2, btrfs and cipher/hash modules built in
grub-mkimage \
    -p '(crypto0)/@grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /boot/efi/EFI/archlinux/grubx64.efi \
    luks2 btrfs part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512

rm "$CONFIG"
__END_SCRIPT__

chmod 755 /usr/local/bin/grub-mkluks2-image

It might be useless, but at least it will create the directory structure :)

grub-install --target=x86_64-efi --modules="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512" --efi-directory=/boot/efi --bootloader-id="archlinux" --recheck

Create the "new" bootloader which will include the modules/instructions needed to unlock our luks2 container:

grub-mkluks2-image

If all goes well, you will hopefully be greeted by GRUB asking for the encryption passphrase :)

yangsheng6810 commented on 2020-10-02 00:15 (UTC)

In case someone like me does not know how to modify an existing LUKS2 partition with argon2 keys to make it work, here is how I did it. You may need to remove every argon2 key to make GRUB unlocking work. (For me, the argon2 keys that use a keyfile instead of a passphrase can be kept.)

# my encrypted device is /dev/nvme0n1p3, replace with your own device
DEVICE='/dev/nvme0n1p3'
# show current LUKS header, and observe which are existing key slots
sudo cryptsetup luksDump "$DEVICE"
# add a key using pbkdf2
sudo cryptsetup luksAddKey --pbkdf pbkdf2 "$DEVICE"
# remove old keys that use argon2/argon2i, replace the 0 with your key slot
sudo cryptsetup luksKillSlot "$DEVICE" 0

air-g4p commented on 2020-09-29 07:53 (UTC) (edited on 2020-09-29 08:20 (UTC) by air-g4p)

@drgr33n - Noted, however, if you parse through the grub-devel archives you will see there are numerous argon2 threads.

https://lists.gnu.org/archive/html/grub-devel/2020-03/msg00106.html is but one example.

From what I can discern, the devs believe that future support for argon2 will not be all that difficult to incorporate. That being said, it appears that the window for including argon2 support in 2.06 has already closed. So, we'll just have to be patient and continue our LUKS2 grub /boot unlocking with pbkdf2 until then.

Personally, I remain thankful that we now have a documented, working LUKS2 grub /boot unlocking procedure well ahead of schedule! I boot from LUKS2 /boot on both of my laptops without issue.

Cheers

drgr33n commented on 2020-09-25 22:39 (UTC)

luks2 works fine as long as you use pbkdf2. I have just set it up on my new laptop and it works great. Pity about the argon2 support though. Hopefully that will come soon enough.

air-g4p commented on 2020-09-03 22:48 (UTC) (edited on 2021-04-17 18:02 (UTC) by air-g4p)

If anyone desires to automate their LUKS2 GRUB encrypted /boot unlocking process, Patrick Steinhardt (of grub-dev) was kind enough to develop and share with me a generic grub-mkimage unlocking script, which obviously needs to be modified in accordance with the specifics of your system.

The following script includes the modifications I made to unlock my system, remaining consistent with my prior system setup comments.

#!/bin/bash

CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<EOF
cryptomount -u XXX #(where XXX=the UUID of your Arch encrypted / partition, in my case:  /dev/sda7)# 

set prefix=(lvm/ArchSSD-root)/boot/grub
set root=lvm/ArchSSD-root

insmod normal
normal
EOF

grub-mkimage \
    -p '(lvm/ArchSSD-root)/boot/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 lvm btrfs part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512

rm "$CONFIG"

That script, when executed, generates a GRUB executable image file stored at /tmp/image.

Finally, you need to overwrite your existing grubx64.efi file. Run something similar to:

cp /tmp/image /efi/EFI/Luks2Testing/grubx64.efi

Reboot, and enjoy automated unlocking of your LUKS2 encrypted /boot, / and swap!

air-g4p commented on 2020-08-30 09:52 (UTC) (edited on 2021-05-04 07:45 (UTC) by air-g4p)

FINALLY! The correct procedure to unlock a LUKS2 encrypted /boot:

I have been working with the fine folks on the grub-devel mailing list. Following MANY hours of testing, I have identified a process to successfully unlock a LUKS2 encrypted /boot.

This process still requires manual intervention following reboot, but the important part is that IT WORKS!

Carefully note: I originally encrypted my partition with: cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random --type luks1 luksFormat /dev/sdXZ

You may have run cryptsetup luksFormat with different options - and how you set up encryption will become important in the grub-install (Step 5, below). Adapt to your requirements.

Then I set up two LVs: swap (512M) and / (remaining partition space). That encrypted swap LV is assigned as dm-1 and encrypted / is assigned as dm-2. I happen to run dm-2 with BTRFS, but any sane filesystem should also work.

GRUB has always booted my LUKS1 encrypted: /boot, / and swap system without issue.

The process I used to successfully unlock my LUKS2 encrypted /boot:

  1. UEFI boot from any reasonably recent arch iso, and run: cryptsetup convert --type luks2 /dev/sdXZ. That command will succeed, and luksDump will show PBKDF: pbkdf2 for both Keyslot 0 and 1.

  2. Run cryptsetup open /dev/sdXY <something>

  3. Mount everything and arch-chroot into /

  4. Run mkinitcpio -P linux

  5. Run grub-install --target=x86_64-efi --efi-directory=/efi --modules="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512" --bootloader-id=<some-id>. That installation command completes without error, ASSUMING you are actually running grub-git! If you are running Arch GRUB (version 2.04) from the mainline repos, you WILL GET a luks2.mod not found error! Also note my use of gcry_sha512 given my cryptsetup luksFormat options, shown above.

  6. Run grub-mkconfig -o /boot/grub/grub.cfg

  7. Exit, umount and reboot.

  8. Immediately following power on: you are greeted by the dreaded: error: disk 'lvmid/some-lengthy-UUID' not found. Entering rescue mode. That lengthy UUID is the exact UUID of my dm-2 which is my encrypted / LV.

  9. At the grub rescue> prompt: type ls. There I see (proc) (hd0) and (hd0,gpt1)...(hd0,gpt7) where gpt7 is my last partition and where my encrypted / and /boot reside.

  10. Still at grub rescue> type: cryptomount (hd0,gpt7) which then requires my passphrase. After CORRECT passphrase entry, and hitting Enter: You should see 'Slot 0 opened' and then you are immediately returned to the grub rescue> prompt.

  11. From grub rescue> type: ls. Unlike before, you will now see something similar to: (proc) (hd0) and (hd0,gpt1)...(hd0,gpt7) where gpt7 is my last partition and where my encrypted / resides. ADDITIONALLY, you should now also see your LVs similar to: (lvm/ArchSSD-root) and (lvm/ArchSSD-swap) depending upon your local LV naming convention decisions. This is important PROGRESS as it demonstrates that GRUB has successfully decrypted your LUKS2 encrypted /boot using your LUKS2 key from Keyslot 1!!!

  12. From grub rescue> type: insmod normal

  13. From grub rescue> type: normal

That should launch your typical/welcome Arch Linux and Advanced options for Arch Linux screen as controlled by /etc/default/grub and by X.

After you select the kernel to boot, GRUB hands over control to your initramfs and the corresponding kernel which uses your LUKS2 key from Keyslot 0 to decrypt your encrypted swap (dm-1) and your encrypted / (dm-2).

My launcher (with multiple Arch kernels, and several multi-booting OSes) works perfectly... hope yours does also!

Cheers!
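Scripting the luksDump keyslot inspection from yangsheng6810's comment and the module choice air-g4p describes in step 5, as an added example that is not from the package or any commenter; it assumes only awk and the luksDump layout shown in the constructed sample, and the module names it emits are the ones already used on this page:

```shell
#!/bin/sh
# Added example (not the package's or any commenter's code): does a LUKS2 header
# have a pbkdf2 keyslot GRUB can use?  Constructed sample: slot 0 argon2id, slot 1 pbkdf2.
SAMPLE_DUMP='LUKS header information
UUID:           11111111-2222-3333-4444-555555555555
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        PBKDF:      argon2id
  1: luks2
        PBKDF:      pbkdf2
        Hash:       sha512
Digests:
  0: pbkdf2
        Hash:       sha512'

# Read a luksDump on stdin; print "slot pbkdf hash" per keyslot ("-" when the
# slot has no PBKDF hash field, as argon2 slots do not).  Parsing stops at the
# next section so the Digests "Hash:" line is not taken for a keyslot field.
luks2_keyslots() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }
        in_slots && /^ *[0-9]+: luks2/ {
            if (slot != "") print slot, pbkdf, hash
            slot = $1; sub(":", "", slot); pbkdf = "?"; hash = "-"; next
        }
        in_slots && $1 == "PBKDF:" { pbkdf = $2 }
        in_slots && $1 == "Hash:"  { hash = $2 }
        END { if (slot != "") print slot, pbkdf, hash }
    '
}

# Take the dump as $1; print the grub-install --modules list (cipher module from
# the data segment, hash module from the first pbkdf2 slot, as air-g4p notes for
# gcry_sha512) and return 0, or return 1 when no pbkdf2 slot exists at all.
grub_luks2_modules() {
    cipher=$(printf '%s\n' "$1" | awk '$1 == "cipher:" { split($2, c, "-"); print c[1]; exit }')
    hash=$(printf '%s\n' "$1" | luks2_keyslots | awk '$2 == "pbkdf2" { print $3; exit }')
    [ -n "$hash" ] || return 1
    case $cipher in
        aes)             cmod=gcry_rijndael ;;
        serpent|twofish) cmod="gcry_$cipher" ;;
        *)               return 2 ;;   # cipher without a GRUB module known here
    esac
    printf 'luks2 part_gpt cryptodisk %s pbkdf2 gcry_%s\n' "$cmod" "$hash"
}
```

Against a real header, run it as grub_luks2_modules "$(sudo cryptsetup luksDump /dev/sdXZ)" before touching the bootloader; a non-zero exit means GRUB would not be able to unlock that device.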

trialuser commented on 2020-07-10 04:52 (UTC) (edited on 2020-07-10 05:09 (UTC) by trialuser)

I have not gotten this to work with luks2, however once in grub rescue you might try:

set debug=all

ls #find your hd and partition

cryptomount hd0,gpt2

I've noticed that using sha256 as the hash results in a "failed to parse digest" error; switching to sha1 results in an "invalid passphrase" error. Hope this helps... if you make a working setup please post here...

DDoSolitary commented on 2020-07-09 14:04 (UTC)

I'm having the same problem as @air-g4p