Package Details: grub-git 2.06.r297.g0c6c1aff2-1

Git Clone URL: https://aur.archlinux.org/grub-git.git
Package Base: grub-git
Description: GNU GRand Unified Bootloader (2)
Upstream URL: https://www.gnu.org/software/grub/
Licenses: GPL3
Conflicts: grub
Provides: grub
Submitter: ridikulusrat
Maintainer: WoefulDerelict
Last Packager: WoefulDerelict
Votes: 16
Popularity: 0.001058
First Submitted: 2013-10-22 18:55 (UTC)
Last Updated: 2022-08-18 21:26 (UTC)

Dependencies (20)

Required by (151)

Sources (7)

Latest Comments


air-g4p commented on 2021-04-19 15:09 (UTC) (edited on 2021-04-19 20:18 (UTC) by air-g4p)

@rushaur: I am not sure, because I have not tested grub-install under grub 2.06 without adding the modules.

You are correct that 2.06 does not yet support Argon2. In fact, a grub developer told me, today, he is actively working on this problem, but that Argon2 support will not become available until a subsequent version is released.

I do KNOW the modules="...." were required under grub-git - and the cryptographic modules I listed (specific for my system) were very likely also required for successful grub 2.06 installation, thereby enabling support for grub's subsequent encrypted LUKS2 /boot (Keyslot 1) unlocking.

As you may know, once grub unlocks Keyslot 1 (encrypted /boot), initramfs and the kernel then unlock Keyslot 0 (your LUKS2 encrypted / and any underlying LVs).

If you want to answer your own query, please have a go and document your results for the benefit of others.

Cheers

rushaur commented on 2021-04-19 12:00 (UTC)

@air-g4p: With grub 2.06, is it really required to include/specify the modules to unlock a LUKS2 container? If grub 2.06 "supports" LUKS2, doesn't this "support" include auto detection of the modules? I thought the only thing that is not yet supported is argon2. I might be confusing something :-)

air-g4p commented on 2021-04-17 17:40 (UTC) (edited on 2021-04-19 09:59 (UTC) by air-g4p)

As a heads up to all who are interested in native grub LUKS2 automated encrypted /boot, /, and swap unlocking:

grub 2:2.06rc1-1 - is now available from the Arch TESTING repo - and 2.06 DOES support native LUKS2 unlocking. I know that because I am using it to boot from both my LUKS2 laptops.

If that is the package you want, this is the correct upgrade process:

A. Replace grub-git with grub (2.06). This will overwrite your existing /etc/default/grub, so you might want to make a backup, first.

B. Reinstall grub, depending on your cryptsetup options and / filesystem choice, with something like:

grub-install --target=x86_64-efi --efi-directory=/efi --modules="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512 btrfs" --bootloader-id=<some-ID>

C. For those desiring to automate their LUKS2 GRUB encrypted /boot unlocking process, Patrick Steinhardt (of grub-dev) was kind enough to develop and share with me a generic grub-mkimage unlocking script, which obviously needs to be modified in accordance with the specifics of your system.

The following script includes the modifications I made to unlock my system with grub 2.06, while remaining consistent with my prior system setup comments, which are now a few pages back within these grub-git comments.

#!/bin/bash

CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<EOF
cryptomount -u XYZ

#(Where XYZ=the UUID of your Arch encrypted / partition, in my case:  /dev/nvmen0n1p21).#  

#Also note, unlike the previous iteration of grub-git, this UUID string must NOT contain ANY hyphens ('-')!!#

set prefix=(lvm/ArchNVMe-root)/boot/grub
set root=lvm/ArchNVMe-root

insmod normal
normal
EOF

grub-mkimage \
    -p '(lvm/ArchNVMe-root)/boot/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 lvm btrfs part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512

rm "$CONFIG"

D. Save your correctly modified script to a file. I call mine luks2.sh.

E. Run:

./luks2.sh

F. Ensure your /etc/default/grub is correct.

G. We need to overwrite our existing grubx64.efi payload with the image created by our luks2.sh script. Run something like:

cp /tmp/image /efi/EFI/<your bootloader-id>/grubx64.efi

H. Generate and write your final grub configuration with:

grub-mkconfig -o /boot/grub/grub.cfg

I. Finally, run:

reboot

Cheers, and enjoy native grub LUKS2 automated encrypted /boot, /, and swap unlocking!!!

Dylan14 commented on 2021-03-14 05:08 (UTC) (edited on 2021-03-14 06:14 (UTC) by Dylan14)

The section of util/grub-mkconfig.in that the add-GRUB_COLOR_variables.patch references has shifted up a few lines in recent commits. It now starts at line 214 instead of 218. This is causing the build to fail.

Edit: Fixed patch here: https://github.com/Dylan1496/aur-pkgbuilds/blob/master/add-GRUB_COLOR_variables.patch Note, it appears by default os-prober is disabled. Another patch will probably be needed to fix that.

tables commented on 2021-02-13 04:26 (UTC)

For the other space cadets out there...

cryptomount will only detect your luks2 partition UUID if there are no dashes in the identifier; otherwise you will be greeted with "no such cryptodisk found".

Thanks for making this accessible everybody.

archabuser commented on 2021-01-31 16:55 (UTC) (edited on 2021-01-31 17:05 (UTC) by archabuser)

@ceri This is due to grub-install not correctly configuring your grub EFI-Image. It seems to be one of the limitations of upstream LUKS2 support. I ran into the same issue and then followed air-g4p's comment to add the right early config. I created a file /boot/grub/init.cfg with the following contents:

cryptomount -u <uuid-of-luks2-partition>
set root='lvmid/<vg-uuid>/<lv-uuid>'
set prefix=($root)/grub

insmod normal
normal

Where <vg-uuid> and <lv-uuid> point to the LVM volume that contains your /boot directory (use vgdisplay and lvdisplay for lookup). Then I ran grub-mkimage with all the required modules and added the config with -c /boot/grub/init.cfg.

ceri commented on 2021-01-18 14:53 (UTC) (edited on 2021-01-18 14:53 (UTC) by ceri)

I'm using luks2 with pbkdf2 keys for encrypted /boot and I'm having difficulty with the grub EFI.

It complains/lies "no such cryptodisk found" with the UUID of my boot partition. If I manually unlock it, it shows the same UUID (with hyphens), and the main grub loader starts:

cryptomount (hd2,gpt2)

insmod normal

normal

This is the command I'm using to build my EFI stub:

sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub_new --recheck

Any ideas?

praise_x commented on 2020-11-27 17:20 (UTC) (edited on 2020-11-30 15:29 (UTC) by praise_x)

Here is my patch to use 4096-byte sectors with LUKS2

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 473c93976..4016ed7ba 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -237,6 +237,8 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
     return (do_encrypt ? grub_crypto_ecb_encrypt (dev->cipher, data, data, len)
        : grub_crypto_ecb_decrypt (dev->cipher, data, data, len));

+  sector <<= (dev->log_sector_size - 9);
+
   for (i = 0; i < len; i += (1U << dev->log_sector_size))
     {
       grub_size_t sz = ((dev->cipher->cipher->blocksize
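Review bot: `sector <<= (dev->log_sector_size - 9);` is undefined behaviour if `dev->log_sector_size` is ever below 9, and the literal 9 is the 512-byte sector shift that already has a name in GRUB, `GRUB_DISK_SECTOR_BITS`. Either guard the subtraction or add a comment stating that cryptodisk never creates devices with smaller sectors, and say in that comment that the IV sector index is being rescaled to 512-byte units while the loop still advances `i` by a whole `1U << dev->log_sector_size` bytes, because nothing in the hunk explains why the rescale is needed.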
@@ -391,7 +393,7 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
    default:
      return GPG_ERR_NOT_IMPLEMENTED;
    }
-      sector++;
+      sector += 1 << (dev->log_sector_size - 9);
     }
   return GPG_ERR_NO_ERROR;
 }
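Review bot: `sector += 1 << (dev->log_sector_size - 9);` repeats the magic 9 and the step already implied by the first hunk; compute the step once before the loop (for example `grub_disk_addr_t step = (grub_disk_addr_t) 1 << (dev->log_sector_size - GRUB_DISK_SECTOR_BITS);`) and use `sector += step;` here so the two places cannot drift apart, and so the shift is done in the 64-bit type of `sector` rather than in `int`.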
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index d96764a02..8ec4ed9f5 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -498,7 +498,10 @@ luks2_decrypt_key (grub_uint8_t *out_key,
       goto err;
     }

+  int original_log_sector_size = crypt->log_sector_size;
+  crypt->log_sector_size = 9;
   gcry_ret = grub_cryptodisk_decrypt (crypt, split_key, k->area.size, 0);
+  crypt->log_sector_size = original_log_sector_size;
   if (gcry_ret)
     {
       ret = grub_crypto_gcry_error (gcry_ret);
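Review bot: temporarily rewriting `crypt->log_sector_size` to 9 around `grub_cryptodisk_decrypt` passes a parameter by mutating shared state; the restore is unconditional so the `if (gcry_ret)` error path is covered, but the declaration `int original_log_sector_size` sits after executable statements, which GRUB's C style avoids (move it to the top of the block), and a comment should state why 9 is forced here (the keyslot area is decrypted with 512-byte sectors regardless of the data segment's sector size), since that reason is the whole point of the hunk and is invisible from the code.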

rushaur commented on 2020-10-07 11:19 (UTC) (edited on 2020-10-07 11:39 (UTC) by rushaur)

I finally could boot from a LUKS2 encrypted root (not converted). If someone is interested, here are the steps, with help from @air-g4p's comments. By the way, thank you!

1- As usual, partition/format the disk. I had only two partitions:
sda1 ------> /boot/efi
sda2 ------> /

2- Encryption:

modprobe dm-crypt
cryptsetup -y --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --pbkdf pbkdf2 --type luks2 luksFormat /dev/sda2
__mapper__=/dev/mapper/luks-"$(cryptsetup luksUUID /dev/sda2)"

AFAIK --allow-discards --persistent are LUKS2 only:

cryptsetup --allow-discards --persistent open /dev/sda2 luks-"$(cryptsetup luksUUID /dev/sda2)"

3- Make the filesystem and mount it to /mnt:

mkfs.btrfs "${__mapper__}"
mount -o noatime,compress=zstd,ssd,space_cache=v2 "${__mapper__}" /mnt

Steps to create/mount subvolumes skipped here to keep things short

mkfs.fat -F 32 /dev/sda1
mount /dev/sda1 /mnt/boot/efi

4- Install the new system: the usual pacstrap /mnt pkg1 pkg2 pkgn...

pacman -r /mnt -U /path/to/grub-git.pkg.tar.zst

5- Tweaks: Replace xxxxx with the UUID of your root. You can get it by running:

cryptsetup luksUUID /dev/YOUR_ROOT_PARTITION

Edit (/mnt)/etc/default/grub to reflect this:

GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxx-xxxxxx-xxxxx-xxxx:mapper-name"
GRUB_ENABLE_CRYPTODISK=y

If you plan to unlock with a keyfile, luksAddKey accepts --pbkdf pbkdf2 cmdline parameter

For later reuse, let's make the script provided by @air-g4p locally available, modified for my own use case. Because I had created a subvolume @grub to be later mounted at /boot/grub, you will see the @grub notation:

cat <<'__END_SCRIPT__' >/usr/local/bin/grub-mkluks2-image
#!/bin/bash
set -e
read -rp "Enter the partition containing /, without '/dev/': " __ROOT__
cr_root_uuid="$(cryptsetup luksUUID /dev/${__ROOT__})"
CONFIG=$(mktemp /tmp/grub-config.XXXXX)
cat >"$CONFIG" <<EOF
cryptomount -u ${cr_root_uuid//-/}

set prefix='(crypto0)/@grub'
set root='(crypto0)'

insmod normal
normal
EOF

grub-mkimage \
    -p '(crypto0)/@grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /boot/efi/EFI/archlinux/grubx64.efi \
    luks2 btrfs part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512

rm "$CONFIG"
__END_SCRIPT__

chmod 755 /usr/local/bin/grub-mkluks2-image

It might be useless; but at least it will create the directory structure :)

grub-install --target=x86_64-efi --modules="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512" --efi-directory=/boot/efi --bootloader-id="archlinux" --recheck

Create the "new" bootloader which will include the modules/instructions needed to unlock our luks2 container:

grub-mkluks2-image

If all goes well, you will be hopefully greeted by grub asking for enc. passphrase :)

yangsheng6810 commented on 2020-10-02 00:15 (UTC)

In case someone like me does not know how to modify an existing LUKS2 partition with argon2 keys to make it work, here is how I did it. You may need to remove every argon2 key to make GRUB unlocking work. (For me, those argon2 keys that use a keyfile instead of a passphrase can be kept.)

# my encrypted device is /dev/nvme0n1p3, replace with your own device
DEVICE='/dev/nvme0n1p3'
# show current LUKS header, and observe which are existing key slots
sudo cryptsetup luksDump "$DEVICE"
# add a key using pbkdf2
sudo cryptsetup luksAddKey --pbkdf pbkdf2 "$DEVICE"
# remove old keys that use argon2/argon2i, replace the 0 with your key slot
sudo cryptsetup luksKillSlot "$DEVICE" 0
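As an added pre-flight check that is not from any of the commenters above: the script below parses `cryptsetup luksDump` output (a constructed sample header is embedded) and reports the three things this thread keeps tripping over before an unlock image is built, namely the UUID in the hyphen-free form `cryptomount -u` needs (the point made by tables, air-g4p and rushaur), key slots still using argon2 (yangsheng6810's migration step), and a data segment sector size other than 512 bytes, which stock 2.06 does not handle. The function names and the sample header are assumptions.

```shell
#!/bin/sh
# Added example, not from any commenter here: check a LUKS2 header before
# building a GRUB 2.06 unlock image. It reads `cryptsetup luksDump` text and
# reports the hyphen-free UUID for `cryptomount -u`, key slots using argon2*
# (GRUB 2.06 cannot open them) and the data sector size (2.06 expects 512).
# SAMPLE_DUMP is a constructed header; feed real luksDump output instead.
SAMPLE_DUMP='LUKS header information
UUID:          	3e7c1f4a-9b2d-4c61-8e5f-0a1b2c3d4e5f
Data segments:
  0: crypt
	cipher: aes-xts-plain64
	sector: 4096 [bytes]
Keyslots:
  0: luks2
	PBKDF:      argon2id
  1: luks2
	PBKDF:      pbkdf2
	Hash:       sha512
  2: luks2
	PBKDF:      argon2i'

# UUID as cryptomount -u wants it: hex digits only, no hyphens.
cryptomount_uuid() {
  printf '%s\n' "$1" | awk -F: '/^UUID:/ { gsub(/[^0-9a-fA-F]/, "", $2); print $2 }'
}

# Key slot numbers whose PBKDF is argon2i/argon2id, space separated.
argon2_slots() {
  printf '%s\n' "$1" | awk '
    /^Keyslots:/ { in_ks = 1; next }
    in_ks && /^  [0-9]+: luks2/ { slot = $1; sub(/:/, "", slot) }
    in_ks && /PBKDF:.*argon2/ { out = out (length(out) ? " " : "") slot }
    END { print out }'
}

# Sector size (bytes) of the first data segment.
data_sector_size() {
  printf '%s\n' "$1" | awk '/^Data segments:/ { in_ds = 1 } in_ds && /sector:/ { print $2; exit }'
}

# Prints the cryptomount line plus warnings; exit status 0 only when the
# header can be opened by stock GRUB 2.06 as this thread describes.
precheck() {
  uuid=$(cryptomount_uuid "$1"); bad=$(argon2_slots "$1"); ss=$(data_sector_size "$1")
  echo "cryptomount -u $uuid"
  [ -n "$bad" ] && echo "WARN: argon2 key slots $bad: GRUB 2.06 cannot unlock them"
  [ "$ss" != 512 ] && echo "WARN: data sector size $ss bytes; stock GRUB 2.06 expects 512"
  [ -z "$bad" ] && [ "$ss" = 512 ]
}
```

Run `precheck "$(sudo cryptsetup luksDump /dev/sdXn)"` on the real device; a non-zero exit means either `luksAddKey --pbkdf pbkdf2` / `luksKillSlot` work or a 512-byte-sector reformat is still needed.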