Package Details: grub-git 2.12.rc1.r106.g7c8ae7dcb-1
| Git Clone URL: | https://aur.archlinux.org/grub-git.git |
|---|---|
| Package Base: | grub-git |
| Description: | GNU GRand Unified Bootloader (2) |
| Upstream URL: | https://www.gnu.org/software/grub/ |
| Licenses: | GPL3 |
| Conflicts: | grub |
| Provides: | grub |
| Submitter: | ka2107 |
| Maintainer: | WoefulDerelict |
| Last Packager: | WoefulDerelict |
| Votes: | 17 |
| Popularity: | 0.000044 |
| First Submitted: | 2013-10-22 18:55 (UTC) |
| Last Updated: | 2023-12-18 22:58 (UTC) |
Dependencies (21)
- device-mapper (device-mapper-git [AUR])
- freetype2 (freetype2-qdoled [AUR], freetype2-macos [AUR], freetype2-git [AUR])
- fuse3 (fuse3-git [AUR])
- gettext (gettext-git [AUR])
- sdl [AUR] (sdl-openglhq [AUR], sdl-nokbgrab [AUR], sdl-openglhq-nokbgrab [AUR], sdl-git [AUR], sdl12-compat-git [AUR], sdl12-compat)
- autogen (make)
- bdf-unifont [AUR] (make)
- git (git-git [AUR], git-gl [AUR]) (make)
- help2man (help2man-git [AUR], python-help2man [AUR]) (make)
- libusb (libusb-git [AUR]) (make)
- python (python37 [AUR], python311 [AUR], python310 [AUR]) (make)
- rsync (rsync-git [AUR], rsync-reflink [AUR], rsync-reflink-git [AUR]) (make)
- texinfo (texinfo-git [AUR]) (make)
- ttf-dejavu (ttf-dejavu-ib [AUR], ttf-dejavu-emojiless [AUR]) (make)
- dosfstools (dosfstools-git [AUR]) (optional) – For grub-mkrescue FAT FS and EFI support
- efibootmgr (efibootmgr-git [AUR]) (optional) – For grub-install EFI support
- libisoburn (libisoburn-git [AUR]) (optional) – Provides xorriso for generating grub rescue iso using grub-mkrescue
- libusb (libusb-git [AUR]) (optional) – For grub-emu USB support
- lzop (optional) – For grub-mkrescue LZO support
- mtools (mtools-svn [AUR]) (optional) – For grub-mkrescue FAT FS support
- os-prober (os-prober-git [AUR], os-prober-btrfs [AUR]) (optional) – To detect other OSes when generating grub.cfg in BIOS systems
Required by (315)
- apple_set_os (requires grub) (optional)
- arch-grub2-theme (requires grub)
- arch-matrix-grub-theme-git (requires grub)
- archiso-git (requires grub) (optional)
- archiso-grub-themes (requires grub)
- archuseriso (requires grub)
- bieaz (requires grub)
- bieaz-git (requires grub)
- boo-grub-git (requires grub)
- booty-git (requires grub)
- cryptboot (requires grub)
- cyberpunk-grub-theme-git (requires grub)
- dedsec-grub2-theme (requires grub)
- diabos-base (requires grub)
- distro-grub-themes-arch (requires grub)
- distro-grub-themes-endeavouros (requires grub)
- distro-grub-themes-meta (requires grub)
- dracula-grub-theme-git (requires grub)
- endeavouros-galleon-grub (requires grub)
- graphite-grub-theme-default-1080p (requires grub)
Latest Comments
rushaur commented on 2020-10-07 11:19 (UTC) (edited on 2020-10-07 11:39 (UTC) by rushaur)
I finally could boot from a LUKS2 encrypted root (not converted). If someone is interested, here are the steps, with help from @air-g4p's comments. By the way, thank you!
1- As usual, partition/format the disk. I had only two partitions:
sda1 ------> /boot/efi
sda2 ------> /
2- Encryption:
AFAIK --allow-discards --persistent are LUKS2 only:
3- Make the filesystem and mount it to /mnt:
Steps to create/mount subvolumes skipped here to keep things short
4- Install the new system: the usual pacstrap /mnt pkg1 pkg2 pkgn...
5- Tweaks: Replace xxxxx with the uuid of your root: You can get it by running:
Edit (/mnt)/etc/default/grub to reflect this:
If you plan to unlock with a keyfile, luksAddKey accepts --pbkdf pbkdf2 cmdline parameter
For later reuse, let's make the script provided by @air-g4p locally available. Modified for own use case. Because I had created a subvolume @grub to be later mounted at /boot/grub; you will see the @grub notation:
It might be useless; but at least it will create the directory structure :)
Create the "new" bootloader which will include the modules/instructions needed to unlock our luks2 container:
If all goes well, you will be hopefully greeted by grub asking for enc. passphrase :)
yangsheng6810 commented on 2020-10-02 00:15 (UTC)
In case someone, like me, does not know how to modify an existing LUKS2 partition with argon2 keys to make it work, here is how I did it. You may need to remove every argon2 key to make GRUB unlocking work. (For me, those argon2 keys that use a keyfile instead of a passphrase can be kept)
air-g4p commented on 2020-09-29 07:53 (UTC) (edited on 2020-09-29 08:20 (UTC) by air-g4p)
@drgr33n - Noted, however, if you parse through the grub-devel archives you will see there are numerous argon2 threads.
https://lists.gnu.org/archive/html/grub-devel/2020-03/msg00106.html is but one example.
From what I can discern, the devs believe that future support for argon2 will not be all that difficult to incorporate. That being said, it appears that the window for including argon2 support in 2.06 has already closed. So, we'll just have to be patient and continue our LUKS2 grub /boot unlocking with pbkdf2 until then.
Personally, I remain thankful that we now have a documented, working LUKS2 grub /boot unlocking procedure well ahead of schedule! I boot from LUKS2 /boot on both of my laptops without issue.
Cheers
drgr33n commented on 2020-09-25 22:39 (UTC)
luks2 works fine as long as you use pbkdf2. I have just set it up on my new laptop and it works great. Pity about the argon2 support though. Hopefully that will come soon enough.
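
Added example (not part of any comment above and not the grub-git project's code): a check for the constraint these comments describe, that GRUB unlocks LUKS2 only through pbkdf2 keyslots. It reads the LUKS2 JSON metadata as printed by `cryptsetup luksDump --dump-json-metadata`; the function name, the hash-to-module table and the sample header are assumptions made for illustration.

```python
import json

# GRUB modules for the hashes handled here (gcry_sha512 and gcry_rijndael
# are the ones used in the grub-install line quoted on this page).
HASH_MODULES = {"sha1": "gcry_sha1", "sha256": "gcry_sha256", "sha512": "gcry_sha512"}
BASE_MODULES = {"luks2", "cryptodisk", "pbkdf2"}


def audit_luks2_header(metadata_json):
    """Split keyslots into pbkdf2 ones and others; list modules to embed."""
    meta = json.loads(metadata_json)
    usable, blocked, hashes = [], [], set()
    for slot, ks in meta.get("keyslots", {}).items():
        kdf = ks.get("kdf", {})
        if kdf.get("type") == "pbkdf2":
            usable.append(int(slot))
            hashes.add(kdf.get("hash"))
        else:
            blocked.append((int(slot), kdf.get("type")))
    # The volume-key digest is a PBKDF2 digest with its own hash.
    hashes.update(d.get("hash") for d in meta.get("digests", {}).values())
    hashes.discard(None)
    modules = set(BASE_MODULES)
    modules.update(HASH_MODULES.get(h, "unmapped-hash:%s" % h) for h in hashes)
    if any(s.get("encryption", "").startswith("aes")
           for s in meta.get("segments", {}).values()):
        modules.add("gcry_rijndael")
    return {"usable": sorted(usable), "blocked": sorted(blocked),
            "modules": sorted(modules)}


# Constructed sample: a trimmed LUKS2 JSON area with one argon2id slot and
# one pbkdf2 slot (salts, key areas and sizes omitted).
SAMPLE = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "kdf": {"type": "argon2id", "time": 4,
                                       "memory": 1048576, "cpus": 4}},
        "1": {"type": "luks2", "kdf": {"type": "pbkdf2", "hash": "sha512",
                                       "iterations": 1000000}},
    },
    "digests": {"0": {"type": "pbkdf2", "keyslots": ["0", "1"],
                      "hash": "sha256", "iterations": 100000}},
    "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}},
})

if __name__ == "__main__":
    report = audit_luks2_header(SAMPLE)
    print("pbkdf2 keyslots:", report["usable"])
    print("non-pbkdf2 keyslots:", report["blocked"])
    print("modules to embed:", " ".join(report["modules"]))
```

The partition-table module (`part_gpt` in the command on this page) depends on the disk layout, not on the LUKS2 header, so it is not derived here.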
air-g4p commented on 2020-09-03 22:48 (UTC) (edited on 2021-04-17 18:02 (UTC) by air-g4p)
If anyone desires to automate their LUKS2 GRUB encrypted /boot unlocking process, Patrick Steinhardt (of grub-dev) was kind enough to develop and share with me a generic `grub-mkimage` unlocking script, which obviously needs to be modified in accordance with the specifics of your system.

The following script includes the modifications I made to unlock my system, remaining consistent with my prior system setup comments.
That script when executed, generates a GRUB executable image file stored at: /tmp/image.
Finally, you need to overwrite your existing grubx64.efi file. Run something similar to:
cp /tmp/image /efi/EFI/Luks2Testing/grubx64.efi
Reboot, and enjoy automated unlocking of your LUKS2 encrypted /boot, / and swap!
air-g4p commented on 2020-08-30 09:52 (UTC) (edited on 2021-05-04 07:45 (UTC) by air-g4p)
FINALLY! The correct procedure to unlock a LUKS2 encrypted /boot:
I have been working with the fine folks on the grub-devel mailing list. Following MANY hours of testing, I have identified a process to successfully unlock a LUKS2 encrypted /boot.
This process still requires manual intervention following reboot, but the important part is that IT WORKS!
Carefully Note: I originally encrypted my partition with:
cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random --type luks1 luksFormat /dev/sdXZ
You may have run cryptsetup luksFormat with different options - and how you set up encryption will become important in the `grub-install` (Step 5, below). Adapt to your requirements.

Then I set up two LVs: swap (512M) and / (remaining partition space). That encrypted swap LV is assigned as `dm-1` and encrypted / is assigned as `dm-2`. I happen to run `dm-2` with BTRFS, but any sane filesystem should also work.

GRUB has always booted my LUKS1 encrypted: /boot, / and swap system without issue.
The process I used to successfully unlock my LUKS2 encrypted /boot:
1. UEFI boot from any reasonably recent arch iso, and run: `cryptsetup convert --type luks2 /dev/sdXZ`. That command will succeed, and `luksDump` will show PBKDF: pbkdf2 for both Keyslot 0 and 1.
2. Run `cryptsetup open /dev/sdXY <something>`
3. Mount everything and `arch-chroot` into /
4. Run `mkinitcpio -P linux`
5. Run `grub-install --target=x86_64-efi --efi-directory=/efi --modules="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512" --bootloader-id=<some-id>`. That installation command completes without error, ASSUMING you are actually running grub-git! If you are running Arch GRUB (version 2.04) from the mainline repos, you WILL GET a `luks2.mod` not found error! Also note my use of `gcry_sha512` given my cryptsetup luksFormat options, shown above.
6. Run `grub-mkconfig -o /boot/grub/grub.cfg`
7. Exit, umount and reboot.
8. Immediately following power on: you are greeted by the dreaded: error: disk 'lvmid/some-lengthy-UUID' not found. Entering rescue mode. That lengthy UUID is the exact UUID of my `dm-2` which is my encrypted / LV.
9. At the `grub rescue>` prompt: type `ls`. There I see (proc) (hd0) and (hd0,gpt1)...(hd0,gpt7) where gpt7 is my last partition and where my encrypted / and /boot reside.
10. Still at `grub rescue>` type: `cryptomount (hd0,gpt7)` which then requires my passphrase. After CORRECT passphrase entry, and hitting Enter: You should see 'Slot 0 opened' and then you are immediately returned to the `grub rescue>` prompt.
11. From `grub rescue>` type: `ls`. Unlike before, you will now see something similar to: (proc) (hd0) and (hd0,gpt1)...(hd0,gpt7) where gpt7 is my last partition and where my encrypted / resides. ADDITIONALLY, you should now also see your LVs similar to: (/lvm/ArchSDD-root) and (lvm/ArchSSD-swap) depending upon your local LV naming convention decisions. This is important PROGRESS as it demonstrates that GRUB has successfully decrypted your LUKS2 encrypted /boot using your LUKS2 key from Keyslot 1!!!
12. From `grub rescue>` type: `insmod normal`
13. From `grub rescue>` type: `normal`
That should launch your typical/welcome Arch Linux and Advanced options for Arch Linux screen as controlled by /etc/default/grub and by X.
After you select the kernel to boot, GRUB hands over control to your initramfs and the corresponding kernel which uses your LUKS2 key from Keyslot 0 to decrypt your encrypted swap (`dm-1`) and your encrypted / (`dm-2`).

My launcher (with multiple Arch kernels, and several multi-booting OSes) works perfectly...hope yours does also!
Cheers!
trialuser commented on 2020-07-10 04:52 (UTC) (edited on 2020-07-10 05:09 (UTC) by trialuser)
I have not gotten this to work with luks2, however once in grub rescue you might try:
set debug=all
ls #find your hd and partition
cryptomount hd0,gpt2
I've noticed that using sha256 as the hash results in a failed to parse digest error, switching to sha1 results in an invalid passphrase error. Hope this helps... if you make a working setup please post here...
DDoSolitary commented on 2020-07-09 14:04 (UTC)
I'm having the same problem as @air-g4p