Package Details: grub-improved-luks2-git 2.06.r456.g65bc45963-1

Git Clone URL: https://aur.archlinux.org/grub-improved-luks2-git.git (read-only, click to copy)
Package Base: grub-improved-luks2-git
Description: GNU GRand Unified Bootloader (2) with Argon2 and better LUKS2 support
Upstream URL: https://www.gnu.org/software/grub/
Licenses: GPL3, CC0
Conflicts: grub
Provides: grub
Submitter: Ax333l
Maintainer: Ax333l
Last Packager: Ax333l
Votes: 8
Popularity: 1.39
First Submitted: 2022-01-02 14:06 (UTC)
Last Updated: 2023-02-05 00:03 (UTC)


Pinned Comments

Ax333l commented on 2022-02-17 18:58 (UTC) (edited on 2022-03-27 07:31 (UTC) by Ax333l)

I have disabled translations because they have been the cause of build failures in both this package and grub-git. If you want to re-enable them, check the PKGBUILD.

Also, make sure you have installed base-devel.

Latest Comments


Ax333l commented on 2023-02-05 00:05 (UTC)

Finally got time to update it. The patches are now much less likely to break in the future, so I have unpinned it.

randomxusr commented on 2023-01-03 11:30 (UTC)

Any chance this could go to the main repos? It's quite useful.

Menelkir commented on 2022-11-28 22:53 (UTC)

Hi. This isn't exactly a bug or something that compromises usability, but the license array shouldn't use commas (they also make expac report a wrong license). It should look like this: license=('GPL3' 'CC0')

Ax333l commented on 2022-11-27 12:33 (UTC)

Thank you for notifying me. I will see how much needs to be done to update it, but I am not sure if I have time to do so this week. It depends on how much I need to change the patch.

mca2 commented on 2022-11-26 00:03 (UTC) (edited on 2022-11-26 00:15 (UTC) by mca2)

The build fails with the upstream commit that the grub package in the core repository is currently based on (1514678888595ef41a968a0c69b7ff769edd1e9c). Two hunks in grub-install_luks2.patch fail because there have been small modifications in grub-core/disk/luks2.c upstream (see below).

Rejected hunks:

--- grub-core/disk/luks2.c
+++ grub-core/disk/luks2.c
@@ -353,8 +353,16 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
 {
   grub_cryptodisk_t cryptodisk;
   grub_luks2_header_t header;
+  grub_luks2_keyslot_t keyslot;
+  grub_luks2_digest_t digest;
+  grub_luks2_segment_t segment;
+  char cipher[32], *json_header = NULL, *ptr;
+  grub_size_t candidate_key_len = 0, json_idx, size;
   char uuid[sizeof (header.uuid) + 1];
   grub_size_t i, j;
+  grub_err_t ret;
+  gcry_md_spec_t *hash = NULL;
+  grub_json_t *json = NULL, keyslots;

   if (cargs->check_boot)
     return NULL;
@@ -545,15 +722,39 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
       return NULL;
     }

-  cryptodisk = grub_zalloc (sizeof (*cryptodisk));
-  if (!cryptodisk)
-    return NULL;
-
   COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (uuid));
   grub_memcpy (cryptodisk->uuid, uuid, sizeof (uuid));

+  hash = grub_crypto_lookup_md_by_name (digest.hash);
+  if (cryptodisk->hash) {
+    if (grub_strcmp(hash->name, cryptodisk->hash->name)) {
+       ret = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "LUKS2 Module does not support using multiple SHA versions.");
+       goto err;
+    }
+  } else
+    cryptodisk->hash = hash;
+
+  /* Set up disk cipher. */
+  grub_strncpy (cipher, segment.encryption, sizeof (cipher));
+  ptr = grub_memchr (cipher, '-', grub_strlen (cipher));
+  if (!ptr) {
+      ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid encryption");
+      goto err;
+  }
+  *ptr = '\0';
+
+  ret = grub_cryptodisk_setcipher (cryptodisk, cipher, ptr + 1);
+  if (ret)
+    goto err;
+
+
   cryptodisk->modname = "luks2";
   return cryptodisk;
+err:
+  grub_free (json_header);
+  grub_json_free (json);
+  grub_errno = ret;
+  return NULL;
 }

 static grub_err_t
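Review bot: The result of `grub_crypto_lookup_md_by_name (digest.hash)` is used without a NULL check, so a hash name from the on-disk header that has no loaded module is either dereferenced as `hash->name` or stored as a NULL `cryptodisk->hash`; add `if (!hash) { ret = grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", digest.hash); goto err; }` right after the lookup. The `grub_strncpy (cipher, segment.encryption, sizeof (cipher))` copy leaves `cipher` unterminated when the encryption string is 32 bytes or longer, and the following `grub_strlen (cipher)` then reads past the array; `cipher[sizeof (cipher) - 1] = '\0';` after the copy bounds it. The `err:` path frees `json_header` and `json` but not `cryptodisk`, whose allocation this hunk removes from here; where it is allocated now lies outside the hunk, so a leak cannot be confirmed from this excerpt. luks2_scan begins well before the hunk.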

The upstream differences in grub-core/disk/luks2.c between the commit this package is based on (e43f3d93b28cce852c110c7a8e40d8311bcd8bb1) and the current commit (1514678888595ef41a968a0c69b7ff769edd1e9c) are:

diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index bf741d70f..d5106402f 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -350,8 +350,6 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
 {
   grub_cryptodisk_t cryptodisk;
   grub_luks2_header_t header;
-  char uuid[sizeof (header.uuid) + 1];
-  grub_size_t i, j;

   if (cargs->check_boot)
     return NULL;
@@ -362,14 +360,9 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
       return NULL;
     }

-  for (i = 0, j = 0; i < sizeof (header.uuid); i++)
-    if (header.uuid[i] != '-')
-      uuid[j++] = header.uuid[i];
-  uuid[j] = '\0';
-
-  if (cargs->search_uuid != NULL && grub_strcasecmp (cargs->search_uuid, uuid) != 0)
+  if (cargs->search_uuid != NULL && grub_uuidcasecmp (cargs->search_uuid, header.uuid, sizeof (header.uuid)) != 0)
     {
-      grub_dprintf ("luks2", "%s != %s\n", uuid, cargs->search_uuid);
+      grub_dprintf ("luks2", "%s != %s\n", header.uuid, cargs->search_uuid);
       return NULL;
     }
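Review bot: `header.uuid` is now passed to `grub_dprintf` with `%s` and, in the next hunk (`@@ -377,13 +370,31`), copied with `grub_memcpy (cryptodisk->uuid, header.uuid, sizeof (header.uuid))`, but nothing visible guarantees that the on-disk field contains a NUL. The removed loop wrote the terminator itself into a buffer one byte larger than the field, which suggests the field may be completely filled. If so, the debug print can read past the field, and the stored UUID is terminated only when `cryptodisk->uuid` is strictly larger and zero-filled (its allocation is outside these hunks). Tightening the assertion to `COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) > sizeof (header.uuid));` would make that explicit, and the debug print should be bounded to `sizeof (header.uuid)`. luks2_scan starts before and continues past this hunk.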

@@ -377,13 +370,31 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
   if (!cryptodisk)
     return NULL;

-  COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (uuid));
-  grub_memcpy (cryptodisk->uuid, uuid, sizeof (uuid));
+  COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (header.uuid));
+  grub_memcpy (cryptodisk->uuid, header.uuid, sizeof (header.uuid));

   cryptodisk->modname = "luks2";
   return cryptodisk;
 }

+static grub_err_t
+luks2_base64_decode (const char *in, grub_size_t inlen, grub_uint8_t *decoded, idx_t *decodedlen)
+{
+  grub_size_t unescaped_len = 0;
+  char *unescaped = NULL;
+  bool successful;
+
+  if (grub_json_unescape (&unescaped, &unescaped_len, in, inlen) != GRUB_ERR_NONE)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("could not unescape Base64 string"));
+
+  successful = base64_decode (unescaped, unescaped_len, (char *) decoded, decodedlen);
+  grub_free (unescaped);
+  if (!successful)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("could not decode Base64 string"));
+
+  return GRUB_ERR_NONE;
+}
+
 static grub_err_t
 luks2_verify_key (grub_luks2_digest_t *d, grub_uint8_t *candidate_key,
          grub_size_t candidate_key_len)
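Review bot: The new `luks2_base64_decode` has no comment stating the contract of `decodedlen`, which it passes straight through to `base64_decode`. If that is the gnulib routine, as its signature suggests, `*decodedlen` must hold the capacity of `decoded` on entry and receives the decoded length on return, so a caller that leaves it unset risks an overrun or a spurious failure. I would add above the function `/* Unescape a JSON string and Base64-decode it; *decodedlen is the size of decoded on entry and the number of bytes written on return. */`. The callers' initialisation of `digestlen` and `saltlen` is outside the visible hunks.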
@@ -395,9 +406,11 @@ luks2_verify_key (grub_luks2_digest_t *d, grub_uint8_t *candidate_key,
   gcry_err_code_t gcry_ret;

   /* Decode both digest and salt */
-  if (!base64_decode (d->digest, grub_strlen (d->digest), (char *)digest, &digestlen))
+  if (luks2_base64_decode (d->digest, grub_strlen (d->digest),
+              digest, &digestlen) != GRUB_ERR_NONE)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid digest");
-  if (!base64_decode (d->salt, grub_strlen (d->salt), (char *)salt, &saltlen))
+  if (luks2_base64_decode (d->salt, grub_strlen (d->salt),
+              salt, &saltlen) != GRUB_ERR_NONE)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid digest salt");

   /* Configure the hash used for the digest. */
@@ -435,8 +448,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
   gcry_err_code_t gcry_ret;
   grub_err_t ret;

-  if (!base64_decode (k->kdf.salt, grub_strlen (k->kdf.salt),
-            (char *)salt, &saltlen))
+  if (luks2_base64_decode (k->kdf.salt, grub_strlen (k->kdf.salt),
+              salt, &saltlen) != GRUB_ERR_NONE)
     {
       ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid keyslot salt");
       goto err;
@@ -610,7 +623,15 @@ luks2_recover_key (grub_disk_t source,
       grub_errno = GRUB_ERR_NONE;
       ret = luks2_get_keyslot (&keyslot, &digest, &segment, json, json_idx);
       if (ret)
-   goto err;
+   {
+     /*
+      * luks2_get_keyslot() can fail for a variety of reasons that do not
+      * necessarily mean the next keyslot should not be tried (e.g. a new
+      * kdf type). So always try the next slot.
+      */
+     grub_dprintf ("luks2", "Failed to get keyslot %" PRIuGRUB_UINT64_T "\n", keyslot.idx);
+     continue;
+   }
       if (grub_errno != GRUB_ERR_NONE)
      grub_dprintf ("luks2", "Ignoring unhandled error %d from luks2_get_keyslot\n", grub_errno);
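Review bot: The added debug message prints `keyslot.idx` on the path where `luks2_get_keyslot()` has just failed, so the field may be unset or left over from the previous iteration. The index being tried identifies the slot reliably: `grub_dprintf ("luks2", "Failed to get keyslot %" PRIuGRUB_SIZE "\n", json_idx);`. The type of `json_idx` is not visible in this hunk (the patch quoted earlier on the page declares it as `grub_size_t`), and the enclosing loop starts outside it.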

So patching the current upstream commit with grub-install_luks2.patch fails because of these minor changes:

@@ -350,8 +350,6 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)

@@ -362,14 +360,9 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)

@@ -377,13 +370,31 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)

Can you update grub-install_luks2.patch accordingly please, Ax333l? (There may be more issues to fix after these ones are taken care of.)

Ax333l commented on 2022-09-02 05:23 (UTC)

randomxusr: I found the Argon2 implementation patches on grub-devel, but I also had to write my own patch to make grub-install work with LUKS2.

randomxusr commented on 2022-07-31 21:29 (UTC)

Curious.

Have you added your own changes to grub in order to make this work?

Or is this simply the latest git build just working with Luks2 and Argon2?

Ax333l commented on 2022-07-29 10:26 (UTC) (edited on 2022-07-29 10:27 (UTC) by Ax333l)

I am not sure how I managed to mess up the source list but I have updated grub to the latest version.

Try deleting the grub-improved-luks2-git folder in your yay/paru cache directory if you still can't build it.