Package Details: grub-improved-luks2-git 2.12.r10.g04d2a50f3-1

Git Clone URL: https://aur.archlinux.org/grub-improved-luks2-git.git (read-only)
Package Base: grub-improved-luks2-git
Description: GNU GRand Unified Bootloader (2) with Argon2 support. Patch made by Patrick Steinhardt
Upstream URL: https://www.gnu.org/software/grub/
Licenses: GPL3, CC0
Conflicts: grub
Provides: grub
Submitter: Ax333l
Maintainer: Ax333l
Last Packager: Ax333l
Votes: 24
Popularity: 2.43
First Submitted: 2022-01-02 14:06 (UTC)
Last Updated: 2024-03-09 00:19 (UTC)

Dependencies (18)

Required by (309)

Sources (12)

Pinned Comments

Ax333l commented on 2022-02-17 18:58 (UTC) (edited on 2023-06-16 14:24 (UTC) by Ax333l)

I have disabled translations because they have been the cause of build failures in both this package and grub-git. If you want to re-enable them, check the PKGBUILD.

Also, make sure you have installed base-devel.

Argon2 might not work on some devices due to issues with the memory allocator.

Latest Comments


jroovy commented on 2023-04-23 15:31 (UTC)

Hi, I'm having trouble with this package. Since updating to the latest version, it doesn't want to unlock the LUKS partition, with the error: error: Invalid passphrase even when entered correctly.

My configuration is as follows

/etc/default/grub:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<UUID_HERE>:root"
GRUB_ENABLE_CRYPTODISK=y

And I installed it with command: sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --removable

Any help would be appreciated. Thanks

Ax333l commented on 2023-04-20 16:57 (UTC) (edited on 2023-04-20 16:59 (UTC) by Ax333l)

All argon2 variants are supported. A UEFI installation is required due to the memory usage of argon2. An MBR installation on a UEFI system will not work.

grub-install --target=x86_64-efi should work. Check the arch wiki for more info regarding how to install grub with UEFI. If it fails to unlock at runtime, let me know.
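
To see which keyslots actually depend on the Argon2 support discussed above, the following added example (not part of the original comments or of the package) summarises the PBKDF of each keyslot from the text printed by `cryptsetup luksDump`. The dump is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list the PBKDF and memory cost of each LUKS2 keyslot.
# On a real system, pipe `cryptsetup luksDump <device>` into keyslot_kdfs.

# Constructed sample of luksDump output (not taken from a real device).
sample_dump() {
cat <<'EOF'
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Prints "<slot> <pbkdf> <memory in KiB, or - if the KDF has none>" per keyslot.
keyslot_kdfs() {
  awk '
    /^Keyslots:/ { in_slots = 1; next }
    /^[A-Za-z]/  { in_slots = 0 }   # any other top-level section ends the list
    in_slots && $2 == "luks2" && $1 ~ /^[0-9]+:$/ { slot = $1; sub(":", "", slot); next }
    in_slots && $1 == "PBKDF:"  { kdf[slot] = $2; order[++n] = slot }
    in_slots && $1 == "Memory:" { mem[slot] = $2 }
    END { for (i = 1; i <= n; i++) { s = order[i]
            printf "%s %s %s\n", s, kdf[s], (s in mem) ? mem[s] : "-" } }
  '
}

# Keyslots that a bootloader without Argon2 support cannot open.
argon2_slots() { keyslot_kdfs | awk '$2 ~ /^argon2/ { print $1 }'; }

sample_dump | keyslot_kdfs
```

The memory column is the amount the bootloader must be able to allocate to derive the key for that slot, which is the constraint behind the UEFI requirement mentioned above.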

necklace commented on 2023-04-19 07:57 (UTC) (edited on 2023-04-19 09:55 (UTC) by necklace)

Wow, thanks for this package! Amazing work.

I'm trying to set this up with Argon2id, but I just had the thought that maybe that one isn't supported? Edit: or maybe it is UEFI? Can't get it to work.

Would you mind posting instructions for how you set this up yourself, maybe a blogpost or a gist?

Ax333l commented on 2023-02-05 00:05 (UTC)

Finally got time to update it. The patches are now much less likely to break in the future, so I have unpinned it.

randomxusr commented on 2023-01-03 11:30 (UTC)

Any chance this could go to the main repos? As it's quite useful.

Menelkir commented on 2022-11-28 22:53 (UTC)

Hi. Isn't exactly a bug or something that compromises the usability, but the license shouldn't use commas (that's also making expac report a wrong license). Like this: license=('GPL3' 'CC0')

Ax333l commented on 2022-11-27 12:33 (UTC)

Thank you for notifying me. I will see how much needs to be done to update it, but I am not sure if I have time to do so this week. It depends on how much I need to change the patch.

mca2 commented on 2022-11-26 00:03 (UTC) (edited on 2022-11-26 00:15 (UTC) by mca2)

The build fails with the upstream commit that the grub package in the core repository is currently based on (1514678888595ef41a968a0c69b7ff769edd1e9c). Two hunks in grub-install_luks2.patch fail because there have been small modifications in grub-core/disk/luks2.c upstream (see below).

Rejected hunks:

--- grub-core/disk/luks2.c
+++ grub-core/disk/luks2.c
@@ -353,8 +353,16 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
 {
   grub_cryptodisk_t cryptodisk;
   grub_luks2_header_t header;
+  grub_luks2_keyslot_t keyslot;
+  grub_luks2_digest_t digest;
+  grub_luks2_segment_t segment;
+  char cipher[32], *json_header = NULL, *ptr;
+  grub_size_t candidate_key_len = 0, json_idx, size;
   char uuid[sizeof (header.uuid) + 1];
   grub_size_t i, j;
+  grub_err_t ret;
+  gcry_md_spec_t *hash = NULL;
+  grub_json_t *json = NULL, keyslots;

   if (cargs->check_boot)
     return NULL;
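
Review bot: the context this hunk anchors on, `char uuid[sizeof (header.uuid) + 1];` and `grub_size_t i, j;`, is exactly what the upstream change removes from luks2_scan, so the hunk needs rebasing onto the shorter declaration block. While rebasing, give `ret` an initializer such as GRUB_ERR_NONE, since the `err:` label in the following hunk copies it into `grub_errno` unconditionally.
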
@@ -545,15 +722,39 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
       return NULL;
     }

-  cryptodisk = grub_zalloc (sizeof (*cryptodisk));
-  if (!cryptodisk)
-    return NULL;
-
   COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (uuid));
   grub_memcpy (cryptodisk->uuid, uuid, sizeof (uuid));

+  hash = grub_crypto_lookup_md_by_name (digest.hash);
+  if (cryptodisk->hash) {
+    if (grub_strcmp(hash->name, cryptodisk->hash->name)) {
+       ret = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "LUKS2 Module does not support using multiple SHA versions.");
+       goto err;
+    }
+  } else
+    cryptodisk->hash = hash;
+
+  /* Set up disk cipher. */
+  grub_strncpy (cipher, segment.encryption, sizeof (cipher));
+  ptr = grub_memchr (cipher, '-', grub_strlen (cipher));
+  if (!ptr) {
+      ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid encryption");
+      goto err;
+  }
+  *ptr = '\0';
+
+  ret = grub_cryptodisk_setcipher (cryptodisk, cipher, ptr + 1);
+  if (ret)
+    goto err;
+
+
   cryptodisk->modname = "luks2";
   return cryptodisk;
+err:
+  grub_free (json_header);
+  grub_json_free (json);
+  grub_errno = ret;
+  return NULL;
 }

 static grub_err_t
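
Review bot: `hash = grub_crypto_lookup_md_by_name (digest.hash);` is used without a NULL check, and the next branch dereferences `hash->name`, so a digest name the lookup does not know ends in a null-pointer dereference; fail with `goto err` when the lookup returns NULL. Also in this hunk: `grub_strncpy (cipher, segment.encryption, sizeof (cipher))` leaves `cipher` unterminated when the source is 32 bytes or longer, right before `grub_strlen (cipher)` runs; the success path returns without the `grub_free (json_header)` and `grub_json_free (json)` that the `err:` label performs; and with the `grub_zalloc` removed here, `cryptodisk` must be allocated and NULL-checked somewhere before the `grub_memcpy` into `cryptodisk->uuid`.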

The upstream differences in grub-core/disk/luks2.c between the commit this package is based on (e43f3d93b28cce852c110c7a8e40d8311bcd8bb1) and the current commit (1514678888595ef41a968a0c69b7ff769edd1e9c) are:

diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index bf741d70f..d5106402f 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -350,8 +350,6 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
 {
   grub_cryptodisk_t cryptodisk;
   grub_luks2_header_t header;
-  char uuid[sizeof (header.uuid) + 1];
-  grub_size_t i, j;

   if (cargs->check_boot)
     return NULL;
@@ -362,14 +360,9 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
       return NULL;
     }

-  for (i = 0, j = 0; i < sizeof (header.uuid); i++)
-    if (header.uuid[i] != '-')
-      uuid[j++] = header.uuid[i];
-  uuid[j] = '\0';
-
-  if (cargs->search_uuid != NULL && grub_strcasecmp (cargs->search_uuid, uuid) != 0)
+  if (cargs->search_uuid != NULL && grub_uuidcasecmp (cargs->search_uuid, header.uuid, sizeof (header.uuid)) != 0)
     {
-      grub_dprintf ("luks2", "%s != %s\n", uuid, cargs->search_uuid);
+      grub_dprintf ("luks2", "%s != %s\n", header.uuid, cargs->search_uuid);
       return NULL;
     }

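Review bot: in the `grub_dprintf` line, `header.uuid` is now passed straight to `%s`, whereas the removed loop bounded its read with `sizeof (header.uuid)` and wrote the terminator itself. Unless the header read guarantees a NUL inside that field, copy it into a terminated buffer before printing.
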
@@ -377,13 +370,31 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
   if (!cryptodisk)
     return NULL;

-  COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (uuid));
-  grub_memcpy (cryptodisk->uuid, uuid, sizeof (uuid));
+  COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (header.uuid));
+  grub_memcpy (cryptodisk->uuid, header.uuid, sizeof (header.uuid));

   cryptodisk->modname = "luks2";
   return cryptodisk;
 }

+static grub_err_t
+luks2_base64_decode (const char *in, grub_size_t inlen, grub_uint8_t *decoded, idx_t *decodedlen)
+{
+  grub_size_t unescaped_len = 0;
+  char *unescaped = NULL;
+  bool successful;
+
+  if (grub_json_unescape (&unescaped, &unescaped_len, in, inlen) != GRUB_ERR_NONE)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("could not unescape Base64 string"));
+
+  successful = base64_decode (unescaped, unescaped_len, (char *) decoded, decodedlen);
+  grub_free (unescaped);
+  if (!successful)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("could not decode Base64 string"));
+
+  return GRUB_ERR_NONE;
+}
+
 static grub_err_t
 luks2_verify_key (grub_luks2_digest_t *d, grub_uint8_t *candidate_key,
          grub_size_t candidate_key_len)
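
Review bot: the `grub_memcpy` into `cryptodisk->uuid` now copies `sizeof (header.uuid)` bytes of the raw header field, so the stored UUID keeps its dashes and gets no explicit terminator (the old `uuid` buffer was dash-stripped and one byte larger for the NUL). Check that every consumer of `cryptodisk->uuid` compares with `grub_uuidcasecmp` rather than a plain string compare, and either make the `COMPILE_TIME_ASSERT` strict (`>`) or terminate the copy explicitly. For `luks2_base64_decode`, a one-line comment saying why the JSON unescape has to happen before decoding would help the next reader.
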
@@ -395,9 +406,11 @@ luks2_verify_key (grub_luks2_digest_t *d, grub_uint8_t *candidate_key,
   gcry_err_code_t gcry_ret;

   /* Decode both digest and salt */
-  if (!base64_decode (d->digest, grub_strlen (d->digest), (char *)digest, &digestlen))
+  if (luks2_base64_decode (d->digest, grub_strlen (d->digest),
+              digest, &digestlen) != GRUB_ERR_NONE)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid digest");
-  if (!base64_decode (d->salt, grub_strlen (d->salt), (char *)salt, &saltlen))
+  if (luks2_base64_decode (d->salt, grub_strlen (d->salt),
+              salt, &saltlen) != GRUB_ERR_NONE)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid digest salt");

   /* Configure the hash used for the digest. */
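
Review bot: at both call sites `luks2_base64_decode` has already reported a specific error through `grub_error`, and the caller then calls `grub_error` again with "Invalid digest" or "Invalid digest salt", which overwrites whether the unescape or the decode step failed. Consider propagating the helper's return value, or logging it with `grub_dprintf` before replacing it.
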
@@ -435,8 +448,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
   gcry_err_code_t gcry_ret;
   grub_err_t ret;

-  if (!base64_decode (k->kdf.salt, grub_strlen (k->kdf.salt),
-            (char *)salt, &saltlen))
+  if (luks2_base64_decode (k->kdf.salt, grub_strlen (k->kdf.salt),
+              salt, &saltlen) != GRUB_ERR_NONE)
     {
       ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid keyslot salt");
       goto err;
@@ -610,7 +623,15 @@ luks2_recover_key (grub_disk_t source,
       grub_errno = GRUB_ERR_NONE;
       ret = luks2_get_keyslot (&keyslot, &digest, &segment, json, json_idx);
       if (ret)
-   goto err;
+   {
+     /*
+      * luks2_get_keyslot() can fail for a variety of reasons that do not
+      * necessarily mean the next keyslot should not be tried (e.g. a new
+      * kdf type). So always try the next slot.
+      */
+     grub_dprintf ("luks2", "Failed to get keyslot %" PRIuGRUB_UINT64_T "\n", keyslot.idx);
+     continue;
+   }
       if (grub_errno != GRUB_ERR_NONE)
      grub_dprintf ("luks2", "Ignoring unhandled error %d from luks2_get_keyslot\n", grub_errno);
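
Review bot: the new `grub_dprintf` prints `keyslot.idx`, but `keyslot` is the output of the `luks2_get_keyslot` call that has just failed, so the value may be stale or unset; print the loop index `json_idx` instead. It is also worth confirming that a failure on the last slot still leaves a meaningful error after the loop, now that `continue` bypasses the `goto err` path.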

So patching the current upstream commit with grub-install_luks2.patch fails because of these minor changes:

@@ -350,8 +350,6 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)

@@ -362,14 +360,9 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)

@@ -377,13 +370,31 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)

Can you update grub-install_luks2.patch accordingly please, Ax333l? (There may be more issues to fix after these ones are taken care of.)

Ax333l commented on 2022-09-02 05:23 (UTC)

randomxusr, I found the Argon2 implementation patches from grub-devel, but I also had to write my own patch to make grub-install work with LUKS2.