Package Details: grub-improved-luks2-git 2.12.r10.g04d2a50f3-1

Git Clone URL: https://aur.archlinux.org/grub-improved-luks2-git.git (read-only, click to copy)
Package Base: grub-improved-luks2-git
Description: GNU GRand Unified Bootloader (2) with Argon2 support. Patch made by Patrick Steinhardt
Upstream URL: https://www.gnu.org/software/grub/
Licenses: GPL3, CC0
Conflicts: grub
Provides: grub
Submitter: Ax333l
Maintainer: Ax333l
Last Packager: Ax333l
Votes: 27
Popularity: 1.49
First Submitted: 2022-01-02 14:06 (UTC)
Last Updated: 2024-03-09 00:19 (UTC)

Dependencies (18)

Required by (314)

Sources (12)

Pinned Comments

Ax333l commented on 2022-02-17 18:58 (UTC) (edited on 2023-06-16 14:24 (UTC) by Ax333l)

I have disabled translations because they have been the cause of build failures in both this package and grub-git. If you want to re-enable them, check the PKGBUILD.

Also, make sure you have installed base-devel.

Argon2 might not work on some devices due to issues with the memory allocator

Latest Comments

« First ‹ Previous 1 2 3 4 5 6 7 8 Next › Last »

Ax333l commented on 2023-04-23 18:00 (UTC)

jroovy, I was also having problems on my laptop with this patch, but I was never able to figure out the cause. What device are you running it on?

jroovy commented on 2023-04-23 15:31 (UTC)

Hi, I'm having trouble with this package Since updating to latest version, it doesn't want to unlock luks partition with the error: error: Invalid passphrase even when entered correctly

My configuration is as follows

/etc/default/grub:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<UUID_HERE>:root"
GRUB_ENABLE_CRYPTODISK=y

And I installed it with command: sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --removable

Any help would be appreciated. Thanks

Ax333l commented on 2023-04-20 16:57 (UTC) (edited on 2023-04-20 16:59 (UTC) by Ax333l)

All argon2 variants are supported. A UEFI installation is required due to the memory usage of argon2. An MBR installation on a UEFI system will not work.

grub-install --target=x86_64-efi should work. Check the arch wiki for more info regarding how to install grub with UEFI. If it fails to unlock at runtime, let me know.

necklace commented on 2023-04-19 07:57 (UTC) (edited on 2023-04-19 09:55 (UTC) by necklace)

Wow, thanks for this package! Amazing work.

I'm trying to set up this with Argon2id, but I just had the thought that maybe that one isn't supported? Edit: or maybe it is uefi? Can't get it to work..

Would you mind posting instructions for how you set this up yourself, maybe a blogpost or a gist?

Ax333l commented on 2023-02-05 00:05 (UTC)

Finally got time to update it. The patches are now much less likely to break in the future, so I have unpinned it.

randomxusr commented on 2023-01-03 11:30 (UTC)

Any chance this could go to the main repos? As it's quite useful

<deleted-account> commented on 2022-11-28 22:53 (UTC)

Hi. Isn't exactly a bug or something that compromises the usability, but the license shouldn't use commas (that's also making expac report a wrong license). Like this: license=('GPL3' 'CC0')

Ax333l commented on 2022-11-27 12:33 (UTC)

Thank you for notifying me. I will see how much needs to be done to update it, but I am not sure if I have time to do so this week. It depends on how much I need to change the patch.

mca2 commented on 2022-11-26 00:03 (UTC) (edited on 2022-11-26 00:15 (UTC) by mca2)

The build fails with the upstream commit that the grub package in the core repository is currently based on (1514678888595ef41a968a0c69b7ff769edd1e9c). Two hunks in grub-install_luks2.patch fail because there have been small modifications in grub-core/disk/luks2.c upstream (see below).

Rejected hunks:

--- grub-core/disk/luks2.c
+++ grub-core/disk/luks2.c
@@ -353,8 +353,16 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
 {
   grub_cryptodisk_t cryptodisk;
   grub_luks2_header_t header;
+  grub_luks2_keyslot_t keyslot;
+  grub_luks2_digest_t digest;
+  grub_luks2_segment_t segment;
+  char cipher[32], *json_header = NULL, *ptr;
+  grub_size_t candidate_key_len = 0, json_idx, size;
   char uuid[sizeof (header.uuid) + 1];
   grub_size_t i, j;
+  grub_err_t ret;
+  gcry_md_spec_t *hash = NULL;
+  grub_json_t *json = NULL, keyslots;

   if (cargs->check_boot)
     return NULL;
@@ -545,15 +722,39 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
       return NULL;
     }

-  cryptodisk = grub_zalloc (sizeof (*cryptodisk));
-  if (!cryptodisk)
-    return NULL;
-
   COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (uuid));
   grub_memcpy (cryptodisk->uuid, uuid, sizeof (uuid));

+  hash = grub_crypto_lookup_md_by_name (digest.hash);
+  if (cryptodisk->hash) {
+    if (grub_strcmp(hash->name, cryptodisk->hash->name)) {
+       ret = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "LUKS2 Module does not support using multiple SHA versions.");
+       goto err;
+    }
+  } else
+    cryptodisk->hash = hash;
+
+  /* Set up disk cipher. */
+  grub_strncpy (cipher, segment.encryption, sizeof (cipher));
+  ptr = grub_memchr (cipher, '-', grub_strlen (cipher));
+  if (!ptr) {
+      ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid encryption");
+      goto err;
+  }
+  *ptr = '\0';
+
+  ret = grub_cryptodisk_setcipher (cryptodisk, cipher, ptr + 1);
+  if (ret)
+    goto err;
+
+
   cryptodisk->modname = "luks2";
   return cryptodisk;
+err:
+  grub_free (json_header);
+  grub_json_free (json);
+  grub_errno = ret;
+  return NULL;
 }

 static grub_err_t

The upstream differences in grub-core/disk/luks2.c between the commit this package is based on (e43f3d93b28cce852c110c7a8e40d8311bcd8bb1) and the current commit (1514678888595ef41a968a0c69b7ff769edd1e9c) are:

diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index bf741d70f..d5106402f 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -350,8 +350,6 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
 {
   grub_cryptodisk_t cryptodisk;
   grub_luks2_header_t header;
-  char uuid[sizeof (header.uuid) + 1];
-  grub_size_t i, j;

   if (cargs->check_boot)
     return NULL;
@@ -362,14 +360,9 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
       return NULL;
     }

-  for (i = 0, j = 0; i < sizeof (header.uuid); i++)
-    if (header.uuid[i] != '-')
-      uuid[j++] = header.uuid[i];
-  uuid[j] = '\0';
-
-  if (cargs->search_uuid != NULL && grub_strcasecmp (cargs->search_uuid, uuid) != 0)
+  if (cargs->search_uuid != NULL && grub_uuidcasecmp (cargs->search_uuid, header.uuid, sizeof (header.uuid)) != 0)
     {
-      grub_dprintf ("luks2", "%s != %s\n", uuid, cargs->search_uuid);
+      grub_dprintf ("luks2", "%s != %s\n", header.uuid, cargs->search_uuid);
       return NULL;
     }

@@ -377,13 +370,31 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
   if (!cryptodisk)
     return NULL;

-  COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (uuid));
-  grub_memcpy (cryptodisk->uuid, uuid, sizeof (uuid));
+  COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (header.uuid));
+  grub_memcpy (cryptodisk->uuid, header.uuid, sizeof (header.uuid));

   cryptodisk->modname = "luks2";
   return cryptodisk;
 }

+static grub_err_t
+luks2_base64_decode (const char *in, grub_size_t inlen, grub_uint8_t *decoded, idx_t *decodedlen)
+{
+  grub_size_t unescaped_len = 0;
+  char *unescaped = NULL;
+  bool successful;
+
+  if (grub_json_unescape (&unescaped, &unescaped_len, in, inlen) != GRUB_ERR_NONE)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("could not unescape Base64 string"));
+
+  successful = base64_decode (unescaped, unescaped_len, (char *) decoded, decodedlen);
+  grub_free (unescaped);
+  if (!successful)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("could not decode Base64 string"));
+
+  return GRUB_ERR_NONE;
+}
+
 static grub_err_t
 luks2_verify_key (grub_luks2_digest_t *d, grub_uint8_t *candidate_key,
          grub_size_t candidate_key_len)
@@ -395,9 +406,11 @@ luks2_verify_key (grub_luks2_digest_t *d, grub_uint8_t *candidate_key,
   gcry_err_code_t gcry_ret;

   /* Decode both digest and salt */
-  if (!base64_decode (d->digest, grub_strlen (d->digest), (char *)digest, &digestlen))
+  if (luks2_base64_decode (d->digest, grub_strlen (d->digest),
+              digest, &digestlen) != GRUB_ERR_NONE)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid digest");
-  if (!base64_decode (d->salt, grub_strlen (d->salt), (char *)salt, &saltlen))
+  if (luks2_base64_decode (d->salt, grub_strlen (d->salt),
+              salt, &saltlen) != GRUB_ERR_NONE)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid digest salt");

   /* Configure the hash used for the digest. */
@@ -435,8 +448,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
   gcry_err_code_t gcry_ret;
   grub_err_t ret;

-  if (!base64_decode (k->kdf.salt, grub_strlen (k->kdf.salt),
-            (char *)salt, &saltlen))
+  if (luks2_base64_decode (k->kdf.salt, grub_strlen (k->kdf.salt),
+              salt, &saltlen) != GRUB_ERR_NONE)
     {
       ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid keyslot salt");
       goto err;
@@ -610,7 +623,15 @@ luks2_recover_key (grub_disk_t source,
       grub_errno = GRUB_ERR_NONE;
       ret = luks2_get_keyslot (&keyslot, &digest, &segment, json, json_idx);
       if (ret)
-   goto err;
+   {
+     /*
+      * luks2_get_keyslot() can fail for a variety of reasons that do not
+      * necessarily mean the next keyslot should not be tried (e.g. a new
+      * kdf type). So always try the next slot.
+      */
+     grub_dprintf ("luks2", "Failed to get keyslot %" PRIuGRUB_UINT64_T "\n", keyslot.idx);
+     continue;
+   }
       if (grub_errno != GRUB_ERR_NONE)
      grub_dprintf ("luks2", "Ignoring unhandled error %d from luks2_get_keyslot\n", grub_errno);

So patching the current upstream commit with grub-install_luks2.patch fails because of these minor changes:

@@ -350,8 +350,6 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)

@@ -362,14 +360,9 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)

@@ -377,13 +370,31 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)

Can you update grub-install_luks2.patch accordingly please, Ax333l? (There may be more issues to fix after these ones are taken care of.)

« First ‹ Previous 1 2 3 4 5 6 7 8 Next › Last »