Arch Linux User Repository

Yes. The state of things with these patches is following. The 'crypto enhancement' patch series by John Lane adds following features:

• key files

• detached headers

• multiple passphrase attempts

• plain dm-crypt support

• using device as keyfile

• UUID hyphens

Key files were added recently by Glenn Washburn who rewrote some of these patches. Detached headers patch series will be also added soon to grub master.

Currently I am working on the third version of plain mode patch, but it will not be accepted as soon as detached headers support (according to my expectation).

Using device as a keyfile can be added as a fix to keyfiles patch series of Glen Washburn, but currently nobody is working on this. I have added support for this feature in plain mode, but it is not currently supported in LUKS mode.

Finally, supporting multiple passphrase attempts and UUID hyphens patches are not included into grub master and nobody is working on supporting them. When I started to support these patches I was interested only in plain mode. If I have spare time, I will rewrite these two minor patches (+ device as a keyfile), but they are not my priorities.

The 2nd patch in the series, the one which enables the key-file, keyfile-offset and keyfile-size parameters, was committed to the official GRUB repository and is included in the latest Arch GRUB package (grub 2:2.06.r261.g2f4430cc0-1).

So you may be able to switch to the official Arch package, as long as you only need the base keyfile support and not any of the extras (LUKS detached header, plain dm-crypt, whole device as keyfile, etc.).

PS: And if you switch to the official Arch package, also make sure to remove hyphens from the UUID in cryptomount (if this applies to you), that part is not in the official GRUB package yet and it will fail to find the disk unless you remove them.

Thank you for your work on this, the git version does not have the issue so I will use that for now.

No, it is not expected, because I follow arch Grub package pkgbuild, also these patches should not explode package size.

I will investigate this in next weekend.

Can you try git version of this package?

Is it expected for this package to have a Total Installed Size of 930.45 MiB? When I build it, the .img files are much larger than the base grub package.

# grub
$ ls -l /usr/lib/grub/i386-pc/*.img
-rw-r--r-- 1 root root   512 Feb 21 15:55 /usr/lib/grub/i386-pc/boot_hybrid.img
-rw-r--r-- 1 root root   512 Feb 21 15:55 /usr/lib/grub/i386-pc/boot.img
-rw-r--r-- 1 root root  2048 Feb 21 15:55 /usr/lib/grub/i386-pc/cdboot.img
-rw-r--r-- 1 root root   512 Feb 21 15:55 /usr/lib/grub/i386-pc/diskboot.img
-rw-r--r-- 1 root root 29276 Feb 21 15:55 /usr/lib/grub/i386-pc/kernel.img
-rw-r--r-- 1 root root  1024 Feb 21 15:55 /usr/lib/grub/i386-pc/lnxboot.img
-rw-r--r-- 1 root root  2848 Feb 21 15:55 /usr/lib/grub/i386-pc/lzma_decompress.img
-rw-r--r-- 1 root root  1024 Feb 21 15:55 /usr/lib/grub/i386-pc/pxeboot.img

# grub-luks-keyfile
$ ls -l /usr/lib/grub/i386-pc/*.img
-rw-r--r-- 1 root root 134481116 May 10 19:51 /usr/lib/grub/i386-pc/boot_hybrid.img
-rw-r--r-- 1 root root 134481116 May 10 19:51 /usr/lib/grub/i386-pc/boot.img
-rw-r--r-- 1 root root 134481116 May 10 19:51 /usr/lib/grub/i386-pc/cdboot.img
-rw-r--r-- 1 root root 134480092 May 10 19:51 /usr/lib/grub/i386-pc/diskboot.img
-rw-r--r-- 1 root root     29168 May 10 19:51 /usr/lib/grub/i386-pc/kernel.img
-rw-r--r-- 1 root root 134488284 May 10 19:51 /usr/lib/grub/i386-pc/lnxboot.img
-rw-r--r-- 1 root root 134479612 May 10 19:51 /usr/lib/grub/i386-pc/lzma_decompress.img
-rw-r--r-- 1 root root 134481116 May 10 19:51 /usr/lib/grub/i386-pc/pxeboot.img

@Martmists can you elaborate on the context of your comment? It seems you refer to some revealed bug/issue, however I do not see any links.

I use these patches in a following way. I don't have grub menu, I simply type necessary parameters upon each boot, so I don't know what happens when these patches are used together with grub menu.

Besides, these patches are developed by John Lane (https://github.com/johnlane/grub), so you can contact him to file a bug.

Grub seems to not use the -p and -k parameter BEFORE the grub menu, as they are not in the binary file on the EFI partition. The cause seems to be that in some parts of the patched code, simply cryptomount -u $uuid seems to be used, therefore not unlocking grub at boot.

Updated.

@gamezelda, I have already opened github issue https://github.com/johnlane/grub/issues/18

Thanks for digging compilation errors up. If the author (John Lane) does not fix within days, I will patch myself.

At the official repos Grub 2.04 is out, and has some features that may be interesting ( https://www.phoronix.com/scan.php?page=news_item&px=GRUB-2.04-Released ).

This package's patches don't work out of the box with the new version, but are easy to fix. The grub_file_open now has one second parameter GRUB_FILE_TYPE_...., I modified the patches to pass GRUB_FILE_TYPE_NONE and I was able to compile and get it to work for me. (From my naive inspection, I wasn't able to find any better GRUB_FILE_TYPE_... constant to use for the keyfiles other than GRUB_FILE_TYPE_NONE)

GRUB was updated to version 2.04 at 2019-07-05. Currently several patches cannot applied because of this. I has written to the author.

Updated.

Hi, thanks a lot. One thing: Could you change the weblinks to the patches to https instead of http? Like: "https://grub.johnlane.ie/assets/0001-Cryptomount-support-LUKS-detached-header.patch" Regards

Thanks for your work! I have been able to build and install GRUB successfully with the new release.

Update. It appears that patch mentioned in forum discussion (link in previous post) was actually a fix to the issue. After letter to Christian Hesse he added the patch (https://lists.archlinux.org/pipermail/arch-commits/2018-August/527094.html) to trunk, but currently grub package is not affected because no changes were made to repo. So, manual compilation from trunk sources works, compiled grub package is still 2018-06-27.

Meanwhile, 0010-relocation patch was added here, together with xfs patch from grub trunk (looks like kalbasit left maintaining this package before the patch was added to core grub). On my machine the relocation patch works. It would be helpful if someone tests current version.

@gamezelda, I was about to check when stock package was compiled (2018-06-27) and to write the same :)

So this may be something wrong with core package, not the way we compile ...

@mxfm Good to know it's definitely not a problem on my side! Not sure how I didn't find that link though.

The stock Arch package works because it was built in June, before the breakage ocurred.

@gamezelda I have just recompiled this package not in clean root - installation of x86-64_efi target failed with error you described. Then I recompiled the package in clean chroot - installation failed with the same error. So, indeed there is some problem either with the package (this patches) or with the grub.

P.S Compiled in clean chroot grub also fails upon installation. P.P.S Some explanation https://www.mail-archive.com/openembedded-core@lists.openembedded.org/msg112375.html Looks like some changes in binutils in July break grub. However, this does not explain why stock archlinux grub kernel.img is OK.

I've been banging my head for some hours trying to reinstall GRUB again after recompiling this package, because I was receiving an error message like 'relocation 0x4 is not implemented yet' when trying to install GRUB in EFI mode (BIOS worked file).

However, the source of the problem is not in this package, because if I recompile the original unchanged Arch GRUB package the same thing happens... it looks like there's something wrong going on with compilers/linkers/whatever and the resulting GRUB x86_64 EFI kernel binary is broken.

Anyway, I found a dirty workaround if anyone happens to stumble upon the same problem: - Build and install this package as usual - Download the compiled GRUB package binaries from https://www.archlinux.org/packages/core/x86_64/grub/ - Extract the ZIP file and replace /usr/lib/grub/x86_64-efi/kernel.img with the precompiled version from the ZIP (overwrite as root) - Now you should be able to run grub-install

DISCLAIMER: Make sure you have an alternative boot method (BIOS boot, Live Arch CD, backup, etc.) because as you may suspect, this method isn't too solid. Also check the versions, I copied the kernel of grub 2:2.02-7 over grub-luks-keyfile 2:2.02-6.

@mxfm if you have the time, why not! Please just claim the package and it's yours. I have already disowned it.

@kalbasit Perhaps me?

I switched to NixOS recently, so I won't be maintaining this package any further, can someone please adopt it? Thank you!

... but now it does not because of sha256 mismatch of file '0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch' (likely it was updated).

I use this package since January and did not have compilation errors. Just downloaded snapshot - it builds fine.

@kalbasit Sure, I’ll take a look at it tomorrow.

@gamezelda Care to submit a pull request with your fixes? I host this AUR package at https://github.com/kalbasit/aur_grub-luks-keyfile

The package does not build complaining about not finding freetype2 (despite being installed).

I have been able to install it by rebasing on the last PKGBUILD:

• Download https://git.archlinux.org/svntogit/packages.git/snapshot/packages-0c7d22e66884c85574eca8ce7df9571748aabb29.tar.gz and extract it
• Apply the changes in https://aur.archlinux.org/cgit/aur.git/plain/grub-PKGBUILD.patch?h=grub-luks-keyfile&id=1570924382c7 to the PKGBUILD in the trunk folder
• Actually that patch is obsolete as well, so you will have to diff the original GRUB PKGBUILD and the latest grub-luks-keyfile PKGBUILD and cherry-pick the changes.
• Switch to the trunk directory and build as usual with makepkg

@nils_92 You need to trust those GPG keys by adding them to your keyring before trying to build the package:

gpg --recv-keys 35A93B74E82E4209
gpg --recv-keys 1A09227B1F435A33

Unfortunately it does not build with the following error

==> Verifying source file signatures with gpg... grub-2.02.tar.xz ... FAILED (unknown public key 35A93B74E82E4209) unifont-10.0.06.bdf.gz ... FAILED (unknown public key 1A09227B1F435A33) ==> ERROR: One or more PGP signatures could not be verified! ==> ERROR: Makepkg was unable to build grub-luks-keyfile.

@mxfm I just pushed an update, thanks for the report!

@kalbasit

:) Sorry, pushed wrong button...

@mxfm I asked for a PR not an issue :). That's fine, I can push an update myself.

https://github.com/kalbasit/aur_grub-luks-keyfile/issues/1

However, I don't understand why I should write there. Github page appears to be exact clone of this page, which provides necessary infrastruction to deal with those problems.

@mxfm I pushed this repo to https://github.com/kalbasit/aur_grub-luks-keyfile would you be able to send me a PR? Thank you!

It seems John Lane updated patches (from http://grub.johnlane.ie/):

"Patches compatible with upstream HEAD (28b0d190) at time of writing, 2018/03/14. Patches 6 and 7 are contributed pull requests."

Unfortunately I cannot compile the package anymore because some patches fail source check. For example, for "0001-Crypmount..." my sha526sum is: f7790e7fd4641eed8347039ebb44b67a3f517f2bc4de213fe34d2ae887c03b92 0001-Cryptomount-support-LUKS-detached-header.patch

It is missing in sha256sums() function in PKGBUILD.

==> Validating source files with sha256sums...

grub-2.02.tar.xz ... Passed
grub-2.02.tar.xz.sig ... Skipped
grub-extras-f2a079441939eee7251bf141986cdd78946e1d20.tar.gz ... Passed
unifont-10.0.06.bdf.gz ... Passed
unifont-10.0.06.bdf.gz.sig ... Skipped
0002-intel-ucode.patch ... Passed
0003-10_linux-detect-archlinux-initramfs.patch ... Passed
0004-add-GRUB_COLOR_variables.patch ... Passed
0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch ... Passed
0006-tsc-Change-default-tsc-calibration-method-to-pmtimer-on-EFI-systems.patch ... Passed
0001-Cryptomount-support-LUKS-detached-header.patch ... FAILED
0002-Cryptomount-support-key-files.patch ... FAILED
0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch ... FAILED
0004-Cryptomount-support-plain-dm-crypt.patch ... FAILED
0005-Cryptomount-support-for-hyphens-in-UUID.patch ... FAILED
0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch ... Passed
grub.default ... Passed
grub.cfg ... Passed

==> ERROR: One or more files did not pass the validity check!

Hi!

First of all, I am glad to see this package because I am interested in having support plain dm-crypt, in particular support for dm-crypt options for 'cryptomount' command.

How old is grub in this version comparing with upstream? AFAIK, these patches are by John Lane written in 2015. Are they still revelant? 2-3 years ago I tried to apply them on upstream version and failed because grub was updated.

Since John is not working on new versions, it seems that either 1) one can use old version from 2015 with these patches 2) forget about these features and use upstream version or 3) update patches manually after (possibly) each new version.