This repository has been archived by the owner on May 31, 2023. It is now read-only.

grub 2.06 (luks2 support) #21

Closed
bruts01 opened this issue May 9, 2020 · 7 comments


bruts01 commented May 9, 2020

Since the latest grub has included LUKS2 support, I think it might be time to update these patches for the newest version?
Or are most options, like detached header, possible with the new grub by default?

@reagentoo

I have recently merged patches with the latest upstream revision. I fixed the build problems, but didn't have time to test. You can find them here: https://github.com/reagentoo/grub/tree/cryptopatch_v5


reagentoo commented Nov 3, 2020

I've added luks2 keyfile/header support to this branch:
reagentoo/grub@e3d9a2c

Known issues:

  1. Grub2 does not support argon2i PBKDF (which is default on luks2 partitions).
    To use this branch you should create the luks2 partition with the command:
    cryptsetup luksFormat --type luks2 -q -h sha512 -s 512 --pbkdf pbkdf2 --header /path/to/hdr /dev/sde3 /path/to/key

  2. Decryption of the master key is very slow with big keyfiles (about 2 minutes with an 8kb keyfile).

I am glad that work is underway for both problems, albeit slowly.

Related links:
https://savannah.gnu.org/bugs/?55093
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755
https://lists.gnu.org/archive/html/grub-devel/2016-10/msg00018.html
https://lists.gnu.org/archive/html/grub-devel/2018-01/msg00026.html
https://lists.gnu.org/archive/html/grub-devel/2020-02/msg00040.html

Opened bugs:
https://savannah.gnu.org/bugs/index.php?59408
https://savannah.gnu.org/bugs/index.php?59409

UPD:
Since Patrick Steinhardt provided argon2 support for grub, it is now possible to mount luks2 argon2 partitions. I've added his patches to this branch. To test it, do the following:

git clone https://github.com/reagentoo/grub.git
cd grub
git checkout cryptopatch_v5
git format-patch HEAD~8
git checkout argon2_v2
git format-patch --start-number 1001 HEAD~5

But I can say cryptomount decryption is still slow (about 30 seconds with an 8kb keyfile).

Related links:
https://forums.gentoo.org/viewtopic-p-8524673.html

UPD:
This repository has been moved to gitlab

A new branch was added: https://gitlab.com/reagentoo/grub/-/commits/cryptopatch_tiny/
Available options: --header | --key-file | --master-key-file

Request for merge:
https://lists.gnu.org/archive/html/grub-devel/2020-11/msg00039.html

FYI @johnlane @giddie @dkasak @xenithorb
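
The first known issue above (a GRUB build without Argon2 can only open pbkdf2 keyslots) can be checked against a volume's LUKS2 metadata before relying on it at boot. The following is an added example, not code from this thread or from the patch set; the sample JSON is constructed and the function names are hypothetical:

```python
import json

# Constructed sample, trimmed to the fields read below. Real LUKS2 metadata
# can be exported with: cryptsetup luksDump --dump-json-metadata <device-or-header>
SAMPLE_METADATA = """
{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "argon2i", "time": 4, "memory": 1048576, "cpus": 4}},
    "1": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "pbkdf2", "hash": "sha512", "iterations": 1200000}}
  }
}
"""


def classify_keyslots(metadata_json):
    """Return {slot id: (kdf type, True if the slot uses pbkdf2)}."""
    keyslots = json.loads(metadata_json).get("keyslots", {})
    result = {}
    for slot_id in sorted(keyslots, key=int):
        # A slot with no kdf object is reported as "unknown", never as usable.
        kdf_type = keyslots[slot_id].get("kdf", {}).get("type", "unknown")
        result[slot_id] = (kdf_type, kdf_type == "pbkdf2")
    return result


def has_pbkdf2_slot(metadata_json):
    """True if at least one keyslot can be opened without Argon2 support."""
    return any(ok for _, ok in classify_keyslots(metadata_json).values())


if __name__ == "__main__":
    for slot_id, (kdf_type, ok) in classify_keyslots(SAMPLE_METADATA).items():
        verdict = "pbkdf2, no Argon2 needed" if ok else "not pbkdf2"
        print(f"keyslot {slot_id}: kdf={kdf_type} ({verdict})")
    print("usable by a pbkdf2-only build:", has_pbkdf2_slot(SAMPLE_METADATA))
```

A volume is only unlockable by a pbkdf2-only bootloader if the passphrase or keyfile actually supplied at boot belongs to one of the pbkdf2 slots.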


opk12 commented Oct 1, 2022

In #25 it is mentioned that GRUB 2.12, planned for the end of 2022, supports Argon2, detached headers, keyfiles. What else do these forks have that is not in 2.12?


rnhmjoj commented Oct 1, 2022

Probably support for multiple password attempts and whole devices as keyfile.

Owner

johnlane commented Oct 4, 2022

I think whole devices as keyfile still works but the way it's specified has changed (at least according to the documentation). I don't know about the multiple password attempts but that feature was added because it was asked for when the initial patch set was reviewed. I think the main missing thing is plain mode.


opk12 commented Oct 4, 2022

(As mentioned in #25, a patch for plain mode is being worked on in the ML as of September 2022, not yet merged)

@johnlane
Owner

Thank you for your interest in these Grub crypto extensions. Your issue here has been closed now that similar features have been implemented in Grub. Please direct your query to a Grub mailing list if your issue remains relevant.

johnlane closed this as not planned on May 31, 2023