This repository has been archived by the owner on May 31, 2023. It is now read-only.

Most recent, working, tested, and recommended source? #25

Closed
Shellcat-Zero opened this issue Sep 25, 2022 · 12 comments


@Shellcat-Zero

I'm having trouble getting any posted version of grub to work that features johnlane's patches. I had tried a highly updated fork from @giddie that I was able to get compiled after downgrading gcc to version 9, but it failed to install to the partition with "Decompressor is too big". I then tried the argon2_v2 fork from @reagentoo, but I got the same compilation error encountered in @giddie's branch, but downgrading gcc did not resolve it. I've been working off of an Ubuntu 22.04 live system to do the compile & grub-install. Apologies in advance if I'm missing something basic in all of this. Here is that compilation error in case it helps:

grub-core/lib/argon2/core.c: In function ‘secure_wipe_memory’:
grub-core/lib/argon2/core.c:135:5: error: implicit declaration of function ‘explicit_bzero’ [-Werror=implicit-function-declaration]
  135 |     explicit_bzero(v, n);
      |     ^~~~~~~~~~~~~~
grub-core/lib/argon2/core.c:135:5: error: nested extern declaration of ‘explicit_bzero’ [-Werror=nested-externs]
cc1: all warnings being treated as errors
make[2]: *** [Makefile:6768: grub-core/lib/argon2/libgrubkern_a-core.o] Error 1
make[2]: *** Waiting for unfinished jobs....
mv -f grub-core/lib/argon2/blake2/.deps-util/libgrubkern_a-blake2b.Tpo grub-core/lib/argon2/blake2/.deps-util/libgrubkern_a-blake2b.Po
mv -f grub-core/lib/json/.deps-util/libgrubkern_a-json.Tpo grub-core/lib/json/.deps-util/libgrubkern_a-json.Po
mv -f grub-core/lib/argon2/.deps-util/libgrubkern_a-ref.Tpo grub-core/lib/argon2/.deps-util/libgrubkern_a-ref.Po
make[2]: Leaving directory '/home/xubuntu/updgrub'
make[1]: *** [Makefile:12021: all-recursive] Error 1
make[1]: Leaving directory '/home/xubuntu/updgrub'
make: *** [Makefile:3787: all] Error 2

For giddie's fork that successfully compiled, the install command that I had run was:

./grub-install --directory=./grub-core --no-floppy --boot-directory=/mnt /dev/sdj
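
The call that fails to compile above is Argon2's wipe of key material in `secure_wipe_memory`. As an added example (not code from GRUB, the forks, or the Argon2 sources), this shows a wipe that does not depend on the C library declaring `explicit_bzero`; `portable_wipe`, `fake_derive_key` and `key_lifecycle` are hypothetical names, and the "derivation" is a constructed stand-in, not Argon2.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: zero a buffer through a volatile pointer so the
 * stores are observable side effects and are not dropped as dead stores.
 * The empty asm is a compiler barrier that treats the memory as read. */
static void portable_wipe(void *v, size_t n)
{
    volatile unsigned char *p = (volatile unsigned char *)v;
    while (n--)
        *p++ = 0;
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : : "r"(v) : "memory");
#endif
}

/* Returns 1 when every byte is zero; ORs all bytes instead of exiting early. */
static int is_all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Constructed stand-in for a KDF: passphrase-dependent bytes, NOT Argon2. */
static void fake_derive_key(const char *pass, unsigned char *out, size_t n)
{
    size_t len = strlen(pass) + 1;   /* include the NUL so len is never 0 */
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(pass[i % len] ^ (0xA5u + i));
}

/* Derive a key, use it (checksum), then wipe it before returning. */
static unsigned key_lifecycle(const char *pass, unsigned char *key, size_t n)
{
    unsigned sum = 0;
    fake_derive_key(pass, key, n);
    for (size_t i = 0; i < n; i++)
        sum += key[i];
    portable_wipe(key, n);
    return sum;
}

int main(void)
{
    unsigned char key[32];
    key_lifecycle("constructed passphrase", key, sizeof key);
    return is_all_zero(key, sizeof key) ? 0 : 1;
}
```
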
@giddie
Contributor

giddie commented Sep 26, 2022

I'm afraid I haven't updated my grub in several years 🤦 It could well be that there's been some bitrot. I assume you have no trouble compiling standard grub?

@Shellcat-Zero
Author

Shellcat-Zero commented Sep 30, 2022

That is correct @giddie. I just cloned the official repo (grub 2.11), git clone https://git.savannah.gnu.org/git/grub.git, compiled it with gcc 11 (the default gcc version), and grub-install succeeded just fine onto the flash drive.

For anyone else interested, @reagentoo has also done a lot of work on this as described in this issue for grub 2.06.

@opk12

opk12 commented Oct 1, 2022

The GRUB 2.12 release is planned for the end of 2022, with support for Argon2, detached headers, keyfiles. LUKS2 is supported since 2.06.

Sources

> I am going to release GRUB 2.12 around October 2022. I will publish
> exact dates closer to the release and at least a month before freeze date.
> If you think some features and fixes should land in the GRUB 2.12 please
> reply to this email.

Sorry for the newbie question - what else do these forks have that is not in 2.12?

@giddie
Contributor

giddie commented Oct 3, 2022

> Sorry for the newbie question - what else do these forks have that is not in 2.12?

My setup includes a LUKS-formatted keyfile that I use as a simple 2FA: I boot from a USB drive containing the keyfile. I enter a password, which unlocks the LUKS-formatted keyfile. The whole resulting device is my plaintext keyfile (just some random data), which is used to unlock /boot and load the main boot menu.

If this (or a similar 2FA mechanism to boot into an encrypted /boot) is possible upstream, then I'm happy :)

@johnlane
Owner

johnlane commented Oct 4, 2022

I have not looked at this for quite some time; I am pleased to see that it looks like it's going to make it upstream in the next release later this year. I want to say thanks to those that helped make that happen.

I haven't tried to build with the patch set in a while but it failed the last time I tried to and, unfortunately, other priorities meant that's where I left it. I'm still using this daily but will hold out for the official release.

I took a quick look at the source and documentation and I think the main feature that is not in upstream is support for plain mode. My -p option for plain mode has been replaced with one to specify a passphrase on the command-line. It looks like the support for using a device as a keyfile/header is implemented differently so there is a slight change to the syntax for that. On the upside, it looks like LUKS2 is supported.

@opk12

opk12 commented Oct 4, 2022

Ah, for plain encryption mode, there is a patch in the ML to add plainmount. It is v7 as of September 2022 here but discussed in the ML since January 2022.

@johnlane
Owner

johnlane commented Oct 5, 2022

I really don't understand why the plain mode wasn't liked. It was basically a shift of the dmcrypt code out of the luks module into the cryptodisk module (on which the luks module depends), the result being that the luks module continued working as it did but the cryptodisk module also had code that could be used in plain mode. None of the crypto code was new, it all pre-existed.
I'm not using plain mode so it doesn't really matter to me; however, it was a good win to get some extra functionality at practically no cost.

@Shellcat-Zero
Author

Does it appear that @giddie's device-as-keyfile functionality will be possible in the 2.12 release?

If anyone can provide details for compiling some working source with johnlane's patches (like maybe the gcc version used for your source), I would still greatly appreciate it as opposed to waiting for months longer to get these functionalities. All of the work done by johnlane, giddie, and reagentoo looks great and I'm sad I can't use any of it right now (and I haven't touched C/C++ in so many years that I'd never trust editing the grub source myself). If I must wait though, then I guess I will.

@giddie
Contributor

giddie commented Oct 10, 2022

@Shellcat-Zero Are you sure you need 2.12? I actually haven't got around to rebuilding my bootloader since 2.04. You could just check out an old tag and build from there?

@Shellcat-Zero
Author

@giddie that is what I am requesting actually. I've been checking out old sources but they are failing, presumably due to newer gcc.

@giddie
Contributor

giddie commented May 19, 2023

So, it turns out that Grub 2.06 (maybe even earlier?) already can use a device as a keyfile using a slightly obscure syntax. It's been added to the documentation for cryptomount on master, but works just fine in 2.06. So it seems my use case is covered by stock Grub as of 2.06 already:

loopback keyfile /path/to/keyfile.luks
cryptomount (keyfile)
cryptomount -u <BOOT-LUKS-UUID> -k (crypto0)0+

@johnlane
Owner

Support for most of the crypto features added by these patches is now in upstream (has been for some time now). I'll be archiving this fork once they are released (2.06 is still the latest; it doesn't include the new functionality).
