[bug #55093] Add LUKS2 support

2024-02-18 Thread MeganerdNL
Follow-up Comment #17, bug#55093 (group grub):

According to
[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755
the original commit] on implementing (initial) LUKS2 support in GRUB, the
Argon2i(d) KDFs are *not* implemented because of lack of support in the
[https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git libgcrypt] library.
So it seems to me, the real 'problem' is _this_ library.

Isn't it
[https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=4cbbd87e2af00c7b3f0236a56f12bd51e9295816
already implemented] though?

Or what (else) is holding it back right now?


___

Reply to this item at:

  

___
Message sent via Savannah
https://savannah.gnu.org/




[bug #55093] Add LUKS2 support

2023-12-25 Thread akallabeth
Follow-up Comment #16, bug#55093 (group grub):

Maybe worth mentioning, there are a few working patch sets for argon support
circulating for arch, like this here:
https://gitlab.com/mattz7/pkgbuild-public






[bug #55093] Add LUKS2 support

2023-11-26 Thread Jernej Jakob
Follow-up Comment #15, bug #55093 (project grub):

One thing that I haven't seen mentioned anywhere (not in the commit that added
LUKS2 support, not in ArchWiki or other places) is that not only does the
keyslot need to be PBKDF2, but it also needs to use a sha256 hash and/or the
keyslot hash has to be equal to the AF hash. Keyslot=sha512, AF=sha256 didn't
work. I didn't try with both as sha256, but someone reported it worked for
them: https://wiki.archlinux.org/title/Talk:GRUB#LUKS2_in_2.12rc1

When I tried converting to LUKS1 with "cryptsetup convert", cryptsetup also
refused to convert as it said the keyslot parameters were incompatible, but
didn't say which parameter exactly. I went and read the cryptsetup source and
found that it requires that the keyslot hash equals the AF hash. So after I
changed the keyslot to sha256 to be the same as the AF, I could convert to
LUKS1 and could boot from it. This was with grub 2.06-13+deb12u1. I didn't try
LUKS2 with sha256 and this grub version yet.


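The keyslot conditions reported in comment #15 (PBKDF2 as the KDF, and the keyslot hash equal to the AF hash) can be checked against a volume's LUKS2 JSON metadata before relying on GRUB to unlock it. The following is an added example, not code from the thread, GRUB or cryptsetup; the sample metadata is constructed, the function names are hypothetical, and the rule it encodes is the behaviour reported in this thread rather than a documented GRUB guarantee.

```python
import json

# Constructed LUKS2 metadata fragment in the shape printed by
# `cryptsetup luksDump --dump-json-metadata`; all values are made up.
SAMPLE_METADATA = json.loads("""
{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64,
          "af":  {"type": "luks1", "stripes": 4000, "hash": "sha256"},
          "kdf": {"type": "pbkdf2", "hash": "sha512", "iterations": 1000000}},
    "1": {"type": "luks2", "key_size": 64,
          "af":  {"type": "luks1", "stripes": 4000, "hash": "sha256"},
          "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4}},
    "2": {"type": "luks2", "key_size": 64,
          "af":  {"type": "luks1", "stripes": 4000, "hash": "sha256"},
          "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000}}
  }
}
""")


def keyslot_findings(metadata):
    """Return {slot_id: [reasons]}; an empty list means no mismatch was found."""
    findings = {}
    for slot_id, slot in sorted(metadata.get("keyslots", {}).items()):
        reasons = []
        kdf = slot.get("kdf", {})
        af_hash = slot.get("af", {}).get("hash")
        if kdf.get("type") != "pbkdf2":
            # Thread: GRUB's luks2.c rejects Argon2 keyslots ("Argon2 not supported").
            reasons.append(f"kdf is {kdf.get('type')}, not pbkdf2")
        elif kdf.get("hash") != af_hash:
            # Comment #15: keyslot=sha512 with AF=sha256 did not work.
            reasons.append(f"kdf hash {kdf.get('hash')} != af hash {af_hash}")
        findings[slot_id] = reasons
    return findings


def usable_slots(metadata):
    """Slot ids that meet both conditions reported in the thread."""
    return [s for s, reasons in keyslot_findings(metadata).items() if not reasons]


if __name__ == "__main__":
    for slot, reasons in keyslot_findings(SAMPLE_METADATA).items():
        print(slot, "ok" if not reasons else "; ".join(reasons))
```

On a real volume, the input would be the JSON printed by `cryptsetup luksDump --dump-json-metadata <device>`, assuming the installed cryptsetup provides that option.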




Re: [bug #55093] Add LUKS2 support

2023-08-04 Thread Dalrymple, Joseph
Agreed. Especially given the fact that many out there embed keys in their
initramfs, this effectively nullifies the security benefits of a LUKS2
setup.

On Wed, Aug 2, 2023, 08:42 dllud wrote:

> Follow-up Comment #14, bug #55093 (project grub):
>
> Unfortunately I (as original submitter) am unable to change the bug title.
> "Add full LUKS2 support" would indeed be a proper title. If a maintainer comes
> by, please change the title.
>
> Argon2i and Argon2id (memory-hard functions for key derivation) are one of the
> two major advantages of LUKS2, as mentioned when this bug was opened. Without
> them I don't see how it could be marked as closed.
>
> I hope the maintainers can find some time to port the patches.


[bug #55093] Add LUKS2 support

2023-08-02 Thread dllud
Follow-up Comment #14, bug #55093 (project grub):

Unfortunately I (as original submitter) am unable to change the bug title.
"Add full LUKS2 support" would indeed be a proper title. If a maintainer comes
by, please change the title.

Argon2i and Argon2id (memory-hard functions for key derivation) are one of the
two major advantages of LUKS2, as mentioned when this bug was opened. Without
them I don't see how it could be marked as closed.

I hope the maintainers can find some time to port the patches.






[bug #55093] Add LUKS2 support

2023-08-02 Thread GNUtoo
Follow-up Comment #13, bug #55093 (project grub):

Maybe this bug report could be renamed to something like "Add full LUKS2
support", or "Add complete LUKS2 support".

Denis.






[bug #55093] Add LUKS2 support

2023-07-28 Thread Joseph Dalrymple
Follow-up Comment #12, bug #55093 (project grub):

[comment #11 comment #11:]

> comment #10
> > It seems that LUKS2 support has been implemented
> No it is not. Current version is limited to support LUKS2 with PBKDF2 (see
> grub-core/disk/luks2.c 461)
> > case LUKS2_KDF_TYPE_ARGON2I:
> > ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
> 
> > My suggestion is to close this bug and open a new one to address the new
> > bugs
> Why create an additional page if the errors in this one are still not fully
> resolved?

Argon2ID is the default for LUKS2. It supports pbkdf2 for backwards
compatibility, but that's it. It's pretty widely asserted that GRUB2 either
does not, or has *very limited* support for LUKS2. Without Argon2ID support,
GRUB2 can't be considered to have proper LUKS2 support. That's like
saying that you serve sodas, but don't have the ability to serve it
carbonated. That's just syrup and water.

Friendly jokes aside, this shouldn't be closed until LUKS2 support is
completed.

As Medoo pointed out, there are patches out that have taken it upon themselves to
introduce proper support, including the AUR package they referenced
(grub-improved-luks2-git). It may not be difficult to port these in.






[bug #55093] Add LUKS2 support

2023-02-12 Thread Medoo
Follow-up Comment #11, bug #55093 (project grub):

Found the package https://aur.archlinux.org/packages/grub-improved-luks2-git
in the AUR. There are patches for the master branch that add the necessary
algorithms, Argon2i and Argon2id.
Tried the latest version from 2023-02-09 and... it works!
Only noticed one problem: password is requested twice. But this behavior may
be due to some error in my configuration.

comment #10
> It seems that LUKS2 support has been implemented
No it is not. Current version is limited to support LUKS2 with PBKDF2 (see
grub-core/disk/luks2.c 461)
> case LUKS2_KDF_TYPE_ARGON2I:
> ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");

> My suggestion is to close this bug and open a new one to address the new
> bugs
Why create an additional page if the errors in this one are still not fully
resolved?






[bug #55093] Add LUKS2 support

2022-01-16 Thread Peter Willis
Follow-up Comment #10, bug #55093 (project grub):

It seems that LUKS2 support has been implemented, but there also seem to be
bugs in the implementation
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945404). My suggestion is
to close this bug and open a new one to address the new bugs





[bug #55093] Add LUKS2 support

2020-08-12 Thread Gabor Gombas
Follow-up Comment #9, bug #55093 (project grub):

365e0cc3e7e44151c14dd29514c2f870b49f9755 did not update
grub_util_get_dm_abstraction() in grub-core/osdep/devmapper/getroot.c, so
"grub-probe -t abstraction" will still not recognize LUKS2 volumes, leading to
e.g. this Debian bug
.





[bug #55093] Add LUKS2 support

2020-01-10 Thread INVALID.NOREPLY
Follow-up Comment #8, bug #55093 (project grub):

[comment #5 comment #5:]
> Yay, this is implemented in
> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755

Awesome! Thanks to everyone involved in getting this implemented!





[bug #55093] Add LUKS2 support

2020-01-10 Thread Eli Schwartz
Follow-up Comment #7, bug #55093 (project grub):

So far we've had 2.00, 2.02, 2.4, so based on this trend I would expect it to
appear in a 2.06 release.

I've got no ideas about the developers' expected release timeframe, though.





[bug #55093] Add LUKS2 support

2020-01-10 Thread Eli Schwartz
Follow-up Comment #5, bug #55093 (project grub):

Yay, this is implemented in
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755





[bug #55093] Add LUKS2 support

2019-11-04 Thread dllud
Follow-up Comment #4, bug #55093 (project grub):

Thanks for the heads-up Graaskaeg! And thanks to Patrick Steinhardt for
putting in the effort. Much appreciated.

It's a pity that Argon2i support is still missing. Hopefully Patrick can have
a go at it once this major and necessary step is completed.





[bug #55093] Add LUKS2 support

2019-05-29 Thread Peter Passchier
Follow-up Comment #2, bug #55093 (project grub):

For the crucial piece of infrastructure that Grub is to many distributions,
this should have a higher priority. Not having LUKS2 support is increasingly
going to reflect badly on Grub and GNU otherwise. (I know that cryptsetup isn't
a GNU project, but it is licensed under GPL. And it is the only GPL-ed
disk-encryption, LUKS is a gold standard.)



___
Bug-grub mailing list
Bug-grub@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-grub


[bug #55093] Add LUKS2 support

2019-03-29 Thread João Sousa
Follow-up Comment #1, bug #55093 (project grub):

I second this request. Since cryptsetup now defaults to LUKS2 on all major
distributions, the current setup of full-disk encryption with
Calamares/cryptsetup/GRUB fails/breaks on all major distributions due to lack
of LUKS2 support by GRUB.

Please add LUKS2 support to GRUB. Thank you.

Reference:
https://gitlab.com/cryptsetup/cryptsetup/blob/master/docs/v2.1.0-ReleaseNotes
https://github.com/calamares/calamares/issues/1096
https://github.com/calamares/calamares/issues/1099


