Bug#1053559: Feature: argon2id support

Fri, 06 Oct 2023 02:57:18 -0700 

Package: grub-efi-amd64-bin

Dear Maintainer,

I managed to install argon2i patches from Arch repo and it works!
But argon2 may fail on some system due to lack of memory error and
makes some systems unbootable.

In short: grub2 by default on x64 machines only allocates memory only
from first 4GB (0x10000000) physical address to avoid EFI bugs (which
are very common, when programmers EFI using 32bit register for pointers,
which as result causing EFI to crash when system sends x64 bit pointers
during IO proc calls). As result not every machines has enough (1GB continuous) memory for argon2id keys. So we need allocate memory from higher regions >4gb. I wrote a smartmem.patch (hack, since it need more work). 

You need argon_*.patch:

* https://aur.archlinux.org/packages/grub-improved-luks2-git

smartmem.patch (allow to allocate >4gb if original allocation <4gb
fails)

This is my original conversation (about smartmem.patch >4gb patch):

* https://savannah.gnu.org/bugs/index.php?64471

-- Package-specific info:

*********************** BEGIN /proc/mounts
/dev/mapper/luks / btrfs rw,noatime,ssd,discard,space_cache=v2,subvolid=5,subvol=/ 0 0 /dev/nvme0n1p2 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0 /dev/sdb1 /media/axet/4GB btrfs rw,nosuid,nodev,relatime,space_cache=v2,subvolid=5,subvol=/ 0 0 /dev/sda1 /media/axet/1TB btrfs rw,nosuid,nodev,relatime,space_cache,subvolid=5,subvol=/ 0 0 
*********************** END /proc/mounts

*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
set have_grubenv=true
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi

function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}

if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod part_gpt
insmod cryptodisk
insmod luks2
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod btrfs
cryptomount -u 9aa58ce3e29149ccaa3ceb12a9f0af1c
set root='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c' 92475bc2-c978-4f26-9e6b-7bc1dde85cd4 
else
search --no-floppy --fs-uuid --set=root 92475bc2-c978-4f26-9e6b-7bc1dde85cd4
fi
font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
set gfxmode=auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_US
insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
set timeout=30
else
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
insmod part_gpt
insmod cryptodisk
insmod luks2
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod btrfs
cryptomount -u 9aa58ce3e29149ccaa3ceb12a9f0af1c
set root='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c' 92475bc2-c978-4f26-9e6b-7bc1dde85cd4 
else
search --no-floppy --fs-uuid --set=root 92475bc2-c978-4f26-9e6b-7bc1dde85cd4
fi
insmod png
if background_image /usr/share/desktop-base/emerald-theme/grub/grub-16x9.png; then 
set color_normal=white/black
set color_highlight=black/white
else
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-92475bc2-c978-4f26-9e6b-7bc1dde85cd4' { 
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod cryptodisk
insmod luks2
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod btrfs
cryptomount -u 9aa58ce3e29149ccaa3ceb12a9f0af1c
set root='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c' 92475bc2-c978-4f26-9e6b-7bc1dde85cd4 
else
search --no-floppy --fs-uuid --set=root 92475bc2-c978-4f26-9e6b-7bc1dde85cd4
fi
echo 'Loading Linux 6.1.0-10-amd64 ...'
linux /boot/vmlinuz-6.1.0-10-amd64 root=UUID=92475bc2-c978-4f26-9e6b-7bc1dde85cd4 ro mitigations=off 
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-6.1.0-10-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-92475bc2-c978-4f26-9e6b-7bc1dde85cd4' { menuentry 'Debian GNU/Linux, with Linux 6.1.0-10-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-10-amd64-advanced-92475bc2-c978-4f26-9e6b-7bc1dde85cd4' { 
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod cryptodisk
insmod luks2
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod btrfs
cryptomount -u 9aa58ce3e29149ccaa3ceb12a9f0af1c
set root='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c' 92475bc2-c978-4f26-9e6b-7bc1dde85cd4 
else
search --no-floppy --fs-uuid --set=root 92475bc2-c978-4f26-9e6b-7bc1dde85cd4
fi
echo 'Loading Linux 6.1.0-10-amd64 ...'
linux /boot/vmlinuz-6.1.0-10-amd64 root=UUID=92475bc2-c978-4f26-9e6b-7bc1dde85cd4 ro mitigations=off 
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-6.1.0-10-amd64
}
menuentry 'Debian GNU/Linux, with Linux 6.1.0-10-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-10-amd64-recovery-92475bc2-c978-4f26-9e6b-7bc1dde85cd4' { 
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod cryptodisk
insmod luks2
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod btrfs
cryptomount -u 9aa58ce3e29149ccaa3ceb12a9f0af1c
set root='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c' 92475bc2-c978-4f26-9e6b-7bc1dde85cd4 
else
search --no-floppy --fs-uuid --set=root 92475bc2-c978-4f26-9e6b-7bc1dde85cd4
fi
echo 'Loading Linux 6.1.0-10-amd64 ...'
linux /boot/vmlinuz-6.1.0-10-amd64 root=UUID=92475bc2-c978-4f26-9e6b-7bc1dde85cd4 ro single echo 'Loading initial ramdisk ...' 
initrd /boot/initrd.img-6.1.0-10-amd64
}
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/20_memtest86+ ###
menuentry "Memory test (memtest86+x64.efi)" {
insmod part_gpt
insmod cryptodisk
insmod luks2
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod btrfs
cryptomount -u 9aa58ce3e29149ccaa3ceb12a9f0af1c
set root='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c' 92475bc2-c978-4f26-9e6b-7bc1dde85cd4 
else
search --no-floppy --fs-uuid --set=root 92475bc2-c978-4f26-9e6b-7bc1dde85cd4
fi
linuxefi /boot/memtest86+x64.efi
}
menuentry 'Memory test (memtest86+x64.efi, serial console)' {
insmod part_gpt
insmod cryptodisk
insmod luks2
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod btrfs
cryptomount -u 9aa58ce3e29149ccaa3ceb12a9f0af1c
set root='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='cryptouuid/9aa58ce3e29149ccaa3ceb12a9f0af1c' 92475bc2-c978-4f26-9e6b-7bc1dde85cd4 
else
search --no-floppy --fs-uuid --set=root 92475bc2-c978-4f26-9e6b-7bc1dde85cd4
fi
linuxefi /boot/memtest86+x64.efi console=ttyS0,115200
}
### END /etc/grub.d/20_memtest86+ ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/35_fwupd ###
### END /etc/grub.d/35_fwupd ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg
fi
### END /etc/grub.d/41_custom ###
*********************** END /boot/grub/grub.cfg

*********************** BEGIN /proc/mdstat
cat: /proc/mdstat: No such file or directory
*********************** END /proc/mdstat

*********************** BEGIN /dev/disk/by-id
total 0
lrwxrwxrwx 1 root root 9 Oct 6 11:52 ata-ST2000DM001-1CH164_Z1E267DB -> ../../sda lrwxrwxrwx 1 root root 10 Oct 6 11:53 ata-ST2000DM001-1CH164_Z1E267DB-part1 -> ../../sda1 lrwxrwxrwx 1 root root 10 Oct 6 11:52 ata-ST2000DM001-1CH164_Z1E267DB-part2 -> ../../sda2 lrwxrwxrwx 1 root root 10 Oct 6 11:52 ata-ST2000DM001-1CH164_Z1E267DB-part3 -> ../../sda3 
lrwxrwxrwx 1 root root 10 Oct 6 11:52 dm-name-luks -> ../../dm-0
lrwxrwxrwx 1 root root 10 Oct 6 11:52 dm-uuid-CRYPT-LUKS2-9aa58ce3e29149ccaa3ceb12a9f0af1c-luks -> ../../dm-0 lrwxrwxrwx 1 root root 13 Oct 6 11:52 nvme-HFM512GD3JX013N_FYA9N059910509U18 -> ../../nvme0n1 lrwxrwxrwx 1 root root 15 Oct 6 11:52 nvme-HFM512GD3JX013N_FYA9N059910509U18-part1 -> ../../nvme0n1p1 lrwxrwxrwx 1 root root 15 Oct 6 11:52 nvme-HFM512GD3JX013N_FYA9N059910509U18-part2 -> ../../nvme0n1p2 lrwxrwxrwx 1 root root 13 Oct 6 11:52 nvme-HFM512GD3JX013N_FYA9N059910509U18_1 -> ../../nvme0n1 lrwxrwxrwx 1 root root 15 Oct 6 11:52 nvme-HFM512GD3JX013N_FYA9N059910509U18_1-part1 -> ../../nvme0n1p1 lrwxrwxrwx 1 root root 15 Oct 6 11:52 nvme-HFM512GD3JX013N_FYA9N059910509U18_1-part2 -> ../../nvme0n1p2 lrwxrwxrwx 1 root root 13 Oct 6 11:52 nvme-nvme.1c5c-465941394e303539393130353039553138-48464d3531324744334a583031334e-00000001 -> ../../nvme0n1 lrwxrwxrwx 1 root root 15 Oct 6 11:52 nvme-nvme.1c5c-465941394e303539393130353039553138-48464d3531324744334a583031334e-00000001-part1 -> ../../nvme0n1p1 lrwxrwxrwx 1 root root 15 Oct 6 11:52 nvme-nvme.1c5c-465941394e303539393130353039553138-48464d3531324744334a583031334e-00000001-part2 -> ../../nvme0n1p2 lrwxrwxrwx 1 root root 9 Oct 6 11:52 usb-Generic-_Compact_Flash_058F63646476-0:1 -> ../../sdd lrwxrwxrwx 1 root root 9 Oct 6 11:52 usb-Generic-_MS_MS-Pro_058F63646476-0:3 -> ../../sdf lrwxrwxrwx 1 root root 9 Oct 6 11:52 usb-Generic-_SD_MMC_058F63646476-0:0 -> ../../sdc lrwxrwxrwx 1 root root 9 Oct 6 11:52 usb-Generic-_SM_xD-Picture_058F63646476-0:2 -> ../../sde lrwxrwxrwx 1 root root 9 Oct 6 11:52 usb-JetFlash_TS4GJF130_9a8344903070cc-0:0 -> ../../sdb lrwxrwxrwx 1 root root 10 Oct 6 11:52 usb-JetFlash_TS4GJF130_9a8344903070cc-0:0-part1 -> ../../sdb1 lrwxrwxrwx 1 root root 10 Oct 6 11:52 usb-JetFlash_TS4GJF130_9a8344903070cc-0:0-part2 -> ../../sdb2 
lrwxrwxrwx 1 root root 9 Oct 6 11:52 wwn-0x5000c5004f11d2bb -> ../../sda
lrwxrwxrwx 1 root root 10 Oct 6 11:53 wwn-0x5000c5004f11d2bb-part1 -> ../../sda1 lrwxrwxrwx 1 root root 10 Oct 6 11:52 wwn-0x5000c5004f11d2bb-part2 -> ../../sda2 lrwxrwxrwx 1 root root 10 Oct 6 11:52 wwn-0x5000c5004f11d2bb-part3 -> ../../sda3 
*********************** END /dev/disk/by-id

*********************** BEGIN /dev/disk/by-uuid
total 0
lrwxrwxrwx 1 root root 15 Oct 6 11:52 5B1D-D3A9 -> ../../nvme0n1p2
lrwxrwxrwx 1 root root 10 Oct 6 11:53 85852b85-6d99-438f-8d5a-7681c839b31f -> ../../sda1 lrwxrwxrwx 1 root root 10 Oct 6 11:52 92475bc2-c978-4f26-9e6b-7bc1dde85cd4 -> ../../dm-0 lrwxrwxrwx 1 root root 15 Oct 6 11:52 9aa58ce3-e291-49cc-aa3c-eb12a9f0af1c -> ../../nvme0n1p1 
lrwxrwxrwx 1 root root 10 Oct 6 11:52 B612-FBA7 -> ../../sda3
lrwxrwxrwx 1 root root 10 Oct 6 11:52 F997-C974 -> ../../sdb2
lrwxrwxrwx 1 root root 10 Oct 6 11:52 b727abc6-29a6-4d4c-9d6c-bd8adf440190 -> ../../sdb1 
*********************** END /dev/disk/by-uuid

-- System Information:
Debian Release: 12.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-10-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en 
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages grub-efi-amd64-bin depends on:
ii grub-common 2.06-13

Versions of packages grub-efi-amd64-bin recommends:
ii efibootmgr 17-2
pn grub-efi-amd64-signed <none>

grub-efi-amd64-bin suggests no packages.

-- debconf-show failed
Report will be sent to Debian Bug Tracking System <sub...@bugs.debian.org>


We need semi-automatic GRUB_EFI_MAX_USABLE_ADDRESS variable.

If we have enough memory from low memory segment (<4GB), then use it. If we have no memory and grub about to return out of memory error, instead crashing, why not to try allocate from upper address region (4GB+) and hope for the best?

Basically we need new allocation algorithm, grub_efi_allocate_pages_real and grub_efi_mm_add_regions should be smart to allocate from different regions low and high (when low failed).

(a) Disk routines should use memory under 4GiB either always or after failing. Some EFI disk routines fail with memory above 4 GiB. (if they are using 64bit registers as 32bit).
(b) Need to check paging map. Need to read cr3 and parse page mapping and if needed error out or add missing mapping. Some EFI don't map regions above 4 GiBs contrary to the spec.

https://savannah.gnu.org/bugs/index.php?64471

diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
index c673f43..bc9133a 100644
--- a/grub-core/kern/efi/mm.c
+++ b/grub-core/kern/efi/mm.c
@@ -658,8 +658,14 @@ grub_efi_mm_add_regions (grub_size_t required_bytes, unsigned int flags)
 			    filtered_memory_map_end,
 			    BYTES_TO_PAGES (required_bytes),
 			    flags);
-  if (err != GRUB_ERR_NONE)
-    return err;
+  if (err != GRUB_ERR_NONE) {
+    grub_efi_physical_address_t address = 0xffffffffffffULL;
+    grub_efi_boot_services_t *b = grub_efi_system_table->boot_services;
+    grub_efi_status_t status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_MAX_ADDRESS, GRUB_EFI_LOADER_DATA, BYTES_TO_PAGES (required_bytes), &address);
+    if (status != GRUB_EFI_SUCCESS)
+      return err;
+    grub_mm_init_region ((void *) ((grub_addr_t) address), required_bytes);
+  }
 
 #if 0
   /* For debug.  */

Reply via email to