On Sun, Nov 05, 2023 at 01:40:57AM -0500, Oskari Pirhonen wrote:
> On Tue, Oct 31, 2023 at 14:57:58 +0100, Daniel Kiper wrote:
> > Adding a few folks who were working on this...
> >
> > On Tue, Oct 31, 2023 at 11:39:36AM +0000, Leah Rowe via Grub-devel wrote:
> > > i'm not sure if the grub devs have seen this or not. anyway, see
> > > attached patches. i didn't make these myself but i'm sending them here.
> > > it's the PHC (password hash competition) implementation of argon2,
> > > adapted for the grub source code. i've been using this in libreboot and
> > > it works very well, allows use of cryptomount on modern LUKS2 with
> > > argon2 key deriv, so you don't need to downgrade to luks1 or pbkdf2
> > > anymore. i wrote about it here: https://libreboot.org/news/argon2.html
> > >
> > > one thing to note is that though the code is free software, it's a
> > > permissive non-copyleft license; i still think grub should make use of
> > > it, regardless. grub has lacked argon2 for years now, and re-writing it
> > > will probably be a lot of wasted effort if the phc one works.
> > >
> > > the phc implementation was originally adapted by someone named Axel, to
> > > the archlinux aur for grub 2.06:
> > > https://aur.archlinux.org/cgit/aur.git/tree/?h=grub-improved-luks2-git&id=1c7932d90f1f62d0fd5485c5eb8ad79fa4c2f50d
> > >
> > > nicholas johnson (https://nicholasjohnson.ch/) contacted me telling me
> > > he'd re-adapted the code for grub 2.12, on top of the rc1 tag. i then
> > > started using it in libreboot's grub.
> > >
> > > it would be nice if this could make it into the grub 2.12 release! the
> > > patches are attached.
> > >
> > > PS: the original PHC code is here:
> > > https://github.com/P-H-C/phc-winner-argon2
> >
> > It seems to me this is based on Patrick Steinhardt's work. AFAICT Patrick
> > is going to repost a new version of the patch set after the release. So,
> > I hope it will be included in the GRUB 2.14. We are not able to take this
> > patch set into the upcoming release at this stage of development. Sorry
> > about that...
> >
>
> Patrick also mentioned that he'd prefer it if the bundled gcrypt was
> updated to a version with Argon2 support rather than adapting the
> reference implementation, but that it is "a _major_ effort". [1]
>
> - Oskari
>
> [1]: https://lore.kernel.org/grub-devel/Y3xs82f11kZSSi5I@ncase/

Indeed. I had several tries at updating the vendored libgcrypt, but
doing this is quite a frustrating experience to say the least. Every
time I started I eventually gave up.

So in the end I'm of two minds: yes, it would be great to pull in Argon2
via an updated libgcrypt instead of using the reference implementation.
But to be frank, I do not feel like I have the time or the motivation to
do the update myself given that it is such a huge task. So in the end,
we may just be pragmatic and use the reference implementation for the
time being until somebody steps up and does the update of libgcrypt.

I also wouldn't mind if somebody else wants to step up and build on top
of the work that I already did, but in that case I'd appreciate a
"Based-on-patch-by:" trailer in the commits. But if nobody does, and if
Daniel thinks that the reference implementation is okay for now, then I
will resubmit the patches once GRUB 2.12 is out of the door.

Patrick