Follow-up Comment #17, bug#55093 (group grub):
According to
[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755
the original commit] on implementing (initial) LUKS2 support in GRUB, the
Argon2i(d) KDF's are *not* implemented because of lack of support
Follow-up Comment #16, bug#55093 (group grub):
maybe worth mentioning, there are a few working patch sets for argon support
circulating for arch, like this here:
https://gitlab.com/mattz7/pkgbuild-public
___
Reply to this item at:
Follow-up Comment #15, bug #55093 (project grub):
One thing that I haven't seen mentioned anywhere (not in the commit that added
LUKS2 support, not in ArchWiki or other places) is that not only does the
keyslot need to be PBKDF2, but it also needs to use a sha256 hash and/or the
keyslot hash has
Agreed. Especially given the fact that many out there embed keys in their
initramfs, this effectively nullifies the security benefits of a LUKS2
setup.
On Wed, Aug 2, 2023, 08:42 dllud wrote:
> Follow-up Comment #14, bug #55093 (project grub):
>
> Unfortunately I (as original submitter) am
Follow-up Comment #14, bug #55093 (project grub):
Unfortunately I (as original submitter) am unable to change the bug title.
"Add full LUKS2 support" would indeed be a proper title. If a maintainer comes
by, please change the title.
Argon2i and Argon2id (memory-hard functions for key derivation)
Follow-up Comment #13, bug #55093 (project grub):
Maybe this bug report could be renamed to something like "Add full LUKS2
support", or "Add complete LUKS2 support".
Denis.
___
Reply to this item at:
Follow-up Comment #12, bug #55093 (project grub):
[comment #11 comment #11:]
> comment #10
> > It seems that LUKS2 support has been implemented
> No it is not. Current version is limited to support LUKS2 with PBKDF2 (see
grub-core/disk/luks2.c 461)
> > case LUKS2_KDF_TYPE_ARGON2I:
> > ret =
Follow-up Comment #11, bug #55093 (project grub):
Found the package https://aur.archlinux.org/packages/grub-improved-luks2-git
in the AUR. There are patches for the master branch that add the necessary
algorithms, Argon2i and Argon2id.
Tried the latest version from 2023-02-09 and... it works!
Follow-up Comment #10, bug #55093 (project grub):
It seems that LUKS2 support has been implemented, but there also seems to be
bugs in the implementation
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945404). My suggestion is
to close this bug and open a new one to address the new bugs
Follow-up Comment #9, bug #55093 (project grub):
365e0cc3e7e44151c14dd29514c2f870b49f9755 did not update
grub_util_get_dm_abstraction() in grub-core/osdep/devmapper/getroot.c, so
"grub-probe -t abstraction" will still not recognize LUKS2 volumes, leading to
e.g. this Debian bug
Follow-up Comment #8, bug #55093 (project grub):
[comment #5 comment #5:]
> Yay, this is implemented in
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755
Awesome! Thanks to everyone involved in getting this implemented!
Follow-up Comment #7, bug #55093 (project grub):
So far we've had 2.00, 2.02, 2.4, so based on this trend I would expect it to
appear in a 2.06 release.
I've got no ideas about the developers' expected release timeframe, though.
___
Reply
Follow-up Comment #5, bug #55093 (project grub):
Yay, this is implemented in
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755
___
Reply to this item at:
Follow-up Comment #4, bug #55093 (project grub):
Thanks for the heads-up Graaskaeg! And thanks to Patrick Steinhardt for
putting in the effort. Much appreciated.
It's a pity that Argon2i support is still missing. Hopefully Patrick can have
a go at it once this major and necessary step is
Follow-up Comment #2, bug #55093 (project grub):
For the crucial piece of infrastructure that Grub is to many distributions,
this should have a higher priority. Not having LUKS2 support is increasingly
going to reflect bad on Grub and GNU otherwise. (I know that cryptsetup isn't
a GNU project,
Follow-up Comment #1, bug #55093 (project grub):
I second this request. Since cryptsetup now defaults to LUKS2 on all major
distributions, the current setup of full-disk encryption with
Calamares/cryptsetup/GRUB fails/breaks on all major distributions due to lack
of LUKS2 support by GRUB.
Please
16 matches
Mail list logo