
GNU GRUB - Bugs: bug #55093, Add LUKS2 support

 
 


bug #55093: Add LUKS2 support

Submitter: dllud <dllud>
Submitted: Sun 25 Nov 2018 01:32:49 PM UTC
Votes: 1628

Category: Security
Severity: Major
Priority: 5 - Normal
Item Group: Feature Request
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Open/Closed: Open
Release: Git master
Reproducibility: None
Planned Release: None

Discussion


Tue 25 Jun 2024 11:58:06 AM UTC, comment #19: 

Raphaël, that particular patchset was sent upstream several times now.
It has not been merged because it brings its own implementation of Argon2. The maintainers would rather keep all hash functions coming from libgcrypt.

As MeganerdNL mentioned, Argon2 is already implemented in libgcrypt. The issue though, is that GRUB is pinned to an old version of libgcrypt (1.5.3?). Updating to a new version seems to be a large undertaking.

There is some hope, though, as a patch series to update libgcrypt to 1.10.3 was sent in May. Let's hope it gets the deserved attention.

dllud <dllud>
Mon 24 Jun 2024 02:52:31 PM UTC, comment #18: 

Dear Grub developers:

There is a patchset at https://aur.archlinux.org/packages/grub-improved-luks2-git mentioned last year.

This is
- an essential feature
- ... resolving the main weakness in today's Linux encryption ecosystem
- requested since 2018
- for which a patch exists and is used by some distributions (since ~2022 AFAICT): Arch, Manjaro, Gentoo


But it still fails to find its way into an official release. Why?


For ref
- https://leo3418.github.io/collections/gentoo-config-luks2-grub-systemd/packages.html
- https://unix.stackexchange.com/a/753903/160185

Raphaël Droz <drzraf>
Sun 18 Feb 2024 10:25:10 AM UTC, comment #17: 

According to the original commit on implementing (initial) LUKS2 support in GRUB, the Argon2i(d) KDFs are not implemented because of lack of support in the libcrypt library. So it seems to me, the real 'problem' is this library.

Isn't it already implemented though?

Or what (else) is holding it back right now?

MeganerdNL <meganerdnl>
Mon 25 Dec 2023 11:58:05 AM UTC, comment #16: 

maybe worth mentioning, there are a few working patch sets for argon support circulating for arch, like this here:
https://gitlab.com/mattz7/pkgbuild-public

akallabeth <akallabeth>
Mon 27 Nov 2023 12:29:15 AM UTC, comment #15: 

One thing that I haven't seen mentioned anywhere (not in the commit that added LUKS2 support, not in ArchWiki or other places) is that not only does the keyslot need to be PBKDF2, but it also needs to use a sha256 hash and/or the keyslot hash has to be equal to the AF hash. Keyslot=sha512, AF=sha256 didn't work. I didn't try with both as sha256, but someone reported it worked for them: https://wiki.archlinux.org/title/Talk:GRUB#LUKS2_in_2.12rc1

When I tried converting to LUKS1 with "cryptsetup convert", cryptsetup also refused to convert as it said the keyslot parameters were incompatible, but didn't say which parameter exactly. I went and read the cryptsetup source and found that it requires that the keyslot hash equals the AF hash. So after I changed the keyslot to sha256 to be the same as the AF, I could convert to LUKS1 and could boot from it. This was with grub 2.06-13+deb12u1. I didn't try LUKS2 with sha256 and this grub version yet.

Jernej Jakob <jjakob>
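A check for the constraint described in the comment above, as an added example that is not code from the bug thread, from GRUB or from cryptsetup. It reads the JSON header that `cryptsetup luksDump --dump-json-metadata <device>` prints and reports, per keyslot, whether the KDF is PBKDF2 and whether the keyslot (PBKDF2) hash equals the AF hash. The PBKDF2-only rule is what the luks2.c snippet quoted later in this thread enforces; the sha256 and hash-equality rules are the commenter's empirical finding and cryptsetup's `convert` requirement, so the example treats them as working assumptions. The embedded metadata is constructed for the example (salts shortened, only the `keyslots` object populated); the `luksConvertKey` command it suggests uses real cryptsetup options, but whether the AF hash follows the new `--hash` is not something the thread establishes, so the check should be re-run after converting.

```python
"""Report which LUKS2 keyslots a GRUB without Argon2 support can unlock.

Added example, not code from GRUB or cryptsetup. Input is the JSON that
`cryptsetup luksDump --dump-json-metadata <device>` prints; the sample
below is constructed (salts truncated) to mirror the cases in comment #15.
"""
import json
import subprocess
import sys

GRUB_KDF = "pbkdf2"   # upstream luks2.c errors out on argon2i/argon2id
GRUB_HASH = "sha256"  # the hash reported to boot in the thread (assumption for others)

# Constructed metadata: slot 0 is the cryptsetup default (argon2id),
# slot 1 is the failing case from the comment (pbkdf2/sha512 over an
# sha256 anti-forensic splitter), slot 2 is the case reported to boot.
SAMPLE_METADATA = json.loads("""
{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64,
          "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
          "area": {"type": "raw", "offset": "32768", "size": "258048",
                   "encryption": "aes-xts-plain64", "key_size": 64},
          "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                  "cpus": 4, "salt": "c29tZXNhbHQ="}},
    "1": {"type": "luks2", "key_size": 64,
          "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
          "area": {"type": "raw", "offset": "290816", "size": "258048",
                   "encryption": "aes-xts-plain64", "key_size": 64},
          "kdf": {"type": "pbkdf2", "hash": "sha512", "iterations": 1000000,
                  "salt": "c29tZXNhbHQ="}},
    "2": {"type": "luks2", "key_size": 64,
          "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
          "area": {"type": "raw", "offset": "548864", "size": "258048",
                   "encryption": "aes-xts-plain64", "key_size": 64},
          "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000,
                  "salt": "c29tZXNhbHQ="}}
  },
  "tokens": {}, "segments": {}, "digests": {}, "config": {}
}
""")


def keyslot_problems(slot):
    """Return the reasons this keyslot cannot be opened by GRUB (empty list = usable)."""
    kdf = slot.get("kdf", {})
    af = slot.get("af", {})
    problems = []
    if kdf.get("type") != GRUB_KDF:
        problems.append(f"kdf type {kdf.get('type')!r}; GRUB only implements {GRUB_KDF}")
        return problems  # the hash checks only apply to pbkdf2 slots
    if kdf.get("hash") != GRUB_HASH:
        problems.append(f"kdf hash {kdf.get('hash')!r}; only {GRUB_HASH} is reported to work")
    if kdf.get("hash") != af.get("hash"):
        problems.append(f"kdf hash {kdf.get('hash')!r} differs from AF hash {af.get('hash')!r}")
    return problems


def check_metadata(metadata):
    """Map keyslot id -> list of problems, for every keyslot in the header."""
    return {slot_id: keyslot_problems(slot)
            for slot_id, slot in metadata["keyslots"].items()}


def grub_usable_slots(metadata):
    """Ids of keyslots that pass every check."""
    return sorted(slot_id for slot_id, probs in check_metadata(metadata).items() if not probs)


def convert_command(device, slot_id):
    """cryptsetup invocation that rewrites one keyslot to PBKDF2/sha256.

    The options are real cryptsetup ones; the passphrase is prompted for.
    Whether the AF hash follows --hash is an assumption: re-run the check after."""
    return ["cryptsetup", "luksConvertKey", "--key-slot", str(slot_id),
            "--pbkdf", GRUB_KDF, "--hash", GRUB_HASH, device]


def load_device_metadata(device):
    """Fetch the live header from a device (needs root; not used by the sample run)."""
    out = subprocess.run(["cryptsetup", "luksDump", "--dump-json-metadata", device],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    device = sys.argv[1] if len(sys.argv) > 1 else None
    metadata = load_device_metadata(device) if device else SAMPLE_METADATA
    for slot_id, probs in check_metadata(metadata).items():
        print(f"keyslot {slot_id}: {'OK' if not probs else '; '.join(probs)}")
        if probs:
            print("  fix: " + " ".join(convert_command(device or "/dev/sdXn", slot_id)))
```

Run without arguments to see the three constructed cases; pass a block device (as root) to check a real header. Converting every slot to PBKDF2 also satisfies the precondition for `cryptsetup convert --type luks1`, but it gives up the memory-hard KDF this bug is asking GRUB to support.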
Wed 02 Aug 2023 01:42:04 PM UTC, comment #14: 

Unfortunately I (as original submitter) am unable to change the bug title. "Add full LUKS2 support" would indeed be a proper title. If a maintainer comes by, please change the title.

Argon2i and Argon2id (memory-hard functions for key derivation) are one of the two major advantages of LUKS2, as mentioned when this bug was opened. Without them I don't see how it could be marked as closed.

I hope the maintainers can find some time to port the patches.

dllud <dllud>
Wed 02 Aug 2023 12:40:21 PM UTC, comment #13: 

Maybe this bug report could be renamed to something like "Add full LUKS2 support", or "Add complete LUKS2 support".

Denis.

GNUtoo <gnutoo>
Sat 29 Jul 2023 01:42:43 AM UTC, comment #12: 

comment #11:

> comment #10
> > It seems that LUKS2 support has been implemented
> No it is not. Current version is limited to support LUKS2 with PBKDF2 (see grub-core/disk/luks2.c 461)
> > case LUKS2_KDF_TYPE_ARGON2I:
> > ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
>
> > My suggestion is to close this bug and open a new one to address the new bugs
> Why create an additional page if the errors in this one are still not fully resolved?


Argon2ID is the default for LUKS2. It supports pbkdf2 for backwards compatibility, but that's it. It's pretty widely asserted that GRUB2 either does not, or has very limited support for LUKS2. Without Argon2ID support, GRUB2 can't be considered to have proper LUKS2 support. That's like saying that you serve sodas, but don't have the ability to serve it carbonated. That's just syrup and water.

Friendly jokes aside, this shouldn't be closed until LUKS2 support is completed.

As Medoo pointed out, there are patches out that have taken upon themselves to introduce proper support, including the AUR package they referenced (grub-improved-luks2-git). It may not be difficult to port these in.

Joseph Dalrymple <swivel>
Sun 12 Feb 2023 12:54:20 PM UTC, comment #11: 

Found the package https://aur.archlinux.org/packages/grub-improved-luks2-git in the AUR. There are patches for the master branch that add the necessary algorithms, Argon2i and Argon2id.
Tried the latest version from 2023-02-09 and... it works!
Only noticed one problem: password is requested twice. But this behavior may be due to some error in my configuration.

comment #10

> It seems that LUKS2 support has been implemented

No it is not. Current version is limited to support LUKS2 with PBKDF2 (see grub-core/disk/luks2.c 461)

> case LUKS2_KDF_TYPE_ARGON2I:
> ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");


> My suggestion is to close this bug and open a new one to address the new bugs

Why create an additional page if the errors in this one are still not fully resolved?

Medoo <medoo>
Sun 16 Jan 2022 06:32:39 PM UTC, comment #10: 

It seems that LUKS2 support has been implemented, but there also seems to be bugs in the implementation (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945404). My suggestion is to close this bug and open a new one to address the new bugs

Peter Willis <peterww>
Wed 12 Aug 2020 10:51:01 AM UTC, comment #9: 

365e0cc3e7e44151c14dd29514c2f870b49f9755 did not update grub_util_get_dm_abstraction() in grub-core/osdep/devmapper/getroot.c, so "grub-probe -t abstraction" will still not recognize LUKS2 volumes, leading to e.g. this Debian bug.

Gabor Gombas <gombasg>
Fri 10 Jan 2020 07:05:13 PM UTC, comment #8: 

comment #5:

> Yay, this is implemented in https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755


Awesome! Thanks to everyone involved in getting this implemented!

nickb
Fri 10 Jan 2020 05:11:01 PM UTC, comment #7: 

So far we've had 2.00, 2.02, 2.4, so based on this trend I would expect it to appear in a 2.06 release.

I've got no ideas about the developers' expected release timeframe, though.

Eli Schwartz <eschwartz>
Fri 10 Jan 2020 04:47:54 PM UTC, comment #6: 

Great news! Any idea about which GRUB version will include that patch, as well as the approximate release date of such version?

dllud <dllud>
Fri 10 Jan 2020 02:49:08 PM UTC, comment #5: 
Eli Schwartz <eschwartz>
Mon 04 Nov 2019 09:41:02 PM UTC, comment #4: 

Thanks for the heads-up Graaskaeg! And thanks to Patrick Steinhardt for putting in the effort. Much appreciated.

It's a pity that Argon2i support is still missing. Hopefully Patrick can have a go at it once this major and necessary step is completed.

dllud <dllud>
Mon 04 Nov 2019 09:07:11 PM UTC, comment #3: 

For those following this bug, there looks to be good news on the GRUB-devel mailing list.

https://lists.gnu.org/archive/html/grub-devel/2019-11/msg00000.html

Patrick Steinhardt has prepared some patches to support LUKS2 disc encryption.

Thank you Patrick.

Graaskaeg

Pontus Gråskæg <graaskaegp>
Wed 29 May 2019 08:43:03 PM UTC, comment #2: 

For the crucial piece of infrastructure that Grub is to many distributions, this should have a higher priority. Not having LUKS2 support is increasingly going to reflect badly on Grub and GNU otherwise. (I know that cryptsetup isn't a GNU project, but it is licensed under GPL. And it is the only GPL-ed disk-encryption, LUKS is a gold standard.)

Peter Passchier <pepa65>
Fri 29 Mar 2019 08:58:21 AM UTC, comment #1: 

I second this request. Since cryptsetup now defaults to LUKS2 on all major distributions, the current setup of full-disk encryption with Calamares/cryptsetup/GRUB fails/breaks on all major distributions due to lack of LUKS2 support by GRUB.

Please add LUKS2 support to GRUB. Thank you.

Reference:
https://gitlab.com/cryptsetup/cryptsetup/blob/master/docs/v2.1.0-ReleaseNotes
https://github.com/calamares/calamares/issues/1096
https://github.com/calamares/calamares/issues/1099


João Sousa <jotapesse>
Sun 25 Nov 2018 01:32:49 PM UTC, original submission:  

The LUKS2 format brings several advantages over the original LUKS format. Some of the most important are (1) data integrity protection and (2) memory-hard functions for key derivation.

GRUB supports the original LUKS format, allowing the setup of full-disk encryption (FDE) schemes where GRUB decrypts an encrypted /boot partition.
Adding support for LUKS2 on GRUB would improve the security of these FDE schemes, especially due to the two new LUKS2 advantages mentioned above.

I found several references online (Arch Wiki, Stackoverflow, etc.) to the lack of LUKS2 support on GRUB. I decided to open this feature request since I could find no mention of LUKS2 on both the bug tracker and the mailing lists.

dllud <dllud>

 

Attached Files


No files currently attached

 

Dependencies

Depends on the following items: None found

Items that depend on this one: None found

 


Votes

There are 1628 votes so far.

     
