Package Details: grub-git 2.06.rc1.r0.ga53e530f8-1

Git Clone URL: https://aur.archlinux.org/grub-git.git (read-only, click to copy)
Package Base: grub-git
Description: GNU GRand Unified Bootloader (2)
Upstream URL: https://www.gnu.org/software/grub/
Licenses: GPL3
Conflicts: grub
Provides: grub
Submitter: ridikulusrat
Maintainer: WoefulDerelict
Last Packager: WoefulDerelict
Votes: 15
Popularity: 0.88
First Submitted: 2013-10-22 18:55
Last Updated: 2021-03-25 00:55

Dependencies (20)

Required by (122)

Sources (6)

Latest Comments

1 2 3 4 5 6 ... Next › Last »

dani0854 commented on 2021-04-30 15:52

I am trying to setup lvm on luks2 with boot inside lvm.

NAME                 FSTYPE       FSVER      FSAVAIL    FSUSE%  MOUNTPOINT
nvme0n1
├─nvme0n1p1          vfat         FAT32      510.7M     0%      /mnt/efi
└─nvme0n1p2          crypto_LUKS  2
  └─cryptlvm         LVM2_member  LVM2 001
    ├─ArchNVMe-swap  swap         1                             [SWAP]
    ├─ArchNVMe-root  ext4         1.0        27G        8%      /mnt
    └─ArchNVMe-home  ext4         1.0        395.5G     0%      /mnt/home

cryptomount works, and ls in grub rescue shows all the volumes, but it can't identify their filesystem (error: unknown filesystem), including ArchNVMe-root and nvme0n1p2. On wiki it says that it can happen if BIOS boot partition outside of the first 2TiB. But I didn't create BIOS boot partition because it also says that UEFI systems don't need one. Anyone has seen errors like that? Thanks in advance.

EDIT: I have tried with BIOS boot partition, it didn't change anything, still getting that error.

EDIT2: The issue was that I didn't install ext2 module

air-g4p commented on 2021-04-20 15:37

@rushaur - You're welcome, but thank you for testing the with and without 'crypto modules' cases, both without the modified grub-mkimage script!

No surprises here, but now we know for a for a fact that having the correct grub-install --modules="...." statement AND a correct grub-mkimage script (both adapted for each user's system) are mandatory for successful LUKS2 /boot unlocking!

Hopefully, this will save others wasting time speculating and to immediately begin efficiently implementing the correct grub 2.06 LUKS2 encrypted /boot upgrade procedure as documented below.

Cheers!

trumee commented on 2021-04-20 03:47

Anybody used this with ZFS (ZFS on LUKS), with /boot in the pool or outside the pool?

rushaur commented on 2021-04-20 00:35

@air-g4p: I tested in a VM and here my results so far:
grub-install without --modules=".." and without auto unlock script --> grub rescue.

grub-install with --modules=".." and without auto unlock script --> grub rescue.

grub-install with --modules=".." and with auto unlock script --> success!

So, seems both are required for grub 2.06-rc to successfully unlock a LUKS2 container. Thanks for your reply and your effort!

air-g4p commented on 2021-04-19 15:09

@rushaur: I am not sure, because I have not tested grub-install under grub 2.06 without adding the modules.

You are correct that 2.06 does not yet support Argon2. In fact, a grub developer told me, today, he is actively working on this problem, but that Argon2 support will not become available until a subsequent version is released.

I do KNOW the modules="...." were required under grub-git - and the cryptographic modules I listed (specific for my system) were very likely also required for successful grub 2.06 installation, thereby enabling support for grub's subsequent encrypted LUKS2 /boot (Keyslot 1) unlocking.

As you may know, once grub unlocks Keyslot 1 (encrypted /boot), initramfs and the kernel then unlock Keyslot 0 (your LUKS2 encrypted / and any underlying LVs).

If you want to answer your own query, please have a go and document your results for the benefit of others.

Cheers

rushaur commented on 2021-04-19 12:00

@air-g4p: With grub 2.06 is it really required to include/specify the modules to unlock a LUKS2 container? If grub 2.06 "supports" LUKS2, doesn't this "support" include auto detection of the modules? I thought, the only thing that is not yet supported is argon2. I might be confusing something :-)

air-g4p commented on 2021-04-17 17:40

As a heads up to all who are interested in native grub LUKS2 automated encrypted /boot, /, and swap unlocking:

grub 2:2.06rc1-1 - is now available from the Arch TESTING repo - and 2.06 DOES support native LUKS2 unlocking. I know that because I am using it to boot from both my LUKS2 laptops.

If that is the package you want, this is the correct upgrade process:

A. Replace grub-git with grub (2.06). This will overwrite your existing /etc/default/grub, so you might want to make a backup, first.

B. Reinstall grub, depending on your cryptsetup options and / filesystem choice, with something like:

grub-install --target=x86_64-efi --efi-directory=/efi --modules="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512 btrfs" --bootloader-id=<some-ID>

C. For those desiring to automate their LUKS2 GRUB encrypted /boot unlocking process, Patrick Steinhardt (of grub-dev) was kind enough to develop and share with me a generic grub-mkimage unlocking script, which obviously needs to be modified in accordance with the specifics of your system.

The following script includes the modifications I made to unlock my system with grub 2.06, while remaining consistent with my prior system setup comments, which are now a few pages back within these grub-git comments.

#!/bin/bash

CONFIG=$(mktemp /tmp/grub-config.XXXXX) 
cat >"$CONFIG" <<EOF
cryptomount -u XYZ 

#(Where XYZ=the UUID of your Arch encrypted / partition, in my case:  /dev/nvmen0n1p21).#  

#Also note, unlike the previous iteration of grub-git, this UUID string must NOT contain ANY hyphens ('-')!!#

set prefix=(lvm/ArchNVMe-root)/boot/grub
set root=lvm/ArchNVMe-root

insmod normal
normal
EOF

grub-mkimage \
    -p '(lvm/ArchNVMe-root)/boot/grub' \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o /tmp/image \
    luks2 lvm btrfs part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512

rm "$CONFIG"

D. Save your correctly modified script to a file. I call mine luks2.sh.

E. Run:

./luks2.sh

F. Ensure your /etc/default/grub is correct.

G. We need to overwrite our existing grubx64.efi payload with the image created by our luks2.sh script. Run something like:

cp /tmp/image /efi/EFI/<your bootloader-id>/grubx64.efi

H. Generate and write your final grub configuration with:

grub-mkconfig -o /boot/grub/grub.cfg

I. Finally, run:

reboot

Cheers, and enjoy native grub LUKS2 automated encrypted /boot, /, and swap unlocking!!!

Dylan14 commented on 2021-03-14 05:08

The section of util/grub-mkconfig.in that the add-GRUB_COLOR_variables.patch references has shifted up a few lines in recent commits. It now starts at line 214 instead of 218. This is causing the build to fail.

Edit: Fixed patch here: https://github.com/Dylan1496/aur-pkgbuilds/blob/master/add-GRUB_COLOR_variables.patch Note, it appears by default os-prober is disabled. Another patch will probably be needed to fix that.

miffi commented on 2021-02-13 04:26

For the other space cadets out there...

cryptomount will only detect your luks2 partition UUID if there is no dashes in the identifier otherwise you will be greeted with no such cryptodisk found.

Thanks for making this accessible everybody.

archabuser commented on 2021-01-31 16:55

@ceri This is due to grub-install not correctly configuring your grub EFI-Image. It seems to be one of the limitations of upstream LUKS2 support. I ran into the same issue and then followed air-g4p's comment to add the right early config. I created a file /boot/grub/init.cfg with the following contents:

cryptomount -u <uuid-of-luks2-partition>
set root='lvmid/<vg-uuid>/<lv-uuid>'
set prefix=($root)/grub

insmod normal
normal

Where <vg-uuid> and <vl-uuid> point to the lvm volume that contains your /boot directory (use vgdisplay and lvdisplay for lookup). Then i ran grub-mkimage with all the required modules and added the config with -c /boot/grub/init.cfg.