When you cryptsetup luksFormat, LUKS2 cryptography defaults to argon2id, a competition-winning gpu-resistant multi-core memory-hard algorithm thingy. Only problem is everyone only supports pbkdf2 instead :3

  • GRUB had an argon2id support patch in the works. Buuut it stopped because a version-pinned dependency added argon2id support, and GRUB wants to update lib x to update lib y to update lib z to update said dependency (2 years later… I’m here D: )
  • systemd-boot is simple and doesn’t support argon2id
  • efistub, i.e. making the kernel boot itself (i think?), necessitates secure boot and I’m not sure that’s the best way to do this (Ventoy can bypass secure boot with MOKMANAGER funkin’ anyway, can’t it?)
  • Raspberry Pi’s bootloader might support argon2id? idk

Not to be deterred, I tried manually patching GRUB (tried with aur on a usb, then with portage) but I don’t think these are supported with the latest GRUB. (Attempted with whatever the aur package uses, then Gentoo’s grub-2.12-r4, then Gentoo’s grub-2.12-r5, then git cloning and checking out older versions manually, then picking the earliest 2.12 archive.org tarball to patch lol. All failed with “couldn’t find disk”-esque issues)

Does anyone have this working at or after Nov 2024? And better yet, am I missing something obvious ¯\_(ᵕ—ᴗ—)_/¯

Threat model: Avoiding a twopointfouristan prank, but also just screwing around for fun (◡‿◡✿)

  • Marmaduke@lemmy.world
    link
    fedilink
    arrow-up
    5
    ·
    8 days ago

    The way I do it is I use a UKI. It’s an approach similar to efistub, you pack the kernel and initramfs into a single EFI file, then sign it with custom Secure Boot keys generated with sbctl.

    • fool@programming.devOP
      link
      fedilink
      arrow-up
      1
      ·
      8 days ago

      Can’t Ventoy bypass secure boot with the shim thing? i.e. ENROLL_THIS_KEY_IN_MOKMANAGER.cer

      Or is secure boot just to ensure that “this kernel uki hasn’t been tampered with”?

      Furthermore, if it’s secure boot autounlocked by TPM, won’t I have to password protect my bootloader too to avoid kernel parameter oopsies? (Lol changing kernel parameters right then and there reminds me of the windows utilman trick)

      The secure boot route seems fraught but perhaps I’m looking at it wrong

      • Marmaduke@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        8 days ago

        The simplified way of how Secure Boot works is you have a bunch of public keys stored in the UEFI, and you can sign .efi executables with the private key. If the signature of an executable is invalid or the file has been tampered with, UEFI refuses to run it.

        Now, every computer sold nowadays comes with Microsoft’s keys pre-installed, one for Windows and one for stuff that Microsoft deems worthy of signing.

        One of those things is shim, it’s signed with one of Microsoft keys and it looks for the MOK database to see what it can boot or not.

        But you don’t have to use Microsoft keys, you can make your own, put it in your UEFI and sign your stuff. That’s why UKI is useful, it’s a single EFI file you can sign. You can even sign your bootloader, like systemd-boot. The Secure Boot Arch Linux Wiki link contains information of how to do it easily with sbctl.

        TPM is completely independent of Secure Boot, it can be used with or without it.