grub-devel

Re: Can grub-git be used to decrypt a LUKS2 encrypted partition? Testing


From: HardenedArray
Subject: Re: Can grub-git be used to decrypt a LUKS2 encrypted partition? Testing Results
Date: Sun, 30 Aug 2020 15:30:39 +0000

Hi Patrick,

As a direct consequence of your valuable `--modules=` input, I have taken the 
time and attempted to carefully document my entire LUKS2 unlocking encrypted 
/boot process for the benefit of others, similarly situated.

My procedure and comments are posted at:  
https://aur.archlinux.org/packages/grub-git/ under an intentionally Five Eyes 
'unlinked' nick.  I know you understand.

Please take a moment to review my boot sequence comments within Step 11 and 
following Step 13, both of which are in concordance with my understanding of 
the GRUB encrypted /boot unlocking sequence.

If either statement needs modification, please let me know, as I do not want 
others to adopt an incorrect understanding of how both GRUB and the kernel go 
about unlocking Keyslot 1, then Keyslot 0.

Patrick, I've also noted Eli's further input, immediately below.

Given that you now know exactly how I've encrypted / and how I unlock my 
encrypted:  /boot, swap and /, if you can indeed 'hack' a suitable 
`grub-mkimage` command for me to test, I would be happy to test it.

However, please be sure to tell me whether you intend any such `grub-mkimage` 
directive to be a REPLACEMENT for `grub-mkconfig` or as a supplemental command.

All the best...Patrick

Cheers!


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, August 30, 2020 1:38 AM, Eli Schwartz <eschwartz@archlinux.org> 
wrote:

> On 8/29/20 1:47 PM, Patrick Steinhardt wrote:
>
> > This is usually done automatically by GRUB when starting. But as it'll
> > not know to first decrypt the volume, it fails executing both of those
> > commands just to show you the rescue prompt afterwards. So they are left
> > to you now after manually decrypting. I could've added a note up-front
> > to spare you the hours-long research, but it got so natural to me that I
> > completely forgot.
> > You should be able to manually create a bootable image with GRUB with
> > `grub-mkimage`. The upside of this is that you can add your own early
> > configuration to automatically decrypt and do the `normal` dance. I
> > didn't care enough to do that myself yet, though, so I can't provide a
> > working invocation of that.
>
> Is grub-install failing to add the relevant cryptomount invocation in
> the embedded stub, due to not realizing luks2 can be decrypted like that?
>
> I wonder if you could hack this to work by relying on autodetection with
> grub-install --modules="..." to force luks2 modules to be included, but
> with a luks1 "/" root partition. Then after, convert the partition
> from luks1 to luks2. The grubx64.efi image should both support luks2 due
> to manually added modules, AND automatically Do The Right Thing with the
> generic cryptomount command.
>
> --
>
> Eli Schwartz
> Arch Linux Bug Wrangler and Trusted User
>
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
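
The approach Patrick outlines in the quoted text (a `grub-mkimage` image carrying an early configuration that decrypts the volume and then runs `normal`), written out as an added sketch that is not from any participant in this thread or from the GRUB project. The function names, the module list, the `x86_64-efi` target and the PBKDF2/AES keyslot are assumptions; the UUID and paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from this thread.
# Builds a GRUB EFI image whose embedded early config unlocks a LUKS2 volume.

# Modules forced into the image. Assumptions: GPT disk, AES cipher, a PBKDF2
# keyslot hashed with SHA-256 (GRUB's luks2 module of this period cannot use
# Argon2 keyslots), and an ext2/3/4 filesystem inside the container.
GRUB_LUKS2_MODULES="part_gpt cryptodisk luks2 pbkdf2 gcry_rijndael gcry_sha256 ext2"

# early_cfg LUKS_UUID GRUB_DIR
# Prints the early configuration. GRUB_DIR is the grub directory as seen
# inside the unlocked volume. The UUID is written without dashes, the form
# `cryptomount -u` expected in GRUB builds of this period.
early_cfg() {
    uuid=$(printf '%s' "$1" | tr -d '-')
    cat <<EOF
cryptomount -u $uuid
set root=crypto0
set prefix=(\$root)$2
insmod normal
normal
EOF
}

# build_image LUKS_UUID GRUB_DIR OUTPUT_EFI
# Writes the early config to a temporary file and embeds it with grub-mkimage.
build_image() {
    cfg=$(mktemp) || return 1
    early_cfg "$1" "$2" > "$cfg"
    # Module list is intentionally unquoted so it splits into separate arguments.
    grub-mkimage -O x86_64-efi -p "$2" -c "$cfg" -o "$3" $GRUB_LUKS2_MODULES
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Usage (placeholder values):
#   build_image "<LUKS2-UUID>" /grub /tmp/grubx64.efi
```

`grub-mkimage` produces the core image that `grub-install` would otherwise generate; the `grub.cfg` written by `grub-mkconfig` is still what `normal` reads from `$prefix` once the volume is unlocked.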




