grub-devel

Re: Can grub-git be used to decrypt a LUKS2 encrypted partition? Testing


From: HardenedArray
Subject: Re: Can grub-git be used to decrypt a LUKS2 encrypted partition? Testing Results
Date: Sun, 30 Aug 2020 19:15:35 +0000

Hi Patrick,

Thank you for taking the time to have a look and if that LUKS2 unlocking 
process seems useful, please feel free to copypasta it, as needed.

Surely, I understand on the changing partitions part, which is why I attempted 
to keep `/dev/sdXYZ` as generic as possible.

Furthermore, I am locked onto your 'it's not a replacement' section of your 
comments.

Patrick: when/if you think you can crack this puzzle, please let me know.

Only waiting upon the receipt of the game 'rules' ;p

Cheers!


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, August 30, 2020 6:19 PM, Patrick Steinhardt <ps@pks.im> wrote:

> On Sun, Aug 30, 2020 at 03:30:39PM +0000, HardenedArray via Grub-devel wrote:
>
> > As a direct consequence of your valuable `--modules=` input, I have
> > taken the time and attempted to carefully document my entire LUKS2
> > unlocking encrypted /boot process for the benefit of others, similarly
> > situated.
>
> Great to have some documentation of the process, thanks!
>
> > My procedure and comments are posted at:
> > https://aur.archlinux.org/packages/grub-git/ under an intentionally
> > Five Eyes 'unlinked' nick. I know you understand.
> > Please take a moment to review my boot sequence comments within Step
> > 11 and following Step 13, both of which are in concordance with my
> > understanding of the GRUB encrypted /boot unlocking sequence.
> > If either statement needs modification, please let me know, as I do
> > not want others to adopt an incorrect understanding of how both GRUB,
> change between installation, but I guess people can figure that out on
> their own.
>
> > Patrick, I've also noted Eli's further input, immediately below.
> > Given that you now know exactly how I've encrypted / and how I unlock
> > my encrypted: /boot, swap and /, if you can indeed 'hack' a suitable
> > `grub-mkimage` command for me to test, I would be happy to test it.
>
> I currently don't have any available, sorry. I never did the custom
> config thing yet, even though it shouldn't be too hard. I hope to find
> some time in the next few days to give it a test and will report back.
>
> > However, please be sure to tell me whether you intend any such
> > `grub-mkimage` directive to be a REPLACEMENT for `grub-mkconfig` or as
> > a supplemental command.
>
> It's not a replacement of `grub-mkconfig`, but is part of what
> `grub-install` does. `grub-mkimage` will create the executable loaded by
> your bootloader, which includes any pre-loaded modules as well as the
> early boot config. `grub-mkconfig` will create the configuration that's
> used after this early boot step and is loaded when you execute `normal`.
>
> Patrick




