Article published by: Leah Rowe
Date of publication: 20 August 2023
The GRUB payload has supported LUKSv2 for a long time, but only with the old-school PBKDF2 key derivation function; most Linux dm-crypt setups on LUKSv2 use argon2-based key derivation, which GRUB did not support. This meant either using LUKSv2 with PBKDF2 (less secure) or LUKSv1 (ditto) in GRUB.
Today, Libreboot supports argon2 key derivation in its version of GRUB, which is offered as a coreboot payload within the Libreboot build system and in Libreboot releases.
Libreboot’s argon2 patches are based on this AUR repository, which patched GRUB 2.06; the patches were rebased for use with GRUB 2.12, which Libreboot uses. The rebase was performed by Nicholas Johnson. Nicholas emailed me to tell me that this had been done, and I then merged Nicholas’s work into Libreboot. Thank you, Nicholas! Thanks also go to Axel, who is the author of the original work that Nicholas imported from the Arch Linux AUR.
Libreboot previously documented how to boot distros from encrypted /boot, which is a boon for security because it’s harder to compromise a machine that has an encrypted /boot (containing the Linux kernel) than one where /boot is unencrypted, as on most LUKS setups. In addition to this, you may consider GRUB hardening steps such as GPG signature checking of your installed Linux kernel.
These patches import the PHC argon2 implementation into Libreboot’s version of GRUB:
Argon2 is the newer key derivation function preferred on modern LUKSv2 setups. It is strongly recommended that you upgrade your setup to argon2id specifically.
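As an added example (not part of this article or of Libreboot’s GRUB patches), the script below reads `cryptsetup luksDump` output, reports which LUKS2 keyslots still use pbkdf2, and prints the `cryptsetup luksConvertKey` command that re-derives each one with argon2id. The dump text and the device name /dev/sda2 are constructed placeholders; note that the `Digests:` section of a LUKS2 header always lists pbkdf2 and is not a keyslot KDF, so the parser deliberately stops at the end of the `Keyslots:` section.

```shell
#!/bin/sh
# Added example, not Libreboot's code. Audits LUKS2 keyslot KDFs from
# `cryptsetup luksDump` text and prints the argon2id conversion commands.

# Constructed sample of luksDump output (abridged, not from a real device):
# keyslot 0 is still on pbkdf2, keyslot 1 already uses argon2id.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 1234567
  1: luks2
    Key:        512 bits
    PBKDF:      argon2id
    Time cost:  4
    Memory:     1048576
    Threads:    4
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 117708'

# Print "<slot> <pbkdf>" for every keyslot in luksDump text read on stdin.
# Only the Keyslots: section is scanned; Tokens:/Digests: end it.
luks_keyslot_pbkdfs() {
    awk '
        /^Keyslots:/                      { in_ks = 1; next }
        /^[A-Za-z]/                       { in_ks = 0 }
        in_ks && /^[ \t]*[0-9]+: luks2/   { slot = $1; sub(/:$/, "", slot) }
        in_ks && /^[ \t]*PBKDF:/          { print slot, $2 }
    '
}

# Print the numbers of the keyslots still using pbkdf2, one per line.
pbkdf2_keyslots() {
    luks_keyslot_pbkdfs | awk '$2 == "pbkdf2" { print $1 }'
}

# Print (do not run) the command that re-derives one keyslot with argon2id.
# cryptsetup will prompt for that keyslot's passphrase when it is run.
argon2id_convert_cmd() {
    printf 'cryptsetup luksConvertKey --key-slot %s --pbkdf argon2id %s\n' "$2" "$1"
}

# Usage against the constructed sample; on a real system replace the
# printf with: cryptsetup luksDump /dev/sda2
printf '%s\n' "$SAMPLE_DUMP" | pbkdf2_keyslots | while read -r slot; do
    argon2id_convert_cmd /dev/sda2 "$slot"
done
```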
This is unavailable in the current Libreboot 20230625 release, but will be available in the next Libreboot release. For now, you can compile a ROM image yourself from the Libreboot build system, lbmk, like so:
This is the reference argon2 implementation, now used by Libreboot, and the upstream project for that is hosted here:
PSA: upgrade your LUKS key derivation function, by Matthew Garrett, talks further about the importance of secure key derivation (specifically argon2id) on encrypted Linux setups.
Always use encryption!
Markdown file for this page: https://libreboot.org/news/argon2.md