Bug#1053559: Feature: argon2id support

Julian Andres Klode julian.klode at canonical.com
Fri Oct 6 11:19:29 BST 2023


Control: tag -1 wontfix upstream

On Fri, Oct 06, 2023 at 12:51:40PM +0300, Alexey Kuznetsov wrote:
> Package: grub-efi-amd64-bin
> 
> Dear Maintainer,
> 
> I managed to install the argon2i patches from the Arch repo and it works!
> But argon2 may fail on some systems due to a lack-of-memory error and
> make some systems unbootable.
> 
> In short: grub2 by default on x64 machines only allocates memory
> from the first 4GB (0x10000000) of physical address space to avoid EFI bugs (which
> are very common, when EFI programmers use 32-bit registers for pointers,
> which as a result causes EFI to crash when the system sends 64-bit pointers
> during I/O procedure calls). As a result, not every machine has enough (1GB
> contiguous) memory for argon2id keys. So we need to allocate memory from higher
> regions (>4GB). I wrote smartmem.patch (a hack, since it needs more work).
> 
> You need argon_*.patch:
> 
> * https://aur.archlinux.org/packages/grub-improved-luks2-git
> 
> smartmem.patch (allows allocating >4GB if the original allocation <4GB
> fails)
> 
> This is my original conversation (about smartmem.patch >4gb patch):
> 
> * https://savannah.gnu.org/bugs/index.php?64471

Feel free to land the support upstream, but it's not something that
we should be shipping downstream.

Going forward, for secure boot, our focus is not on adding things, but on removing
existing things like f2fs file support again. It stands to reason
that encrypted /boot should not be supported either, as there is no
practical use case (it is security by obscurity) and you are better
served by an unencrypted boot with a pre-built signed initrd or
a MOK-signed initrd (or really a UKI); decrypting untrusted data
is hence an unnecessary danger.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
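The failure mode discussed above is a LUKS2 keyslot whose Argon2 memory cost exceeds what the bootloader can allocate in the address range it is willing to use. The following script is an added example (not part of this thread, not GRUB's or cryptsetup's code) that reads the JSON metadata in the shape printed by `cryptsetup luksDump --dump-json-metadata` and flags keyslots whose KDF memory cost would not fit a given allocation budget. The embedded JSON is a constructed sample with made-up values, and the 512 MiB budget in the usage line is an assumed figure, not a GRUB constant. The `memory` field is the KDF's memory cost in KiB; the peak an implementation actually allocates can be larger, so this is a lower bound.

```python
import json
import sys

# Constructed sample in the layout of `cryptsetup luksDump --dump-json-metadata`.
# Values are invented for illustration; "salt" placeholders are not real salts.
SAMPLE_LUKS2_JSON = """
{
  "keyslots": {
    "0": {
      "type": "luks2",
      "key_size": 64,
      "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
              "cpus": 4, "salt": "<constructed>"}
    },
    "1": {
      "type": "luks2",
      "key_size": 64,
      "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000,
              "salt": "<constructed>"}
    }
  }
}
"""

KIB = 1024
MIB = 1024 * KIB

# KDF types whose "memory" field is a memory cost in KiB.
MEMORY_HARD_KDFS = ("argon2i", "argon2id")


def keyslot_memory_bytes(keyslot):
    """Return the KDF memory cost of one keyslot in bytes (0 for PBKDF2)."""
    kdf = keyslot.get("kdf", {})
    if kdf.get("type") in MEMORY_HARD_KDFS:
        return int(kdf["memory"]) * KIB
    return 0


def check_keyslots(metadata_json, budget_bytes):
    """Evaluate every keyslot against an allocation budget.

    Returns a list of dicts (one per keyslot, in slot order) with the KDF
    type, the memory the KDF declares it needs, and whether that fits.
    """
    meta = json.loads(metadata_json)
    slots = meta.get("keyslots", {})
    report = []
    for slot_id, slot in sorted(slots.items(), key=lambda kv: int(kv[0])):
        need = keyslot_memory_bytes(slot)
        report.append({
            "slot": slot_id,
            "kdf": slot.get("kdf", {}).get("type", "unknown"),
            "memory_bytes": need,
            "fits": need <= budget_bytes,
        })
    return report


def any_slot_fits(report):
    """True if at least one keyslot can be unlocked within the budget."""
    return any(entry["fits"] for entry in report)


def main(argv):
    # Usage: python3 check_luks2_kdf.py [metadata.json] [budget_mib]
    # With no file argument the constructed sample above is used.
    metadata = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LUKS2_JSON
    budget = int(argv[2]) * MIB if len(argv) > 2 else 512 * MIB  # assumed budget
    report = check_keyslots(metadata, budget)
    for entry in report:
        status = "ok" if entry["fits"] else "EXCEEDS BUDGET"
        print(f"slot {entry['slot']}: {entry['kdf']} needs "
              f"{entry['memory_bytes'] // MIB} MiB -> {status}")
    if not any_slot_fits(report):
        print("no keyslot fits the budget; unlocking from this loader would fail")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a dumped header with a budget matching the region the bootloader can use; a non-zero exit means no keyslot is unlockable within that budget, which is the unbootable case the report describes. Keeping one keyslot with a lower memory cost (or PBKDF2) alongside the strong one is a cheap way to keep early boot working while the rest of the slots stay memory-hard.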