[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GNU Boot patches: update to GRUB 2.12 with various fixes
|
From: |
Denis 'GNUtoo' Carikli |
|
Subject: |
Re: GNU Boot patches: update to GRUB 2.12 with various fixes |
|
Date: |
Wed, 13 Nov 2024 20:16:40 -0000 |
On Sat, 13 Jan 2024 02:01:06 +0000
Leah Rowe <info@minifree.org> wrote:
> Hi Denis, Adrien,
Hi,
Thanks for the patches. Updating to GRUB 2.12 is indeed important. I've
started to test and review that patch. I'll get back to you when this
is done. As for the grub configuration patches, they are interesting too
so I'll start to review them after the grub update one.
As for the out of tree GRUB patches, we want to avoid as much as
possible having to use out of tree patches in general (unless the
patches are backports of things that are already upstream).
So we're more interested in contributions that reduce the number of out
of tree patches we depend on rather than increasing them:
- For the patches to support Argon 2, having Argon2 is very important as
it fixes a very serious security issue[1], but fixing it only in
distributions like GNU Boot, Libreboot, etc doesn't really make sense.
For instance there are also people using GRUB with
'GRUB_ENABLE_CRYPTODISK=y' in various ways (with free or nonfree BIOS
or UEFI) so that also leaves these people vulnerable.
And if we apply the Argon2 patches in GNU Boot, we still have an
issue as it doesn't fix the problem for people that use
GRUB_ENABLE_CRYPTODISK=y with SeaBIOS.
So the way forward here is to upstream that patch in GRUB. There is
also already a bug report about that upstream[2] in case that helps.
In addition if the Argon 2 patch is upstreamed, it will be reviewed so
there would be less probability to have memory safety issues in it
(like buffer overflow etc). Since the GRUB crypto subsystem was
reworked when merging support for detached keys, nowadays it should be
faster to have patches reviewed and merged.
- As for the other GRUB patches (for keyboard related issues) it would
also be a good idea to upstream them in GRUB for instance for people
building GRUB outside of GNU Boot, Libreboot, etc. For the
patch that supports half-broken keyboards, if it somehow enables not
to trash laptops, upstreaming it would be very beneficial as many
more laptops could continue to work and not just laptops using GNU
Boot, Libreboot, etc.
References:
-----------
[1]Some states are able to decrypt LUKS volumes with passphrases of 20+
characters (that probably have low entropy) and Argon2 protects
way better against theses type of attacks when users use low
quality passphrases. So nowadays it's advised to use Argon2 or
Argon2i and 7 random words for the passphrase.
[2]https://savannah.gnu.org/bugs/?55093
Denis.
pgpnZ6pxTR68C.pgp
Description: OpenPGP digital signature
- Re: GNU Boot patches: update to GRUB 2.12 with various fixes,
Denis 'GNUtoo' Carikli <=