When you cryptsetup luksFormat, LUKS2 cryptography defaults to argon2id, a competition-winning gpu-resistant multi-core memory-hard algorithm thingy. Only problem is everyone only supports pbkdf2 instead :3

  • GRUB had an argon2id support patch in the works. Buuut it stopped because a version-pinned dependency added argon2id support, and GRUB wants to update lib x to update lib y to update lib z to update said dependency (2 years later… I’m here D: )
  • systemd-boot is simple and doesn’t support argon2id
  • efistub, i.e. making the kernel boot itself (i think?), necessitates secure boot and I’m not sure that’s the best way to do this (Ventoy can bypass secure boot with MOKMANAGER funkin’ anyway, can’t it?)
  • Raspberry Pi’s bootloader might support argon2id? idk

Not to be deterred, I tried manually patching GRUB (tried with aur on a usb, then with portage) but I don’t think these are supported with the latest GRUB. (Attempted with whatever the aur package uses, then Gentoo’s grub-2.12-r4, then Gentoo’s grub-2.12-r5, then git cloning and checking out older versions manually, then picking the earliest 2.12 archive.org tarball to patch lol. All failed with “couldn’t find disk”-esque issues)

Does anyone have this working at or after Nov 2024? And better yet, am I missing something obvious ¯\_(ᵕ—ᴗ—)_/¯

Threat model: Avoiding a twopointfouristan prank, but also just screwing around for fun (◡‿◡✿)

  • Scoopta@programming.dev
    link
    fedilink
    arrow-up
    1
    ·
    2 days ago

    By that statement I take it then without TPM you basically can’t have truly secure secure boot? Since the password is your protection from secure boot tampering but the TPM is your protection from password tampering

    • Laser@feddit.org
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      2 days ago

      Realistically, no.

      Theoretically, if you enable Secure Boot and a boot password through UEFI, it might be OK for some purposes, as an attacker clearing your Secure Boot settings would also reset the boot password, which you’d probably notice.

      If you’re concerned about Evil Maid attacks, use Secure Boot with a TPM. If your only concern is getting the device stolen with you losing access, Secure Boot from my point of view is only a convenience feature for stuff like easier unlocking

      EDIT: it should be mentioned that technically, Secure Boot doesn’t require the TPM and just checks the signatures. However, you’d need to check on each boot whether it’s actually enabled with the correct settings and that your device has not been reset. The automation of this is sometimes called Measured Boot, which the TPM is used for. Secure Boot by itself doesn’t protect you against sophisticated physical attackers. But the boot measurement gets thrown into the term because it makes sense.

      At least that’s my understanding.

      • Scoopta@programming.dev
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 day ago

        I am aware secure boot doesn’t require a TPM, but I’ve always been confused by its purpose since it’s trivial to disable. Makes sense if you use it in conjunction with TPM measurements. I personally encrypt all my filesystems except my /boot which is also my ESP, I use the efistub and that’s good enough for loss of device. For a physical attacker with actual skills I’m SOL, it’s not that I don’t want to protect against it, I just couldn’t figure out a reliable way to.