Skip to content

Commit

Permalink
gentoo-config-luks-grub-systemd: Add GRUB disclaimers
Browse files Browse the repository at this point in the history 
Based on my personal experience following this tutorial, I ran into 2 issues: Needing to add `--modules=gcry_sha512` to `grub-install` and needing to lower the Argon2 memory cost.
  • Loading branch information
@jasyip
jasyip authored Jan 4, 2025
1 parent 24e77bc commit 89a0a9b
Showing 1 changed file with 24 additions and 0 deletions.
24 changes: 24 additions & 0 deletions ...ections/gentoo-config-luks2-grub-systemd/setup-process/configure-gentoo/grub.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -136,3 +136,27 @@ Now, GRUB is ready to be installed/reinstalled as normal:

Once GRUB has been successfully installed, the system is ready to reboot into
the Gentoo installation on the new LUKS partition.

If you are using SHA-512 for your partition (or a hash algorithm that is not
SHA-256), you must append `--modules=gcry_sha512` to the `grub-install` command,
as GRUB automatically adds `gcry_sha256` without checking the actual hash algorithm
in use.
{.notice--info}

In some cases, depending on your machine, the bootloader may
immediately fail trying to decrypt your Argon2-encrypted partition. It will immediately
claim "Invalid passphrase" after submitting your password. This error is most likely
due to the EFI binary being unable to allocate the default Argon2 memory cost of 1 GiB and
GRUB emitting a misleading error message as a result. To confirm, type `set debug=all`
then `cryptomount -a` to retry with debugging messages enabled and see if it has
trouble allocating the requisite memory for the desired LUKS2 keyslot (not the other
keyslots not meant for your passphrase). You can lower the amount of memory via
`cryptsetup luksChangeKey -S <key-slot> --pbkdf-memory <memory-in-KiB>
<other params copied from original> /dev/sda2`. This will require you to input your
password thrice (once to decrypt and gain the ability to make modifications, twice
to confirm a "new" password that you do not need to necessarily change, yet it still
asks you anways). Lower memory cost is not necessarily harmful to your security as
`cryptsetup` automatically adjusts the time cost factor upon recognizing your desired
lesser memory cost amount, but you can always binary search for the maximum memory cost
amount that GRUB can work with in 20 steps (since the default memory cost is 2^20).
{.notice--info}

0 comments on commit 89a0a9b

Please sign in to comment.