Re: State of Argon2 support

From: Patrick Steinhardt <ps@pks.im>
To: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>, grub-devel@gnu.org
Cc: Daniel Kiper <daniel.kiper@oracle.com>
Subject: Re: State of Argon2 support
Date: Mon, 1 Jan 2024 20:48:21 +0100	[thread overview]
Message-ID: <ZZMXBae7ZDiHwcN6@framework> (raw)
In-Reply-To: <ZYZXZ5QHcEoEGCKK@dj3ntoo>

[-- Attachment #1.1: Type: text/plain, Size: 2606 bytes --]

On Fri, Dec 22, 2023 at 09:43:35PM -0600, Oskari Pirhonen wrote:
> On Fri, Dec 22, 2023 at 12:29:22 -0500, Nikolaos Chatzikonstantinou wrote:
> > 2. libgcrypt does not have support for Argon2. Possible solution is to
> > use the reference implementation, licensed under CC0. This is bringing
> > up issues (that I don't fully understand), would be preferable if the
> > authors released under GPLv3. Has there been a follow-up on this?
> > <https://lists.gnu.org/archive/html/grub-devel/2020-03/msg00170.html>
> > 
> 
> Libgcrypt supports Argon2 as of 1.10 (March 2022). The version of
> libgcrypt that is bundled with GRUB is older than that.
> 
> - Oskari

Indeed. There are two different ways to implement Argon2 support in
GRUB:

  - Use the reference implementation of Argon2.

  - Update libgcrypt to a newer version.

I have sent patches that bundles the reference implementation in [1]
quite a while ago. Back then there was the problem that we couldn't
allocate required memory on UEFI-based systems, but we improved the
memory allocator with GRUB 2.12 to support this usecase now.

Still, I consider it to be the inferior option. Back when I posted the
patches (February 2020 originally) there was no Argon2 support in
libgcrypt yet, so it was the obvious choice. But now that libgcrypt does
have support it's a no-brainer to use its version of libgcrypt instead.

Problem is that upgrading the bundled libgcrypt library is not trivial
at all. I've tried multiple times, and every single time I quickly gave
up. There's simply too many things that have changed, and GRUB does have
quite a lot of patches on top of the current bundled version of the
library. Regardless of that it would be the right thing to do, because
in the long run we do want an up-to-date version of libgrcypt regardless
of Argon2 support anyway.

That being said, I do not see myself updating it given that it's such a
huge and frustrating endeavour to update it. If anybody else wants to
take up this task I'd be more than happy and would definitely want to
rebase my own patches on top of this work. But until somebody steps up
to handle this task it's not going to happen.

The alternative would be to just live with the current state of my patch
series, where we use the reference implementation until libgcrypt gets
updated. But I'm not sure whether Daniel would consider pulling this
version (Cc'd him so that he can post his opinion). If he would then I'd
be happy to re-send a rebased version of my patch series.

Patrick

[1]: <cover.1628430731.git.ps@pks.im>

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[-- Attachment #2: Type: text/plain, Size: 141 bytes --]

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel