* State of Argon2 support
From: Nikolaos Chatzikonstantinou @ 2023-12-22 17:29 UTC
To: grub-devel

Hello list,

I was wondering what the state of Argon2 support is. From some searches
online I found patches by Patrick Steinhardt that experimentally add
support for it. I skimmed through the discussions on this list to
understand what some of the issues are:

1. Argon2 requires a lot of memory. How to allocate without breaking
backward-compat?
<https://lists.gnu.org/archive/html/grub-devel/2020-03/msg00180.html>

2. libgcrypt does not have support for Argon2. Possible solution is to
use the reference implementation, licensed under CC0. This is bringing
up issues (that I don't fully understand), would be preferable if the
authors released under GPLv3. Has there been a follow-up on this?
<https://lists.gnu.org/archive/html/grub-devel/2020-03/msg00170.html>

I don't know if there are more issues. I would appreciate some clarity
on this. If I can help in any way please let me know. Even if you'd
just like me to read the mailing lists and patches and describe a good
summary of the state of the issue, I can do it.

The interest in getting this done comes from the Guix System project
<https://guix.gnu.org/>. In this distribution, the kernel lies under
/gnu/store and the usual (for me?) plain-boot encrypted-rest setup
cannot work unless using PBKDF.

Regards,
Nikolaos Chatzikonstantinou

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

* Re: State of Argon2 support
From: Oskari Pirhonen @ 2023-12-23 3:43 UTC
To: Nikolaos Chatzikonstantinou; +Cc: grub-devel

On Fri, Dec 22, 2023 at 12:29:22 -0500, Nikolaos Chatzikonstantinou wrote:
> 2. libgcrypt does not have support for Argon2. Possible solution is to
> use the reference implementation, licensed under CC0. This is bringing
> up issues (that I don't fully understand), would be preferable if the
> authors released under GPLv3. Has there been a follow-up on this?
> <https://lists.gnu.org/archive/html/grub-devel/2020-03/msg00170.html>
>

Libgcrypt supports Argon2 as of 1.10 (March 2022). The version of
libgcrypt that is bundled with GRUB is older than that.

- Oskari

* Re: State of Argon2 support
From: Patrick Steinhardt @ 2024-01-01 19:48 UTC
To: Nikolaos Chatzikonstantinou, grub-devel; +Cc: Daniel Kiper

On Fri, Dec 22, 2023 at 09:43:35PM -0600, Oskari Pirhonen wrote:
> On Fri, Dec 22, 2023 at 12:29:22 -0500, Nikolaos Chatzikonstantinou wrote:
> > 2. libgcrypt does not have support for Argon2. Possible solution is to
> > use the reference implementation, licensed under CC0. This is bringing
> > up issues (that I don't fully understand), would be preferable if the
> > authors released under GPLv3. Has there been a follow-up on this?
> > <https://lists.gnu.org/archive/html/grub-devel/2020-03/msg00170.html>
> >
>
> Libgcrypt supports Argon2 as of 1.10 (March 2022). The version of
> libgcrypt that is bundled with GRUB is older than that.
>
> - Oskari

Indeed. There are two different ways to implement Argon2 support in
GRUB:

- Use the reference implementation of Argon2.

- Update libgcrypt to a newer version.

I have sent patches that bundle the reference implementation in [1]
quite a while ago. Back then there was the problem that we couldn't
allocate required memory on UEFI-based systems, but we improved the
memory allocator with GRUB 2.12 to support this use case now.

Still, I consider it to be the inferior option. Back when I posted the
patches (February 2020 originally) there was no Argon2 support in
libgcrypt yet, so it was the obvious choice. But now that libgcrypt does
have support it's a no-brainer to use its version of libgcrypt instead.

Problem is that upgrading the bundled libgcrypt library is not trivial
at all. I've tried multiple times, and every single time I quickly gave
up. There's simply too many things that have changed, and GRUB does have
quite a lot of patches on top of the current bundled version of the
library. Regardless of that it would be the right thing to do, because
in the long run we do want an up-to-date version of libgcrypt regardless
of Argon2 support anyway.

That being said, I do not see myself updating it given that it's such a
huge and frustrating endeavour to update it. If anybody else wants to
take up this task I'd be more than happy and would definitely want to
rebase my own patches on top of this work. But until somebody steps up
to handle this task it's not going to happen.

The alternative would be to just live with the current state of my patch
series, where we use the reference implementation until libgcrypt gets
updated. But I'm not sure whether Daniel would consider pulling this
version (Cc'd him so that he can post his opinion). If he would then I'd
be happy to re-send a rebased version of my patch series.

Patrick

[1]: <cover.1628430731.git.ps@pks.im>

* Re: State of Argon2 support
From: Nikolaos Chatzikonstantinou @ 2024-01-04 15:49 UTC
To: Patrick Steinhardt; +Cc: grub-devel, Daniel Kiper

On Mon, Jan 1, 2024 at 2:48 PM Patrick Steinhardt <ps@pks.im> wrote:
>
> On Fri, Dec 22, 2023 at 09:43:35PM -0600, Oskari Pirhonen wrote:
> > On Fri, Dec 22, 2023 at 12:29:22 -0500, Nikolaos Chatzikonstantinou wrote:
> > > 2. libgcrypt does not have support for Argon2. Possible solution is to
> > > use the reference implementation, licensed under CC0. This is bringing
> > > up issues (that I don't fully understand), would be preferable if the
> > > authors released under GPLv3. Has there been a follow-up on this?
> > > <https://lists.gnu.org/archive/html/grub-devel/2020-03/msg00170.html>
> > >
> >
> > Libgcrypt supports Argon2 as of 1.10 (March 2022). The version of
> > libgcrypt that is bundled with GRUB is older than that.
>
> Indeed. There are two different ways to implement Argon2 support in
> GRUB:
>
> - Use the reference implementation of Argon2.
>
> - Update libgcrypt to a newer version.
>
> Problem is that upgrading the bundled libgcrypt library is not trivial
> at all. I've tried multiple times, and every single time I quickly gave
> up. There's simply too many things that have changed, and GRUB does have
> quite a lot of patches on top of the current bundled version of the
> library. Regardless of that it would be the right thing to do, because
> in the long run we do want an up-to-date version of libgcrypt regardless
> of Argon2 support anyway.

That is interesting! Maybe I can give it a try.

It seems to me that my game plan is to find the two versions of
libgcrypt (old and new) and read the NEWS file carefully for how to
migrate.

Regards,
Nikolaos Chatzikonstantinou

* Re: State of Argon2 support
From: Daniel Kiper @ 2024-01-23 16:57 UTC
To: Nikolaos Chatzikonstantinou; +Cc: Patrick Steinhardt, grub-devel, Daniel Kiper

On Thu, Jan 04, 2024 at 10:49:06AM -0500, Nikolaos Chatzikonstantinou wrote:
> On Mon, Jan 1, 2024 at 2:48 PM Patrick Steinhardt <ps@pks.im> wrote:
> > On Fri, Dec 22, 2023 at 09:43:35PM -0600, Oskari Pirhonen wrote:
> > > On Fri, Dec 22, 2023 at 12:29:22 -0500, Nikolaos Chatzikonstantinou wrote:
> > > > 2. libgcrypt does not have support for Argon2. Possible solution is to
> > > > use the reference implementation, licensed under CC0. This is bringing
> > > > up issues (that I don't fully understand), would be preferable if the
> > > > authors released under GPLv3. Has there been a follow-up on this?
> > > > <https://lists.gnu.org/archive/html/grub-devel/2020-03/msg00170.html>
> > > >
> > >
> > > Libgcrypt supports Argon2 as of 1.10 (March 2022). The version of
> > > libgcrypt that is bundled with GRUB is older than that.
> >
> > Indeed. There are two different ways to implement Argon2 support in
> > GRUB:
> >
> > - Use the reference implementation of Argon2.
> >
> > - Update libgcrypt to a newer version.
> >
> > Problem is that upgrading the bundled libgcrypt library is not trivial
> > at all. I've tried multiple times, and every single time I quickly gave
> > up. There's simply too many things that have changed, and GRUB does have
> > quite a lot of patches on top of the current bundled version of the
> > library. Regardless of that it would be the right thing to do, because
> > in the long run we do want an up-to-date version of libgcrypt regardless
> > of Argon2 support anyway.
>
> That is interesting! Maybe I can give it a try.
>
> It seems to me that my game plan is to find the two versions of
> libgcrypt (old and new) and read the NEWS file carefully for how to
> migrate.

If you manage to do that it would be perfect...

If you have any questions or need help drop me a line.

Daniel

* Re: State of Argon2 support
From: Nikolaos Chatzikonstantinou @ 2024-01-24 5:05 UTC
To: Daniel Kiper; +Cc: Patrick Steinhardt, grub-devel, Daniel Kiper

On Tue, Jan 23, 2024 at 11:58 AM Daniel Kiper <dkiper@net-space.pl> wrote:
>
> On Thu, Jan 04, 2024 at 10:49:06AM -0500, Nikolaos Chatzikonstantinou wrote:
> > On Mon, Jan 1, 2024 at 2:48 PM Patrick Steinhardt <ps@pks.im> wrote:
> > >
> > > Indeed. There are two different ways to implement Argon2 support in
> > > GRUB:
> > >
> > > - Use the reference implementation of Argon2.
> > >
> > > - Update libgcrypt to a newer version.
> > >
> > > Problem is that upgrading the bundled libgcrypt library is not trivial
> > > at all. I've tried multiple times, and every single time I quickly gave
> > > up. There's simply too many things that have changed, and GRUB does have
> > > quite a lot of patches on top of the current bundled version of the
> > > library. Regardless of that it would be the right thing to do, because
> > > in the long run we do want an up-to-date version of libgcrypt regardless
> > > of Argon2 support anyway.
> >
> > That is interesting! Maybe I can give it a try.
> >
> > It seems to me that my game plan is to find the two versions of
> > libgcrypt (old and new) and read the NEWS file carefully for how to
> > migrate.
>
> If you manage to do that it would be perfect...
>
> If you have any questions or need help drop me a line.

Dear Daniel,

Thank you for offering your help, you motivated me to look into this.
I would like to ask, where is the libgcrypt source code bundled with
grub from? I checked that the files are not from the libgcrypt
repository in <git://git.gnupg.org/libgcrypt.git>.

My method was to search for the sha-1 sums with `git rev-list` and
`git rev-parse`. I automated the task by writing a python script which
I called "gitsearchdigest" (you can grab it from
<https://github.com/createyourpersonalaccount/gitsearchdigest>.) What
I did was run this command:

    cd grub-core/lib/libgcrypt/src
    find . -print0 | gitsearchdigest -C /path/to/libgcrypt_repo

However it came out blank, which, if my script is correct, means that
the files under grub-core/lib/libgcrypt/src do not ever appear in
their exact form in the git repository of libgcrypt. I made a manual
visual check on ChangeLog-2011 and it appeared to be modified.

Thus my conclusion is that grub has files that never appeared in the
libgcrypt repository, and it makes my attempt to upgrade it much
harder unless I can find out where they came from.

Regards,
Nikolaos Chatzikonstantinou

* Re: State of Argon2 support
From: Nikolaos Chatzikonstantinou @ 2024-01-24 5:46 UTC
To: Daniel Kiper; +Cc: Patrick Steinhardt, grub-devel, Daniel Kiper

On Wed, Jan 24, 2024 at 12:05 AM Nikolaos Chatzikonstantinou
<nchatz314@gmail.com> wrote:
>
> On Tue, Jan 23, 2024 at 11:58 AM Daniel Kiper <dkiper@net-space.pl> wrote:
> >
> > On Thu, Jan 04, 2024 at 10:49:06AM -0500, Nikolaos Chatzikonstantinou wrote:
> > > On Mon, Jan 1, 2024 at 2:48 PM Patrick Steinhardt <ps@pks.im> wrote:
> > > >
> > > > Indeed. There are two different ways to implement Argon2 support in
> > > > GRUB:
> > > >
> > > > - Use the reference implementation of Argon2.
> > > >
> > > > - Update libgcrypt to a newer version.
> > > >
> > > > Problem is that upgrading the bundled libgcrypt library is not trivial
> > > > at all. I've tried multiple times, and every single time I quickly gave
> > > > up. There's simply too many things that have changed, and GRUB does have
> > > > quite a lot of patches on top of the current bundled version of the
> > > > library. Regardless of that it would be the right thing to do, because
> > > > in the long run we do want an up-to-date version of libgcrypt regardless
> > > > of Argon2 support anyway.
> > >
> > > That is interesting! Maybe I can give it a try.
> > >
> > > It seems to me that my game plan is to find the two versions of
> > > libgcrypt (old and new) and read the NEWS file carefully for how to
> > > migrate.
> >
> > If you manage to do that it would be perfect...
> >
> > If you have any questions or need help drop me a line.
>
>
> Dear Daniel,
>
> Thank you for offering your help, you motivated me to look into this.
> I would like to ask, where is the libgcrypt source code bundled with
> grub from? I checked that the files are not from the libgcrypt
> repository in <git://git.gnupg.org/libgcrypt.git>.

Of course I misused my own tool by using it under the wrong CWD. This works:

    cd grub-core/lib/libgcrypt && find . -print0 | gitsearchdigest -C /path/to/libgcrypt_repo

With some fiddling via `git log $commit --pretty="tformat:%H %ct" -1`
and sorting on the unix timestamp I got the libgcrypt commit 897ccd2
from March of 2016. I have a decent starting point now.

Regards,
Nikolaos Chatzikonstantinou

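The blob-matching search described in the two messages above, as an added example (not the gitsearchdigest script and not code from this thread): it hashes each vendored file the way git does and reports which upstream commits contain every unmodified file. The commit ids, timestamps and file contents are constructed; the inputs are assumed to be `git ls-tree -r <commit>` listings paired with `%ct` committer timestamps.

```python
"""Locate the upstream snapshot a vendored source tree was copied from."""
import hashlib


def git_blob_id(data: bytes) -> str:
    """Object id git gives a file: SHA-1 over 'blob <size>\\0' + content."""
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()


def parse_ls_tree(text: str) -> dict:
    """Parse `git ls-tree -r <commit>` lines: '<mode> <type> <id>\\t<path>'."""
    blobs = {}
    for line in text.splitlines():
        meta, _, path = line.partition("\t")
        fields = meta.split()
        if len(fields) == 3 and fields[1] == "blob":
            blobs[path] = fields[2]
    return blobs


def locate_snapshot(vendored: dict, history: list) -> dict:
    """vendored: {path: bytes}; history: [(commit, unix_ct, ls_tree_text)].

    Files are matched by content id only, because a vendored copy usually
    lives under a different directory layout than upstream.
    """
    ids = {path: git_blob_id(data) for path, data in vendored.items()}
    trees = [(c, ct, set(parse_ls_tree(t).values())) for c, ct, t in history]
    known = set().union(*(blobs for _, _, blobs in trees))

    # Files whose exact content never appears upstream: patched locally,
    # generated, or taken from somewhere else. These need manual review.
    modified = sorted(p for p, i in ids.items() if i not in known)

    # The import commit must contain every file that does match, so the
    # candidates are the commits whose tree holds all of those blobs.
    wanted = {i for i in ids.values() if i in known}
    window = sorted((ct, c) for c, ct, blobs in trees
                    if wanted and wanted <= blobs)
    return {
        "matched": len(ids) - len(modified),
        "modified": modified,
        "window": [c for _, c in window],  # oldest first
    }


def _tree(files: dict) -> str:
    """Render constructed files the way `git ls-tree -r` prints them."""
    return "\n".join(f"100644 blob {git_blob_id(d)}\t{p}"
                     for p, d in sorted(files.items()))


# Constructed upstream history: three commits of a tiny library.
_V1 = {"cipher/sha1.c": b"v1 sha1\n", "cipher/md.c": b"v1 md\n",
       "ChangeLog-2011": b"log\n"}
_V2 = dict(_V1, **{"cipher/sha1.c": b"v2 sha1\n"})
_V3 = dict(_V2, **{"cipher/md.c": b"v3 md\n"})
SAMPLE_HISTORY = [
    ("c0ffee1", 1400000000, _tree(_V1)),
    ("c0ffee2", 1450000000, _tree(_V2)),
    ("c0ffee3", 1500000000, _tree(_V3)),
]

# Constructed vendored copy: taken at the second commit, flattened into one
# directory, with the ChangeLog edited after import.
SAMPLE_VENDORED = {
    "sha1.c": b"v2 sha1\n",
    "md.c": b"v1 md\n",
    "ChangeLog-2011": b"log (trimmed)\n",
}

if __name__ == "__main__":
    print(locate_snapshot(SAMPLE_VENDORED, SAMPLE_HISTORY))
```

An empty window with a non-zero match count means the vendored files come from more than one upstream revision, which is itself worth recording before attempting an upgrade.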
* Re: State of Argon2 support
From: Nikolaos Chatzikonstantinou @ 2024-01-24 6:23 UTC
To: Daniel Kiper; +Cc: Patrick Steinhardt, grub-devel, Daniel Kiper

On Wed, Jan 24, 2024 at 12:46 AM Nikolaos Chatzikonstantinou
<nchatz314@gmail.com> wrote:
>
> On Wed, Jan 24, 2024 at 12:05 AM Nikolaos Chatzikonstantinou
> <nchatz314@gmail.com> wrote:
> >
> > On Tue, Jan 23, 2024 at 11:58 AM Daniel Kiper <dkiper@net-space.pl> wrote:
> > >
> > > On Thu, Jan 04, 2024 at 10:49:06AM -0500, Nikolaos Chatzikonstantinou wrote:
> > > > On Mon, Jan 1, 2024 at 2:48 PM Patrick Steinhardt <ps@pks.im> wrote:
> > > > >
> > > > > Indeed. There are two different ways to implement Argon2 support in
> > > > > GRUB:
> > > > >
> > > > > - Use the reference implementation of Argon2.
> > > > >
> > > > > - Update libgcrypt to a newer version.
> > > > >
> > > > > Problem is that upgrading the bundled libgcrypt library is not trivial
> > > > > at all. I've tried multiple times, and every single time I quickly gave
> > > > > up. There's simply too many things that have changed, and GRUB does have
> > > > > quite a lot of patches on top of the current bundled version of the
> > > > > library. Regardless of that it would be the right thing to do, because
> > > > > in the long run we do want an up-to-date version of libgcrypt regardless
> > > > > of Argon2 support anyway.
> > > >
> > > > That is interesting! Maybe I can give it a try.
> > > >
> > > > It seems to me that my game plan is to find the two versions of
> > > > libgcrypt (old and new) and read the NEWS file carefully for how to
> > > > migrate.
> > >
> > > If you manage to do that it would be perfect...
> > >
> > > If you have any questions or need help drop me a line.
> >
> >
> > Dear Daniel,
> >
> > Thank you for offering your help, you motivated me to look into this.
> > I would like to ask, where is the libgcrypt source code bundled with
> > grub from? I checked that the files are not from the libgcrypt
> > repository in <git://git.gnupg.org/libgcrypt.git>.
>
> Of course I misused my own tool by using it under the wrong CWD. This works:
>
>     cd grub-core/lib/libgcrypt && find . -print0 | gitsearchdigest -C /path/to/libgcrypt_repo
>
> With some fiddling via `git log $commit --pretty="tformat:%H %ct" -1`
> and sorting on the unix timestamp I got the libgcrypt commit 897ccd2
> from March of 2016. I have a decent starting point now.

My apologies for the repeated messages, but I came up with just one
more question that I'm curious about. To summarize my questions:

1. Where is the libgcrypt bundle from grub from? I think my
investigation has led me around version 1.7.0 of libgcrypt, but if I
can get a precise commit or version, that would be useful.

... and now to my new question:

2. What is the reason libgcrypt is bundled as opposed to a regular dependency?

Thank you,
Nikolaos Chatzikonstantinou

* Re: State of Argon2 support
From: Daniel Kiper @ 2024-01-25 18:15 UTC
To: Nikolaos Chatzikonstantinou, phcoder; +Cc: Patrick Steinhardt, grub-devel

Adding Vladimir who knows GRUB history better than I...

On Wed, Jan 24, 2024 at 01:23:55AM -0500, Nikolaos Chatzikonstantinou wrote:

[...]

> My apologies for the repeated messages, but I came up with just one
> more question that I'm curious about. To summarize my questions:
>
> 1. Where is the libgcrypt bundle from grub from? I think my
> investigation has led me around version 1.7.0 of libgcrypt, but if I
> can get a precise commit or version, that would be useful.
>
> ... and now to my new question:

Vladimir, could you help with that?

> 2. What is the reason libgcrypt is bundled as opposed to a regular dependency?

I am not entirely sure I understand the question. Could you elaborate?

Daniel

* Re: State of Argon2 support
From: Nikolaos Chatzikonstantinou @ 2024-01-26 8:18 UTC
To: Daniel Kiper; +Cc: phcoder, Patrick Steinhardt, grub-devel

On Thu, Jan 25, 2024 at 1:15 PM Daniel Kiper <dkiper@net-space.pl> wrote:
>
> Adding Vladimir who knows GRUB history better than I...
>
> On Wed, Jan 24, 2024 at 01:23:55AM -0500, Nikolaos Chatzikonstantinou wrote:
>
> [...]
>
> > My apologies for the repeated messages, but I came up with just one
> > more question that I'm curious about. To summarize my questions:
> >
> > 1. Where is the libgcrypt bundle from grub from? I think my
> > investigation has led me around version 1.7.0 of libgcrypt, but if I
> > can get a precise commit or version, that would be useful.
> >
> > ... and now to my new question:
>
> Vladimir, could you help with that?
>
> > 2. What is the reason libgcrypt is bundled as opposed to a regular dependency?
>
> I am not entirely sure I understand the question. Could you elaborate?

By bundling, I mean that someone copied libgcrypt files into the GRUB project.

To elaborate further, regular programs (not like GRUB which is a
bootloader) can link statically or dynamically to libraries; but also,
there's a third option, to dump the source code of a library directly
into the source tree of the project. To my understanding this third
option (which is not really a third linker option as it is not related
to the linker) is chosen when the project needs to include its own
patch set to the library. I am curious if GRUB has patched libgcrypt
for some reason, and is that why libgcrypt is bundled with GRUB?

Regards,
Nikolaos Chatzikonstantinou

* Re: State of Argon2 support
From: Patrick Steinhardt @ 2024-01-26 9:55 UTC
To: Nikolaos Chatzikonstantinou; +Cc: Daniel Kiper, phcoder, grub-devel

On Fri, Jan 26, 2024 at 03:18:57AM -0500, Nikolaos Chatzikonstantinou wrote:
> On Thu, Jan 25, 2024 at 1:15 PM Daniel Kiper <dkiper@net-space.pl> wrote:
> >
> > Adding Vladimir who knows GRUB history better than I...
> >
> > On Wed, Jan 24, 2024 at 01:23:55AM -0500, Nikolaos Chatzikonstantinou wrote:
> >
> > [...]
> >
> > > My apologies for the repeated messages, but I came up with just one
> > > more question that I'm curious about. To summarize my questions:
> > >
> > > 1. Where is the libgcrypt bundle from grub from? I think my
> > > investigation has led me around version 1.7.0 of libgcrypt, but if I
> > > can get a precise commit or version, that would be useful.
> > >
> > > ... and now to my new question:
> >
> > Vladimir, could you help with that?
> >
> > > 2. What is the reason libgcrypt is bundled as opposed to a regular dependency?
> >
> > I am not entirely sure I understand the question. Could you elaborate?
>
> By bundling, I mean that someone copied libgcrypt files into the GRUB project.
>
> To elaborate further, regular programs (not like GRUB which is a
> bootloader) can link statically or dynamically to libraries; but also,
> there's a third option, to dump the source code of a library directly
> into the source tree of the project. To my understanding this third
> option (which is not really a third linker option as it is not related
> to the linker) is chosen when the project needs to include its own
> patch set to the library. I am curious if GRUB has patched libgcrypt
> for some reason, and is that why libgcrypt is bundled with GRUB?

Yeah, the libgcrypt version carried by GRUB is heavily patched so that
it compiles within the non-libc environment that GRUB uses. That is the
whole crux of this topic -- if libgcrypt was simply a vanilla version
then it shouldn't be all that hard to update.

I think in the long term it would be great indeed if we could refrain
from patching libgcrypt to the widest extent possible so that future
updates become easier. I guess that would require something of a "shim"
header that makes available all of the prerequisites that are currently
missing for libgcrypt to compile.

Patrick

* Re: State of Argon2 support
From: Daniel Kiper @ 2024-01-26 18:00 UTC
To: Patrick Steinhardt; +Cc: Nikolaos Chatzikonstantinou, phcoder, grub-devel

On Fri, Jan 26, 2024 at 10:55:21AM +0100, Patrick Steinhardt wrote:
> On Fri, Jan 26, 2024 at 03:18:57AM -0500, Nikolaos Chatzikonstantinou wrote:
> > On Thu, Jan 25, 2024 at 1:15 PM Daniel Kiper <dkiper@net-space.pl> wrote:
> > >
> > > Adding Vladimir who knows GRUB history better than I...
> > >
> > > On Wed, Jan 24, 2024 at 01:23:55AM -0500, Nikolaos Chatzikonstantinou wrote:
> > >
> > > [...]
> > >
> > > > My apologies for the repeated messages, but I came up with just one
> > > > more question that I'm curious about. To summarize my questions:
> > > >
> > > > 1. Where is the libgcrypt bundle from grub from? I think my
> > > > investigation has led me around version 1.7.0 of libgcrypt, but if I
> > > > can get a precise commit or version, that would be useful.
> > > >
> > > > ... and now to my new question:
> > >
> > > Vladimir, could you help with that?
> > >
> > > > 2. What is the reason libgcrypt is bundled as opposed to a regular dependency?
> > >
> > > I am not entirely sure I understand the question. Could you elaborate?
> >
> > By bundling, I mean that someone copied libgcrypt files into the GRUB project.
> >
> > To elaborate further, regular programs (not like GRUB which is a
> > bootloader) can link statically or dynamically to libraries; but also,
> > there's a third option, to dump the source code of a library directly
> > into the source tree of the project. To my understanding this third
> > option (which is not really a third linker option as it is not related
> > to the linker) is chosen when the project needs to include its own
> > patch set to the library. I am curious if GRUB has patched libgcrypt
> > for some reason, and is that why libgcrypt is bundled with GRUB?
>
> Yeah, the libgcrypt version carried by GRUB is heavily patched so that
> it compiles within the non-libc environment that GRUB uses. That is the
> whole crux of this topic -- if libgcrypt was simply a vanilla version
> then it shouldn't be all that hard to update.
>
> I think in the long term it would be great indeed if we could refrain
> from patching libgcrypt to the widest extent possible so that future
> updates become easier. I guess that would require something of a "shim"
> header that makes available all of the prerequisites that are currently
> missing for libgcrypt to compile.

I concur! However, it would be nice to have simple mechanism which allow
us to disable unused features. I am not sure it will be possible without
patching libgcrypt heavily.

Daniel

* Re: State of Argon2 support
From: Daniel Kiper @ 2024-01-26 17:50 UTC
To: Nikolaos Chatzikonstantinou; +Cc: phcoder, Patrick Steinhardt, grub-devel

On Fri, Jan 26, 2024 at 03:18:57AM -0500, Nikolaos Chatzikonstantinou wrote:
> On Thu, Jan 25, 2024 at 1:15 PM Daniel Kiper <dkiper@net-space.pl> wrote:
> >
> > Adding Vladimir who knows GRUB history better than I...
> >
> > On Wed, Jan 24, 2024 at 01:23:55AM -0500, Nikolaos Chatzikonstantinou wrote:
> >
> > [...]
> >
> > > My apologies for the repeated messages, but I came up with just one
> > > more question that I'm curious about. To summarize my questions:
> > >
> > > 1. Where is the libgcrypt bundle from grub from? I think my
> > > investigation has led me around version 1.7.0 of libgcrypt, but if I
> > > can get a precise commit or version, that would be useful.
> > >
> > > ... and now to my new question:
> >
> > Vladimir, could you help with that?
> >
> > > 2. What is the reason libgcrypt is bundled as opposed to a regular dependency?
> >
> > I am not entirely sure I understand the question. Could you elaborate?
>
> By bundling, I mean that someone copied libgcrypt files into the GRUB project.
>
> To elaborate further, regular programs (not like GRUB which is a
> bootloader) can link statically or dynamically to libraries; but also,
> there's a third option, to dump the source code of a library directly
> into the source tree of the project. To my understanding this third
> option (which is not really a third linker option as it is not related
> to the linker) is chosen when the project needs to include its own
> patch set to the library. I am curious if GRUB has patched libgcrypt
> for some reason, and is that why libgcrypt is bundled with GRUB?

I think Vladimir could tell us more here...

Anyway, I think we should avoid patching libgcrypt, or any given library
merged with GRUB source, as much as possible.

Daniel

* Re: State of Argon2 support
From: Vladimir 'phcoder' Serbinenko @ 2024-01-26 20:31 UTC
To: Daniel Kiper
Cc: Nikolaos Chatzikonstantinou, Patrick Steinhardt, The development of GRUB 2

On Fri, Jan 26, 2024, 20:50, Daniel Kiper <dkiper@net-space.pl> wrote:

> On Fri, Jan 26, 2024 at 03:18:57AM -0500, Nikolaos Chatzikonstantinou wrote:
> > On Thu, Jan 25, 2024 at 1:15 PM Daniel Kiper <dkiper@net-space.pl> wrote:
> > >
> > > Adding Vladimir who knows GRUB history better than I...
> > >
> > > On Wed, Jan 24, 2024 at 01:23:55AM -0500, Nikolaos Chatzikonstantinou wrote:
> > >
> > > [...]
> > >
> > > > My apologies for the repeated messages, but I came up with just one
> > > > more question that I'm curious about. To summarize my questions:
> > > >
> > > > 1. Where is the libgcrypt bundle from grub from? I think my
> > > > investigation has led me around version 1.7.0 of libgcrypt, but if I
> > > > can get a precise commit or version, that would be useful.
> > > >
> > > > ... and now to my new question:
> > >
> > > Vladimir, could you help with that?
> > >
> > > > 2. What is the reason libgcrypt is bundled as opposed to a regular dependency?
> > >
> > > I am not entirely sure I understand the question. Could you elaborate?
> >
> > By bundling, I mean that someone copied libgcrypt files into the GRUB project.
> >
> > To elaborate further, regular programs (not like GRUB which is a
> > bootloader) can link statically or dynamically to libraries; but also,
> > there's a third option, to dump the source code of a library directly
> > into the source tree of the project. To my understanding this third
> > option (which is not really a third linker option as it is not related
> > to the linker) is chosen when the project needs to include its own
> > patch set to the library. I am curious if GRUB has patched libgcrypt
> > for some reason, and is that why libgcrypt is bundled with GRUB?
>
> I think Vladimir could tell us more here...
>
> Anyway, I think we should avoid patching libgcrypt, or any given library
> merged with GRUB source, as much as possible.
>

This was my goal as well. Almost all the changes are difficult to avoid.
But at least they are automated in most cases. See import_gcry script. I'm
not on my computer now. I hope to find a time to have a look until the end
of next week.

>
> Daniel
>

* Re: State of Argon2 support
From: Nikolaos Chatzikonstantinou @ 2024-01-30 15:18 UTC
To: Vladimir 'phcoder' Serbinenko
Cc: Daniel Kiper, Patrick Steinhardt, The development of GRUB 2

I want to share a small update:

I'm reading the GRUB source code for the memory manager to get a bit
acclimated. I was surprised to see libgcrypt depend on <stdio.h>.

Asking around, the monocypher library was brought to my attention,
<https://monocypher.org/>. No external dependencies, the license is
compatible, just two files monocypher.c and .h that can be bundled,
supports argon2, and it's already used by some bootloaders/firmware
(ArduPilot Project, Joulescope). It is however written in pure C99; it
seems to me that it supports architectures that a C99 compiler can
target.

While the goal of upgrading libgcrypt is noble, it is a bit scary as
libgcrypt seems difficult to navigate for me, the import_gcry.py
script also being hard to read. So I have the following questions:

1) What are the cryptographic requirements of GRUB? I.e. which
features and algorithms does GRUB require right now?
2) Can we include monocypher just for the purpose of unlocking
argon2-configured luks2 partitions?
3) Is it of interest to replace libgcrypt entirely (if possible, with
monocypher e.g.?)

If the best plan to go ahead with is to upgrade libgcrypt, as I've
said before, it would be good to know the version currently bundled
with GRUB (I'm just reiterating this point.) But from my viewpoint,
libgcrypt is a userland library with a wide range of features; perhaps
not the most appropriate for a bootloader. I'm wondering if the
reasons that led to choosing libgcrypt in the past for GRUB can be
reevaluated now that there are more options for cryptographic
libraries.

Regards,
Nikolaos Chatzikonstantinou

On Fri, Jan 26, 2024 at 3:31 PM Vladimir 'phcoder' Serbinenko <phcoder@gmail.com> wrote:
>
> On Fri, Jan 26, 2024, 20:50, Daniel Kiper <dkiper@net-space.pl> wrote:
>>
>> On Fri, Jan 26, 2024 at 03:18:57AM -0500, Nikolaos Chatzikonstantinou wrote:
>> > On Thu, Jan 25, 2024 at 1:15 PM Daniel Kiper <dkiper@net-space.pl> wrote:
>> > >
>> > > Adding Vladimir who knows GRUB history better than I...
>> > >
>> > > On Wed, Jan 24, 2024 at 01:23:55AM -0500, Nikolaos Chatzikonstantinou wrote:
>> > >
>> > > [...]
>> > >
>> > > > My apologies for the repeated messages, but I came up with just one
>> > > > more question that I'm curious about. To summarize my questions:
>> > > >
>> > > > 1. Where is the libgcrypt bundle from grub from? I think my
>> > > > investigation has led me around version 1.7.0 of libgcrypt, but if I
>> > > > can get a precise commit or version, that would be useful.
>> > > >
>> > > > ... and now to my new question:
>> > >
>> > > Vladimir, could you help with that?
>> > >
>> > > > 2. What is the reason libgcrypt is bundled as opposed to a regular dependency?
>> > >
>> > > I am not entirely sure I understand the question. Could you elaborate?
>> >
>> > By bundling, I mean that someone copied libgcrypt files into the GRUB project.
>> >
>> > To elaborate further, regular programs (not like GRUB which is a
>> > bootloader) can link statically or dynamically to libraries; but also,
>> > there's a third option, to dump the source code of a library directly
>> > into the source tree of the project. To my understanding this third
>> > option (which is not really a third linker option as it is not related
>> > to the linker) is chosen when the project needs to include its own
>> > patch set to the library. I am curious if GRUB has patched libgcrypt
>> > for some reason, and is that why libgcrypt is bundled with GRUB?
>>
>> I think Vladimir could tell us more here...
>>
>> Anyway, I think we should avoid patching libgcrypt, or any given library
>> merged with GRUB source, as much as possible.
>
> This was my goal as well. Almost all the changes are difficult to avoid. But at least they are automated in most cases. See import_gcry script. I'm not on my computer now. I hope to find a time to have a look until the end of next week.
>>
>> Daniel
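Added example (not part of the thread, and not GRUB or cryptsetup code): question 2 above is about LUKS2 keyslots configured with Argon2, which this thread treats as not yet unlockable by GRUB, unlike PBKDF2 keyslots. The sketch below audits LUKS2 JSON metadata, such as `cryptsetup luksDump --dump-json-metadata` prints, and reports each keyslot's KDF and the memory an Argon2 slot would ask the bootloader to allocate; the sample metadata and the function names are constructed for illustration.

```python
import json

# Constructed sample of LUKS2 JSON metadata, trimmed to the fields used here.
# In LUKS2 the Argon2 "memory" cost is expressed in KiB.
SAMPLE_METADATA = """
{
  "keyslots": {
    "1": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "pbkdf2", "hash": "sha256",
                  "iterations": 1200000, "salt": "Y29uc3RydWN0ZWQ="}},
    "0": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                  "cpus": 4, "salt": "Y29uc3RydWN0ZWQ="}}
  }
}
"""

ARGON2_TYPES = {"argon2i", "argon2id"}


def audit_keyslots(metadata_json):
    """Return one record per keyslot: slot number, KDF type, Argon2 memory."""
    meta = json.loads(metadata_json)
    slots = meta.get("keyslots", {})
    report = []
    for slot_id in sorted(slots, key=int):
        kdf = slots[slot_id].get("kdf", {})
        kdf_type = kdf.get("type", "unknown")
        needs_argon2 = kdf_type in ARGON2_TYPES
        memory_kib = kdf.get("memory") if needs_argon2 else None
        report.append({
            "slot": int(slot_id),
            "kdf": kdf_type,
            "needs_argon2": needs_argon2,
            # Memory the KDF must be given at unlock time, in MiB.
            "memory_mib": memory_kib // 1024 if isinstance(memory_kib, int) else None,
        })
    return report


def pbkdf2_slots(metadata_json):
    """Keyslots that need only PBKDF2, i.e. no Argon2 support in the bootloader."""
    return [r["slot"] for r in audit_keyslots(metadata_json) if r["kdf"] == "pbkdf2"]


if __name__ == "__main__":
    for record in audit_keyslots(SAMPLE_METADATA):
        print(record)
    print("PBKDF2-only keyslots:", pbkdf2_slots(SAMPLE_METADATA))
```

An empty result from pbkdf2_slots means every passphrase on the volume depends on Argon2 support in whatever unlocks it at boot.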
* Re: State of Argon2 support
From: Daniel Kiper @ 2024-02-02 14:10 UTC
To: Nikolaos Chatzikonstantinou
Cc: Vladimir 'phcoder' Serbinenko, Patrick Steinhardt, The development of GRUB 2

On Tue, Jan 30, 2024 at 10:18:20AM -0500, Nikolaos Chatzikonstantinou wrote:
> I want to share a small update:
>
> I'm reading the GRUB source code for the memory manager to get a bit
> acclimated. I was surprised to see libgcrypt depend on <stdio.h>.

Hmmm...

> Asking around, the monocypher library was brought to my attention,
> <https://monocypher.org/>. No external dependencies, the license is
> compatible, just two files monocypher.c and .h that can be bundled,
> supports argon2, and it's already used by some bootloaders/firmware
> (ArduPilot Project, Joulescope). It is however written in pure C99; it
> seems to me that it supports architectures that a C99 compiler can
> target.
>
> While the goal of upgrading libgcrypt is noble, it is a bit scary as
> libgcrypt seems difficult to navigate for me, the import_gcry.py
> script also being hard to read. So I have the following questions:
>
> 1) What are the cryptographic requirements of GRUB? I.e. which
> features and algorithms does GRUB require right now?
> 2) Can we include monocypher just for the purpose of unlocking
> argon2-configured luks2 partitions?
> 3) Is it of interest to replace libgcrypt entirely (if possible, with
> monocypher e.g.?)

If this change will not break (much) currently existing features and
simplify the code I am OK with doing this experiment.

> If the best plan to go ahead with is to upgrade libgcrypt, as I've
> said before, it would be good to know the version currently bundled
> with GRUB (I'm just reiterating this point.) But from my viewpoint,

Let me poke Vladimir once again...

> libgcrypt is a userland library with a wide range of features; perhaps
> not the most appropriate for a bootloader. I'm wondering if the
> reasons that led to choosing libgcrypt in the past for GRUB can be
> reevaluated now that there are more options for cryptographic
> libraries.

As I said above, I am OK with reevaluating current libgcrypt approach.

Daniel
* Re: State of Argon2 support
From: Nikolaos Chatzikonstantinou @ 2024-02-11 21:01 UTC
To: Daniel Kiper
Cc: Vladimir 'phcoder' Serbinenko, Patrick Steinhardt, The development of GRUB 2

On Fri, Feb 2, 2024 at 9:10 AM Daniel Kiper <dkiper@net-space.pl> wrote:
>
> On Tue, Jan 30, 2024 at 10:18:20AM -0500, Nikolaos Chatzikonstantinou wrote:
> > I want to share a small update:
> >
> > I'm reading the GRUB source code for the memory manager to get a bit
> > acclimated. I was surprised to see libgcrypt depend on <stdio.h>.
>
> Hmmm...
>
> > Asking around, the monocypher library was brought to my attention,
> > <https://monocypher.org/>. No external dependencies, the license is
> > compatible, just two files monocypher.c and .h that can be bundled,
> > supports argon2, and it's already used by some bootloaders/firmware
> > (ArduPilot Project, Joulescope). It is however written in pure C99; it
> > seems to me that it supports architectures that a C99 compiler can
> > target.
> >
> > While the goal of upgrading libgcrypt is noble, it is a bit scary as
> > libgcrypt seems difficult to navigate for me, the import_gcry.py
> > script also being hard to read. So I have the following questions:
> >
> > 1) What are the cryptographic requirements of GRUB? I.e. which
> > features and algorithms does GRUB require right now?
> > 2) Can we include monocypher just for the purpose of unlocking
> > argon2-configured luks2 partitions?
> > 3) Is it of interest to replace libgcrypt entirely (if possible, with
> > monocypher e.g.?)
>
> If this change will not break (much) currently existing features and
> simplify the code I am OK with doing this experiment.
>
> > If the best plan to go ahead with is to upgrade libgcrypt, as I've
> > said before, it would be good to know the version currently bundled
> > with GRUB (I'm just reiterating this point.) But from my viewpoint,
>
> Let me poke Vladimir once again...
>
> > libgcrypt is a userland library with a wide range of features; perhaps
> > not the most appropriate for a bootloader. I'm wondering if the
> > reasons that led to choosing libgcrypt in the past for GRUB can be
> > reevaluated now that there are more options for cryptographic
> > libraries.
>
> As I said above, I am OK with reevaluating current libgcrypt approach.

Ping on this; Vladimir if you are busy that is ok, just give me a later
date and I can ping you later. You said something about the end of the
week, so I keep thinking about this... But for me it's not urgent. If
you want to respond in 2 months, that's fine too, but just let me know
so that I can put it past me for now.

Regards,
Nikolaos Chatzikonstantinou