From 49e61a77b83db719eb9af566bcdeb6f8438ff3b3 Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Sun, 20 Aug 2023 13:44:25 +0100 Subject: [PATCH] news page: grub argon2 support Signed-off-by: Leah Rowe --- site/news/MANIFEST | 1 + site/news/argon2.md | 68 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 site/news/argon2.md diff --git a/site/news/MANIFEST b/site/news/MANIFEST index 82c4d89..5b47741 100644 --- a/site/news/MANIFEST +++ b/site/news/MANIFEST @@ -1,3 +1,4 @@ +argon2.md hp8470p_and_dell_t1650.md hp2170p.md update202308.md diff --git a/site/news/argon2.md b/site/news/argon2.md new file mode 100644 index 0000000..d0087af --- /dev/null +++ b/site/news/argon2.md 
@@ -0,0 +1,68 @@ +% Encrypted /boot/ on LUKSv2 with argon2i/id now possible in Libreboot GRUB +% Leah Rowe +% 20 August 2023 + + + +Introduction +============ + +The GRUB payload has supported LUKSv2 for a long time, but only with the +old-school PBKDF2 key derivation method; most Linux dm-crypt setups on LUKSv2 +use argon2-based key derivation, which GRUB did not support. This mean either: +use LUKSv2 with PBKDF2 (less secure), or LUKSv2 (ditto), in GRUB. + +Today, Libreboot now supports argon2 key derivation in its version of GRUB, +which is offered as a coreboot payload within the Libreboot build system, and +in Libreboot releases. + +Why does this matter? +--------------------- + +Libreboot previously documented how to boot distros from encrypted `/boot`, +which is a boon for security because it's harder to compromise a machine that +has encrypted `/boot` (containing the linux kernel) than if it were unencrypted +like on most LUKS setups. In addition to this, you may consider [GRUB +hardening](../docs/linux/grub_hardening.md) steps such as GPG signature checking +of your installed Linux kernel. + +These patches import the PHC argon2 implementation into Libreboot's version +of GRUB: + +* +* +* + +Argon2 is the newer key derivation preferred on modern LUKSv2 setups. It is +strongly recommended that you *upgrade* to argon2id, specifically, for your +setup. + +How to get it +------------- + +This is unavailable in the current Libreboot 20230625 release, but will be +available in the next Libreboot release. 
For now, you can compile a ROM image +yourself from the Libreboot build system, lbmk, like so: + +[How to build Libreboot ROM images from source](../docs/build/) + +Further reading +=============== + +PHC argon2 implementation +------------------------- + +This is the reference argon2 implementation, now used by Libreboot, +and the upstream project for that is hosted here: + + + +Article by Matthew Garrett +-------------------------- + +[PSA: upgrade your LUKS key derivation +function](https://mjg59.dreamwidth.org/66429.html) by Matthew Garret, talks +further about the importance of secure key derivation (specifically argon2id) +on encrypted Linux setups. + +Always use encryption!
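Review bot: in the argon2.md hunk the sentence "This mean either: use LUKSv2 with PBKDF2 (less secure), or LUKSv2 (ditto), in GRUB." has a grammar slip ("This mean" should be "This means") and names LUKSv2 twice, so the second alternative is never actually stated (presumably LUKSv1, which is PBKDF2-only); please fix before publishing. The three bullet items under "These patches import the PHC argon2 implementation into Libreboot's version of GRUB:" and the link line under "hosted here:" are empty as shown, so confirm the patch and upstream URLs survived and render as links. "Matthew Garret" in the Further reading paragraph is missing a t (the heading spells it Garrett). Since the page strongly recommends that readers *upgrade* existing setups to argon2id but never says how, a one-line pointer to the conversion step (cryptsetup luksConvertKey with --pbkdf argon2id on the existing keyslot) or an explicit note that the linked Garrett article covers it would make the advice actionable; and "PBKDF2 (less secure)" would be more precise as "not memory-hard, so far cheaper to brute-force on GPUs", which is the real reason argon2id is preferred.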