From 88869036a62e31acf9a478ba3d9689761386e436 Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Sat, 21 Oct 2023 16:41:53 +0100 Subject: [PATCH] clarification 2 Signed-off-by: Leah Rowe --- site/docs/linux/index.md | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/site/docs/linux/index.md b/site/docs/linux/index.md index 737df0c..32038c0 100644 --- a/site/docs/linux/index.md +++ b/site/docs/linux/index.md @@ -49,11 +49,17 @@ Then still as root, do these commands: Now your distro's GRUB menu should work, when your distro's GRUB bootloader is executed from Libreboot's SeaBIOS payload. -Encrypted (LUKS/dm-crypt) installations +Encrypted /boot via LUKS2 with argon2 ======================================= Full encryption for basic LUKS2 (with PBKDF or argon2 key derivation) is -supported in libreboot. Legacy LUKS1 is also supported. +supported in libreboot. Legacy LUKS1 is also supported. On *most* other +systems, `/boot` must be encrypted, but Libreboot supports use of the +GRUB bootloader as a coreboot payload. + +GRUB has code in it that can be used to unlock LUKS1 and LUKS2 dm-crypt, +using the `cryptomount` command. With this, you can boot with *true* full +disk encryption, by encrypting `/boot`. This is a boon for security, because it's harder to tamper with, and you could potentially write-protect plus maybe provide @@ -92,6 +98,15 @@ At the time of the Libreboot 20231021 release, the GRUB upstream (on gnu.org) did not have these argon2 patches in its source tree, but Libreboot merges and maintains them out of tree. +argon2id +-------- + +You should *specifically* use argon2id. Please ensure this, because some +older LUKS2 setups defaulted to the weaker *argon2d*. This post by Matthew +Garret contains information about that: + + + NOTE: You should also read the instructions about about `GRUB_TERMINAL`. Rebooting system in case of freeze
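Review bot: in the first hunk, the new sentence "On *most* other systems, `/boot` must be encrypted, but Libreboot supports use of the GRUB bootloader as a coreboot payload" says the opposite of what the contrast needs. On an ordinary system the firmware-launched bootloader has to read the kernel and initrd from `/boot`, so `/boot` must be left *unencrypted*; the point being made is that GRUB running as a coreboot payload can `cryptomount` the volume first and therefore does not need a plaintext `/boot`. Suggest: "On *most* other systems, `/boot` must be left unencrypted because the bootloader has to read the kernel from it, but Libreboot can run GRUB itself as a coreboot payload." Separately, the retitled heading "Encrypted /boot via LUKS2 with argon2" is narrower than the body, which still states that PBKDF and legacy LUKS1 are supported; either keep a broader title or say in the first paragraph that argon2 is one of the supported key derivation functions rather than a requirement.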
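Review bot: in the second hunk, the link that "This post by Matthew Garret contains information about that:" is supposed to introduce is absent from the hunk as shown (the two added lines after the colon are empty), so the reader is pointed at nothing; add the URL, and if it is written as an angle-bracket autolink, confirm it survives the site generator. The claim that "some older LUKS2 setups defaulted to the weaker *argon2d*" also needs checking: cryptsetup's earlier LUKS2 default was argon2i, with argon2id becoming the default in cryptsetup 2.4, and argon2d is not simply "weaker", it trades side-channel resistance for GPU resistance, which is why the hybrid argon2id is the recommended choice. Suggest wording such as "older cryptsetup releases defaulted to argon2i; use argon2id, which combines the strengths of argon2i and argon2d", and consider telling the reader how to verify and fix an existing volume, e.g. `cryptsetup luksDump /dev/sdX` to see the PBKDF of each keyslot and `cryptsetup luksConvertKey --pbkdf argon2id /dev/sdX` to re-derive a keyslot with argon2id. Minor: "Garret" should be "Garrett", and the unchanged context line "instructions about about `GRUB_TERMINAL`" has a pre-existing doubled word that could be fixed in the same pass.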