Check LUKS2 Encrypted boot
Description
URL of affected page: https://privacyguides.org/linux-desktop/hardening/#secure-boot
Looks like GRUB supports LUKS2. This comment seems to suggest systemd-boot can also boot an encrypted LUKS2 partition, but I've not seen any information about that.
We should investigate this and update the page.
I found this https://www.gnu.org/software/grub/manual/grub/grub.pdf#cryptomount at chapter 16.3.19 cryptomount
GRUB supports devices encrypted using LUKS, LUKS2 and geli. Note that necessary modules (luks, luks2 and geli) have to be loaded manually before this command can be used. For LUKS2 only the PBKDF2 key derivation function is supported, as Argon2 is not yet supported.
This https://wiki.archlinux.org/title/GRUB#Encrypted_/boot followed by https://wiki.archlinux.org/title/GRUB#LUKS2 and finally that issue https://savannah.gnu.org/bugs/?55093
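The practical consequence of the manual text quoted above is that a LUKS2 header created with current cryptsetup defaults (Argon2id) cannot be opened by GRUB's cryptomount, while a header formatted with `cryptsetup luksFormat --pbkdf pbkdf2` or a LUKS1 header can. The script below is an added example, not code from this issue, from Privacy Guides or from the GRUB project: it takes the text printed by `cryptsetup luksDump <device>`, lists the key derivation function of every keyslot, and reports whether all of them are PBKDF2. The three sample dumps are constructed and trimmed to the lines the check needs; the function names are mine. A header that mixes Argon2 and PBKDF2 keyslots is reported as not unlockable, which is deliberately conservative. Note the trade-off this implies: PBKDF2 resists offline passphrase guessing less well than Argon2, so a header converted for GRUB needs a correspondingly stronger passphrase.

```shell
#!/bin/sh
# Added example, not code from the Privacy Guides issue or from the GRUB project:
# check whether a LUKS header could be unlocked by GRUB's cryptomount, which
# (per the GRUB manual quoted above) handles LUKS1 and LUKS2 but only the
# PBKDF2 key derivation function, not Argon2. Input is the text printed by
# `cryptsetup luksDump <device>`; the three samples below are constructed and
# trimmed to the lines the check needs.

SAMPLE_ARGON2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576'

SAMPLE_PBKDF2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Iterations: 1000000'

SAMPLE_LUKS1='LUKS header information for /dev/sdX2
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Key Slot 0: ENABLED
        Iterations:             2000000
Key Slot 1: DISABLED'

# Print "slot N: <kdf>" for every keyslot in a luksDump text.
# LUKS1 dumps carry no PBKDF: field because LUKS1 keyslots always use PBKDF2.
luks_keyslot_kdfs() {
  printf '%s\n' "$1" | awk '
    /^Version:/                  { version = $2 }
    /^[ \t]+[0-9]+: luks2$/      { slot = $1; sub(":", "", slot) }
    /^[ \t]+PBKDF:/              { print "slot " slot ": " $2 }
    /^Key Slot [0-9]+: ENABLED/  { if (version == 1) { s = $3; sub(":", "", s); print "slot " s ": pbkdf2" } }
  '
}

# Exit 0 when every keyslot uses PBKDF2, 1 otherwise. A header mixing Argon2
# and PBKDF2 keyslots is reported as not unlockable: the check is deliberately
# conservative and does not model which slot GRUB would try first.
grub_can_unlock() {
  report=$(luks_keyslot_kdfs "$1")
  [ -n "$report" ] || return 1          # no keyslots parsed: not a LUKS dump
  if printf '%s\n' "$report" | grep -qv ': pbkdf2$'; then
    return 1
  fi
  return 0
}

# Stand-alone demo over the constructed samples.
for name in SAMPLE_ARGON2 SAMPLE_PBKDF2 SAMPLE_LUKS1; do
  eval "dump=\$$name"
  luks_keyslot_kdfs "$dump"
  if grub_can_unlock "$dump"; then
    echo "$name: all keyslots PBKDF2, GRUB cryptomount can unlock it"
  else
    echo "$name: has a non-PBKDF2 keyslot, GRUB cryptomount cannot unlock it"
  fi
done
# On a real system (hypothetical device path):
#   grub_can_unlock "$(cryptsetup luksDump /dev/sda2)" && echo "GRUB-compatible"
```

The awk matches the `  N: luks2` keyslot headers and the `PBKDF:` field that follows each one, so token entries further down the dump (which also start with an index) do not disturb the result.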
At this point we wouldn't be recommending a git-tagged version of GRUB. If I'm being honest, I really don't like the "encrypted boot" idea because it will never be part of an installer, and is certainly redundant when you're using a TPM and measuring your bootloader. I think systemd-measure will no doubt become a better-developed solution that is far more common.
When I tried out encrypted GRUB it was super slow, because the GRUB implementation of even LUKS1 didn't have SSE support, if I remember correctly. I doubt it has been audited either, as nobody really uses it except for hardcore nerds following the Arch wiki.
I also totally see distributions in the future doing away with BIOS support and only supporting systemd-boot. Red Hat has already made some attempt to do this in F37 and, although it was rejected, they have settled for making UEFI the default.