From 8a396f32f7844266aa1c2b01de5c191c906adc05 Mon Sep 17 00:00:00 2001 From: Maurice Zhou Date: Sun, 21 Nov 2021 23:34:08 +0100 Subject: [PATCH] GRUB: preliminary support for PBKDF2-only LUKS2 Signed-off-by: Maurice Zhou --- .../Root on ZFS/4-optional-configuration.rst | 32 ++++++++++++++++--- .../Arch Linux/Root on ZFS/6-recovery.rst | 2 +- .../Fedora/Root on ZFS/6-recovery.rst | 2 +- .../Root on ZFS/2-system-configuration.rst | 2 -- .../NixOS/Root on ZFS/6-recovery.rst | 2 +- .../6-recovery.rst | 2 +- 6 files changed, 31 insertions(+), 11 deletions(-) diff --git a/docs/Getting Started/Arch Linux/Root on ZFS/4-optional-configuration.rst b/docs/Getting Started/Arch Linux/Root on ZFS/4-optional-configuration.rst index e69af9f..23a6e97 100644 --- a/docs/Getting Started/Arch Linux/Root on ZFS/4-optional-configuration.rst +++ b/docs/Getting Started/Arch Linux/Root on ZFS/4-optional-configuration.rst @@ -20,11 +20,17 @@ states before pacman transactions. Install an AUR helper of choice then install ``rozb3-pac`` from AUR for pacman integration:: - pacman -S --needed git base-devel + pacman -S --needed git base-devel sudo + echo 'nobody ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/00_nobody + su - nobody -s /bin/bash + mkdir /tmp/build + export HOME=/tmp/build git clone https://aur.archlinux.org/paru-bin.git cd paru-bin makepkg -si paru -S rozb3-pac + logout + rm /etc/sudoers.d/00_nobody Supply password with SSH ~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -107,14 +113,15 @@ root pool will be replaced by keyfile, embedded in initrd. #. Create LUKS containers:: for i in ${DISK}; do - cryptsetup luksFormat -q --type luks1 --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks $i-part2 - echo $LUKS_PWD | cryptsetup luksAddKey --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks $i-part2 + cryptsetup luksFormat -q --type luks2 --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks $i-part2 + echo $LUKS_PWD | cryptsetup luksAddKey --pbkdf pbkdf2 --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks $i-part2 cryptsetup open ${i}-part2 ${i##*/}-part2-luks-bpool_$INST_UUID --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks echo ${i##*/}-part2-luks-bpool_$INST_UUID ${i}-part2 /etc/cryptkey.d/bpool_$INST_UUID-key-luks discard >> /etc/crypttab done - GRUB 2.06 still does not have complete support for LUKS2, LUKS1 - is used instead. + In GRUB 2.06, only the PBKDF2 key derivation function + is supported, thus PBKDF2 is used + for passphrase key slot. Other slots are not affected. #. Embed key file in initrd:: @@ -187,6 +194,21 @@ root pool will be replaced by keyfile, embedded in initrd. #. Enable GRUB cryptodisk:: echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub +#. Let GRUB decrypt all LUKS containers on boot:: + + tee -a /etc/grub.d/09_bpool_luks2-decryption <`__. + Or `download generated GRUB rescue image `__. #. List available disks with ``ls`` command:: diff --git a/docs/Getting Started/Fedora/Root on ZFS/6-recovery.rst b/docs/Getting Started/Fedora/Root on ZFS/6-recovery.rst index 9e57d4a..fa17155 100644 --- a/docs/Getting Started/Fedora/Root on ZFS/6-recovery.rst +++ b/docs/Getting Started/Fedora/Root on ZFS/6-recovery.rst @@ -28,7 +28,7 @@ This section is also applicable if you are in Boot computer from the rescue media. Both legacy and EFI mode are supported. - Or `download generated GRUB rescue image `__. + Or `download generated GRUB rescue image `__. #. List available disks with ``ls`` command:: 
diff --git a/docs/Getting Started/NixOS/Root on ZFS/2-system-configuration.rst b/docs/Getting Started/NixOS/Root on ZFS/2-system-configuration.rst index f329938..c603b3c 100644 --- a/docs/Getting Started/NixOS/Root on ZFS/2-system-configuration.rst +++ b/docs/Getting Started/NixOS/Root on ZFS/2-system-configuration.rst @@ -212,8 +212,6 @@ System Configuration zfs create -o canmount=on -o mountpoint=/$i rpool_$INST_UUID/$INST_ID/DATA/local/$i done - Datasets for immutable root filesystem:: - zfs create -o canmount=on rpool_$INST_UUID/$INST_ID/DATA/default/state for i in {/etc/nixos,/etc/cryptkey.d}; do mkdir -p /mnt/state/$i /mnt/$i diff --git a/docs/Getting Started/NixOS/Root on ZFS/6-recovery.rst b/docs/Getting Started/NixOS/Root on ZFS/6-recovery.rst index 2d88aa3..dc172b2 100644 --- a/docs/Getting Started/NixOS/Root on ZFS/6-recovery.rst +++ b/docs/Getting Started/NixOS/Root on ZFS/6-recovery.rst @@ -28,7 +28,7 @@ This section is also applicable if you are in Boot computer from the rescue media. Both legacy and EFI mode are supported. - Or `download generated GRUB rescue image `__. + Or `download generated GRUB rescue image `__. #. List available disks with ``ls`` command:: diff --git a/docs/Getting Started/RHEL-based distro/RHEL 8-based distro Root on ZFS/6-recovery.rst b/docs/Getting Started/RHEL-based distro/RHEL 8-based distro Root on ZFS/6-recovery.rst index 9e57d4a..fa17155 100644 --- a/docs/Getting Started/RHEL-based distro/RHEL 8-based distro Root on ZFS/6-recovery.rst +++ b/docs/Getting Started/RHEL-based distro/RHEL 8-based distro Root on ZFS/6-recovery.rst @@ -28,7 +28,7 @@ This section is also applicable if you are in Boot computer from the rescue media. Both legacy and EFI mode are supported. - Or `download generated GRUB rescue image `__. + Or `download generated GRUB rescue image `__. #. List available disks with ``ls`` command::
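Review bot: the `echo 'nobody ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/00_nobody` line in the first hunk of 4-optional-configuration.rst grants unrestricted passwordless root to the shared `nobody` account, which other services on the live system may also run as, and the cleanup `rm /etc/sudoers.d/00_nobody` is only reached if `makepkg -si` and `paru -S rozb3-pac` both succeed and the reader then types `logout`. Suggest a throwaway build user (for example `useradd -m builder`) with a sudoers entry limited to `/usr/bin/pacman` instead of `ALL`, a note telling the reader to remove the sudoers file even when a step fails, and a `visudo -cf /etc/sudoers.d/00_nobody` check after writing it so a typo cannot leave sudo unusable.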
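Review bot: the `--pbkdf pbkdf2` added to the `cryptsetup luksAddKey` line in the second hunk of 4-optional-configuration.rst deliberately downgrades the passphrase slot from the LUKS2 default (argon2id) to PBKDF2, and the new prose should spell out the cost: PBKDF2 has no memory hardness, so anyone holding a copy of the header can test guesses against that slot much faster than against an argon2id slot, which makes passphrase strength matter more for this layout; the keyfile slot created by `luksFormat` keeps the default KDF, as the "Other slots are not affected" sentence says. Suggest adding a verification step such as `cryptsetup luksDump $i-part2` to confirm that only the passphrase keyslot reports `PBKDF: pbkdf2`, and changing "for passphrase key slot" to "for the passphrase key slot".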
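Review bot: the heredoc body following `tee -a /etc/grub.d/09_bpool_luks2-decryption <` in the third hunk of 4-optional-configuration.rst is not visible in this rendering, so the generated GRUB script itself cannot be reviewed; what is visible is that `tee -a` appends, so running the step twice duplicates the block in that file and in every grub.cfg generated from it. Suggest writing the file with `tee` (no `-a`) or `cat >` so the step is idempotent, and stating that grub-mkconfig only executes files in /etc/grub.d that are marked executable, so a `chmod +x` on the new script is required unless the truncated part already does it.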
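Review bot: the new link target in the ``Or `download generated GRUB rescue image `__.`` lines of the Fedora, NixOS and RHEL 8 6-recovery.rst hunks (and the matching Arch hunk) is stripped in this rendering, so the URL change cannot be checked; whatever it points to, a prebuilt GRUB rescue image is a boot artifact the reader will execute, so the sentence should also say how to verify the download (a checksum or signature published with the image) rather than only where to fetch it. Since the same sentence is maintained in four copies, they should stay word-for-word identical so future edits do not drift.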
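Review bot: the deletion of the `Datasets for immutable root filesystem::` line in NixOS/2-system-configuration.rst is unrelated to the commit subject (PBKDF2-only LUKS2) and leaves the `zfs create -o canmount=on rpool_$INST_UUID/$INST_ID/DATA/default/state` command and the `for i in {/etc/nixos,/etc/cryptkey.d}` loop with no sentence explaining what they create; because the deleted line also carried the `::` that opened their literal block, those commands now render as a continuation of the preceding `zfs create ... DATA/local/$i` block. Suggest keeping a one-line lead-in for the state dataset, or moving this hunk to its own commit whose message explains why the immutable-root wording was dropped.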