26

Re: How to compile Grub for full disk encryption Luks2+argon2id

jim wrote:
throgh wrote:
jim wrote:

you mean that for example, now I have Grub 2.04 installed, then I compiled Grub 2.12 and installed it instead of Grub 2.04. How to do this safely so as not to break the system? Using USB-live to remove the old Grub and install a new one?

I have not said it is fully safe: I only mentioned a way forward to have a reversible own standing package for usage. You want to use a complete new feature not even part of the upstream-release so far (argon2id), so I would not say it is "safe" for usage. Besides to underline that you should try this first in a virtual environment.


If we are talking about assembling and installing Grub 2.12 on a ready-made system, then I want to clarify again, is this instruction => https://linuxconfig.org/grub-compile-fr …, suitable? I'll replace Grub 2.6 with Grub 2.12 and try installing it in a virtual machine to see how it works.

I don’t understand why I need PKGBUILD Grub 2.04 https://git.hyperbola.info:50100/~team/ … 34a54ef004 now if I’m building Grub 2.12. I would appreciate an explanation.

Jim, this was now multiple times explained here in the thread: To create a package you can install and remove without bothering other leftovers.
And you got already the explanation also that the link only explains one possible way to compile Grub, not the way it is used in the package of Hyperbola. So you will compile Grub, but perhaps not even fitting the system you want to run on. One last time: Research the offered data, tryout packaging (when you want to replace Grub 2.6 with Grub 2.12, this is exactly the same to be done in the definitions within the PKGBUILD-script, just a bit more and different). If you prefer to follow the linked guide, your decision. But while at creating packages you can get help, no one can help you further out with a local compiled version installed through "doas make install".

And one last point, jim: Please stay on-topic. You have asked for compilation not about QubesOS or other surely interesting fields for security. With every new note added here the thread is going more and more off-topic and derailed. Please do not add more invitations for others to add here even more notes as in the end this thread has only one choice left: Closing as it does not add anything or help something.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

27

Re: How to compile Grub for full disk encryption Luks2+argon2id

Got it, I'll try to assemble a new Grub

28 (edited by zapper 2024-05-10 02:02:50)

Re: How to compile Grub for full disk encryption Luks2+argon2id

jim wrote:
zapper wrote:
jim wrote:

you mean that for example, now I have Grub 2.04 installed, then I compiled Grub 2.12 and installed it instead of Grub 2.04. How to do this safely so as not to break the system? Using USB-live to remove the old Grub and install a new one?

To be honest, I think the safest thing to do, is to have two computers, have a qcow2 disk clone image (that you know works) and copy paste it onto the other computer, make the changes and then go from there to see if it will work.

Just make sure it's only using a small amount of GB the qcow2 image so that disk cloning is fast, like 40GB.



If it fails, you just load a live installation and copy the working qcow2 back on.

However, just make sure you have and use usb 3.0 if you use this method

Otherwise it will be hella slow.

I have msata drives on both my X230 and my T430 as well as one regular SSD. So usually I don't need a spare portable usb drive loaded with linux.

If this sounds too complicated, that's fine. It was only a suggestion.


Hello. Thank you very much for your useful advice.
Yes, I know everything you wrote about, it’s very useful for testing, I agree with you.

I'm more interested in how to protect a virtual machine from attack or, for example, a cascade of virtual machines and firewall rules between them as implemented in Qubes.

Qubes to me is a waste of resources, but idk, maybe it could be useful for this.

You will need a fast computer though.

But I am sure you know this probably.

I don't know enough about qubes, or packet blocker type stuff.

If you are only running one vm at a time, you should be more than safe. In fact, you could probably run a few without too much trouble if you know what you are doing as long as none of them are proprietary operating systems which I think you know would be unwise.

Even then, it's not 100% you will be hacked or not hacked based on that.

It just very much ups your chances of getting hacked having proprietary operating systems loaded, that's all.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

29

Re: How to compile Grub for full disk encryption Luks2+argon2id

zapper wrote:
jim wrote:
zapper wrote:

To be honest, I think the safest thing to do, is to have two computers, have a qcow2 disk clone image (that you know works) and copy paste it onto the other computer, make the changes and then go from there to see if it will work.

Just make sure it's only using a small amount of GB the qcow2 image so that disk cloning is fast, like 40GB.



If it fails, you just load a live installation and copy the working qcow2 back on.

However, just make sure you have and use usb 3.0 if you use this method

Otherwise it will be hella slow.

I have msata drives on both my X230 and my T430 as well as one regular SSD. So usually I don't need a spare portable usb drive loaded with linux.

If this sounds too complicated, that's fine. It was only a suggestion.


Hello. Thank you very much for your useful advice.
Yes, I know everything you wrote about, it’s very useful for testing, I agree with you.

I'm more interested in how to protect a virtual machine from attack or, for example, a cascade of virtual machines and firewall rules between them as implemented in Qubes.

Qubes to me is a waste of resources, but idk, maybe it could be useful for this.

You will need a fast computer though.

But I am sure you know this probably.

I don't know enough about qubes, or packet blocker type stuff.

If you are only running one vm at a time, you should be more than safe. In fact, you could probably run a few without too much trouble if you know what you are doing as long as none of them are proprietary operating systems which I think you know would be unwise.

Even then, it's not 100% you will be hacked or not hacked based on that.

It just very much ups your chances of getting hacked having proprietary operating systems loaded, that's all.



Hello. Thank you for your answer. I can’t answer here because Throgh forbids me.
Here I will tell you about Grub, how to build and install it.

30

Re: How to compile Grub for full disk encryption Luks2+argon2id

Oh, thanks for the "flowers", jim. Here is nothing "forbidden" and I just remind you that those debates are unneeded when you have no interest in packaging. ;)

Sidewise: We have forum-rules!

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

31 (edited by jim 2024-05-15 07:17:53)

Re: How to compile Grub for full disk encryption Luks2+argon2id

Hello Throgh. Please tell me whether this method will work or not?

I want to build Grub 2.12 not on a working system, but during system installation

$ doas pacman -Sy \
  make \
  diffutils \
  python \
  binutils \
  bison \
  gcc \
  gettext-tiny \
  flex


$ curl -O https://ftp.gnu.org/gnu/grub/grub-2.12.tar.gz
$ curl -O https://ftp.gnu.org/gnu/grub/grub-2.12.tar.gz.sig

$ gpg --keyserver keyserver.ubuntu.com --receive-keys BE5C23209ACDDACEB20DB0A28C8189F1988C2166

$ gpg --verify grub-2.12.tar.gz.sig

$ tar -xvzf grub-2.12.tar.gz

$ cd grub-2.12

For i386-pc

./configure --disable-werror --disable-dependency-tracking

For 64-bit (U)EFI

./configure --with-platform=efi --target=x86_64 --disable-werror

$ make 

$ doas make install

32

Re: How to compile Grub for full disk encryption Luks2+argon2id

No, jim: This will not work the way you await. I have explained this now several times in the thread: This method is for a RUNNING system, when you are sure that you WILL NEVER AGAIN use another version of Grub (or other program you want) for the run- / lifetime of that currently installed system. You may do it that way, but you have afterwards no further point to approve or test, or even revert the changes done (which is essential for an installation to get it running and not restarting the whole installation-process with included compilation). One last time: Packaging is the way to go for approving a working system. Yes, errors in the package are more or less the same but you can compile the package regardless on another system before (or outside the VM in usage).

Also: There are no base-devel packages installed before installation, so your approach will surely fail. You would have to do this within an already prepared chroot-environment, so after installing packages. As I have initial said in this posting: Won't work as you await.

And the configuration is also not working that way: When you have called autotools to configure the sources, your next step is "make". NOT "configure options" and "configure options" as you won't have the corresponding results and the version of Grub being compiled won't work again the way you await. Exactly for all this reasoning I have linked the PKGBUILD and the rest to note how you can reach more easy your goal. As also said: If you want a different version you are complete on your own especially with not even included features upstream in Grub.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

33

Re: How to compile Grub for full disk encryption Luks2+argon2id

throgh wrote:

No, jim: This will not work the way you await. I have explained this now several times in the thread: This method is for a RUNNING system, when you are sure that you WILL NEVER AGAIN use another version of Grub (or other program you want) for the run- / lifetime of that currently installed system. You may do it that way, but you have afterwards no further point to approve or test, or even revert the changes done (which is essential for an installation to get it running and not restarting the whole installation-process with included compilation). One last time: Packaging is the way to go for approving a working system. Yes, errors in the package are more or less the same but you can compile the package regardless on another system before (or outside the VM in usage).

Also: There are no base-devel packages installed before installation, so your approach will surely fail. You would have to do this within an already prepared chroot-environment, so after installing packages. As I have initial said in this posting: Won't work as you await.

And the configuration is also not working that way: When you have called autotools to configure the sources, your next step is "make". NOT "configure options" and "configure options" as you won't have the corresponding results and the version of Grub being compiled won't work again the way you await. Exactly for all this reasoning I have linked the PKGBUILD and the rest to note how you can reach more easy your goal. As also said: If you want a different version you are complete on your own especially with not even included features upstream in Grub.

Intense...

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

34 (edited by jim 2024-05-16 19:10:40)

Re: How to compile Grub for full disk encryption Luks2+argon2id

Well, what other way is there that is as effective and automated as with Paru, 4 commands and a new Grub installed on the system without manual correction?

35

Re: How to compile Grub for full disk encryption Luks2+argon2id

I repeat again:

1. Download the needed data for packaging.
2. Creating a clean chroot (or using a local build).
3. Changing PKGBUILD-definitions, files and hashsums.
4. Building.

That is more or less the same without having:

- non-free AUR
- Rust-based paru in binary form distributed (which is non-free same way)
- correcting the PKGBUILD also as it uses perhaps not available dependencies

All was explained now multiple times and as said: You have no build-tools installed when you are using the ISO-file. The group base-devel is NOT available out of reasoning at that point. paru is neither effective nor it is automated when you need to modify the PKGBUILD or correct errors. There is no guarantee that paru and the AUR bring that wished simplification! Even more: Hyperbola is NOT Arch GNU/Linux and installing AUR-packages without evaluation is also misguiding the intention Hyperbola has. Arch GNU/Linux is not following the FHS and therefore the AUR-definition is only for Arch GNU/Linux itself, not for Hyperbola.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

36

Re: How to compile Grub for full disk encryption Luks2+argon2id

Thank you for your answer.

You have to answer what you think many times, but in reality nothing is clear! Therefore, I’m asking again, I assembled Grub locally using these instructions => https://linuxconfig.org/grub-compile-fr … e-on-linux the first time, because everything is very clearly written, understandable, the commands and their explanations are indicated.

Further, in the previous answer (in another topic) you wrote to me that YOU have no problems with building applications, this is understandable because you are a developer and this is your life and profession, but 99.9% of users of all distros are not developers, so hundreds are created instructions and hundreds of sites and wikis that tell in detail how and what to do to get results. Since you often write that Hyperbola is an independent distro and does not need to be compared with other distros, then you need to describe in detail how to do this in each case.

Let's get back to your answers.

1. Upload the required packaging data.

Where to download from? What to download?

2. Create a clean chroot (or use a local build). Wiki link or example please.

3. Changing PKGBUILD definitions, files and hashes. You already gave the answer, but did not indicate which specific files need to be changed and to what.

4. Construction. Okay, this command is clear

makepkg -si

37

Re: How to compile Grub for full disk encryption Luks2+argon2id

Well, sure I am a bit more into compiling and building: But this does not mean I'm in a way more different as I needed to learn also how to package and how to use the packaging-tools. So what I want to underline is that no one needs to be much afraid of doing something "false". Especially with tools like qemu it is possible to setup a concrete environment where everything is possible to test and build. So that's the first border we all need to cross and therefore I want to send the message that this is a good startup with being "safe" and also in a "safe space". :)

What needs to be said: No one should think that there is any end of learning as life is learning and so please everyone ... never stop learning and always be curious and experiment.

Coming now to the concrete questions:

Download the data
The needed files for grub are here to be found (for the moment a concrete commit in the git-repository). A bit more generic:

git clone https://git.hyperbola.info:50100/packages/core.git
cd core/grub

Creating a clean chroot
This is a point of interest especially when having the stable-branch installed. Please be aware that for the moment we are reworking libretools into our hypertools so the testing-branch should not be used.

doas pacman -S libretools
doas librechroot clean-repo
doas librechroot -C /etc/pacman.conf -M /usr/share/pacman/defaults/makepkg.conf.x86_64 -n x86_64 make

Now you have a chroot named x86_64. From point 1 taken:

cd core/grub
doas libremakepkg -n x86_64

Changing the PKGBUILD
The PKGBUILD-file is a shellscript with a given command-structure for execution. You need to look into there especially with the given information of the package-version (downloading the corresponding tarball from a given URL) and getting the hashsum correct.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!
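
The "Changing PKGBUILD-definitions, files and hashsums" step from the posts above, sketched in shell as an added example that is not part of the thread or of Hyperbola's packaging. The PKGBUILD and tarball are constructed stand-ins, the helper names are hypothetical, and it assumes a single source with a one-line sha512sums array.

```shell
#!/bin/sh
# Added example: the PKGBUILD and tarball below are constructed stand-ins,
# not Hyperbola's files. Helper names are hypothetical.
set -eu

# Print only the SHA-512 digest of a file.
file_sha512() { sha512sum "$1" | cut -d' ' -f1; }

# Read a one-line assignment (pkgver=..., sha512sums=('...')) from a PKGBUILD.
pkgbuild_get() {    # usage: pkgbuild_get FILE KEY
    sed -n "s/^$2=//p" "$1" | tr -d "'\"()" | head -n 1
}

# Set pkgver, reset pkgrel and pin the digest of TARBALL in the PKGBUILD.
# Rejects versions with characters that could alter the sed expression.
pkgbuild_bump() {   # usage: pkgbuild_bump FILE NEWVER TARBALL
    case "$2" in
        ''|*[!0-9A-Za-z._]*) echo "bad version: $2" >&2; return 1 ;;
    esac
    sum=$(file_sha512 "$3")
    sed -e "s/^pkgver=.*/pkgver=$2/" \
        -e "s/^pkgrel=.*/pkgrel=1/" \
        -e "s/^sha512sums=.*/sha512sums=('$sum')/" "$1" > "$1.new"
    mv "$1.new" "$1"
}

# Succeed only if TARBALL matches the digest pinned in the PKGBUILD.
pkgbuild_check() {  # usage: pkgbuild_check FILE TARBALL
    [ "$(pkgbuild_get "$1" sha512sums)" = "$(file_sha512 "$2")" ]
}

# Create the constructed inputs in a scratch directory and print its path.
make_demo() {
    d=$(mktemp -d)
    printf 'stand-in for grub-2.12.tar.gz\n' > "$d/grub-2.12.tar.gz"
    cat > "$d/PKGBUILD" <<'EOF'
pkgname=grub
pkgver=2.04
pkgrel=3
source=("https://ftp.gnu.org/gnu/grub/grub-${pkgver}.tar.gz")
sha512sums=('0000')
EOF
    echo "$d"
}

demo=$(make_demo)
pkgbuild_bump "$demo/PKGBUILD" 2.12 "$demo/grub-2.12.tar.gz"
pkgbuild_check "$demo/PKGBUILD" "$demo/grub-2.12.tar.gz" && echo "digest pinned"
cat "$demo/PKGBUILD"
rm -rf "$demo"
```

A digest computed from a download only pins whatever was downloaded, so the real tarball should pass `gpg --verify` against its `.sig` (as in post 31) before its digest goes into the PKGBUILD.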

38

Re: How to compile Grub for full disk encryption Luks2+argon2id

Throgh, thank you very much for your help, instructions and understanding. I will try your recommendations and get back to you with the result or question.