Skip to main content
Topic: GRUB couldn't load sha512 hash after reencrypt from whirlpool (Read 966 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

GRUB couldn't load sha512 hash after reencrypt from whirlpool

Hello!
I re-encrypted my LUKS partition to SHA512 after the recent Whirlpool deprecation but grub complains about it:
Code: [Select]
error: Couldn't load sha512 hash.
error: no such cryptodisk found.
error: disk `lvmid\...` not found.
Entering rescue mode

I am able to open it and chroot into it.
I used the command:
Code: [Select]
cryptsetup-reencrypt --keep-key --hash sha512 /dev/nvme0n1p2
I also did mkinitcpio, grub-install, and grub-mkconfig.

My /etc/mkinitcpio.conf:
https://paste.debian.net/hidden/bea76dcd/
My /etc/default/grub:
https://paste.debian.net/hidden/9abb819b/

I have no idea what I am missing.
Any idea will be appreciated.

Any other checks that I did:
it is luks type 1
sha256 doesn't work either
I re-encrypted my disk (run reencrypt without --keep-key)
UUIDs are matching
I ran -Syu


Re: GRUB couldn't load sha512 hash after reencrypt from whirlpool

Reply #1
Hi, thanks for posting your problem on our forums.

I'm sorry this isn't exactly a very helpful and easy solution and it might not even be one, but for now it should be enough temporarily to get your system up and running until someone here posts a better solution or grub gets fixed.

First get the source code to grub, unpack, read the INSTALL file in the unpacked directory and follow the instructions to build and install grub to /usr/local.

I'm also doing a dive into grub's source code to see if I can find any useful info, but I haven't found any for now, I'll post if I do.

Re: GRUB couldn't load sha512 hash after reencrypt from whirlpool

Reply #2
Thank You for your response!
I have no problem with building grub from sources. Are You able to explain the logic behind this? Is this a known issue? Maybe I could help with looking for a problem in code. I will try building from sources tomorrow and will be back with the results.

Re: GRUB couldn't load sha512 hash after reencrypt from whirlpool

Reply #3
Oh and one very important thing I forgot to mention, after you compile and install grub to /usr/local, remove the grub EFI binary ( grubx64.efi ) that was installed using the grub from the Artix packages, and install the new grub EFI binary from the newly compiled and installed grub in /usr/local by specifying it's full path ( e.g /usr/local/bin/grub-install ... ).

After that, just follow the standard instructions to add your grub EFI binary to your UEFI boot menu. ( any and all grub commands should be executed from /usr/local )

Re: GRUB couldn't load sha512 hash after reencrypt from whirlpool

Reply #4
Thank You for your response!
I have no problem with building grub from sources. Are You able to explain the logic behind this? Is this a known issue? Maybe I could help with looking for a problem in code. I will try building from sources tomorrow and will be back with the results.

>Are You able to explain the logic behind this?

Sometimes the resulting binaries that are packaged are broken and they slip through.

This also happened with the tor daemon package, after an update it was broken, compiling and installing a local copy of tor from source worked until the one in the repos got fixed.

>Is this a known issue?

Not at all, googling brought nothing and nobody on the Arch forums had a similar problem.

Re: GRUB couldn't load sha512 hash after reencrypt from whirlpool

Reply #5
I re-encrypted my disk (run reencrypt without --keep-key)
running without --keep-key is data present in partition?
Create problems which don't have solution

Re: GRUB couldn't load sha512 hash after reencrypt from whirlpool

Reply #6
running without --keep-key is data present in partition?
Yes, it is. I am able to chroot to it and use it.

Edit:
I was able to compile and install grub from sources, and it actually works!
Thank You very much @Lancia!
There is this bug: https://savannah.gnu.org/bugs/?62122
It is enough to install gcc11 and add before configure and make commands:
Code: [Select]
BUILD_CC=gcc-11

P.S
Where I can find a guide on how to report a bug?

Re: GRUB couldn't load sha512 hash after reencrypt from whirlpool

Reply #7
Hey, I'm in similar situation. I'm trying to build grub from link you posted earlier logged from liveusb on my encrypted drive.
Make failes out of the sudden:
Code: [Select]
cc1: all warnings being treated as errors
make[2]: *** [Makefile:9439: util/grub_mkimage-mkimage.o] Error 1
make[2]: *** Waiting for unfinished jobs....
mv -f util/.deps-util/grub_mkimage-resolve.Tpo util/.deps-util/grub_mkimage-resolve.Po
mv -f util/.deps-util/grub_mkimage-grub-mkimage32.Tpo util/.deps-util/grub_mkimage-grub-mkimage32.Po
mv -f util/.deps-util/grub_mkimage-grub-mkimage64.Tpo util/.deps-util/grub_mkimage-grub-mkimage64.Po
make[2]: Leaving directory '/home/u/tmp/grub-2.06'
make[1]: *** [Makefile:11514: all-recursive] Error 1
make[1]: Leaving directory '/home/u/tmp/grub-2.06'
make: *** [Makefile:3372: all] Error 2
-sh-5.1# BUILD_CC=gcc-11 make -j`nproc`^C
-sh-5.1# gcc-11 --version
gcc-11 (GCC) 11.3.0

Okay, I just realized I did this on kernel 5.18.

Re: GRUB couldn't load sha512 hash after reencrypt from whirlpool

Reply #8
Did You run configure with the correct compiler?
Code: [Select]
BUILD_CC=gcc-11 ./configure
Remember to configure grub with EFI if You have one.

Re: GRUB couldn't load sha512 hash after reencrypt from whirlpool

Reply #9
Not to derail the current discussion, but here's a note for anyone still using whirlpool: cryptsetup 2.5.0-4 adds whirlpool support via ossl-modules/legacy.so.

 

Re: GRUB couldn't load sha512 hash after reencrypt from whirlpool

Reply #10
@RedBanana , @Lancia , @Arch_user , @random_bash and @corysanin - after the today's update this FDE manual should be working for both hashing methods; although now it uses sha512 by default - but whirlpool is working too for those who like it more. Later I will investigate what really gives a stronger encryption and maybe also re-check the other available encryption options too. If you have any justified opinion regarding this, please share your input, you are welcome! Yes, I have really studied the encryption in the past, but my knowledge may be a bit rusty now...