pbear wrote: Wed Aug 16, 2023 5:35 pm
That's not how troubleshooting works. Before anything is considered a bug, it has to be replicated. For this sort of thing, a VM will do. Meanwhile, I've spent a couple hundred hours understanding Grub, precisely so I wouldn't have to rely on inscrutable black box apps. Moreover, encryption is notoriously unstable because it's so complicated. And, well, to be blunt, user error is a thing also.
I agree on all you said. If developers are willing to take this matter, I will gladly assist. Until then, I think most reasonable for me is to give up on this particular matter.
Better to invest my time finding a way how to encrypt boot, on MX23 and BTRFS, if possible.
BTW, isn't it funny, how many years have passed and still no support for using Argon2 family PBKDFs in GRUB? On more passes, it should be much more robust against bruteforcing than PBKDF2.
Nowdays, PBKDF2 can be very weak for lower iteration counts and/or not very long passwords.
Argon2 is supported in KeePassXC, for example, so there do exist libraries, which offer this functionality. (I am not an expert, and I know not every library is suitable for using in GRUB, but it is certainly doable.)
It seems to me GRUB developement in this regard it is delibarately omitted.
It would be nice to have a setup resistible even against the evil maid attack, albeit not my threat model.
(I mean not against state-of-the-art variants of this attack. But not every potential adversary or hacker is a three letter agency)
EDIT: But... it certainly is not in the interest of these agencies to let average Joe use such encryption, which will cause unneeded troubles to them.
So if accessible with reasonable effort, why not to have benefit of it?
fehlix wrote: Wed Aug 16, 2023 6:06 pm
andy wrote: Wed Aug 16, 2023 1:06 pm
1. is this supposed to work - repair the actual running system - thus without chroot-ing?
(should be simpler, because no chroot is needed)
Don't think, that any MX tools are build or tested to be run within a chroot.
Even if you use Chroot-Rescue-Scann tool, which does provides some comfort to go int chroot,
this tools are meant to repair the system but not from running GUI tools.
Some tools may work in chroot, other may create bad side effects or even worse a disaster.
andy wrote: Wed Aug 16, 2023 1:06 pm
2. is MX-Boot repair adapted to all variants of install - LUKS+BTRS+root on @ subvolume?
You better show details what you mean with all variants.
The normal way as offered by the MX installer
with /@-root and /@home subvolumes have been tested.
And if something does not work you would need to give details,
in a reproducible way in order to identify the issue to be reproducible.
1. Edit: strikeout
Yes, I have a feeling it is always supposed to be fired from the another system, I just wanted to be sure.
As previous versions of the tool were never able to unlock LUKS (for me), I started to think I am using it incorrectly, so trying every possibility, hence trying to run even from the system-being-repaired.
2. I have meant all setup combinations you allow in your installer.
Thank you for your answers. Ok, so if I will have plenty of spare time, I will try to replicate in a VM.
Just one thing comes to my mind: Since MX-Boot repair is a GUI tool, I suppose it is not intended for GRUB gurus, but for less experienced users, to help them potentially repair some errors, would you consider a good idea, to allow user to view the flow of internal probe commands and their output, used for gathering info, for internal logic to do actual repair, and, to allow dry run, which will list exact commands with their arguments, issued to repair?
Maybe hidden behind a checkbox named "Expert mode: show probe results", and "dry run only - show suggested repair."
It will be source of inspiration for some intermediate users, what can be done to diagnose problems, and maybe to send reports to experienced experts.
What do you think?
