gentoo-config-luks2-grub-systemd: Update for GRUB 2.14

Author: Leo3418

content/en/collections/gentoo-config-luks2-grub-systemd/_index.md

@@ -12,7 +12,6 @@ cascade:
 - date: 2022-08-21
 - show_date: true
 - toc: true
-lastmod: 2022-08-21
 ---
 
 This collection is a tutorial which provides instructions to set up LUKS2-based
@@ -29,14 +28,6 @@ articles in this collection.
 
 ## Caveats and Disclaimers
 
-- This tutorial depends on **unofficial modification** to GRUB.  The patch for
-  the modification is from the [grub-devel mailing list][grub-devel-archive].
-  Although the patch has been tested by myself and has not exhibited any issues
-  so far, and it presumably has also been tested by their original authors,
-  reviewers, testers, and some other users too, there is **no guarantee** on
-  the modification's functionality, stability, compatibility, security, or
-  performance whatsoever.
-
 - This tutorial gives **no professional advice on computer security**.
   Although I endeavor to make responsible recommendations on security practices
   which *should* help make a system reasonably secure, there is **no

content/en/collections/gentoo-config-luks2-grub-systemd/background.md

@@ -42,11 +42,10 @@ is more resilient to header corruption and still provides modest protection
 when a weak passphrase is used.  These enhancements are realized by use of a
 second copy of the LUKS header and Argon2id.
 
-However, LUKS2 full disk encryption is not necessarily easy to set up:
+However, LUKS2 full disk encryption is not necessarily straightforward to set
+up:
 - On Gentoo, where many software packages' features can be customized via USE
   flags, the USE flags related to LUKS must be enabled.
-- Configuring the GRUB bootloader for LUKS2 with Argon2id is tricky because as
-  of version 2.12, GRUB still does not support Argon2id.
 - The boot process might prompt for the passphrase twice: GRUB asks for it
   first, and the init system will ask for it again because GRUB cannot pass
   the passphrase or the unlocked state to the init system.

content/en/collections/gentoo-config-luks2-grub-systemd/patch-grub.md

@@ -0,0 +1,132 @@
+---
+title: "Appendix: Patching GRUB 2.12/2.06 to Add LUKS2 and Argon2 Support"
+weight: 1001
+date: 2026-05-19
+vars:
+  memregion_patch: "4500-grub-2.06-runtime-memregion-alloc.patch"
+  argon2_patch_206: "5000-grub-2.06-luks2-argon2-v4.patch"
+  argon2_patch_212: "grub-2.12-luks2-argon2-v4.patch"
+  aur_patch: "9500-grub-AUR-improved-luks2.patch"
+---
+
+At the time of writing, the latest release of GRUB, which is 2.14, has
+built-in LUKS2 and Argon2id support.  Therefore, users who can use the latest
+GRUB release do not need to patch its source code to add LUKS2 and Argon2
+support, hence they can ignore the information on this page.
+
+However, users of older GRUB releases, including 2.12 and 2.06, need to patch
+them.  Neither GRUB 2.12 nor GRUB 2.06 has built-in support for Argon2id; GRUB
+2.06 even has more limitations on LUKS2 support.  Therefore, both GRUB 2.12 and
+GRUB 2.06 need some patches for LUKS2 and Argon2 support.
+
+## GRUB 2.12
+
+GRUB 2.12 only needs one patch [`{{< param vars.argon2_patch_212 >}}`](
+{{< patchesBaseURL.inline >}}
+{{- partial "static-path.html" (dict
+    "page" (index .Page.Ancestors.Reverse 2) "type" "res") -}}
+{{< /patchesBaseURL.inline >}}/{{< param vars.argon2_patch_212 >}}) to get
+support for LUKS2 with Argon2.  This patch was originally [submitted to the
+grub-devel mailing list][grub-devel-argon2-v4] and targeted GRUB 2.06; I ported
+it to GRUB 2.12, and it still works.
+
+To apply this patch to Gentoo's GRUB package -- `sys-boot/grub`, add it as a
+[Portage user patch][gentoo-wiki-etc-portage-patches] to
+`/etc/portage/patches/sys-boot/grub-2.12`.  Patches at this location are
+applied to all Gentoo revisions of GRUB 2.12 (`-r1`, `-r2`, etc.).  The
+following commands may be used to do this:
+
+{{< commands.inline "2.12" "argon2_patch_212" >}}
+{{- $grubVer := .Get 0 }}
+{{- $patches := split (.Get 1) " " }}
+{{- $patches = apply $patches "printf" "vars.%s" "." }}
+{{- $patches = apply $patches "page.Param" "." }}
+
+{{ $content := print
+    "# mkdir -p /etc/portage/patches/sys-boot/grub-" $grubVer | println }}
+{{ $content := print $content
+    "# cd /etc/portage/patches/sys-boot/grub-" $grubVer | println }}
+{{- $baseURL := partial "static-path.html" (dict
+    "page" (index .Page.Ancestors.Reverse 2) "type" "res" "abs" true) }}
+{{- range $patches }}
+{{- $content = print $content "# curl -O " $baseURL "/" . | println }}
+{{- end }}
+{{- highlight $content "console" }}
+{{< /commands.inline >}}
+
+Readers who are interested in learning more about Portage's user patch feature
+are welcome to read [another article on this website][portage-user-patches]
+that discusses it in depth.
+{.notice--success}
+
+Because this patch modifies the file `grub-core/Makefile.core.def`, according
+to the [`sys-boot/grub` ebuild][ebuild-sys-boot:grub], the `GRUB_AUTOGEN` and
+`GRUB_AUTORECONF` environment variables must be set.  **Otherwise, any builds
+of the package with the patch applied would fail.**  The environment variable
+can be set exclusively for all Gentoo revisions of `sys-boot/grub-2.12` in file
+`/etc/portage/env/sys-boot/grub-2.12`:
+
+```console
+# mkdir -p /etc/portage/env/sys-boot
+# echo -e 'GRUB_AUTOGEN=1\nGRUB_AUTORECONF=1' >> /etc/portage/env/sys-boot/grub-2.12
+```
+
+[grub-devel-argon2-v4]: https://lists.gnu.org/archive/html/grub-devel/2021-08/msg00027.html
+[grub-2.12-argon2]: https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00094.html
+[gentoo-wiki-etc-portage-patches]: https://wiki.gentoo.org/wiki//etc/portage/patches
+[portage-user-patches]: {{< relref "2021-03-01-portage-user-patches" >}}
+[ebuild-sys-boot:grub]: https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-boot/grub/grub-2.12.ebuild?id=76418694270557b6feb75381912a39569ee28d45#n6
+
+## GRUB 2.06
+
+GRUB 2.06's support for LUKS2 is [more limited][arch-wiki-grub-luks2].
+Although code implementing partial LUKS2 support exists in this version, the
+bootloader files installed using the default procedure do not support LUKS2.
+
+Luckily, after applying the following patches to GRUB 2.06, LUKS2 support can
+be added to the installed bootloader files automatically, and Argon2id is
+supported too.
+
+- [`{{< param vars.memregion_patch >}}`]({{< patchesBaseURL.inline />}}/{{<
+  param vars.memregion_patch >}}): A patch set that allows GRUB to allocate new
+  consecutive and large memory chunks, which is a prerequisite for Argon2
+  support in GRUB.  Argon2 enhances the security of LUKS by increasing the size
+  of memory required for unlocking computations, so GRUB must be able to
+  allocate more memory when needed.  This patch set was cherry-picked from
+  [GRUB 2.12][grub-git-memregion-patch].
+
+- [`{{< param vars.argon2_patch_206 >}}`]({{< patchesBaseURL.inline />}}/{{<
+  param vars.argon2_patch_206 >}}): The patch set that adds Argon2 support
+  itself to GRUB.  This patch is equivalent to the only patch needed for GRUB
+  2.12 mentioned above.
+
+- [`{{< param vars.aur_patch >}}`]({{< patchesBaseURL.inline />}}/{{< param
+  vars.aur_patch >}}): A patch [included][aur-git-grub-install-luks2-patch] in
+  the [`grub-improved-luks2-git`][aur-grub-improved-luks2-git] package on the
+  AUR, which is what the Arch Wiki's GRUB article recommends for users seeking
+  great LUKS2 support in GRUB.  This patch allows GRUB 2.06's `grub-install`
+  command to automatically install bootloader files with LUKS2 support.
+
+The numbers in front of the patches' file names are there only to control the
+order in which they are applied (patches with a smaller ordinal are applied
+first).  As long as the order is maintained, these numbers' values are
+arbitrary.
+{.notice--info}
+
+Similar to the case of GRUB 2.12, add these patches as Portage user patches to
+`/etc/portage/patches/sys-boot/grub-2.06`:
+
+{{< commands.inline "2.06" "memregion_patch argon2_patch_206 aur_patch" />}}
+
+Then, add the required environment variables to
+`/etc/portage/env/sys-boot/grub-2.06`:
+
+```console
+# mkdir -p /etc/portage/env/sys-boot
+# echo -e 'GRUB_AUTOGEN=1\nGRUB_AUTORECONF=1' >> /etc/portage/env/sys-boot/grub-2.06
+```
+
+[arch-wiki-grub-luks2]: https://wiki.archlinux.org/title/GRUB#LUKS2
+[grub-git-memregion-patch]: https://git.savannah.gnu.org/cgit/grub.git/log/?qt=range&q=8afa5ef45..1df293482
+[aur-grub-improved-luks2-git]: https://aur.archlinux.org/packages/grub-improved-luks2-git
+[aur-git-grub-install-luks2-patch]: https://aur.archlinux.org/cgit/aur.git/tree/grub-install_luks2.patch?h=grub-improved-luks2-git&id=27612416769e544d2c08d29932fff69129cb143a

content/en/collections/gentoo-config-luks2-grub-systemd/setup-process/configure-gentoo/grub.md

@@ -3,16 +3,15 @@ title: "Configure GRUB for Better User Experience"
 weight: 337
 ---
 
-Although GRUB now has out-of-box support for LUKS2 and Argon2id thanks to the
-patches applied previously, a few additional configuration steps can still be
-taken to improve the user experience of unlocking the LUKS partition from GRUB.
+A few additional configuration steps can be taken to improve the user
+experience of unlocking the LUKS partition from GRUB.
 
 ## Update GRUB Settings for LUKS
 
-GRUB's default settings disregard operating systems in LUKS partitions and
-therefore does not generate menu entries for them.  To let GRUB probe LUKS
-partitions and create corresponding menu entries, the following option needs to
-be added to `/etc/default/grub`:
+With the default configuration, GRUB disregards operating systems in LUKS
+partitions and therefore does not generate menu entries for them.  To let GRUB
+probe LUKS partitions and create corresponding menu entries, the following
+option needs to be added to `/etc/default/grub`:
 
 ```bash
 # /etc/default/grub

content/en/collections/gentoo-config-luks2-grub-systemd/setup-process/configure-gentoo/packages.md

@@ -1,12 +1,6 @@
 ---
 title: "Enable LUKS2 and Argon2 Support for Packages"
 weight: 332
-vars:
-  memregion_patch: "4500-grub-2.06-runtime-memregion-alloc.patch"
-  argon2_patch_206: "5000-grub-2.06-luks2-argon2-v4.patch"
-  argon2_patch_212: "grub-2.12-luks2-argon2-v4.patch"
-  aur_patch: "9500-grub-AUR-improved-luks2.patch"
-lastmod: 2023-12-24
 ---
 
 Because the LUKS partition uses LUKS2 and Argon2id, support for these LUKS
@@ -36,131 +30,16 @@ USE flag must be disabled so `cryptsetup` can be built into the initramfs by
 dracut, or else the LUKS partition could not be unlocked during boot.
 {.notice--success}
 
-## Add Patches for GRUB
-
-Neither GRUB 2.12 nor GRUB 2.06 supports the Argon2id PBKDF; GRUB 2.06 even has
-more limitations on LUKS2 support.  Therefore, both GRUB 2.12 and GRUB 2.06
-need some patches for LUKS2 with Argon2id support.
-
-### GRUB 2.12
-
-GRUB 2.12 only needs one patch [`{{< param vars.argon2_patch_212 >}}`](
-{{< patchesBaseURL.inline >}}
-{{- partial "static-path.html" (dict
-    "page" (index .Page.Ancestors.Reverse 2) "type" "res") -}}
-{{< /patchesBaseURL.inline >}}/{{< param vars.argon2_patch_212 >}}) to get
-support for LUKS2 with Argon2.  This patch was originally [submitted to the
-grub-devel mailing list][grub-devel-argon2-v4] and targeted GRUB 2.06; I ported
-it to GRUB 2.12, and it still works.
-
-This patch has not been merged into GRUB, nor is it likely to be merged in the
-future.  The patch's author [commented][grub-2.12-argon2] that, after the patch
-had been created, one dependency of GRUB gained Argon2 support, so the best way
-to add Argon2 support to GRUB became upgrading that dependency in GRUB's source
-tree.  What the patch does instead is adding the Argon2 reference
-implementation to GRUB, which has become redundant after the said dependency's
-new version would also add Argon2 support.
-
-To apply this patch to Gentoo's GRUB package -- `sys-boot/grub`, add it as a
-[Portage user patch][gentoo-wiki-etc-portage-patches] to
-`/etc/portage/patches/sys-boot/grub-2.12`.  Patches at this location are
-applied to all Gentoo revisions of GRUB 2.12 (`-r1`, `-r2`, etc.).  The
-following commands may be used to do this:
-
-{{< commands.inline "2.12" "argon2_patch_212" >}}
-{{- $grubVer := .Get 0 }}
-{{- $patches := split (.Get 1) " " }}
-{{- $patches = apply $patches "printf" "vars.%s" "." }}
-{{- $patches = apply $patches "page.Param" "." }}
-
-{{ $content := print
-    "# mkdir -p /etc/portage/patches/sys-boot/grub-" $grubVer | println }}
-{{ $content := print $content
-    "# cd /etc/portage/patches/sys-boot/grub-" $grubVer | println }}
-{{- $baseURL := partial "static-path.html" (dict
-    "page" (index .Page.Ancestors.Reverse 2) "type" "res" "abs" true) }}
-{{- range $patches }}
-{{- $content = print $content "# curl -O " $baseURL "/" . | println }}
-{{- end }}
-{{- highlight $content "console" }}
-{{< /commands.inline >}}
-
-Readers who are interested in learning more about Portage's user patch feature
-are welcome to read [another article on this website][portage-user-patches]
-that discusses it in depth.
-{.notice--success}
-
-Because this patch modifies the file `grub-core/Makefile.core.def`, according
-to the [`sys-boot/grub` ebuild][ebuild-sys-boot:grub], the `GRUB_AUTOGEN` and
-`GRUB_AUTORECONF` environment variables must be set.  **Otherwise, any builds
-of the package with the patch applied would fail.**  The environment variable
-can be set exclusively for all Gentoo revisions of `sys-boot/grub-2.12` in file
-`/etc/portage/env/sys-boot/grub-2.12`:
-
-```console
-# mkdir -p /etc/portage/env/sys-boot
-# echo -e 'GRUB_AUTOGEN=1\nGRUB_AUTORECONF=1' >> /etc/portage/env/sys-boot/grub-2.12
-```
-
-[grub-devel-argon2-v4]: https://lists.gnu.org/archive/html/grub-devel/2021-08/msg00027.html
-[grub-2.12-argon2]: https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00094.html
-[gentoo-wiki-etc-portage-patches]: https://wiki.gentoo.org/wiki//etc/portage/patches
-[portage-user-patches]: {{< relref "2021-03-01-portage-user-patches" >}}
-[ebuild-sys-boot:grub]: https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-boot/grub/grub-2.12.ebuild?id=76418694270557b6feb75381912a39569ee28d45#n6
-
-### GRUB 2.06
-
-GRUB 2.06's support for LUKS2 is [more limited][arch-wiki-grub-luks2].
-Although code implementing partial LUKS2 support exists in this version, the
-bootloader files installed using the default procedure do not support LUKS2.
-
-Luckily, after applying the following patches to GRUB 2.06, LUKS2 support can
-be added to the installed bootloader files automatically, and Argon2id is
-supported too.
+## GRUB 2.12 and Lower Only: Add Patches for GRUB
 
-- [`{{< param vars.memregion_patch >}}`]({{< patchesBaseURL.inline />}}/{{<
-  param vars.memregion_patch >}}): A patch set that allows GRUB to allocate new
-  consecutive and large memory chunks, which is a prerequisite for Argon2
-  support in GRUB.  Argon2 enhances the security of LUKS by increasing the size
-  of memory required for unlocking computations, so GRUB must be able to
-  allocate more memory when needed.  This patch set was cherry-picked from
-  [GRUB 2.12][grub-git-memregion-patch].
-
-- [`{{< param vars.argon2_patch_206 >}}`]({{< patchesBaseURL.inline />}}/{{<
-  param vars.argon2_patch_206 >}}): The patch set that adds Argon2 support
-  itself to GRUB.  This patch is equivalent to the only patch needed for GRUB
-  2.12 mentioned above.
-
-- [`{{< param vars.aur_patch >}}`]({{< patchesBaseURL.inline />}}/{{< param
-  vars.aur_patch >}}): A patch [included][aur-git-grub-install-luks2-patch] in
-  the [`grub-improved-luks2-git`][aur-grub-improved-luks2-git] package on the
-  AUR, which is what the Arch Wiki's GRUB article recommends for users seeking
-  great LUKS2 support in GRUB.  This patch allows GRUB 2.06's `grub-install`
-  command to automatically install bootloader files with LUKS2 support.
-
-The numbers in front of the patches' file names are there only to control the
-order in which they are applied (patches with a smaller ordinal are applied
-first).  As long as the order is maintained, these numbers' values are
-arbitrary.
-{.notice--info}
-
-Similar to the case of GRUB 2.12, add these patches as Portage user patches to
-`/etc/portage/patches/sys-boot/grub-2.06`:
-
-{{< commands.inline "2.06" "memregion_patch argon2_patch_206 aur_patch" />}}
-
-Then, add the required environment variables to
-`/etc/portage/env/sys-boot/grub-2.06`:
-
-```console
-# mkdir -p /etc/portage/env/sys-boot
-# echo -e 'GRUB_AUTOGEN=1\nGRUB_AUTORECONF=1' >> /etc/portage/env/sys-boot/grub-2.06
-```
+GRUB has gained built-in support for LUKS2 and Argon2id support since 2.14, so
+users of GRUB 2.14 do not need to manually patch its source code to manually
+add LUKS2 and Argon2id support.  These users can skip this step and move on to
+the next one.
 
-[arch-wiki-grub-luks2]: https://wiki.archlinux.org/title/GRUB#LUKS2
-[grub-git-memregion-patch]: https://git.savannah.gnu.org/cgit/grub.git/log/?qt=range&q=8afa5ef45..1df293482
-[aur-grub-improved-luks2-git]: https://aur.archlinux.org/packages/grub-improved-luks2-git
-[aur-git-grub-install-luks2-patch]: https://aur.archlinux.org/cgit/aur.git/tree/grub-install_luks2.patch?h=grub-improved-luks2-git&id=27612416769e544d2c08d29932fff69129cb143a
+Users who need to use an older GRUB release for any reason, including 2.12 and
+2.06, need to patch its source code to add LUKS2 and Argon2id support.  See
+[the appendix]({{% relref "../../patch-grub" %}}) for instructions.
 
 ## New Installation Only: Initialize Portage
 
@@ -174,8 +53,8 @@ chapter:
 
 ## Rebuild Packages
 
-First, build `sys-boot/grub` with the patches applied.  Before starting the
-build, please make sure that in the output of `emerge`,
+First, build `sys-boot/grub` (with any patches applied, if needed).  Before
+starting the build, please make sure that in the output of `emerge`,
 `GRUB_PLATFORMS="efi-64"` is enabled for `sys-boot/grub`.  In other words,
 please check that `efi-64` is listed *without* a minus sign (`-`) in front of
 it under `GRUB_PLATFORMS`.  If this is not true, the Handbook has [related

content/en/posts/2025-06-22-custom-gentoo-binhost.md

@@ -124,7 +124,7 @@ must be set up.
 [cachyos-benchmark]: https://www.phoronix.com/review/cachyos-x86-64-v3-v4
 [gentoo-news-x86-64-v3]: https://www.gentoo.org/news/2024/02/04/x86-64-v3.html
 [portage-user-patches-fix-bugs]: {{< relref "2021-03-01-portage-user-patches" >}}
-[portage-user-patches-grub-argon2]: {{< relref "collections/gentoo-config-luks2-grub-systemd/setup-process/configure-gentoo/packages#add-patches-for-grub" >}}
+[portage-user-patches-grub-argon2]: {{< relref "collections/gentoo-config-luks2-grub-systemd/patch-grub" >}}
 
 ## Effects
 

content/zh/posts/2025-06-22-custom-gentoo-binhost.md

@@ -52,7 +52,7 @@ toc: true
 [cachyos-benchmark]: https://www.phoronix.com/review/cachyos-x86-64-v3-v4
 [gentoo-news-x86-64-v3]: https://www.gentoo.org/news/2024/02/04/x86-64-v3.html
 [portage-user-patches-fix-bugs]: {{< relref "2021-03-01-portage-user-patches" >}}
-[portage-user-patches-grub-argon2]: {{< relref path="collections/gentoo-config-luks2-grub-systemd/setup-process/configure-gentoo/packages#add-patches-for-grub" lang="en" >}}
+[portage-user-patches-grub-argon2]: {{< relref path="collections/gentoo-config-luks2-grub-systemd/patch-grub" lang="en" >}}
 
 ## 效果
 
@@ -518,4 +518,4 @@ $ journalctl --all --unit binhost-update.service
 
 [gentoo-wiki-binpkg-guide]: https://wiki.gentoo.org/wiki/Binary_package_guide
 [github-hartwork-binary-gentoo]: https://github.com/hartwork/binary-gentoo
-[github-hartwork-binary-gentoo-readme-flags]: https://github.com/hartwork/binary-gentoo?tab=readme-ov-file#determining-ideal-build-flags
+[github-hartwork-binary-gentoo-readme-flags]: https://github.com/hartwork/binary-gentoo?tab=readme-ov-file#determining-ideal-build-flags