GRUB2: Difference between revisions
Line 12: | Line 12: | ||
=== Security === | === Security === | ||
==== signed kernels ==== | ==== signed kernels ==== | ||
Grub is capable of running only trusted(signed) kernels like that: | |||
First generate a key: | First generate a key: | ||
$ gpg --gen-key | $ gpg --gen-key |
Revision as of 20:39, 13 March 2013
GRUB2 is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.
Status
Grub2 can be launched:
- Directly by coreboot as a payload
- Directly by SeaBIOS as a payload
- By SeaBIOS, on disk, as it would with a normal BIOS.
Recent bzr versions have improved memory management that removes the memory limitations when ran as a payload.
features
Security
signed kernels
Grub is capable of running only trusted(signed) kernels like that: First generate a key:
$ gpg --gen-key gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 4 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: Denis 'GNUtoo' Carikli Email address: GNUtoo@no-log.org Comment: kernel siging key You selected this USER-ID: "Denis 'GNUtoo' Carikli (kernel siging key) <GNUtoo@no-log.org>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key F882B81F marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 4096R/F882B81F 2013-03-13 Key fingerprint = E74E 91E5 950C 38B6 B001 4F89 6C93 114F F882 B81F uid Denis 'GNUtoo' Carikli (kernel siging key) <GNUtoo@no-log.org> Note that this key cannot be used for encryption. You may want to use the command "--edit-key" to generate a subkey for this purpose.
LUKS disks openning
grub is capable of opening LUKS disks like that:
grub> ls (ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk) grub> cryptomount (ata2,msdos3) Attempting to decrypt master key... Enter passphrase for ata2,msdos3 (431439b0870f40a3bfe8f3ca3aa7072a): Slot 0 opened grub> ls (crypto0) (ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk) grub> set root=crypto0 grub> ls / lost+found/ boot/ var/ dev/ run/ etc/ tmp/ sys/ proc/ usr/ lib/ sbin/ bin/ home/ mnt/ opt/ root/ srv/ media/
Note that you have to type the password and so it's better to have some kind of output(VGA, Serial etc...)
Other features
SeaBIOS launching
grub is capable of launching seabios like that: Add Seabios to the memdisk:
tar uvf ../memdisk.tar ../../seabios/out/bios.bin.elf --transform 's#.*#/bios.bin.elf#'
Then add that to grub.cfg:
menuentry 'SeaBios' { set root='memdisk' echo 'Loading SeaBios ...' chainloader /bios.bin.elf }
grub.cfg
Serial
To enable serial, add the following on top of your grub.cfg:
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1 terminal_input --append serial terminal_output --append serial
Compiling
bzr branch http://bzr.savannah.gnu.org/r/grub/trunk/grub cd grub ./autogen.sh ./configure --with-platform=coreboot make
creating the grub payload (with a memdisk)
cd grub-core tar cvf ../memdisk.tar serial.mod terminal.mod normal.mod echo.mod ahci.mod all_video.mod ata.mod boot.mod cat.mod chain.mod configfile.mod crypto.mod elf.mod ext2.mod extcmd.mod fshelp.mod help.mod linux.mod memdisk.mod minicmd.mod multiboot2.mod pata.mod part_msdos.mod gettext.mod --transform 's#^#/boot/grub/i386-coreboot/#' tar uvf ../memdisk.tar grub.cfg --transform 's#^#/boot/grub/#' ../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf memdisk tar ehci ohci uhci at_keyboard usb_keyboard -m ../memdisk.tar ls -l -h ../../grub2.elf
creating the grub payload (without a memdisk)
cd grub-core modules="serial terminal normal echo ahci all_video ata boot cat chain configfile crypto elf ext2 extcmd fshelp help linux memdisk minicmd multiboot2 pata part_msdos gettext" ../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf memdisk tar ehci ohci uhci at_keyboard usb_keyboard ${modules} ls -l -h ../../grub2.elf
creating the grub payload (with a memdisk for the config file)
cd grub-core tar cvf ../memdisk.tar grub.cfg --transform 's#^#/boot/grub/#' modules="serial terminal normal echo ahci all_video ata boot cat chain configfile crypto elf ext2 extcmd fshelp help linux memdisk minicmd multiboot2 pata part_msdos gettext" ../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf memdisk tar ehci ohci uhci at_keyboard usb_keyboard ${modules} -m ../memdisk.tar ls -l -h ../../grub2.elf
With all modules(possible with last grub from bzr) And a memdisk for grub.cfg
cd grub-core tar cvf ../memdisk.tar grub.cfg --transform 's#^#/boot/grub/#' memdisk="$(ls *.mod | sed 's#.mod$##g')" ../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf ${modules} -m ../memdisk.tar ls -l -h ../../grub2.elf
combining with coreboot
As a SeaBIOS payload
build/cbfstool build/coreboot.rom add-payload -n img/grub2 -f grub2.elf -t raw build/cbfstool build/coreboot.rom print
That way it will be possible to run grub2 as a payload after SeaBIOS: The advantage is that it's less risky. At runtime press F12 and you'll have the grub2 option.
As a Coreboot payload
Advantages: faster, can be used for security
Disadvantages: more risky if you have no way to recover
Howto
In make menuconfig of coreboot, select the path of grub2.elf.
Also make sure you have some kinds of output such as VGA or serial(it needs to be activated in both coreboot and grub)