GRUB2: Difference between revisions
(→Serial) |
|||
| Line 184: | Line 184: | ||
insmod usb | insmod usb | ||
insmod usbserial_pl2303 | insmod usbserial_pl2303 | ||
insmod usbserial_ftdi | |||
terminal_output --append serial_usb1 | terminal_output --append serial_usb1 | ||
terminal_input --append serial_usb1 | terminal_input --append serial_usb1 | ||
Revision as of 12:20, 15 December 2013
GRUB 2 is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.
Status
GRUB 2 can be launched:
- Directly by coreboot as a payload
- Directly by SeaBIOS as a payload
- By SeaBIOS, on disk, as it would with a normal BIOS.
Recent bzr versions have improved memory management that removes the memory limitations when ran as a payload.
features
Interesting features sumarry
- It can open and boot from encrypted LUKS partitions.
- It can verify the signatures of files ( interesting for initramfs and kenrels )
- has a "cbmemc" command that can see cbmem
- it's compatible with the coreboot framebuffer.
- it has some cmos commands that permits to interact with the nvram, like:
- cmostest
- cmosclear
- cmosset
- cmosdump
- it can loads and run coreboot payloads from cbfs(uncompressed trough cbfstool though), its memdisk, or any other filesystem it can read...
Security
signed kernels
GRUB is capable of running only trusted(signed) kernels.
- it supports only DSA gpg keys
Here's a little howto.
First generate a key:
$ gpg --gen-key
gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Denis 'GNUtoo' Carikli
Email address: GNUtoo@no-log.org
Comment: Kernel signing key
You selected this USER-ID:
"Denis 'GNUtoo' Carikli (Kernel signing key) <GNUtoo@no-log.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest
size
gpg: key C86D4C64 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub 3072D/C86D4C64 2013-03-13
Key fingerprint = 7244 AC33 F9A7 9AE8 30DE 8996 9097 B48D C86D 4C64
uid Denis 'GNUtoo' Carikli (Kernel signing key)
<GNUtoo@no-log.org>
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
Then sign the kernels and initramfs:
cd /boot sudo -E gpg --detach-sign vmlinuz-linux-libre-pae sudo -E gpg --detach-sign initramfs-linux-libre-pae.img
gpg --export > boot.key
Then you can put the key on the memdisk (advised) or the boot partition for test purposes only. Then in GRUB do (for testing purposes):
trust boot.key set check_signatures=enforce
to only boot correctly signed kernels and initramfs...
Then load kernel and initramfs as usual...
Trisquel, Ubuntu, Debian
We want automatics hooks to sign our kernel so we don't have to do it manually each time... The following howto was tested on trisquel 6 Generate the key as root(sudo su) like we just explained, but without a password In debian based distributions you can hook the kernel build to sign the result: Add the following to /etc/kernel/postinst.d/yy-update-signatures
#! /bin/sh
set -e
version="$1"
rm -f /boot/vmlinuz-${version}.sig
gpg --detach-sign /boot/vmlinuz-${version}
rm -f /boot/initrd.img-${version}.sig
gpg --detach-sign /boot/initrd.img-${version}
Then do:
chmod +x /etc/kernel/postinst.d/yy-update-signatures
Then do:
gpg --export > /boot/boot.key
Then modify /etc/grub.d/10_linux to use bash instead of sh like that:
#! /bin/bash
And also modify to that:
case x`uname -m` in
xi?86 | xx86_64)
list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
done` ;;
*)
list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
done` ;;
esac
To look like that:
case x`uname -m` in
xi?86 | xx86_64)
list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
if [[ "$i" != /boot/*.sig ]] ; then
if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
fi
done` ;;
*)
list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
done` ;;
esac
LUKS disks openning
GRUB is capable of opening LUKS disks like that:
grub> ls (ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk) grub> cryptomount (ata2,msdos3) Attempting to decrypt master key... Enter passphrase for ata2,msdos3 (431439b0870f40a3bfe8f3ca3aa7072a): Slot 0 opened grub> ls (crypto0) (ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk) grub> set root=crypto0 grub> ls / lost+found/ boot/ var/ dev/ run/ etc/ tmp/ sys/ proc/ usr/ lib/ sbin/ bin/ home/ mnt/ opt/ root/ srv/ media/
Note that you have to type the password and so it's better to have some kind of output (VGA, Serial etc...)
Other features
Payloads launching
GRUB is capable of launching coreboot payloads. See the "Payloads" section of this page
grub.cfg
Serial
On a real serial port
To enable serial, add the following on top of your grub.cfg:
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1 terminal_input --append serial terminal_output --append serial
On an usb serial adapter
To enable serial, add the following on top of your grub.cfg:
insmod ehci insmod ohci insmod uhci insmod usb insmod usbserial_pl2303 insmod usbserial_ftdi terminal_output --append serial_usb1 terminal_input --append serial_usb1
The issue is that it uses the serial ports's defaults which are at 9600bps...
Other things
Append that in your configuration:
terminal_input --append at_keyboard #add keyboard support. #set timeout=1 #you may want to set a timeout #set pager=1 # you may want to use the pager or not play 480 440 1 #play a beep at startup set prefix=(memdisk)/boot/grub
In case of native graphics you may want the following:
gfxpayload=keep terminal_output --append gfxterm
Payloads
Here is how to load the SeaBIOS payload from the memdisk.
menuentry 'SeaBios' {
set root='memdisk'
echo 'Loading SeaBios ...'
chainloader /bios.bin.elf
}
see in "creating the GRUB payload" how to include the file in the memdisk...
Distributions
Here's an example on how to load the parabola distribution on the Lenovo X60 from the fifth partition.
menuentry 'Parabola GNU/Linux-libre GNU/Linux, with Linux librepae kernel [Serial]' {
insmod ahci
insmod part_msdos
set root='ahci0,msdos5'
echo 'Loading Linux librepae kernel ...'
linux /vmlinuz-linux-libre-pae root=/dev/mapper/root ro cryptdevice=/dev/sda6:root idle=halt pcie_aspm=force console=ttyS0,115200
echo 'Loading initial ramdisk ...'
initrd /initramfs-linux-libre-pae.img
}
Scanning for grub.cfg on local Hard Drives.
menuentry 'Scan for OS on internal HDD' {
insmod regexp
insmod ahci
insmod part_msdos
for x in (ahci0,*) ; do
if [ -f "$x/grub/grub.cfg" ] ; then
menuentry "Load Config from $x" $x {
root=$2
configfile /grub/grub.cfg
}
fi
if [ -f "$x/boot/grub/grub.cfg" ] ; then
menuentry "Load Config from $x" $x {
root=$2
configfile /boot/grub/grub.cfg
}
fi
done
}
Compiling
bzr branch http://bzr.savannah.gnu.org/r/grub/trunk/grub cd grub ./autogen.sh ./configure --with-platform=coreboot make sudo make install #install the uttilities
creating the GRUB payload
Create a target directory:
mkdir memdisk
Then copy your grub.cfg in:
memdisk/boot/grub/grub.cfg
Then adapt and run that script:
#!/bin/sh rm -f grub2-x60.elf #copy the payloads you want cp ../../seabios-x60/out/bios.bin.elf ./memdisk/ cp ../../coreboot-qemu/payloads/nvramcui/nvramcui.elf ./memdisk/ cp ../../coreboot-x60/payloads/coreinfo/build/coreinfo.elf ./memdisk/ cp ../../memtest86+-4.20/memtest ./memdisk/memtest.elf #and some files cp ../../coreboot-x60/bootsplash.jpg ./memdisk/ cd memdisk grub-mkstandalone -O i386-coreboot -o ../grub2-x60.elf $(find -type f) echo "--RESULT--" ls -l -h ../grub2-x60.elf
combining with coreboot
As a SeaBIOS payload
build/cbfstool build/coreboot.rom add-payload -n img/grub2 -f grub2.elf -t raw build/cbfstool build/coreboot.rom print
That way it will be possible to run GRUB as a payload after SeaBIOS: The advantage is that it's less risky. At runtime press F12 and you'll have the GRUB option.
As a Coreboot payload
Advantages: faster, can be used for security
Disadvantages: more risky if you have no way to recover
Howto
In make menuconfig of coreboot, select the path of grub2.elf.
Also make sure you have some kinds of output such as VGA or serial (it needs to be activated in both coreboot and GRUB)
Before flashing
You should try the grub2.elf on qemu before flashing it to a real mainboard/laptop.