Difference between revisions of "GRUB2"

From coreboot
Jump to: navigation, search
(With all modules(possible with last grub from bzr))
(signed kernels)
(39 intermediate revisions by one user not shown)
Line 1: Line 1:
 
'''[https://www.gnu.org/software/grub/grub.html GRUB2]''' is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.  
 
'''[https://www.gnu.org/software/grub/grub.html GRUB2]''' is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.  
 
  
 
== Status ==
 
== Status ==
 +
Grub2 can be launched:
 +
* Directly by coreboot as a payload
 +
* Directly by SeaBIOS as a payload
 +
* By SeaBIOS, on disk, as it would with a normal BIOS.
  
* The mainline version of GRUB2 has a [http://grub.enbug.org/CoreBoot wiki page on the coreboot port] (Update: no longer available)
+
Recent bzr versions have improved memory management that removes the memory limitations when ran as a payload.
* Additional information about our former GRUB2 effort (which was part of Google Summer of Code 2007) can be found in the history of this page. Don't expect any link there to work.
+
* As an alternative, you could consider using [[FILO]]. Both FILO and GRUB2 have various advantages and disadvantages. Which of the two is better suited depends on your requirements.
+
* Yet another alternative is to not put GRUB into the BIOS ROM, but have it run from your disk as you would with a vendor BIOS. For that, you can use [[SeaBIOS]] as payload, which will then be able to run either GRUB1 or GRUB2 from your disk.
+
  
 +
== features ==
 +
=== Security ===
 +
==== signed kernels ====
 +
Grub is capable of running only trusted(signed) kernels.
 +
* it supports only DSA gpg keys
  
== Compiling GRUB2 for being use as a payload ==
+
Here's a little howto.
See [[Talk:GRUB2]] and [https://lists.gnu.org/archive/html/grub-devel/2011-06/msg00003.html here] for more details.
+
 
 +
First generate a key:
 +
$ gpg --gen-key
 +
gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
 +
This is free software: you are free to change and redistribute it.
 +
There is NO WARRANTY, to the extent permitted by law.
 +
 +
Please select what kind of key you want:
 +
    (1) RSA and RSA (default)
 +
    (2) DSA and Elgamal
 +
    (3) DSA (sign only)
 +
    (4) RSA (sign only)
 +
Your selection? 3
 +
DSA keys may be between 1024 and 3072 bits long.
 +
What keysize do you want? (2048) 3072
 +
Requested keysize is 3072 bits
 +
Please specify how long the key should be valid.
 +
          0 = key does not expire
 +
      <n>  = key expires in n days
 +
      <n>w = key expires in n weeks
 +
      <n>m = key expires in n months
 +
      <n>y = key expires in n years
 +
Key is valid for? (0)
 +
Key does not expire at all
 +
Is this correct? (y/N) y
 +
 +
GnuPG needs to construct a user ID to identify your key.
 +
 +
Real name: Denis 'GNUtoo' Carikli
 +
Email address: GNUtoo@no-log.org
 +
Comment: Kernel signing key
 +
You selected this USER-ID:
 +
    "Denis 'GNUtoo' Carikli (Kernel signing key) <GNUtoo@no-log.org>"
 +
 +
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
 +
You need a Passphrase to protect your secret key.
 +
 +
We need to generate a lot of random bytes. It is a good idea to perform
 +
some other action (type on the keyboard, move the mouse, utilize the
 +
disks) during the prime generation; this gives the random number
 +
generator a better chance to gain enough entropy.
 +
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest
 +
size
 +
gpg: key C86D4C64 marked as ultimately trusted
 +
public and secret key created and signed.
 +
 +
gpg: checking the trustdb
 +
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
 +
gpg: depth: 0  valid:  2  signed:  0  trust: 0-, 0q, 0n, 0m, 0f, 2u
 +
pub  3072D/C86D4C64 2013-03-13
 +
      Key fingerprint = 7244 AC33 F9A7 9AE8 30DE  8996 9097 B48D C86D 4C64
 +
uid                  Denis 'GNUtoo' Carikli (Kernel signing key)
 +
<GNUtoo@no-log.org>
 +
 +
Note that this key cannot be used for encryption.  You may want to use
 +
the command "--edit-key" to generate a subkey for this purpose.
 +
Then sign the kernels and initramfs:
 +
cd /boot
 +
sudo -E gpg --detach-sign vmlinuz-linux-libre-pae
 +
sudo -E gpg --detach-sign initramfs-linux-libre-pae.img
 +
 
 +
gpg --export  > boot.key
 +
Then you can put the key on the memdisk(advised) or the boot partition for test purposes only.
 +
Then in grub do(for testing purposes):
 +
trust boot.key
 +
set check_signatures=enforce
 +
to only boot correctly signed kernels and initramfs...
 +
 
 +
Then load kernel and initramfs as usual...
 +
 
 +
==== LUKS disks openning ====
 +
grub is capable of opening LUKS disks like that:
 +
grub> ls
 +
(ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk)
 +
grub> cryptomount (ata2,msdos3)
 +
Attempting to decrypt master key...
 +
Enter passphrase for ata2,msdos3 (431439b0870f40a3bfe8f3ca3aa7072a):
 +
Slot 0 opened
 +
grub> ls
 +
(crypto0) (ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk)
 +
grub> set root=crypto0
 +
grub> ls /
 +
lost+found/ boot/ var/ dev/ run/ etc/ tmp/ sys/ proc/ usr/ lib/ sbin/ bin/ home/ mnt/ opt/ root/ srv/ media/
 +
 
 +
Note that you have to type the password and so it's better to have some kind of output(VGA, Serial etc...)
 +
 
 +
=== Other features ===
 +
==== SeaBIOS launching ====
 +
grub is capable of launching seabios like that:
 +
Add Seabios to the memdisk:
 +
tar uvf ../memdisk.tar ../../seabios/out/bios.bin.elf --transform 's#.*#/bios.bin.elf#'
 +
Then add that to grub.cfg:
 +
menuentry 'SeaBios' {
 +
set root='memdisk'
 +
echo    'Loading SeaBios ...'
 +
chainloader /bios.bin.elf
 +
}
 +
 
 +
== grub.cfg ==
 +
=== Serial ===
 +
To enable serial, add the following on top of your grub.cfg:
 +
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
 +
terminal_input --append  serial
 +
terminal_output --append serial
  
 
=== Compiling ===
 
=== Compiling ===
Line 22: Line 130:
 
=== creating the grub payload (with a memdisk) ===
 
=== creating the grub payload (with a memdisk) ===
 
  cd grub-core
 
  cd grub-core
  tar cvf ../memdisk.tar serial.mod terminal.mod normal.mod echo.mod ahci.mod all_video.mod ata.mod boot.mod cat.mod chain.mod configfile.mod crypto.mod elf.mod ext2.mod extcmd.mod fshelp.mod help.mod linux.mod memdisk.mod minicmd.mod multiboot2.mod pata.mod part_msdos.mod gettext.mod --transform 's#^#/boot/grub/i386-coreboot/#'
+
  tar cvf ../memdisk.tar serial.mod terminal.mod normal.mod echo.mod ahci.mod all_video.mod ata.mod boot.mod cat.mod chain.mod configfile.mod
 +
crypto.mod elf.mod ext2.mod extcmd.mod fshelp.mod help.mod linux.mod memdisk.mod minicmd.mod multiboot2.mod pata.mod part_msdos.mod gettext.mod --transform 's#^#/boot/grub/i386-coreboot/#'
 
  tar uvf ../memdisk.tar grub.cfg  --transform 's#^#/boot/grub/#'
 
  tar uvf ../memdisk.tar grub.cfg  --transform 's#^#/boot/grub/#'
 
  ../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf memdisk tar ehci ohci uhci at_keyboard usb_keyboard -m ../memdisk.tar
 
  ../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf memdisk tar ehci ohci uhci at_keyboard usb_keyboard -m ../memdisk.tar
Line 42: Line 151:
 
  cd grub-core
 
  cd grub-core
 
  tar cvf ../memdisk.tar grub.cfg  --transform 's#^#/boot/grub/#'
 
  tar cvf ../memdisk.tar grub.cfg  --transform 's#^#/boot/grub/#'
  memdisk="$(ls *.mod | sed 's#.mod$##g')"
+
  modules="$(ls *.mod | sed 's#.mod$##g')"
 
  ../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf ${modules} -m ../memdisk.tar
 
  ../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf ${modules} -m ../memdisk.tar
 
  ls -l -h ../../grub2.elf
 
  ls -l -h ../../grub2.elf
  
 
=== combining with coreboot ===
 
=== combining with coreboot ===
 +
==== As a SeaBIOS payload ====
 
  build/cbfstool build/coreboot.rom add-payload -n img/grub2 -f grub2.elf -t raw
 
  build/cbfstool build/coreboot.rom add-payload -n img/grub2 -f grub2.elf -t raw
 
  build/cbfstool build/coreboot.rom print
 
  build/cbfstool build/coreboot.rom print
That way it will be possible to run grub2 as a payload after SeaBIOS: The advantage is that it's less risky. At runtime press F12 and you'll have the grub2 option.
+
That way it will be possible to run grub2 as a payload after SeaBIOS:  
 +
The advantage is that it's less risky. At runtime press F12 and you'll  
 +
have the grub2 option.
 +
 
 +
==== As a Coreboot payload ====
 +
Advantages: faster, can be used for security
 +
 
 +
Disadvantages: more risky if you have no way to recover
 +
 
 +
===== Howto =====
 +
 
 +
In make menuconfig of coreboot, select the path of grub2.elf.
 +
 
 +
Also make sure you have some kinds of output such as VGA or serial(it
 +
needs to be activated in both coreboot and grub)

Revision as of 23:00, 13 March 2013

GRUB2 is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.

Status

Grub2 can be launched:

  • Directly by coreboot as a payload
  • Directly by SeaBIOS as a payload
  • By SeaBIOS, on disk, as it would with a normal BIOS.

Recent bzr versions have improved memory management that removes the memory limitations when ran as a payload.

features

Security

signed kernels

Grub is capable of running only trusted(signed) kernels.

  • it supports only DSA gpg keys

Here's a little howto.

First generate a key:

$ gpg --gen-key
gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Denis 'GNUtoo' Carikli
Email address: GNUtoo@no-log.org
Comment: Kernel signing key
You selected this USER-ID:
    "Denis 'GNUtoo' Carikli (Kernel signing key) <GNUtoo@no-log.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest 
size
gpg: key C86D4C64 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   3072D/C86D4C64 2013-03-13
      Key fingerprint = 7244 AC33 F9A7 9AE8 30DE  8996 9097 B48D C86D 4C64
uid                  Denis 'GNUtoo' Carikli (Kernel signing key) 
<GNUtoo@no-log.org>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.

Then sign the kernels and initramfs:

cd /boot
sudo -E gpg --detach-sign vmlinuz-linux-libre-pae
sudo -E gpg --detach-sign initramfs-linux-libre-pae.img
gpg --export  > boot.key

Then you can put the key on the memdisk(advised) or the boot partition for test purposes only. Then in grub do(for testing purposes):

trust boot.key
set check_signatures=enforce

to only boot correctly signed kernels and initramfs...

Then load kernel and initramfs as usual...

LUKS disks openning

grub is capable of opening LUKS disks like that:

grub> ls 
(ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk)
grub> cryptomount (ata2,msdos3)
Attempting to decrypt master key...
Enter passphrase for ata2,msdos3 (431439b0870f40a3bfe8f3ca3aa7072a):
Slot 0 opened
grub> ls
(crypto0) (ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk) 
grub> set root=crypto0
grub> ls /
lost+found/ boot/ var/ dev/ run/ etc/ tmp/ sys/ proc/ usr/ lib/ sbin/ bin/ home/ mnt/ opt/ root/ srv/ media/

Note that you have to type the password and so it's better to have some kind of output(VGA, Serial etc...)

Other features

SeaBIOS launching

grub is capable of launching seabios like that: Add Seabios to the memdisk:

tar uvf ../memdisk.tar ../../seabios/out/bios.bin.elf --transform 's#.*#/bios.bin.elf#'

Then add that to grub.cfg:

menuentry 'SeaBios' {
	set root='memdisk'
	echo    'Loading SeaBios ...'
	chainloader /bios.bin.elf
}

grub.cfg

Serial

To enable serial, add the following on top of your grub.cfg:

serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input --append  serial
terminal_output --append serial

Compiling

bzr branch http://bzr.savannah.gnu.org/r/grub/trunk/grub
cd grub
./autogen.sh
./configure --with-platform=coreboot
make

creating the grub payload (with a memdisk)

cd grub-core
tar cvf ../memdisk.tar serial.mod terminal.mod normal.mod echo.mod ahci.mod all_video.mod ata.mod boot.mod cat.mod chain.mod configfile.mod
crypto.mod elf.mod ext2.mod extcmd.mod fshelp.mod help.mod linux.mod memdisk.mod minicmd.mod multiboot2.mod pata.mod part_msdos.mod gettext.mod --transform 's#^#/boot/grub/i386-coreboot/#'
tar uvf ../memdisk.tar grub.cfg  --transform 's#^#/boot/grub/#'
../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf memdisk tar ehci ohci uhci at_keyboard usb_keyboard -m ../memdisk.tar
ls -l -h ../../grub2.elf

creating the grub payload (without a memdisk)

cd grub-core
modules="serial terminal normal echo ahci all_video ata boot cat chain configfile crypto elf ext2 extcmd fshelp help linux memdisk minicmd multiboot2 pata part_msdos gettext"
../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf memdisk tar ehci ohci uhci at_keyboard usb_keyboard ${modules}
ls -l -h ../../grub2.elf

creating the grub payload (with a memdisk for the config file)

cd grub-core
tar cvf ../memdisk.tar grub.cfg  --transform 's#^#/boot/grub/#'
modules="serial terminal normal echo ahci all_video ata boot cat chain configfile crypto elf ext2 extcmd fshelp help linux memdisk minicmd multiboot2 pata part_msdos gettext"
../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf memdisk tar ehci ohci uhci at_keyboard usb_keyboard ${modules} -m ../memdisk.tar
ls -l -h ../../grub2.elf

With all modules(possible with last grub from bzr) And a memdisk for grub.cfg

cd grub-core
tar cvf ../memdisk.tar grub.cfg  --transform 's#^#/boot/grub/#'
modules="$(ls *.mod | sed 's#.mod$##g')"
../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf ${modules} -m ../memdisk.tar
ls -l -h ../../grub2.elf

combining with coreboot

As a SeaBIOS payload

build/cbfstool build/coreboot.rom add-payload -n img/grub2 -f grub2.elf -t raw
build/cbfstool build/coreboot.rom print

That way it will be possible to run grub2 as a payload after SeaBIOS: The advantage is that it's less risky. At runtime press F12 and you'll have the grub2 option.

As a Coreboot payload

Advantages: faster, can be used for security

Disadvantages: more risky if you have no way to recover

Howto

In make menuconfig of coreboot, select the path of grub2.elf.

Also make sure you have some kinds of output such as VGA or serial(it needs to be activated in both coreboot and grub)