GRUB2: Difference between revisions

From coreboot
Jump to navigation Jump to search
No edit summary
(130 intermediate revisions by 11 users not shown)
Line 1: Line 1:
'''[http://grub.enbug.org/ GRUB2]''' is a modular, multiboot-capable bootloader for many operating systems.
'''[https://www.gnu.org/software/grub/grub.html GRUB 2]''' is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.  
 
GRUB2 can be used as a payload for coreboot. It's modular, extensible, supports booting off filesystems, and it has a scriptable shell.


== Status ==
== Status ==
GRUB 2 can be launched:
* Directly by coreboot as a payload
* Directly by SeaBIOS as a payload
* By SeaBIOS, on disk, as it would with a normal BIOS.


* A significant amount of work has been put into GRUB2 in our [[Monotone Repository|monotone repository]], which also provides snapshots.
Recent git versions have improved memory management that removes the memory limitations when ran as a payload.
* The mainline version of GRUB2 has a [http://grub.enbug.org/CoreBoot wiki page on the coreboot port].
 
== How to build GRUB2 as a payload ==
 
It's recommended to use a recent snapshot of the '''allpatches''' branch in the [[Monotone Repository|GRUB2 monotone repository]]
(you can also just download http://coreboot.org/viewmtn/branch/head/tar/org.coreboot.grub2.allpatches - which resolves to the latest revision on that branch; the top level directory in the resulting tarball represents the revision ID, which is a SHA-1 value over revision data, and thus varies wildly).
 
$ wget http://coreboot.org/viewmtn/revision/tar/edae9d3e3d999c07b2d8a99f04f258586eb79297 -O grub2.tar
$ tar xfv grub2.tar
$ cd edae9d3e3d999c07b2d8a99f04f258586eb79297
$ sh autogen.sh
$ ./configure --with-platform=coreboot --prefix=$PWD/installed
$ chmod 755 mkinstalldirs
$ make && make install
$ $PWD/installed/bin/grub-mkimage -o core.img normal fat iso9660 pc ata memdisk lar ls cat cmp hello help serial terminal test configfile multiboot boot loopback
 
== GRUB2 modules ==
 
GRUB2 is a modular system, you can include whichever modules you need into the image.
 
In addition to the [http://grub.enbug.org/CommandList full list of available modules in upstream GRUB2] the coreboot version of GRUB2 also adds a few more custom modules.
 
=== Suggested modules ===
 
We suggest that you use the following modules:
 
{| border="0" style="font-size: smaller" valign="top"
|- bgcolor="#6699dd"
! align="left" | Modules
! align="left" | Reason
 
|- bgcolor="#eeeeee" valign="top"
| serial, terminal, terminfo
| serial console support
 
|- bgcolor="#dddddd" valign="top"
| coreboot
| change to console automatically
 
|- bgcolor="#eeeeee" valign="top"
| digest
| crypto (incl. signature checking)
 
|- bgcolor="#dddddd" valign="top"
| memdisk, lar or cpio
| filesystem in rom
 
|}
 
During development, we used the following list of modules:
 
coreboot hello cat cmp fat iso9660 help lspci lsusb serial terminal lar terminfo memdisk atadisk ls
configfile boot hexdump digest linux multiboot pc
 
=== Modules specific to coreboot ===
 
The following modules are specific to coreboot, or to the coreboot version of GRUB2:
 
{| border="0" style="font-size: smaller" valign="top"
|- bgcolor="#6699dd"
! align="left" | Module name
! align="left" | Description
 
|- bgcolor="#eeeeee" valign="top"
| atadisk
| ATA disk driver based on the OpenBIOS driver
 
|- bgcolor="#dddddd" valign="top"
| coreboot
| load serial console information from coreboot table
 
|- bgcolor="#eeeeee" valign="top"
| lar
| archive format ("filesystem") driver for LAR files (such as coreboot v3 images)
 
|- bgcolor="#dddddd" valign="top"
| lsusb
| in the .usb branch, provides an uhci driver and usb storage support. highly experimental at this time
 
|}
 
=== Building a diskimage ===


If you are using coreboot v2, the firmware image is not a LAR archive, as in coreboot v3. If you want to place files in the coreboot+grub2 image, you can still create a diskimage and include it in your payload.
== features ==
=== Interesting features sumarry ===
* It can open and boot from encrypted LUKS partitions.
* It can verify the signatures of files ( interesting for initramfs and kernels )
* has a "cbmemc" command that can see cbmem
* it's compatible with the coreboot framebuffer.
* it has some cmos commands that permits to interact with the nvram, like:
** cmostest
** cmosclear
** cmosset
** cmosdump
* it can loads and run coreboot payloads from cbfs(both compressed and uncompressed), its memdisk, or any other filesystem it can read...


# create a lar/cpio/tar file (cpio must be gnu cpio. files created by other cpios might not be compatible)
=== Security ===
# add <code>-m lar/cpio-file</code> to your grub-mkimage command line
==== signed kernels ====
GRUB is capable of running only trusted(signed) kernels.
* it supports both RSA and DSA gpg keys


Per default GRUB2 looks for a configuration file [http://grub.enbug.org/grub.cfg grub.cfg] in the disk image. The path is
Here's a little howto.
(memdisk)/grub.cfg


== Checking Signatures ==
First generate a key:
$ gpg --gen-key
gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
          0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Denis 'GNUtoo' Carikli
Email address: GNUtoo@no-log.org
Comment: Kernel signing key
You selected this USER-ID:
    "Denis 'GNUtoo' Carikli (Kernel signing key) <GNUtoo@no-log.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest
size
gpg: key C86D4C64 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:  2  signed:  0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub  3072D/C86D4C64 2013-03-13
      Key fingerprint = 7244 AC33 F9A7 9AE8 30DE  8996 9097 B48D C86D 4C64
uid                  Denis 'GNUtoo' Carikli (Kernel signing key)
<GNUtoo@no-log.org>
Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
Then sign the kernels and initramfs:
cd /boot
sudo -E gpg --detach-sign vmlinuz-linux-libre-pae
sudo -E gpg --detach-sign initramfs-linux-libre-pae.img


Currently the tools for crypto signature verification are not built automatically. To build them, run
gpg --export  > boot.key
Then you can put the key on the memdisk (advised) or the boot partition for test purposes only.
Then in GRUB do (for testing purposes):
trust boot.key
set check_signatures=enforce
to only boot correctly signed kernels and initramfs...


$ cd libs/sigtools
Then load kernel and initramfs as usual...
$ make


=== Using sigtools ===
==== Trisquel, Ubuntu, Debian ====
We want automatics hooks to sign our kernel so we don't have to do it manually each time...
The following howto was tested on trisquel 6
Generate the key as root(sudo su) like we just explained, but without a password
In debian based distributions you can hook the kernel build to sign the result:
Add the following to /etc/kernel/postinst.d/yy-update-signatures
#! /bin/sh
set -e
version="$1"
rm -f /boot/vmlinuz-${version}.sig
gpg --detach-sign /boot/vmlinuz-${version}
rm -f /boot/initrd.img-${version}.sig
gpg --detach-sign /boot/initrd.img-${version}
Then do:
chmod +x /etc/kernel/postinst.d/yy-update-signatures
Then do:
gpg --export  > /boot/boot.key


Create a key pair filename.pub and filename.sec with
Then modify /etc/grub.d/10_linux to use bash instead of sh like that:
#! /bin/bash
And also modify to that:
<pre>
case x`uname -m` in
    xi?86 | xx86_64)
list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
                  if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
              done` ;;
    *)
list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
                  if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
    done` ;;
esac
</pre>
To look like that:
<pre>
case x`uname -m` in
    xi?86 | xx86_64)
list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
                  if [[ "$i" != /boot/*.sig ]] ; then
                      if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
                  fi
              done` ;;
    *)
list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
                  if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
    done` ;;
esac
</pre>


  $ genkeypair filename
==== LUKS disks openning ====
GRUB is capable of opening LUKS disks like that:
  grub> ls
(ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk)
grub> cryptomount (ata2,msdos3)
Attempting to decrypt master key...
Enter passphrase for ata2,msdos3 (431439b0870f40a3bfe8f3ca3aa7072a):
Slot 0 opened
grub> ls
(crypto0) (ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk)
grub> set root=crypto0
grub> ls /
lost+found/ boot/ var/ dev/ run/ etc/ tmp/ sys/ proc/ usr/ lib/ sbin/ bin/ home/ mnt/ opt/ root/ srv/ media/


Create a signature of candidate using keyfile.sec and save it as candidate.sig:
Note that you have to type the password and so it's better to have some kind of output (VGA, Serial etc...)


$ gensig keyfile candidate
=== Other features ===
==== Payloads launching ====
GRUB is capable of launching coreboot payloads. See the "Payloads" section of this page


=== Verification in GRUB2 ===
== grub.cfg ==
=== Serial ===
==== On a real serial port ====
To enable serial, add the following on top of your grub.cfg:
serial --speed=115200 --word=8 --parity=no --stop=1
terminal_input --append  serial
terminal_output --append serial


Load /key.pub as public key and block access to all unsigned files with
==== On an usb serial or usb debug adapter ====
To enable serial, first find out the name of your usb serial port trough:
insmod nativedisk # needed not to get the disk disapearing when insmoding the *hci
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbserial_pl2303
insmod usbserial_ftdi
insmod usbserial_usbdebug
terminal_output
The terminal_output command should print it:
grub> terminal_output
Active output terminals:
serial_usb1 gfxterm
Available output terminals:
console vga_text serial
Here we can see "serial_usb1" so we now know that its name is usb1


  $ load-pubkey /key.pub
Then add the following on top of your grub.cfg:
insmod nativedisk
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbserial_pl2303
insmod usbserial_ftdi
insmod usbserial_usbdebug
  serial --speed=115200 --word=8 --parity=no --stop=1 usb1
terminal_output --append serial_usb1
terminal_input --append serial_usb1


Verify foo using the signature foo.sig, reporting success or failure and grant access to the file foo with:
The following chips/protocols are supported:
* usbdebug
* ftdi
* pl2303


  $ validate /foo /foo.sig
=== Other things ===
Append that in your configuration:
  terminal_input --append at_keyboard #add keyboard support.
#set timeout=1 #you may want to set a timeout
#set pager=1 # you may want to use the pager or not
play 480 440 1 #play a beep at startup
set prefix=(memdisk)/boot/grub
In case of native graphics you may want the following:
gfxpayload=keep
terminal_output --append gfxterm


Example:
=== Payloads ===
Here is how to load the SeaBIOS payload from the memdisk.
menuentry 'SeaBios' {
set root='memdisk'
echo    'Loading SeaBios ...'
chainloader /bios.bin.elf
}
see in "creating the GRUB payload" how to include the file in the memdisk...


  multiboot grub-invaders # fails
=== Distributions ===
validate grub-invaders grub-invaders.sig
Here's an example on how to load the parabola distribution on the Lenovo X60 from the fifth partition.
  multiboot grub-invaders # this time it succeeds
  menuentry 'Parabola GNU/Linux-libre GNU/Linux, with Linux librepae kernel [Serial]' {
        insmod ahci
        insmod part_msdos
set root='ahci0,msdos5'
echo 'Loading Linux librepae kernel ...'
linux /vmlinuz-linux-libre-pae root=/dev/mapper/root ro cryptdevice=/dev/sda6:root idle=halt pcie_aspm=force console=ttyS0,115200
echo 'Loading initial ramdisk ...'
initrd /initramfs-linux-libre-pae.img
  }


== Hints and Tricks ==
=== Scanning for grub.cfg on local Hard Drives. ===


=== Loading grub.cfg from disk ===
menuentry 'Scan for OS on internal HDD' {
insmod regexp
insmod ahci
insmod part_msdos
for x in (ahci0,*) ; do
if [ -f "$x/grub/grub.cfg" ] ; then
menuentry "Load Config from $x" $x {
root=$2
configfile /grub/grub.cfg
}
fi
if [ -f "$x/boot/grub/grub.cfg" ] ; then
menuentry "Load Config from $x" $x {
root=$2
configfile /boot/grub/grub.cfg
}
fi
done
}


It is suggested that grub.cfg is contained in a memdisk/lar image. This grub.cfg can be used to load other configuration files from any mass storage media. If you want to load a grub.cfg from the first device that contains one, your in-flash grub.cfg can look like this:
== Compiling ==
git clone git://git.savannah.gnu.org/grub.git grub
cd grub
./autogen.sh
./configure --with-platform=coreboot
make
sudo make install #install the utilities


  search -f -s /grub.cfg
== creating the GRUB payload==
  configfile /grub.cfg
Create a target directory:
  mkdir memdisk
Then copy your grub.cfg in:
  memdisk/boot/grub/grub.cfg


Then adapt and run that script:
#!/bin/sh
rm -f grub2-x60.elf
#copy the payloads you want
cp ../../seabios-x60/out/bios.bin.elf ./memdisk/
cp ../../coreboot-qemu/payloads/nvramcui/nvramcui.elf ./memdisk/
cp ../../coreboot-x60/payloads/coreinfo/build/coreinfo.elf ./memdisk/
cp ../../memtest86+-4.20/memtest ./memdisk/memtest.elf
#and some files
cp ../../coreboot-x60/bootsplash.jpg  ./memdisk/
cd memdisk
grub-mkstandalone -O i386-coreboot -o ../grub2-x60.elf $(find -type f)
echo "--RESULT--"
ls -l -h ../grub2-x60.elf


== To Do ==
== combining with coreboot ==
=== As a SeaBIOS payload ===
build/cbfstool build/coreboot.rom add-payload -n img/grub2 -f grub2.elf -t raw
build/cbfstool build/coreboot.rom print
That way it will be possible to run GRUB as a payload after SeaBIOS:
The advantage is that it's less risky. At runtime press F12 and you'll
have the GRUB option.


* USB stack integration (in progress).
=== As a Coreboot payload ===
* See more information in the "[http://tracker.coreboot.org/trac/coreboot/milestone/Port%20GRUB2%20to%20coreboot Porting GRUB2 to coreboot]" milestone in the coreboot issue tracker.
Advantages: faster, can be used for security


== History ==
Disadvantages: more risky if you have no way to recover


[[User:PatrickGeorgi|Patrick Georgi]] has been working on GRUB2 for coreboot during the Google Summer of Code 2007. He made an [http://coreboot.org/~oxygene/lbgrub2-20070820-1.tar.bz2 original code submission] on August 20th 2007. If you care, there is [http://coreboot.org/~oxygene/lbgrub2-instructions.txt documentation on how to use it], but that work is based on a very old version of GRUB2.
==== Howto ====


For various reasons, Robert Millan of the GRUB project did another original implementation, which got merged, so we moved our effort to their new code base and continued from there.
In make menuconfig of coreboot, select the path of grub2.elf.


== How to help? ==
Also make sure you have some kinds of output such as VGA or serial (it
needs to be activated in both coreboot and GRUB)


Contact [mailto:stepan@coresystems.de Stefan Reinauer], [mailto:oxygene@coresystems.de Patrick Georgi] or the [[Mailinglist|coreboot mailing list]] for more information.
== Before flashing ==
You should try the grub2.elf on qemu before flashing it to a real mainboard/laptop.

Revision as of 03:03, 21 February 2014

GRUB 2 is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.

Status

GRUB 2 can be launched:

  • Directly by coreboot as a payload
  • Directly by SeaBIOS as a payload
  • By SeaBIOS, on disk, as it would with a normal BIOS.

Recent git versions have improved memory management that removes the memory limitations when ran as a payload.

features

Interesting features sumarry

  • It can open and boot from encrypted LUKS partitions.
  • It can verify the signatures of files ( interesting for initramfs and kernels )
  • has a "cbmemc" command that can see cbmem
  • it's compatible with the coreboot framebuffer.
  • it has some cmos commands that permits to interact with the nvram, like:
    • cmostest
    • cmosclear
    • cmosset
    • cmosdump
  • it can loads and run coreboot payloads from cbfs(both compressed and uncompressed), its memdisk, or any other filesystem it can read...

Security

signed kernels

GRUB is capable of running only trusted(signed) kernels.

  • it supports both RSA and DSA gpg keys

Here's a little howto.

First generate a key:

$ gpg --gen-key
gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Denis 'GNUtoo' Carikli
Email address: GNUtoo@no-log.org
Comment: Kernel signing key
You selected this USER-ID:
    "Denis 'GNUtoo' Carikli (Kernel signing key) <GNUtoo@no-log.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest 
size
gpg: key C86D4C64 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   3072D/C86D4C64 2013-03-13
      Key fingerprint = 7244 AC33 F9A7 9AE8 30DE  8996 9097 B48D C86D 4C64
uid                  Denis 'GNUtoo' Carikli (Kernel signing key) 
<GNUtoo@no-log.org>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.

Then sign the kernels and initramfs:

cd /boot
sudo -E gpg --detach-sign vmlinuz-linux-libre-pae
sudo -E gpg --detach-sign initramfs-linux-libre-pae.img
gpg --export  > boot.key

Then you can put the key on the memdisk (advised) or the boot partition for test purposes only. Then in GRUB do (for testing purposes):

trust boot.key
set check_signatures=enforce

to only boot correctly signed kernels and initramfs...

Then load kernel and initramfs as usual...

Trisquel, Ubuntu, Debian

We want automatics hooks to sign our kernel so we don't have to do it manually each time... The following howto was tested on trisquel 6 Generate the key as root(sudo su) like we just explained, but without a password In debian based distributions you can hook the kernel build to sign the result: Add the following to /etc/kernel/postinst.d/yy-update-signatures

#! /bin/sh
set -e

version="$1"

rm -f /boot/vmlinuz-${version}.sig
gpg --detach-sign /boot/vmlinuz-${version}
rm -f /boot/initrd.img-${version}.sig
gpg --detach-sign /boot/initrd.img-${version}

Then do:

chmod +x /etc/kernel/postinst.d/yy-update-signatures

Then do:

gpg --export  > /boot/boot.key

Then modify /etc/grub.d/10_linux to use bash instead of sh like that:

#! /bin/bash

And also modify to that:

 case x`uname -m` in
     xi?86 | xx86_64)
 	list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
                   if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
               done` ;;
     *) 
 	list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
                   if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
 	     done` ;;
 esac

To look like that:

 case x`uname -m` in
     xi?86 | xx86_64)
 	list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
                   if [[ "$i" != /boot/*.sig ]] ; then 
                       if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
                   fi
               done` ;;
     *) 
 	list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
                   if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
 	     done` ;;
 esac

LUKS disks openning

GRUB is capable of opening LUKS disks like that:

grub> ls 
(ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk)
grub> cryptomount (ata2,msdos3)
Attempting to decrypt master key...
Enter passphrase for ata2,msdos3 (431439b0870f40a3bfe8f3ca3aa7072a):
Slot 0 opened
grub> ls
(crypto0) (ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk) 
grub> set root=crypto0
grub> ls /
lost+found/ boot/ var/ dev/ run/ etc/ tmp/ sys/ proc/ usr/ lib/ sbin/ bin/ home/ mnt/ opt/ root/ srv/ media/

Note that you have to type the password and so it's better to have some kind of output (VGA, Serial etc...)

Other features

Payloads launching

GRUB is capable of launching coreboot payloads. See the "Payloads" section of this page

grub.cfg

Serial

On a real serial port

To enable serial, add the following on top of your grub.cfg:

serial --speed=115200 --word=8 --parity=no --stop=1
terminal_input --append  serial
terminal_output --append serial

On an usb serial or usb debug adapter

To enable serial, first find out the name of your usb serial port trough:

insmod nativedisk # needed not to get the disk disapearing when insmoding the *hci
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbserial_pl2303
insmod usbserial_ftdi
insmod usbserial_usbdebug
terminal_output

The terminal_output command should print it:

grub> terminal_output 
Active output terminals:
serial_usb1 gfxterm 
Available output terminals:
console vga_text serial 

Here we can see "serial_usb1" so we now know that its name is usb1

Then add the following on top of your grub.cfg:

insmod nativedisk
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbserial_pl2303
insmod usbserial_ftdi
insmod usbserial_usbdebug
serial --speed=115200 --word=8 --parity=no --stop=1 usb1
terminal_output --append serial_usb1
terminal_input --append serial_usb1

The following chips/protocols are supported:

  • usbdebug
  • ftdi
  • pl2303

Other things

Append that in your configuration:

terminal_input --append at_keyboard #add keyboard support.
#set timeout=1 #you may want to set a timeout
#set pager=1 # you may want to use the pager or not
play 480 440 1 #play a beep at startup
set prefix=(memdisk)/boot/grub

In case of native graphics you may want the following:

gfxpayload=keep
terminal_output --append gfxterm

Payloads

Here is how to load the SeaBIOS payload from the memdisk.

menuentry 'SeaBios' {
	set root='memdisk'
	echo    'Loading SeaBios ...'
	chainloader /bios.bin.elf
}

see in "creating the GRUB payload" how to include the file in the memdisk...

Distributions

Here's an example on how to load the parabola distribution on the Lenovo X60 from the fifth partition.

menuentry 'Parabola GNU/Linux-libre GNU/Linux, with Linux librepae kernel [Serial]' {
        insmod ahci
        insmod part_msdos
	set root='ahci0,msdos5'
	echo	'Loading Linux librepae kernel ...'
	linux	/vmlinuz-linux-libre-pae root=/dev/mapper/root ro cryptdevice=/dev/sda6:root idle=halt pcie_aspm=force console=ttyS0,115200
	echo	'Loading initial ramdisk ...'
	initrd	/initramfs-linux-libre-pae.img
}

Scanning for grub.cfg on local Hard Drives.

menuentry 'Scan for OS on internal HDD' {
	insmod regexp
	insmod ahci
	insmod part_msdos
	for x in (ahci0,*) ; do
		if [ -f "$x/grub/grub.cfg" ] ; then
			menuentry "Load Config from $x" $x { 
				root=$2
				configfile /grub/grub.cfg
			}
		fi
		if [ -f "$x/boot/grub/grub.cfg" ] ; then
			menuentry "Load Config from $x" $x {
				root=$2
				configfile /boot/grub/grub.cfg
			}
		fi
	done
}

Compiling

git clone git://git.savannah.gnu.org/grub.git grub
cd grub
./autogen.sh
./configure --with-platform=coreboot
make
sudo make install #install the utilities

creating the GRUB payload

Create a target directory:

mkdir memdisk

Then copy your grub.cfg in:

memdisk/boot/grub/grub.cfg

Then adapt and run that script:

#!/bin/sh
rm -f grub2-x60.elf
#copy the payloads you want
cp ../../seabios-x60/out/bios.bin.elf ./memdisk/
cp ../../coreboot-qemu/payloads/nvramcui/nvramcui.elf ./memdisk/
cp ../../coreboot-x60/payloads/coreinfo/build/coreinfo.elf ./memdisk/
cp ../../memtest86+-4.20/memtest ./memdisk/memtest.elf
#and some files
cp ../../coreboot-x60/bootsplash.jpg  ./memdisk/
cd memdisk
grub-mkstandalone -O i386-coreboot -o ../grub2-x60.elf $(find -type f)
echo "--RESULT--"
ls -l -h ../grub2-x60.elf

combining with coreboot

As a SeaBIOS payload

build/cbfstool build/coreboot.rom add-payload -n img/grub2 -f grub2.elf -t raw
build/cbfstool build/coreboot.rom print

That way it will be possible to run GRUB as a payload after SeaBIOS: The advantage is that it's less risky. At runtime press F12 and you'll have the GRUB option.

As a Coreboot payload

Advantages: faster, can be used for security

Disadvantages: more risky if you have no way to recover

Howto

In make menuconfig of coreboot, select the path of grub2.elf.

Also make sure you have some kinds of output such as VGA or serial (it needs to be activated in both coreboot and GRUB)

Before flashing

You should try the grub2.elf on qemu before flashing it to a real mainboard/laptop.