CIS 228 Grub Basics and Boot Security. How we get there.
Physical security
• Lock it up!
• BIOS Password
• Disable BIOS alternate boot devices
• Disable interactive boot: vi /etc/sysconfig/init and set PROMPT=no
• Password protected GRUB boot
• Console locking: yum install vlock, xlock
• Lock the desktop GUI, or run no X Windows at all.
• Disable Ctrl/Alt/Del (procedure varies)
Grand Unified Bootloader
• Replaces LILO, which replaced SYSLINUX, which replaced LOADLIN. You still see the latter on "live" and install CDs.
• Works differently from LILO in that changes take effect automatically after editing the configuration (LILO requires issuing a command to regenerate the MBR bootstrap).
• GRUB works in stages. The stage architecture allows GRUB to be large (~20-30K) and therefore fairly complex and highly configurable, compared to most bootloaders, which are sparse and simple so they fit within the limitations of the partition table.
• Stage 1 is located in the MBR and points to (chainloads) Stage 2, since the MBR is too small to contain all of the needed data.
• Stage 2 points to the configuration file (/boot/grub/grub.conf -or- menu.lst), which contains the user interface and OS options. Stage 2 can be located anywhere on the disk. If Stage 2 cannot find its configuration file, GRUB stops the boot sequence and presents the user with a GRUB command line for manual configuration.
• Stage 1.5 also exists and might be used if the boot information is small enough to fit in the area immediately after the MBR.
Boot Floppy/USB
• cd /boot/grub
  cat stage1 stage2 > /dev/fd0
• cd /boot/grub/
  dd if=stage1 of=/dev/fd0 bs=512 count=1
  dd if=stage2 of=/dev/fd0 bs=512 seek=1
Grub Versions
• 0.97
• 1.97
• 1.98
• 1.99
• 2.0?
Grub Configuration
• /boot/grub/grub.conf -or- menu.lst. Each of the following directives can also be placed on a single line.
• Defaults section
  default=0 … Default OS entry, numbered starting with 0
  timeout=0 … Time to hit the spacebar
  splashimage=(hd0,0)/boot/grub/splash.xpm.gz … boot display image, ESC to bypass
  hiddenmenu
  password <encrypted password>
• OS section
  title <any string>
  root (hd0,0) … optional, where the OS image (kernel) is stored (hd0=sda, 0=partition 1)
  kernel /boot/vmlinuz-<version> <options> root=/dev/sda2 … where / is
  -or- kernel (hd0,0)/boot/vmlinuz-<version> <options> root=/dev/sda2
  initrd /boot/initramfs-<version> (/boot/initrd in some distros)
  -or- initrd (hd0,0)/boot/initramfs-<version>
  lock … Password protected entry
• For a non-Linux OS (e.g. Windows), or non-compliant OSes
  rootnoverify (hd0,0)
  chainloader (hd0,0)+1 … chain to the OS-specific boot loader (ntldr for Windows)
GRUB Command Line
• You need to know the following:
  - The partition containing the kernel (i.e. /boot) – root, find commands
  - The partition, path and filename of the initrd file (i.e. /boot)
  - Within that partition, the directory path and filename of the kernel
  - The partition containing /sbin/init (i.e. root=/dev/sdaX on the kernel statement)
  - The ESC key gets you to the command line view past the splash screen
• Example:
  The partition containing the kernel = /dev/hda1, or (hd0,0) in grub-speak
  Directory path and filename of the kernel = /vmlinuz-i686-up-4GB
  The partition containing /sbin/init is /dev/sda2
  grub> root (hd0,0)
  grub> kernel /vmlinuz-i686-up-4GB root=/dev/sda2
  grub> boot
  -OR-
  grub> kernel (hd0,0)/vmlinuz-i686-up-4GB root=/dev/sda2
  grub> boot
• Any initrd image must match the Linux kernel image
Boot Options
Boot a foreign language distro
• grub> root (hd0,0)
  grub> kernel /vmlinuz-i686-up-4GB root=/dev/sda2 lang=us
  grub> boot
Single partition
• grub> root (hd0,0)
  grub> kernel /boot/vmlinuz-i686-up-4GB root=/dev/sda1
  grub> boot
Maintenance mode
• grub> root (hd0,0)
  grub> kernel /boot/vmlinuz-i686-up-4GB root=/dev/sda1 single
  grub> boot
Unknown OS
• grub> root (hd0,0)
  grub> find /sbin/init
  grub> find /vmlinuz*
  grub> find /boot/vmlinuz*
  grub> null (hd0,0)/vmlinuz
(re)generating the MBR
LINUX
• grub-install /dev/sda
• grub-install --root-directory=/boot /dev/sda
Find unknown OS
• grub> find /boot/grub/stage1
  grub> root (hdX,Y)
  grub> setup (hd0) … writes the MBR
  grub> quit
• ms-sys … Windows MBR from LINUX
Windows
• fdisk /mbr (DOS)
• bootsect (Win 7)
• fixmbr (XP)
• bootrec /mbr (Vista/Win 7)
grub password
• /etc/grub.conf
  - default=0
  - timeout=15
  - password GrbPwd4SysAd$
• Use the up-arrow and down-arrow keys to select which entry is highlighted. Press Enter to boot the selected OS or 'p' to enter a password to unlock the next set of features.
• The "lock" directive (under title) prevents insecure booting of a system, such as maintenance mode
Generating the password
• grub-crypt
  - Password: GrbPwd4SysAd$
  - Retype password: GrbPwd4SysAd$
  - ^9^32kwzzX./3WISQ0C
• /etc/grub.conf
  - default=0
  - timeout=15
  - password --encrypted ^9^32kwzzX./3WISQ0C
Also:
• grub-crypt --sha-256
• grub-crypt --md5 -OR- grub-md5-crypt
• grub> md5crypt
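To make the difference between the cleartext password line on the previous slide and the hashed form concrete, here is an added shell example (not from the course slides or from GRUB itself). One function emits a `password --md5` line from a password using openssl's MD5-crypt (`$1$salt$hash`) output, which is the same format grub-md5-crypt produces; a second function audits grub.conf text and reports any `password` directive that is still cleartext. It assumes openssl(1) is installed; the password, salt and configuration lines used are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the slides: hashed GRUB legacy password lines and an
# audit for cleartext ones. Assumes openssl(1) is available; "-1" selects
# MD5-crypt, the format "password --md5" expects (same as grub-md5-crypt).

# grub_md5_line PASSWORD [SALT]
#   Prints a ready-to-paste line:  password --md5 $1$<salt>$<hash>
#   SALT is at most 8 characters from [./0-9A-Za-z]; generated if omitted.
grub_md5_line() {
    pw=$1
    salt=${2:-$(tr -dc './0-9A-Za-z' </dev/urandom | head -c 8)}
    hash=$(printf '%s' "$pw" | openssl passwd -1 -salt "$salt" -stdin)
    printf 'password --md5 %s\n' "$hash"
}

# audit_grub_conf_text TEXT
#   Returns 0 when every "password" directive in TEXT carries --md5 or
#   --encrypted; returns 1 and lists the offending lines on stderr otherwise.
audit_grub_conf_text() {
    offenders=$(printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*password([[:space:]]|$)' \
        | grep -Ev '^[[:space:]]*password[[:space:]]+--(md5|encrypted)[[:space:]]' \
        || true)
    if [ -n "$offenders" ]; then
        printf 'cleartext password directive found:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Usage against a live file:  audit_grub_conf_text "$(cat /boot/grub/grub.conf)"
# Constructed sample: the cleartext form from the slide is flagged, the hashed
# form passes.
if [ "${1:-}" = "--demo" ]; then
    audit_grub_conf_text "$(printf 'default=0\ntimeout=15\npassword GrbPwd4SysAd$\n')" \
        && echo "sample 1 clean" || echo "sample 1 flagged"
    audit_grub_conf_text "$(grub_md5_line 'GrbPwd4SysAd$' 'saltsalt')" \
        && echo "sample 2 clean" || echo "sample 2 flagged"
fi
```

The audit only looks at the `password` directive; `lock` on individual entries and the file permissions on grub.conf (root-only readable) still have to be checked separately, since the hash is only as strong as the password behind it.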
Grub 2
• Now with Debian/Ubuntu 9.10 (1.97), 11.10 (1.98), 12.04 (1.99), Fedora Core 16.
• Script driven. Requires issuing the update-grub command to generate the MBR, like LILO.
• Password protection procedures are more complex. In beta on 1.97, 1.98. Limited in Ubuntu 12.04 LTS.
• The Shift key gets you to the command line display past the splash screen (replaces ESC in Grub 1).
• Partition numbering begins with 1, not 0 as in Grub 1. Hard drive numbering remains the same.
• GRUB 2 places files in three locations:
  /boot/grub2/grub.cfg - main configuration file that replaces menu.lst/grub.conf. DO NOT EDIT!
  /etc/grub.d/ - directory containing the (bash) GRUB scripts used as building blocks for the grub.cfg file built with the update-grub command.
  /etc/default/grub - contains the GRUB2 menu settings read by the GRUB scripts and written into grub.cfg. The customizable part of GRUB, similar to the old menu.lst/grub.conf minus the actual boot entries.
Grub 2 scripts Typical Ubuntu Scripts (note numbering sequence): • 00_header script that loads GRUB settings from /etc/default/grub. • 05_debian_theme defines the background, colors and themes. Script name changes on other distros. • 10_linux loads the menu entries for the installed distribution. • 20_memtest86+ loads the memtest utility. • 30_os-prober script that scans the hard disks for other OSes and adds them to the boot menu. • 40_custom is a template that you can use to create additional entries to the boot menu. This entry is never modified by automated OS detection.
Script Examples:
• 11_otherOS
#!/bin/sh -e
# diagnostics go to stderr; everything on stdout ends up in grub.cfg
echo "Adding my custom Linux to GRUB 2" >&2
cat << EOF
menuentry "My custom Linux" {
    set root=(hd0,5)
    linux /boot/vmlinuz
    initrd /boot/initrd.img
}
EOF
• 12_windows
#!/bin/sh -e
echo "Adding Windows 8 to GRUB 2 menu" >&2
cat << EOF
menuentry "Windows 8" {
    set root=(hd0,1)
    chainloader (hd0,1)+1
}
EOF
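As an added example (not from the slides, Ubuntu, or the GRUB project), the same building-block pattern with one defensive addition: the script checks that the kernel and initrd it names exist before emitting the entry, so a typo or a removed kernel yields a skipped entry on stderr rather than an unbootable menu item silently written into grub.cfg. The device names, paths and root device are placeholders; `PREFIX` is an assumed extra argument that lets the existence check run against a staging tree instead of the live /boot.

```sh
#!/bin/sh -e
# Added example, not from the slides: an /etc/grub.d building-block script
# (e.g. installed as /etc/grub.d/11_otherOS) that only emits a menu entry
# when the files it references exist. All devices and paths are placeholders.

# emit_linux_entry TITLE GRUB_ROOT KERNEL INITRD LINUX_ROOT [PREFIX]
#   Writes a menuentry block to stdout (which update-grub collects into
#   grub.cfg). Returns 1 and reports on stderr if KERNEL or INITRD is missing.
#   PREFIX (assumed, for testing) is prepended only for the existence check.
emit_linux_entry() {
    title=$1 grub_root=$2 kernel=$3 initrd=$4 linux_root=$5 prefix=${6:-}
    for f in "$kernel" "$initrd"; do
        if [ ! -f "$prefix$f" ]; then
            echo "Skipping \"$title\": $prefix$f not found" >&2
            return 1
        fi
    done
    cat <<EOF
menuentry "$title" {
    set root=$grub_root
    linux $kernel root=$linux_root ro
    initrd $initrd
}
EOF
}

# update-grub runs each executable script in /etc/grub.d with no arguments and
# concatenates their stdout. Only act when actually installed there; a missing
# file then produces no entry instead of failing the whole update-grub run.
if [ $# -eq 0 ] && [ "$(dirname "$0")" = "/etc/grub.d" ]; then
    echo "Adding my custom Linux to GRUB 2" >&2
    emit_linux_entry "My custom Linux" "(hd0,5)" /boot/vmlinuz /boot/initrd.img /dev/sda6 || exit 0
fi
```

Keep the script executable (chmod +x) and numbered so it sorts where you want the entry to appear; as with 40_custom, update-grub never rewrites it, so the check runs on every regeneration.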
Grub2 commands
• update-grub (/dev/sda) – updates the OS list and generates grub.cfg. Front end to grub(2)-mkconfig. 40_custom is not modified by this command.
• grub(2)-mkconfig -o /boot/grub2/grub.cfg – generates grub.cfg
• grub(2)-install (/dev/sda) – generates the MBR
See also
• UEFI – see EFI shim. 32 vs 64 bit. Secure Boot procedures vary.
• Windows 7 dual boot using bcdedit, the visual bcdedit tool, or EasyBCD
• Windows (XP and before) dual boot: boot.ini: c:\linux.mbr="Linux" … where linux.mbr is the hd0 MBR