CIS 228 Grub Basics and Boot Security - PowerPoint PPT Presentation

Provided by: RRDonn7

1
CIS 228 Grub Basics and Boot Security
  • How we get there.

2
Physical security
  • Lock it up!
  • BIOS Password
  • Disable BIOS alternate boot devices
  • Disable interactive boot
  • vi /etc/sysconfig/init
  • PROMPT=no
  • Password protected GRUB boot
  • Console locking: yum install vlock, xlock
  • Lock desktop GUI, or no Xwindows at all.
  • Disable Ctrl/Alt/Del (procedure varies)

3
Grand Unified Bootloader
  • Replaces LILO, which replaced SYSLINUX, which
    replaced LOADLIN. You still see these older loaders on
    live and install CDs.
  • Works differently from LILO in that changes are
    automatic after an edit (LILO requires issuing a
    command to regenerate the MBR bootstrap).
  • GRUB works in stages. The stage architecture
    allows GRUB to be large (20-30K) and therefore
    fairly complex and highly configurable, compared
    to most bootloaders, which are sparse and simple
    to fit within the limitations of the Partition
    Table.
  • Stage 1 is located in the MBR and points
    (chainloads) to Stage 2, since the MBR is too
    small to contain all of the needed data.
  • Stage 2 points to the configuration file
    (/boot/grub/grub.conf -or- menu.lst), which
    contains user interface and OS options.
    Stage 2 can be located anywhere on the disk. If
    Stage 2 cannot find its configuration file, GRUB
    will cease the boot sequence and present the user
    with a GRUB command line for manual
    configuration.
  • Stage 1.5 also exists and might be used if the
    boot information is small enough to fit in the
    area immediately after the MBR.

4
Boot Floppy/USB
  • cd /boot/grub
    cat stage1 stage2 > /dev/fd0
  • cd /boot/grub/
    dd if=stage1 of=/dev/fd0 bs=512 count=1
    dd if=stage2 of=/dev/fd0 bs=512 seek=1

5
Grub Versions
  • 0.97
  • 1.97
  • 1.98
  • 1.99
  • 2.0?

6
Grub Configuration
  • /boot/grub/grub.conf -or- menu.lst.
    The following can also be placed on a single line
  • Defaults section
  • default=0        Default OS entry, starting with 0
  • timeout=0        Time to hit spacebar
  • splashimage=(hd0,0)/boot/grub/splash.xpm.gz
    boot display image, ESC to bypass
  • hiddenmenu
  • password <encrypted password>
  • OS section
  • title <any string>
  • root (hd0,0)     optional, where OS image (kernel) is stored
    (hd0 = sda, 0 = partition 1)
  • kernel /boot/vmlinux-<version> <options> root=/dev/sda2
    (root= is where / is)
  • -or- kernel (hd0,0)/boot/vmlinux-<version> <options> root=/dev/sda2
  • initrd /boot/initramfs-<version>
    (/boot/initrd in some distros)
  • -or- initrd (hd0,0)/boot/initramfs-<version>
  • lock             Password protected entry
  • For non-LINUX OS (i.e. Windows), or
    non-compliant OSes
  • rootnoverify (hd0,0)
  • chainloader (hd0,0)+1     chain to
    OS specific boot loader (ntldr for Windows)

7
GRUB Command Line
  • You need to know the following
  • - The partition containing the kernel (i.e.
    /boot): root, find commands
  • - The partition, path and filename of the initrd
    file (i.e. /boot)
  • - Within that partition, the directory path and
    filename of the kernel
  • - The partition containing /sbin/init (i.e.
    root=/dev/sdaX on the kernel statement)
  • - ESC key gets you to the command line view
    past the splash screen
  • Example
  • The partition containing the kernel: /dev/hda1,
    or (hd0,0) in grub-speak
  • Directory path and filename of the kernel:
    /vmlinuz-i686-up-4GB
  • The partition containing /sbin/init is /dev/sda2
  • grub> root (hd0,0)
  • grub> kernel /vmlinuz-i686-up-4GB root=/dev/sda2
  • grub> boot
  • -OR-
  • grub> kernel (hd0,0)/vmlinuz-i686-up-4GB root=/dev/sda2
  • grub> boot
  • Any initrd image must match the Linux kernel image

8
Boot Options
  • Boot a foreign language distro
  • grub> root (hd0,0)
    grub> kernel /vmlinuz-i686-up-4GB root=/dev/sda2 lang=us
    grub> boot
  • Single partition
  • grub> root (hd0,0)
    grub> kernel /boot/vmlinuz-i686-up-4GB root=/dev/sda1
    grub> boot
  • Maintenance mode
  • grub> root (hd0,0)
    grub> kernel /boot/vmlinuz-i686-up-4GB root=/dev/sda1 single
    grub> boot
  • Unknown OS
  • grub> root (hd0,0)
  • grub> find /sbin/init
  • grub> find /vmlinuz
  • grub> find /boot/vmlinuz
  • grub> null (hd0,0)/vmlinuz

9
(re)generating the MBR
  • LINUX
  • grub-install /dev/sda
  • grub-install --root-directory=/boot /dev/sda
  • Find unknown OS
  • grub> find /boot/grub/stage1
    grub> root (hdX,Y)
    grub> setup (hd0)     writes the MBR
    grub> quit
  • ms-sys
    Windows MBR from LINUX
  • Windows
  • fdisk /mbr (DOS)
  • bootsect (Win 7)
  • fixmbr (XP)
  • bootrec /fixmbr (Vista/Win 7)

10
grub password
  • /etc/grub.conf
  • - default=0
  • - timeout=15
  • - password GrbPwd4SysAd
  • Use the up-arrow and down-arrow keys to select
    which entry is highlighted. Press enter to boot
    the selected OS or 'p' to enter a password to
    unlock the next set of features.
  • lock directive (under title) prevents insecure
    booting of a system, like maintenance mode

11
Generating the password
  • grub-crypt
  • - Password: GrbPwd4SysAd
  • - Retype password: GrbPwd4SysAd
  • - 932kwzzX./3WISQ0C
  • /etc/grub.conf
  • - default=0
  • - timeout=15
  • - password --encrypted 932kwzzX./3WISQ0C
  • Also
  • grub-crypt --sha-256
  • grub-crypt --md5 -OR- grub-md5-crypt
  • grub> md5crypt
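
An added example (not from the slides): a POSIX shell check for the GRUB Legacy password settings on slides 10 and 11. The finding names and the sample config are constructed here; it assumes the grub.conf syntax shown above.

```shell
#!/bin/sh
# Added example: audit a GRUB Legacy grub.conf / menu.lst.
# Finding codes (NO_GLOBAL_PASSWORD etc.) are names chosen for this example.
audit_grub_conf() {
    awk '
    # Report the entry just finished if it boots to maintenance mode unlocked.
    function report() {
        if (title != "" && risky && !locked)
            print "UNLOCKED_MAINTENANCE_ENTRY: " title
    }
    /^[ \t]*#/ { next }                      # skip comments
    { sub(/^[ \t]+/, "") }                   # strip leading indentation
    /^title[ \t]/ { report(); title = substr($0, 7); risky = 0; locked = 0; next }
    # A password line before the first title is the global menu password.
    title == "" && /^password([ \t=]|$)/ {
        have_pw = 1
        if ($0 !~ /--(encrypted|md5)/) print "PLAINTEXT_PASSWORD"
        next
    }
    title != "" && /^lock([ \t]|$)/ { locked = 1 }
    # Kernel arguments that drop to single-user mode or replace init.
    title != "" && /^kernel[ \t]/ && /[ \t](single|1|S|init=[^ \t]+)([ \t]|$)/ { risky = 1 }
    END { report(); if (!have_pw) print "NO_GLOBAL_PASSWORD" }
    ' "$1"
}

# Constructed sample: plaintext password plus a maintenance entry with no "lock".
sample=$(mktemp)
cat > "$sample" <<'EOF'
default=0
timeout=15
password GrbPwd4SysAd
title Linux
    root (hd0,0)
    kernel /vmlinuz-i686-up-4GB root=/dev/sda2
title Linux (maintenance)
    root (hd0,0)
    kernel /vmlinuz-i686-up-4GB root=/dev/sda2 single
EOF
audit_grub_conf "$sample"
rm -f "$sample"
```

On the sample it reports the plaintext password and the unlocked maintenance entry; a config using password --encrypted with lock under the maintenance title produces no findings.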

12
Grub 2
  • Now with Debian/Ubuntu 9.10 (1.97), 11.10 (1.98),
    12.04 (1.99), Fedora Core 16.
  • Script driven
  • Requires issuing the update-grub command to
    generate MBR, like LILO
  • Password protection procedures more complex. In
    beta on 1.97, 1.98. Limited in Ubuntu 12.04 LTS
  • Shift key gets you to the command line
    display past the splash screen (replaces ESC in Grub
    1)
  • Partition numbering begins with 1, not
    0 as in Grub 1
  • Hard drive numbering remains the same
  • GRUB 2 places files in three locations
  • /boot/grub2/grub.cfg - main configuration file
    that replaces menu.lst/grub.conf. DO NOT EDIT!
  • /etc/grub.d/ - directory contains (bash) GRUB
    scripts used as building blocks for the grub.cfg file
    built with the update-grub command.
  • /etc/default/grub - contains GRUB2 menu settings
    read by the GRUB scripts and written into
    grub.cfg. Customizable part of GRUB, similar to
    the old menu.lst/grub.conf minus the actual boot
    entries.

13
Grub 2 scripts
  • Typical Ubuntu Scripts (note numbering
    sequence)
  • 00_header script that loads GRUB settings from
    /etc/default/grub.
  • 05_debian_theme defines the background, colors
    and themes. Script name changes on other distros.
  • 10_linux loads the menu entries for the installed
    distribution.
  • 20_memtest86 loads the memtest utility.
  • 30_os-prober script that scans the hard disks for
    other OSes and adds them to the boot menu.
  • 40_custom is a template that you can use to
    create additional entries to the boot menu. This
    entry is never modified by automated OS detection.

14
Script Examples
  • 11_otherOS
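  • #!/bin/sh -e
    # Status message goes to stderr; stdout becomes part of grub.cfg
    echo "Adding my custom Linux to GRUB 2" >&2
    cat << EOF
    menuentry "My custom Linux" {
        set root=(hd0,5)
        linux /boot/vmlinuz
        initrd /boot/initrd.img
    }
    EOF
  • 12_windows
  • #!/bin/sh -e
    # Status message goes to stderr; stdout becomes part of grub.cfg
    echo "Adding Windows 8 to GRUB 2 menu" >&2
    cat << EOF
    menuentry "Windows 8" {
        set root=(hd0,1)
        chainloader (hd0,1)+1
    }
    EOF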

15
Grub2 commands
  • update-grub (/dev/sda): updates OS list,
    generates grub.cfg.
  • Front end to grub(2)-mkconfig
  • 40_custom not modified by this command.
  • grub(2)-mkconfig -o /boot/grub2/grub.cfg:
    generates grub.cfg
  • grub(2)-install (/dev/sda): generates MBR

16
See also
  • UEFI: see EFI shim. 32 vs 64 bit. Secure Boot
  • Procedures vary.
  • Windows 7 dual boot: using bcdedit, a visual bcdedit
    tool, or EasyBCD
  • Windows (XP and before) dual boot
  • boot.ini: c:\linux.mbr="Linux"
  • where linux.mbr is the hd0 MBR