CIS 228 Grub Basics and Boot Security

How we get there

Physical security

• Lock it up!

• BIOS Password

• Disable BIOS alternate boot devices

• Disable interactive boot: set PROMPT=no in /etc/sysconfig/init

• Password protected GRUB boot

• Console locking: vlock (yum install vlock) for text consoles, xlock for X

• Lock the desktop GUI, or run no X Window System at all.

• Disable Ctrl/Alt/Del (procedure varies)

Grand Unified Bootloader (GRUB)

• Replaces LILO, which replaced SYSLINUX, which replaced LOADLIN. You still see the latter on "live" and install CDs.

• Works differently from LILO in that changes to the configuration take effect automatically after editing (LILO requires running a command to regenerate the MBR bootstrap).

GRUB works in stages. The staged architecture allows GRUB to be large (~20-30K) and therefore fairly complex and highly configurable, compared to most other boot loaders, which are sparse and simple so that they fit within the limits imposed by the partition table.

• Stage 1 is located in the MBR and points to (chainloads) Stage 2, since the MBR is too small to contain all of the needed data.

• Stage 2 points to the configuration file (/boot/grub/grub.conf -or- menu.lst), which contains the user interface and OS options. Stage 2 can be located anywhere on the disk. If Stage 2 cannot find its configuration file, GRUB stops the boot sequence and presents the user with a GRUB command line for manual configuration.

• Stage 1.5 also exists and may be used if the boot information is small enough to fit in the area immediately after the MBR.

Boot Floppy/USB

• Simplest form, stage1 followed directly by stage2:

    cd /boot/grub
    cat stage1 stage2 > /dev/fd0

• Same layout written sector by sector (stage1 in sector 0, stage2 from sector 1):

    cd /boot/grub/
    dd if=stage1 of=/dev/fd0 bs=512 count=1
    dd if=stage2 of=/dev/fd0 bs=512 seek=1

Grub Versions

• 0.97 (GRUB legacy)
• 1.97
• 1.98
• 1.99
• 2.0?

Grub Configuration

• /boot/grub/grub.conf -or- menu.lst. The following can also be placed on a single line.

• Defaults section (text after "…" is explanation, not part of the file):

    default=0                                    … default OS entry, counting from 0
    timeout=0                                    … seconds to hit the spacebar before the default boots
    splashimage=(hd0,0)/boot/grub/splash.xpm.gz  … boot display image, ESC to bypass
    hiddenmenu                                   … hide the menu until a key is pressed
    password …                                   … see the grub password slides

• OS section (one block per boot entry; <version> stands for the installed kernel version):

    title <name>
    root (hd0,0)                           … optional; partition holding the kernel (hd0 = sda, 0 = partition 1)
    kernel /boot/vmlinuz-<version> root=/dev/sda2    … root= is the partition holding /
      -or-
    kernel (hd0,0)/boot/vmlinuz-<version> root=/dev/sda2
    initrd /boot/initramfs-<version>       … /boot/initrd-<version> in some distros
      -or-
    initrd (hd0,0)/boot/initramfs-<version>
    lock                                   … password-protected entry

For a non-Linux OS (e.g. Windows) or other non-compliant OSes, chain to the OS's own boot loader:

    rootnoverify (hd0,0)
    chainloader (hd0,0)+1                  … chain to the OS-specific boot loader (ntldr for Windows)

GRUB Command Line

• You need to know the following:
  - The partition containing the kernel (i.e. /boot): the root and find commands help here
  - The partition, path and filename of the initrd file (i.e. in /boot)
  - Within that partition, the directory path and filename of the kernel
  - The partition containing /sbin/init (i.e. root=/dev/sdaX on the kernel statement)
  - The ESC key gets you to the command-line view past the splash screen

• Example:
  The partition containing the kernel = /dev/hda1, or (hd0,0) in grub-speak
  Directory path and filename of the kernel = /vmlinuz-i686-up-4GB
  The partition containing /sbin/init = /dev/sda2

    grub> root (hd0,0)
    grub> kernel /vmlinuz-i686-up-4GB root=/dev/sda2
    grub> boot

  -OR-

    grub> kernel (hd0,0)/vmlinuz-i686-up-4GB root=/dev/sda2
    grub> boot

  Any initrd image must match the kernel image.

Boot Options

Boot a foreign-language distro (override the installed language):

    grub> root (hd0,0)
    grub> kernel /vmlinuz-i686-up-4GB root=/dev/sda2 lang=us
    grub> boot

Single partition (/boot is on the root partition):

    grub> root (hd0,0)
    grub> kernel /boot/vmlinuz-i686-up-4GB root=/dev/sda1
    grub> boot

Maintenance mode (single-user, which is why "lock" matters):

    grub> root (hd0,0)
    grub> kernel /boot/vmlinuz-i686-up-4GB root=/dev/sda1 single
    grub> boot

Unknown OS (locate init and the kernel first, then boot what you found):

    grub> root (hd0,0)
    grub> find /sbin/init
    grub> find /vmlinuz*
    grub> find /boot/vmlinuz*
    grub> kernel (hd0,0)/vmlinuz

(re)generating the MBR

LINUX

• grub-install /dev/sda
• grub-install --root-directory=/mnt /dev/sda   … when the target system's root is mounted elsewhere (here /mnt), e.g. from rescue media
• Find an unknown OS and reinstall from the GRUB shell:

    grub> find /boot/grub/stage1
    grub> root (hdX,Y)        … the (hdX,Y) that find reported
    grub> setup (hd0)         … writes the MBR
    grub> quit

• ms-sys … writes a Windows MBR from Linux

Windows

• fdisk /mbr (DOS)
• bootsect (Win 7)
• fixmbr (XP recovery console)
• bootrec /fixmbr (Vista/Win 7 recovery environment)

grub password

• /etc/grub.conf:

    default=0
    timeout=15
    password GrbPwd4SysAd$

• Use the up-arrow and down-arrow keys to select which entry is highlighted. Press enter to boot the selected OS or 'p' to enter a password to unlock the next set of features.

• The "lock" directive (under a title) prevents insecure booting of a system, e.g. into maintenance mode, without the password.

Generating the password

• grub-crypt (prompts twice, prints the hash):

    Password: GrbPwd4SysAd$
    Retype password: GrbPwd4SysAd$
    ^9^32kwzzX./3WISQ0C

• /etc/grub.conf (paste the hash; the plaintext password no longer appears in the file):

    default=0
    timeout=15
    password --encrypted ^9^32kwzzX./3WISQ0C
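The two grub.conf variants above (plaintext vs. encrypted password) and the "lock" directive can be checked mechanically. The script below is an added example, not from the slides: it audits constructed sample configs (the encrypted hash is a placeholder) for a plaintext password line and for a single-user entry without lock.

```shell
#!/bin/sh
# Added example (not from the slides): audit a GRUB legacy grub.conf for the
# two weaknesses the password slides address, a plaintext "password" line
# (no --encrypted/--md5) and a maintenance-mode entry without "lock".
# Both configs are constructed samples and the hash is a placeholder.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/weak.conf" <<'EOF'
default=0
timeout=15
password GrbPwd4SysAd$
title CentOS
        root (hd0,0)
        kernel /vmlinuz-2.6 ro root=/dev/sda2
title CentOS (maintenance)
        root (hd0,0)
        kernel /vmlinuz-2.6 ro root=/dev/sda2 single
EOF
cat > "$WORK/good.conf" <<'EOF'
default=0
timeout=15
password --encrypted $6$PLACEHOLDER_SALT$PLACEHOLDER_HASH
title CentOS (maintenance)
        lock
        root (hd0,0)
        kernel /vmlinuz-2.6 ro root=/dev/sda2 single
EOF
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_grub_conf() {   # $1 = path to grub.conf / menu.lst
  rc=0
  if ! grep -Eq '^[[:space:]]*password[[:space:]]' "$1"; then
    echo "no password directive: menu editing and the grub> prompt are open"; rc=1
  elif grep -E '^[[:space:]]*password[[:space:]]' "$1" | grep -Evq -e '--(encrypted|md5)'; then
    echo "plaintext password: run grub-crypt and use 'password --encrypted <hash>'"; rc=1
  fi
  # Walk the title blocks: a kernel line booting to single/1/s needs a lock directive.
  awk -v bad=0 '
    /^[[:space:]]*title/ { if (single && !locked) { print "unlocked maintenance entry: " t; bad=1 }
                           t=$0; sub(/^[[:space:]]*title[[:space:]]*/, "", t); single=0; locked=0 }
    /^[[:space:]]*lock([[:space:]]|$)/ { locked=1 }
    /^[[:space:]]*kernel.*[[:space:]](single|1|s)([[:space:]]|$)/ { single=1 }
    END { if (single && !locked) { print "unlocked maintenance entry: " t; bad=1 }; exit bad }
  ' "$1" || rc=1
  return $rc
}
for f in weak good; do
  echo "== $f.conf"; audit_grub_conf "$WORK/$f.conf" && echo "clean" || echo "-> fix before reboot"
done
```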

Also:

• grub-crypt --sha-256
• grub-crypt --md5 -or- grub-md5-crypt
• grub> md5crypt (from the GRUB shell)

Grub 2

• Now shipped with Debian/Ubuntu 9.10 (1.97), 11.10 (1.98), 12.04 (1.99) and Fedora Core 16.
• Script driven: after a change you must run update-grub, much as LILO needs its command re-run.
• Password protection procedures are more complex; in beta on 1.97 and 1.98, limited in Ubuntu 12.04 LTS.
• The Shift key gets you to the command-line display past the splash screen (replaces ESC in Grub 1).
• Partition numbering begins with 1, not 0 as in Grub 1; hard drive numbering remains the same.

• GRUB 2 places files in three locations:
  - /boot/grub2/grub.cfg (/boot/grub/grub.cfg on Debian/Ubuntu): main configuration file that replaces menu.lst/grub.conf. DO NOT EDIT; it is regenerated.
  - /etc/grub.d/: directory of (bash) GRUB scripts used as building blocks for the grub.cfg file, which is built with the update-grub command.
  - /etc/default/grub: GRUB 2 menu settings read by the GRUB scripts and written into grub.cfg. This is the customizable part of GRUB, similar to the old menu.lst/grub.conf minus the actual boot entries.

Grub 2 scripts

Typical Ubuntu Scripts (note numbering sequence):

• 00_header script that loads GRUB settings from /etc/default/grub.

• 05_debian_theme defines the background, colors and themes. Script name changes on other distros.

• 10_linux loads the menu entries for the installed distribution.

• 20_memtest86+ loads the memtest utility.

• 30_os-prober script that scans the hard disks for other OSes and adds them to the boot menu.

• 40_custom is a template that you can use to create additional entries for the boot menu. This file is never modified by automated OS detection.

Script Examples:

• 11_otherOS (everything the script writes to stdout is copied into grub.cfg, so progress messages go to stderr):

#!/bin/sh -e
echo "Adding my custom Linux to GRUB 2" >&2
cat << EOF
menuentry "My custom Linux" {
        set root=(hd0,5)
        linux /boot/vmlinuz
        initrd /boot/initrd.img
}
EOF

• 12_windows (note GRUB 2 partition numbering: (hd0,1) is the first partition):

#!/bin/sh -e
echo "Adding Windows 8 to GRUB 2 menu" >&2
cat << EOF
menuentry "Windows 8" {
        set root=(hd0,1)
        chainloader (hd0,1)+1
}
EOF

Grub2 commands

• update-grub – updates the OS list and generates grub.cfg. Front end to grub-mkconfig (grub2-mkconfig on Fedora); 40_custom is not modified by this command.

• grub-mkconfig -o /boot/grub2/grub.cfg (grub2-mkconfig on Fedora) – generates grub.cfg

• grub-install /dev/sda (grub2-install on Fedora) – writes the MBR

See also

• UEFI – see the EFI shim; 32- vs 64-bit firmware; Secure Boot. Procedures vary.

• Windows 7 dual boot: use bcdedit, a visual bcdedit tool, or EasyBCD

• Windows (XP and before) dual boot via boot.ini: c:\linux.mbr="Linux" … where linux.mbr is the hd0 MBR
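The Grub 2 scripts section above shows custom /etc/grub.d entries but not how GRUB 2 replaces the legacy "password --encrypted" and "lock" directives. The script below is an added example, not from the slides or any distro: a 40_custom-style /etc/grub.d script that declares a superuser and emits one entry anyone may boot and one maintenance entry only the superuser may boot. "admin" is an assumed user name and the PBKDF2 hash is a placeholder.

```shell
#!/bin/sh -e
# Added example, not from the slides: an /etc/grub.d script in the style of
# 40_custom that adds GRUB 2 password protection, the GRUB 2 counterpart of
# the legacy "password --encrypted" and "lock" directives. Like every
# /etc/grub.d script it must be executable; whatever it writes to stdout is
# copied into grub.cfg by update-grub, so messages for the admin go to stderr.
# "admin" is an assumed user name and the hash is a placeholder: generate a
# real one with grub-mkpasswd-pbkdf2 and never put a plaintext password here.
GRUB_ADMIN=admin
GRUB_ADMIN_HASH=grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH

# Declares the superuser; from here on every entry without --unrestricted,
# editing an entry and the grub> prompt require this user's password.
emit_grub2_auth() {
  printf 'set superusers="%s"\n' "$GRUB_ADMIN"
  printf 'password_pbkdf2 %s %s\n' "$GRUB_ADMIN" "$GRUB_ADMIN_HASH"
}

# Normal entry anyone may boot (but not edit). $1 title, $2 root partition
# in GRUB 2 numbering (partitions start at 1), $3 kernel, $4 initrd.
emit_unrestricted_entry() {
  cat <<EOF
menuentry "$1" --unrestricted {
        set root=$2
        linux $3
        initrd $4
}
EOF
}

# Maintenance entry only the superuser may boot: the GRUB 2 form of "lock".
emit_locked_entry() {
  cat <<EOF
menuentry "$1" --users $GRUB_ADMIN {
        set root=$2
        linux $3 single
        initrd $4
}
EOF
}

echo "Adding password-protected entries to GRUB 2 menu" >&2
emit_grub2_auth
emit_unrestricted_entry "My custom Linux" "(hd0,5)" "/boot/vmlinuz" "/boot/initrd.img"
emit_locked_entry "My custom Linux (maintenance)" "(hd0,5)" "/boot/vmlinuz" "/boot/initrd.img"
```

Once superusers is set, every entry in the generated grub.cfg that lacks --unrestricted, including those written by 10_linux, prompts for the password, so read the regenerated grub.cfg before rebooting.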