CIS 228 Grub Basics and Boot Security


1 CIS 228 Grub Basics and Boot Security
How we get there.

2 Physical security
Lock it up!
BIOS password
Disable BIOS alternate boot devices
Disable interactive boot: vi /etc/sysconfig/init and set PROMPT=no
Password-protected GRUB boot
Console locking: yum install vlock, xlock
Lock the desktop GUI, or run no X Windows at all
Disable Ctrl/Alt/Del (procedure varies)

3 Grand Unified Bootloader
Replaces LILO, which replaced SYSLINUX, which replaced LOADLIN. You still see the latter on "live" and install CDs.
Works differently from LILO in that changes take effect automatically after editing the configuration (LILO requires issuing a command to regenerate the MBR bootstrap).
GRUB works in stages. The stage architecture allows GRUB to be large (~20-30K) and therefore fairly complex and highly configurable, compared to most bootloaders, which are sparse and simple so that they fit within the limitations of the partition table.
Stage 1 is located in the MBR and points to (chainloads) Stage 2, since the MBR is too small to contain all of the needed data.
Stage 2 points to the configuration file (/boot/grub/grub.conf or menu.lst), which contains the user interface and OS options. Stage 2 can be located anywhere on the disk.
If Stage 2 cannot find its configuration file, GRUB halts the boot sequence and presents the user with a GRUB command line for manual configuration.
Stage 1.5 also exists and may be used if the boot information is small enough to fit in the area immediately after the MBR.

4 Backup!
dd if=/dev/sda of=/mnt/sdb1/linux.bin bs=512 count=1 … first sector of sda (MBR bootstrap plus partition table); /mnt/sdb1 is the mount point of /dev/sdb1
cd /boot/grub/ … /boot/grub2/ on GRUB 2
cp grub.cfg /mnt/sdb1/grub.cfg
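As an added example (not from the slides), the backup above with a sanity check on the copy before it is relied on: the image must be exactly 512 bytes, end with the 0x55AA boot signature, and carry a readable partition table. The function names, the /mnt/backup destination and the constructed test image are assumptions for this example; /dev/sda and the 512-byte size come from the slide.

```shell
# Copy the first sector of DISK (default /dev/sda) to OUT and verify the copy.
# Needs root for the read of the raw device.
backup_mbr() {
    disk=${1:-/dev/sda}
    out=${2:-/mnt/backup/mbr-$(date +%Y%m%d).bin}   # assumed backup location
    dd if="$disk" of="$out" bs=512 count=1 2>/dev/null || return 1
    check_mbr_image "$out"
}

# Return 0 only if FILE is exactly 512 bytes and ends with the 0x55AA signature.
check_mbr_image() {
    img=$1
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -eq 512 ] || { echo "not 512 bytes: $size"; return 1; }
    sig=$(tail -c 2 "$img" | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "bad boot signature: $sig"; return 1; }
    return 0
}

# Print one line per used partition-table entry (4 entries of 16 bytes at offset 446):
# index, bootable flag (status byte 0x80) and partition type byte.
mbr_partitions() {
    img=$1
    i=0
    while [ $i -lt 4 ]; do
        off=$((446 + i * 16))
        entry=$(od -An -tx1 -j "$off" -N 16 "$img" | tr -d ' \n')
        status=$(printf '%s' "$entry" | cut -c1-2)
        ptype=$(printf '%s' "$entry" | cut -c9-10)     # 5th byte of the entry
        if [ "$ptype" != "00" ]; then
            bootable=no
            [ "$status" = "80" ] && bootable=yes
            printf 'entry %d bootable=%s type=0x%s\n' "$((i + 1))" "$bootable" "$ptype"
        fi
        i=$((i + 1))
    done
}

# Constructed 512-byte image (not a real disk) so the checks can be exercised offline:
# one bootable Linux (0x83) partition entry and a valid signature.
make_test_mbr() {
    out=$1
    {
        head -c 446 /dev/zero
        printf '\200'           # entry 1 status: bootable
        head -c 3 /dev/zero     # CHS start, unused here
        printf '\203'           # type 0x83 = Linux
        head -c 59 /dev/zero    # rest of entry 1 (11 bytes) + entries 2-4 (48 bytes)
        printf '\125\252'       # 0x55 0xAA boot signature
    } > "$out"
}
```

Restoring the whole 512 bytes with dd also overwrites the partition table, so it only makes sense while the partition layout is unchanged; restoring with bs=446 count=1 puts back only the bootstrap code and leaves the table alone.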

5 Grub versions
0.97
1.97
1.98
1.99
2.0

6 Grub configuration
/boot/grub/grub.conf or menu.lst. The following can also be placed on a single line.
Defaults section:
default= … default OS entry, numbered starting with 0
timeout= … seconds to hit the spacebar
splashimage=(hd0,0)/boot/grub/splash.xpm.gz … boot display image, ESC to bypass
hiddenmenu
password --encrypted <encrypted password>
OS section:
title <any string>
root (hd0,0) … optional, where the OS image (kernel) is stored (hd0=sda, 0=partition 1)
kernel /boot/vmlinuz-<version> <options> root=/dev/sda2 … where / is
-or- kernel (hd0,0)/boot/vmlinuz-<version> <options> root=/dev/sda2
initrd /boot/initramfs-<version> (/boot/initrd in some distros)
-or- initrd (hd0,0)/boot/initramfs-<version>
lock … password-protected entry
For a non-Linux OS (e.g. Windows), or non-compliant OSes:
rootnoverify (hd0,0)
chainloader (hd0,0)+1 … chain to the OS-specific boot loader (ntldr for Windows)

7 GRUB command line
You need to know the following:
- The partition containing the kernel (i.e. /boot) – root, find commands
- The partition, path and filename of the initrd file (i.e. /boot)
- Within that partition, the directory path and filename of the kernel
- The partition containing /sbin/init (i.e. root=/dev/sdaX on the kernel statement)
- ESC key gets you to the command line view past the splash screen
- Any initrd image must match the Linux kernel image
Example:
The partition containing the kernel = /dev/sda1, or (hd0,0) in grub-speak; /dev/sda1 is the same partition as (hd0,0)
Directory path and filename of the kernel = /vmlinuz-i686-up-4GB
The partition containing /sbin/init is /dev/sda2
grub> root (hd0,0)
grub> kernel /vmlinuz-i686-up-4GB root=/dev/sda2
grub> boot
-OR-
grub> kernel (hd0,0)/vmlinuz-i686-up-4GB root=/dev/sda2
grub> boot

8 Grub command line example
Imagine a system in which /dev/hda1 is mounted as /boot, and /dev/hda9 is mounted as /. Within /boot the kernel filename is vmlinuz-i686-up-4GB. Now let's answer the questions from the previous slide:
1. The partition containing the kernel = /dev/hda1, or (hd0,0) in grub-speak
2. Within that partition, the directory path and filename of the kernel = /vmlinuz-i686-up-4GB (remember, /dev/hda1 is mounted directly as /boot, so it contains the kernel directly)
3. The partition containing /sbin/init is /dev/hda9
In that case, here are the grub commands you would input to boot that system:
grub> root (hd0,0)
grub> kernel /vmlinuz-i686-up-4GB root=/dev/hda9
grub> boot
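The translation between Linux device names and grub-speak that slides 7 and 8 do by hand, as an added example (not from the slides): a shell function for both directions, covering GRUB legacy's 0-based partition numbers and GRUB 2's 1-based msdosN form that appears later on the GRUB 2 slides. It assumes BIOS disk order matches the kernel's letter order (sda = hd0, sdb = hd1), which is the common case but not guaranteed, and only handles sdX/hdX/vdX names; the function names are this example's own.

```shell
# dev_to_grub DEVICE [legacy|grub2]  -> prints "(hdN,M)" or "(hdN,msdosM)"
dev_to_grub() {
    dev=$1
    flavor=${2:-legacy}
    name=${dev#/dev/}
    case "$name" in
        sd[a-z][0-9]*|hd[a-z][0-9]*|vd[a-z][0-9]*) ;;
        *) echo "unsupported device name: $dev" >&2; return 1 ;;
    esac
    letter=$(printf '%s' "$name" | cut -c3)   # disk letter, e.g. "a" of sda2
    part=${name#???}                           # partition number, e.g. "2"
    # ASCII value of the letter minus 'a' (97) gives the BIOS disk index.
    disk=$(printf '%d' "'$letter")
    disk=$((disk - 97))
    case "$flavor" in
        legacy) printf '(hd%d,%d)\n' "$disk" "$((part - 1))" ;;   # GRUB legacy counts partitions from 0
        grub2)  printf '(hd%d,msdos%d)\n' "$disk" "$part" ;;     # GRUB 2 counts from 1
        *) echo "unknown flavor: $flavor" >&2; return 1 ;;
    esac
}

# grub_to_dev "(hd0,1)" or "(hd1,msdos3)" -> /dev/sdXN, for reading an existing config.
grub_to_dev() {
    spec=$1
    inner=${spec#\(}; inner=${inner%\)}
    disk=${inner%%,*}; disk=${disk#hd}
    part=${inner#*,}
    case "$part" in
        msdos*) part=${part#msdos} ;;   # GRUB 2: already 1-based
        *) part=$((part + 1)) ;;        # legacy: 0-based, so add one
    esac
    # Turn the disk index back into a letter via its octal character code.
    letter=$(printf "\\$(printf '%03o' $((disk + 97)))")
    printf '/dev/sd%s%d\n' "$letter" "$part"
}
```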

9 Boot options
Boot a foreign-language distro:
grub> root (hd0,0)
grub> kernel /vmlinuz-i686-up-4GB root=/dev/sda2 lang=us
grub> boot
Single partition (/boot is a directory on /):
grub> root (hd0,0)
grub> kernel /boot/vmlinuz-i686-up-4GB root=/dev/sda1
grub> boot
Maintenance mode:
grub> root (hd0,0)
grub> kernel /boot/vmlinuz-i686-up-4GB root=/dev/sda1 single
grub> boot
Unknown OS (locate the pieces first):
grub> root (hd0,0)
grub> find /sbin/init
grub> find /vmlinuz*
grub> find /boot/vmlinuz*
grub> null (hd0,0)/vmlinuz

10 (Re)generating the MBR
Linux:
update-grub … front end to grub(2)-mkconfig
grub-install /dev/sda
grub-install --root-directory=/boot /dev/sda
Find an unknown OS and rewrite the MBR from the GRUB shell:
grub> find /boot/grub/stage1
grub> root (hdX,Y)
grub> setup (hd0) … writes the MBR
grub> quit
ms-sys … write a Windows MBR from Linux
dd backup? … restore the copy made on the Backup slide
Windows:
fdisk /mbr (DOS)
bootsect (Win 7)
fixmbr (XP recovery console)
bootrec /fixmbr (Vista/Win 7)

11 grub password
/etc/grub.conf
- default=0
- timeout=15
- password GrbPwd4SysAd$
Use the up-arrow and down-arrow keys to select which entry is highlighted. Press Enter to boot the selected OS or 'p' to enter a password to unlock the next set of features.
The "lock" directive (under title) prevents insecure booting of a system, such as maintenance mode.

12 Generating the password
grub-crypt
- Password: GrbPwd4SysAd$
- Retype password: GrbPwd4SysAd$
- ^9^32kwzzX./3WISQ0C
/etc/grub.conf
- default=0
- timeout=15
- password --encrypted ^9^32kwzzX./3WISQ0C
Also: grub-crypt --sha-256, grub-crypt --md5
-OR- grub-md5-crypt, or md5crypt at the grub> prompt

13 Grub 2
Now with Debian/Ubuntu 9.10 (1.97), (1.98), (1.99), Fedora Core 16.
Script driven.
Requires running a command (update-grub) after editing, like LILO.
Password protection procedures are more complex; in beta on 1.97, limited in Ubuntu LTS.
Shift key gets you to the command line display past the splash screen (replaces ESC in Grub 1).
Partition numbering begins with 1, not 0 as in Grub 1. Hard drive numbering remains the same.
GRUB 2 places files in three locations:
/boot/grub2/grub.cfg - main configuration file that replaces menu.lst/grub.conf. DO NOT EDIT!
/etc/grub.d/ - directory containing the (bash) GRUB scripts used as building blocks for the grub.cfg file built by the update-grub command.
/etc/default/grub - contains GRUB 2 menu settings read by the GRUB scripts and written into grub.cfg. The customizable part of GRUB, similar to the old menu.lst/grub.conf minus the actual boot entries.

14 Grub 2 scripts
Typical Ubuntu scripts (note the numbering sequence):
00_header - script that loads GRUB settings from /etc/default/grub.
05_debian_theme - defines the background, colors and themes. Script name changes on other distros.
10_linux - loads the menu entries for the installed distribution.
20_memtest86+ - loads the memtest utility.
30_os-prober - script that scans the hard disks for other OSes and adds them to the boot menu.
40_custom - a template that you can use to create additional entries for the boot menu. This entry is never modified by automated OS detection.

15 Script examples
11_otherOS (must be executable: chmod +x /etc/grub.d/11_otherOS; stdout becomes grub.cfg, so progress messages go to stderr):
#!/bin/sh -e
echo "Adding my custom Linux to GRUB 2" >&2
cat << EOF
menuentry "My custom Linux" {
    set root=(hd0,5)
    linux /boot/vmlinuz
    initrd /boot/initrd.img
}
EOF

12_windows:
#!/bin/sh -e
echo "Adding Windows 8 to GRUB 2 menu" >&2
cat << EOF
menuentry "Windows 8" {
    set root=(hd0,1)
    chainloader (hd0,1)+1
}
EOF

16 Grub2 commands
update-grub no longer exists; grub(2)-mkconfig takes over the function.
grub2-mkconfig -o /boot/grub2/grub.cfg … generates grub.cfg
grub2-install /dev/sda … generates the MBR

17 Password protection
To specify a superuser, add the following lines in the /etc/grub.d/01_users file, where john is the name of the user designated as the superuser, and johnspassword is the superuser's password:
cat <<EOF
set superusers="john"
password john johnspassword
EOF
To allow other users to access the menu entries, add additional lines per user at the end of the /etc/grub.d/01_users file:
password jane janespassword
When the users and passwords are set up, specify the menu entries that should be password-protected in the /etc/grub.d/40_custom file in a similar fashion to the following:
menuentry 'Red Hat Enterprise Linux Server' --unrestricted {
    set root=(hd0,msdos1)
    linux /vmlinuz
}
menuentry 'Fedora' --users jane {
    set root=(hd0,msdos2)
    linux /vmlinuz
}
menuentry 'Red Hat Enterprise Linux Workstation' {
    set root=(hd0,msdos3)
    linux /vmlinuz
}
An --unrestricted entry boots without a password, a --users entry boots for the listed users (and the superuser), and an entry with neither option, like the Workstation one, only boots for the superuser.
Then recreate grub.cfg with grub2-mkconfig -o /boot/grub2/grub.cfg

18 Password encryption
To generate an encrypted password, run the grub2-mkpasswd-pbkdf2 command on the command line as root. Enter the desired password when prompted and repeat it. The command then outputs your password in an encrypted form. Copy the hash, and paste it in the template file where you configured the users, that is, in /etc/grub.d/01_users:
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha ED80F115963D984BDCB35AA671CC3E9B014D862DA6ACC77BC110EEDA87FD3700C037320E51ED53247EC0722DDF15FC.C56ECAD86CEAFEBC366A393DF9785A8F44D3E51BF09DB980BAFEF85281CBBC56778D8B19DC94833EA8342F7D73E3A1AA30B205091F1015A85
Generate grub.cfg with grub2-mkconfig -o /boot/grub2/grub.cfg
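A read-only audit of the two protection schemes on these slides (the GRUB legacy password and lock directives from slides 11 and 12, and the GRUB 2 superusers, password_pbkdf2 and --unrestricted settings from slides 17 and 18), added here as an example and not part of the original presentation. It reports a plaintext password where a hash is expected, a single-user entry that is not locked, a GRUB 2 config with no superuser or no pbkdf2 hash, and lists every entry that boots unchallenged. The function names and the sample configs written by write_samples are constructed for this example; the pbkdf2 value in the sample is a labelled placeholder, not a real hash.

```shell
# audit_grub_legacy FILE -> prints findings; returns 0 only if the config is protected
audit_grub_legacy() {
    f=$1; rc=0
    if ! grep -Eq '^[[:space:]]*password[[:space:]]' "$f"; then
        echo "FAIL: no global password directive"; rc=1
    elif ! grep -Eq '^[[:space:]]*password[[:space:]]+--(md5|encrypted)[[:space:]]' "$f"; then
        echo "FAIL: password stored in plaintext (use --md5/--encrypted from grub-crypt)"; rc=1
    else
        echo "OK: hashed global password present"
    fi
    # A title whose kernel line passes 'single' but that carries no 'lock' boots to a
    # root shell with no password prompt; report each such entry.
    awk '
        /^[ \t]*title/ { if (t != "" && s && !l) print "FAIL: single-user entry not locked: " t; t=$0; s=0; l=0; sub(/^[ \t]*title[ \t]*/, "", t) }
        /^[ \t]*kernel/ && /[ \t]single([ \t]|$)/ { s=1 }
        /^[ \t]*lock[ \t]*$/ { l=1 }
        END { if (t != "" && s && !l) print "FAIL: single-user entry not locked: " t }
    ' "$f" | grep . && rc=1
    return $rc
}

# audit_grub2 FILE -> same idea for a grub.cfg generated by grub2-mkconfig
audit_grub2() {
    f=$1; rc=0
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$f"; then
        echo "FAIL: no superusers set; menu editing is open to anyone at the console"; rc=1
    else
        echo "OK: superusers defined"
    fi
    if grep -Eq '^[[:space:]]*password[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+' "$f"; then
        echo "FAIL: plaintext password line found (use password_pbkdf2 from grub2-mkpasswd-pbkdf2)"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$f"; then
        echo "FAIL: no password_pbkdf2 line"; rc=1
    fi
    # Every --unrestricted entry boots without a password; list them for review.
    grep -E '^[[:space:]]*menuentry .*--unrestricted' "$f" | sed 's/^[[:space:]]*/INFO: unrestricted entry: /'
    return $rc
}

# Constructed sample configs (not from any real system) to exercise the audits.
write_samples() {
    dir=$1
    cat > "$dir/grub.conf.weak" <<'EOF'
default=0
timeout=15
password GrbPwd4SysAd$
title CentOS (maintenance)
        root (hd0,0)
        kernel /vmlinuz-2.6 ro root=/dev/sda2 single
        initrd /initramfs-2.6.img
EOF
    cat > "$dir/grub.conf.good" <<'EOF'
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C
title CentOS (maintenance)
        lock
        root (hd0,0)
        kernel /vmlinuz-2.6 ro root=/dev/sda2 single
        initrd /initramfs-2.6.img
EOF
    cat > "$dir/grub.cfg.good" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Red Hat Enterprise Linux Server' --unrestricted {
        set root=(hd0,msdos1)
        linux /vmlinuz
}
menuentry 'Fedora' --users jane {
        set root=(hd0,msdos2)
        linux /vmlinuz
}
EOF
}
```

Run it against the live files (audit_grub_legacy /boot/grub/grub.conf, audit_grub2 /boot/grub2/grub.cfg) after every regeneration: grub2-mkconfig rewrites grub.cfg from the /etc/grub.d scripts, so a superuser line removed from 01_users silently disappears from the generated file.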

19 See also
UEFI – see EFI shim. 32 vs 64 bit. Secure Boot.
Procedures vary.
Windows 7 dual boot: use bcdedit, a visual bcdedit tool, or EasyBCD.
Windows (XP and before) dual boot: in boot.ini, c:\linux.mbr="Linux" … where linux.mbr is the hd0 MBR

