CIS 228 Grub Basics and Boot Security


CIS 228 Grub Basics and Boot Security How we get there.

Physical security
- Lock it up!
- BIOS password
- Disable BIOS alternate boot devices
- Disable interactive boot: vi /etc/sysconfig/init, set PROMPT=no
- Password-protected GRUB boot
- Console locking: yum install vlock, xlock
- Lock the desktop GUI, or run no X Windows at all
- Disable Ctrl/Alt/Del (procedure varies)

Grand Unified Bootloader
- Replaces LILO, which replaced SYSLINUX, which replaced LOADLIN. You still see the latter on "live" and install CDs.
- Works differently from LILO in that configuration changes take effect automatically after an edit (LILO requires running a command to regenerate the MBR bootstrap).
- GRUB works in stages. The stage architecture allows GRUB to be large (~20-30K) and therefore fairly complex and highly configurable, compared to most bootloaders, which are sparse and simple so that they fit within the limitations of the partition table.
- Stage 1 is located in the MBR and points (chainloads) to Stage 2, since the MBR is too small to contain all of the needed data.
- Stage 2 points to the configuration file (/boot/grub/grub.conf -or- menu.lst), which contains the user interface and OS options. Stage 2 can be located anywhere on the disk.
- If Stage 2 cannot find its configuration file, GRUB stops the boot sequence and presents the user with a GRUB command line for manual configuration.
- Stage 1.5 also exists and may be used if the boot information is small enough to fit in the area immediately after the MBR.

Backup!
    dd if=/dev/sda of=/mnt/backup/linux.bin bs=512 count=1
        ... dd needs of=; the destination must be a mounted filesystem (here /mnt/backup is assumed to be where /dev/sdb1 is mounted), not the raw partition device
    cd /boot/grub/   (or /boot/grub2/)
    cp grub.cfg /mnt/backup/grub.cfg
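As an added example (not code from the slides), the POSIX shell functions below do the backup step and then check what was captured: they verify the 0x55AA boot signature at bytes 510-511, count the partition-table entries in the copy, and also offer a 446-byte bootstrap-only backup, because restoring all 512 bytes later would also overwrite the partition table. The sample sector built by make_sample_mbr is constructed for offline testing; the device and mount-point names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: MBR backup with verification (not the slides' own code).

# mbr_backup DEVICE OUTFILE: copy the first sector (446 bytes of bootstrap code,
# 64 bytes of partition table, 2 signature bytes) to OUTFILE.
mbr_backup() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# mbr_backup_bootcode DEVICE OUTFILE: copy only the 446 bootstrap bytes. Restoring
# this file with "dd ... bs=446 count=1" leaves the partition table untouched.
mbr_backup_bootcode() {
    dd if="$1" of="$2" bs=446 count=1 2>/dev/null
}

# mbr_signature_ok FILE: succeed only when bytes 510-511 are 0x55 0xAA.
mbr_signature_ok() {
    sig=$(od -An -tx1 -j 510 -N 2 "$1" 2>/dev/null | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# mbr_partition_count FILE: number of the four 16-byte table entries whose
# partition-type byte (offset 4 within the entry, table starts at byte 446) is non-zero.
mbr_partition_count() {
    count=0
    i=0
    while [ "$i" -lt 4 ]; do
        type=$(od -An -tx1 -j $((446 + 16 * i + 4)) -N 1 "$1" | tr -d ' \n')
        [ "$type" != "00" ] && count=$((count + 1))
        i=$((i + 1))
    done
    echo "$count"
}

# make_sample_mbr FILE: constructed 512-byte sector with one bootable Linux
# (type 0x83) partition entry and a valid signature, for offline testing only.
make_sample_mbr() {
    {
        dd if=/dev/zero bs=446 count=1 2>/dev/null                                   # bootstrap code area
        printf '\200\001\001\000\203\376\377\377\077\000\000\000\000\010\000\000'   # entry 1: boot flag 0x80, type 0x83
        dd if=/dev/zero bs=48 count=1 2>/dev/null                                    # entries 2-4 empty
        printf '\125\252'                                                            # 0x55 0xAA
    } > "$1"
}

# Usage on a real system (assumed names; the destination must be a mounted filesystem):
#   mbr_backup /dev/sda /mnt/backup/linux.bin && mbr_signature_ok /mnt/backup/linux.bin
```

Check the signature right after taking the copy: a backup that fails mbr_signature_ok was read from the wrong device or truncated, and is useless the day you need it.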

Grub versions: 0.97, 1.97, 1.98, 1.99, 2.0

Grub Configuration
/boot/grub/grub.conf -or- menu.lst. The following directives can also be placed on a single line.

Defaults section:
    default=0                                    ... default OS entry, counting from 0
    timeout=0                                    ... seconds allowed to hit the spacebar
    splashimage=(hd0,0)/boot/grub/splash.xpm.gz  ... boot display image, ESC to bypass
    hiddenmenu
    password --encrypted <hash>                  ... see the grub password slides

OS section:
    title <any string>
    root (hd0,0)                                 ... optional, where the OS image (kernel) is stored (hd0=sda, 0=partition 1)
    kernel /boot/vmlinuz-<version> <options> root=/dev/sda2   ... root= says where / is
      -or- kernel (hd0,0)/boot/vmlinuz-<version> <options> root=/dev/sda2
    initrd /boot/initramfs-<version>             (/boot/initrd-<version> in some distros)
      -or- initrd (hd0,0)/boot/initramfs-<version>
    lock                                         ... password-protected entry

For a non-Linux OS (e.g. Windows) or other non-compliant OSes:
    rootnoverify (hd0,0)
    chainloader (hd0,0)+1                        ... chain to the OS-specific boot loader (ntldr for Windows)

GRUB Command Line
You need to know the following:
- The partition containing the kernel (i.e. /boot): root, find commands
- The partition, path and filename of the initrd file (i.e. /boot); any initrd image must match the Linux kernel image
- Within that partition, the directory path and filename of the kernel
- The partition containing /sbin/init (i.e. root=/dev/sdaX on the kernel statement)
- The ESC key gets you to the command-line view past the splash screen

Example:
    The partition containing the kernel = /dev/sda1, or (hd0,0) in grub-speak (/dev/sda1 is the same partition as (hd0,0))
    Directory path and filename of the kernel = /vmlinuz-i686-up-4GB
    The partition containing /sbin/init is /dev/sda2

    grub> root (hd0,0)
    grub> kernel /vmlinuz-i686-up-4GB root=/dev/sda2
    grub> boot
-OR-
    grub> kernel (hd0,0)/vmlinuz-i686-up-4GB root=/dev/sda2
    grub> boot
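The configuration slide above and the rule that the initrd must match the kernel image are easy to get wrong by hand, and a stale initrd line is found only at the next reboot. As an added example (not from the slides), this POSIX shell/awk checker walks a GRUB Legacy grub.conf or menu.lst, compares the version suffix of each stanza's kernel and initrd, and warns when lock is used without a global password directive, since GRUB Legacy's lock command only refuses the entry once a password has been configured. It assumes distribution-style names (vmlinuz-<version>, initramfs-<version>.img or initrd-<version>.img); the sample file is constructed for the test, and its password hash is a placeholder.

```shell
#!/bin/sh
# Added example: consistency check for a GRUB Legacy grub.conf / menu.lst (not the slides' code).

# grub_conf_check FILE: print one line per "title" stanza, tab-separated:
#   OK        kernel and initrd carry the same version suffix
#   MISMATCH  initrd version differs from the kernel version
#   NOINITRD  kernel line but no initrd line
#   CHAIN     chainloader stanza (foreign OS), nothing to compare
#   NOKERNEL  neither kernel nor chainloader
# plus a WARN line when "lock" appears in a stanza but no global "password" is set.
grub_conf_check() {
    awk '
        function flush() {
            if (title != "") {
                if (chain)              status = "CHAIN"
                else if (kver == "")    status = "NOKERNEL"
                else if (iver == "")    status = "NOINITRD"
                else if (kver == iver)  status = "OK"
                else                    status = "MISMATCH"
                print status "\t" title
            }
            title = ""; kver = ""; iver = ""; chain = 0
        }
        /^[ \t]*title[ \t]/       { flush(); title = $0; sub(/^[ \t]*title[ \t]+/, "", title); next }
        /^[ \t]*password/         { if (title == "") haspw = 1 }      # global password, before any title
        /^[ \t]*lock[ \t]*$/      { if (title != "") haslock = 1 }
        /^[ \t]*chainloader[ \t]/ { chain = 1 }
        /^[ \t]*kernel[ \t]/      { kver = $2; sub(/.*vmlinuz-/, "", kver) }
        /^[ \t]*initrd[ \t]/      { iver = $2; sub(/.*\/init(rd|ramfs)-/, "", iver); sub(/\.img$/, "", iver) }
        END {
            flush()
            if (haslock && !haspw) print "WARN\tlock used but no password directive: lock has no effect"
        }
    ' "$1"
}

# make_sample_grub_conf FILE: constructed grub.conf; the second stanza deliberately
# pairs a 504 kernel with a 573 initramfs, and the password hash is a placeholder.
make_sample_grub_conf() {
    cat > "$1" <<'EOF'
default=0
timeout=5
hiddenmenu
password --encrypted $6$constructed$placeholderhash
title CentOS (2.6.32-573.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-573.el6.x86_64 ro root=/dev/sda2
    initrd /initramfs-2.6.32-573.el6.x86_64.img
title CentOS (2.6.32-504.el6.x86_64) single-user
    lock
    root (hd0,0)
    kernel /vmlinuz-2.6.32-504.el6.x86_64 ro root=/dev/sda2 single
    initrd /initramfs-2.6.32-573.el6.x86_64.img
title Windows
    rootnoverify (hd0,1)
    chainloader +1
EOF
}

# Usage: make_sample_grub_conf /tmp/grub.conf && grub_conf_check /tmp/grub.conf
# On a real system: grub_conf_check /boot/grub/grub.conf
```

The lock-without-password warning is the one to act on first: a maintenance-mode entry that looks locked but is not is exactly the gap the physical-security slide is about.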

Grub Command Line Example
Imagine a system in which /dev/hda1 is mounted as /boot, and /dev/hda9 is mounted as /. Within /boot the kernel filename is vmlinuz-i686-up-4GB. Now let's answer the questions (this example boots without an initrd):
1. The partition containing the kernel = /dev/hda1, or (hd0,0) in grub-speak
2. Within that partition, the directory path and filename of the kernel = /vmlinuz-i686-up-4GB (remember, /dev/hda1 is mounted directly at /boot, so it contains the kernel directly)
3. The partition containing /sbin/init is /dev/hda9

In that case, here are the grub commands you would input to boot that system:
    grub> root (hd0,0)
    grub> kernel /vmlinuz-i686-up-4GB root=/dev/hda9
    grub> boot

Boot Options
Boot a foreign-language distro:
    grub> root (hd0,0)
    grub> kernel /vmlinuz-i686-up-4GB root=/dev/sda2 lang=us
    grub> boot
Single partition (/boot is a directory on /):
    grub> root (hd0,0)
    grub> kernel /boot/vmlinuz-i686-up-4GB root=/dev/sda1
    grub> boot
Maintenance mode:
    grub> root (hd0,0)
    grub> kernel /boot/vmlinuz-i686-up-4GB root=/dev/sda1 single
    grub> boot
Unknown OS (locate the pieces first):
    grub> root (hd0,0)
    grub> find /sbin/init
    grub> find /vmlinuz*
    grub> find /boot/vmlinuz*
    grub> kernel (hd0,0)/vmlinuz

(Re)generating the MBR
LINUX:
- update-grub: front end to grub(2)-mkconfig
- grub-install /dev/sda
- grub-install --root-directory=/boot /dev/sda
- Find an unknown OS and rewrite the MBR from the GRUB shell:
    grub> find /boot/grub/stage1
    grub> root (hdX,Y)
    grub> setup (hd0)   ... writes the MBR
    grub> quit
- ms-sys ... writes a Windows MBR from LINUX
- dd backup? (restore the saved MBR copy)
Windows:
- fdisk /mbr (DOS)
- bootsect (Win 7)
- fixmbr (XP)
- bootrec /fixmbr (Vista/Win 7)

Grub password
/etc/grub.conf:
    default=0
    timeout=15
    password GrbPwd4SysAd$
Use the up-arrow and down-arrow keys to select which entry is highlighted. Press enter to boot the selected OS or 'p' to enter a password to unlock the next set of features.
The "lock" directive (under title) prevents insecure booting of a system, e.g. into maintenance mode, without the password.

Generating the password
    # grub-crypt
    Password: GrbPwd4SysAd$
    Retype password: GrbPwd4SysAd$
    ^9^32kwzzX./3WISQ0C
/etc/grub.conf:
    default=0
    timeout=15
    password --encrypted ^9^32kwzzX./3WISQ0C
Also: grub-crypt --sha-256, grub-crypt --md5 -OR- grub-md5-crypt, or from the GRUB shell: grub> md5crypt

Grub 2
- Now with Debian/Ubuntu 9.10 (1.97), 11.10 (1.98), 12.04 (1.99), Fedora Core 16.
- Script driven.
- Requires running update-grub after edits to regenerate the configuration, much as LILO requires a command after editing.
- Password protection procedures are more complex; in beta on 1.97 and 1.98, limited in Ubuntu 12.04 LTS.
- The Shift key gets you to the command-line display past the splash screen (replaces ESC in Grub 1).
- Partition numbering begins with 1, not 0 as in Grub 1. Hard drive numbering remains the same.
- GRUB 2 places files in three locations:
    /boot/grub2/grub.cfg - main configuration file that replaces menu.lst/grub.conf. DO NOT EDIT!
    /etc/grub.d/ - directory containing the (bash) GRUB scripts used as building blocks for the grub.cfg file built with the update-grub command.
    /etc/default/grub - contains GRUB 2 menu settings read by the GRUB scripts and written into grub.cfg. The customizable part of GRUB, similar to the old menu.lst/grub.conf minus the actual boot entries.
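The two naming schemes above (the command-line slide's "/dev/sda1 is the same partition as (hd0,0)" and GRUB 2's 1-based partition numbers) are a common source of typed-in-the-wrong-system errors. As an added example (not code from the slides), these POSIX shell functions translate in both directions. They assume, as the slides do, that BIOS disk order matches the kernel's (hd0 = sda, hd1 = sdb); on a machine where /boot/grub/device.map says otherwise, that file wins.

```shell
#!/bin/sh
# Added example: kernel device name <-> GRUB device name (not the slides' code).
# Assumes hd0=sda, hd1=sdb, ... (BIOS order equals kernel order).

# dev_to_grub DEVICE STYLE
#   STYLE=legacy: /dev/sda1 -> (hd0,0)       (GRUB Legacy counts partitions from 0)
#   STYLE=grub2:  /dev/sda1 -> (hd0,msdos1)  (GRUB 2 counts partitions from 1)
dev_to_grub() {
    dev=${1#/dev/}
    case "$dev" in
        [sh]d[a-z]*) ;;
        *) echo "unsupported device name: $1" >&2; return 1 ;;
    esac
    letter=$(printf '%s' "$dev" | cut -c3)
    part=$(printf '%s' "$dev" | cut -c4-)
    disk=$(awk -v l="$letter" 'BEGIN { print index("abcdefghijklmnopqrstuvwxyz", l) - 1 }')
    if [ -z "$part" ]; then
        printf '(hd%s)\n' "$disk"      # whole disk, e.g. for grub-install or setup
        return 0
    fi
    case "$2" in
        legacy) printf '(hd%s,%s)\n' "$disk" "$((part - 1))" ;;
        grub2)  printf '(hd%s,msdos%s)\n' "$disk" "$part" ;;
        *) echo "style must be legacy or grub2" >&2; return 1 ;;
    esac
}

# grub_to_dev SPEC: the reverse. "(hd1,2)" is read as Legacy (0-based) and
# "(hd1,msdos3)" or "(hd1,gpt3)" as GRUB 2 (1-based); both yield /dev/sdb3.
grub_to_dev() {
    spec=${1#\(}
    spec=${spec%\)}
    disk=${spec%%,*}
    part=${spec#*,}
    [ "$part" = "$spec" ] && part=""   # no comma: whole-disk spec
    n=${disk#hd}
    letter=$(printf '%s' abcdefghijklmnopqrstuvwxyz | cut -c"$((n + 1))")
    case "$part" in
        "")          printf '/dev/sd%s\n' "$letter" ;;
        msdos*|gpt*) num=${part#msdos}; num=${num#gpt}; printf '/dev/sd%s%s\n' "$letter" "$num" ;;
        *)           printf '/dev/sd%s%s\n' "$letter" "$((part + 1))" ;;
    esac
}

# Usage: dev_to_grub /dev/sdb3 legacy   -> (hd1,2)
#        dev_to_grub /dev/sdb3 grub2    -> (hd1,msdos3)
#        grub_to_dev '(hd0,msdos2)'     -> /dev/sda2
```

Names such as /dev/nvme0n1p1 are rejected rather than guessed, because their BIOS disk number cannot be derived from the name at all.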

Grub 2 scripts
Typical Ubuntu scripts (note the numbering sequence):
- 00_header: script that loads GRUB settings from /etc/default/grub.
- 05_debian_theme: defines the background, colors and themes. The script name changes on other distros.
- 10_linux: loads the menu entries for the installed distribution.
- 20_memtest86+: loads the memtest utility.
- 30_os-prober: script that scans the hard disks for other OSes and adds them to the boot menu.
- 40_custom: a template that you can use to create additional entries for the boot menu. This entry is never modified by automated OS detection.

Script examples (status messages go to stderr with >&2; everything a script writes to stdout becomes part of grub.cfg):

11_otherOS:
#!/bin/sh -e
echo "Adding my custom Linux to GRUB 2" >&2
cat << EOF
menuentry "My custom Linux" {
    set root=(hd0,5)
    linux /boot/vmlinuz
    initrd /boot/initrd.img
}
EOF

12_windows:
#!/bin/sh -e
echo "Adding Windows 8 to GRUB 2 menu" >&2
cat << EOF
menuentry "Windows 8" {
    set root=(hd0,1)
    chainloader (hd0,1)+1
}
EOF

Grub2 commands
- update-grub no longer exists; grub(2)-mkconfig takes over the function
- grub(2)-mkconfig -o /boot/grub2/grub.cfg   ... generates grub.cfg
- grub(2)-install /dev/sda                   ... writes the MBR
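To make the script ordering and the generate step concrete, here is an added example (not the slides' code and not the GRUB project's grub-mkconfig) of a minimal stand-in for what grub-mkconfig does with /etc/grub.d: run the scripts in glob order, skip files that are not executable and editor or package backups (*~, *.dpkg-*, *.rpmsave, *.rpmnew), and concatenate their stdout between BEGIN/END markers. The sample directory is constructed from the two scripts on the previous slide, with 12_windows deliberately left without the execute bit, which is the usual reason a new entry "does not show up". Scripts are started via sh here so the demo also runs on a noexec /tmp; grub-mkconfig executes the files directly.

```shell
#!/bin/sh
# Added example: minimal grub-mkconfig look-alike for /etc/grub.d (not the slides' code).

# grubd_order DIR: list scripts in run order, marking those grub-mkconfig would skip.
grubd_order() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in
            *~|*.dpkg-*|*.rpmsave|*.rpmnew) echo "SKIP $name (backup file)"; continue ;;
        esac
        if [ -x "$f" ]; then echo "RUN  $name"; else echo "SKIP $name (not executable)"; fi
    done
}

# grubd_render DIR: concatenate the stdout of every runnable script, wrapped in the
# BEGIN/END markers grub.cfg uses. Only stdout is collected, so status messages
# printed with >&2 never end up in the config.
grubd_render() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        case "$name" in *~|*.dpkg-*|*.rpmsave|*.rpmnew) continue ;; esac
        echo "### BEGIN $name ###"
        sh "$f"
        echo "### END $name ###"
    done
}

# make_sample_grubd DIR: constructed /etc/grub.d look-alike with the two scripts
# from the slides. 12_windows is left non-executable on purpose.
make_sample_grubd() {
    mkdir -p "$1"
    printf '#!/bin/sh\necho "set timeout=5"\n' > "$1/00_header"
    cat > "$1/11_otherOS" <<'EOF'
#!/bin/sh -e
echo "Adding my custom Linux to GRUB 2" >&2
cat << END
menuentry "My custom Linux" {
    set root=(hd0,5)
    linux /boot/vmlinuz
    initrd /boot/initrd.img
}
END
EOF
    cat > "$1/12_windows" <<'EOF'
#!/bin/sh -e
echo "Adding Windows 8 to GRUB 2 menu" >&2
cat << END
menuentry "Windows 8" {
    set root=(hd0,1)
    chainloader (hd0,1)+1
}
END
EOF
    : > "$1/40_custom~"                       # editor backup: skipped by name
    chmod +x "$1/00_header" "$1/11_otherOS" "$1/40_custom~"
}

# Usage: d=$(mktemp -d); make_sample_grubd "$d"; grubd_order "$d"; grubd_render "$d" > "$d/grub.cfg"
```

Running grubd_order against the real /etc/grub.d before grub2-mkconfig is a quick way to see which custom scripts will actually contribute entries.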

Password protection
To specify a superuser, add the following lines in the /etc/grub.d/01_users file, where john is the name of the user designated as the superuser, and johnspassword is the superuser's password:

cat <<EOF
set superusers="john"
password john johnspassword
EOF

To allow other users to access the menu entries, add additional lines per user at the end of the /etc/grub.d/01_users file:

password jane janespassword

When the users and passwords are set up, specify the menu entries that should be password-protected in the /etc/grub.d/40_custom file in a similar fashion to the following (each entry needs its closing brace):

menuentry 'Red Hat Enterprise Linux Server' --unrestricted {
    set root=(hd0,msdos1)
    linux /vmlinuz
}
menuentry 'Fedora' --users jane {
    set root=(hd0,msdos2)
    linux /vmlinuz
}
menuentry 'Red Hat Enterprise Linux Workstation' {
    set root=(hd0,msdos3)
    linux /vmlinuz
}

Then recreate grub.cfg with grub2-mkconfig -o /boot/grub2/grub.cfg

Password encryption
To generate an encrypted password, run the grub2-mkpasswd-pbkdf2 command on the command line as root. Enter the desired password when prompted and repeat it. The command then outputs your password in hashed (PBKDF2) form. Copy the hash and paste it into the template file where you configured the users, that is, /etc/grub.d/01_users:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.19074739ED80F115963D984BDCB35AA671C24325755377C3E9B014D862DA6ACC77BC110EED41822800A87FD3700C037320E51E9326188D53247EC0722DDF15FC.C56EC0738911AD86CEA55546139FEBC366A393DF9785A8F44D3E51BF09DB980BAFEF85281CBBC56778D8B19DC94833EA8342F7D73E3A1AA30B205091F1015A85

Generate grub.cfg with grub2-mkconfig -o /boot/grub2/grub.cfg
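The two password slides describe three access classes for GRUB 2 entries: with set superusers present, an entry with neither flag can be booted only by a superuser, --users adds the named users, and --unrestricted admits everyone. As an added example (not code from the slides or the GRUB project), this POSIX shell/awk audit reads a generated grub.cfg (or the 01_users and 40_custom fragments concatenated) and reports each entry's class, warning when no superusers line exists, when --users names a user with no password line, and when plaintext password lines are still in use instead of password_pbkdf2. The sample configuration is constructed from the previous slide's entries; its PBKDF2 hashes are placeholders.

```shell
#!/bin/sh
# Added example: audit who may boot each GRUB 2 menuentry (not the slides' code).

# grub2_entry_audit FILE: one "<class>\t<title>" line per menuentry, plus WARN lines.
#   unrestricted    --unrestricted: anyone can boot it
#   users:NAMES     --users NAMES: those users plus the superusers
#   superuser-only  neither flag: only superusers, provided "set superusers" exists
grub2_entry_audit() {
    awk '
        /^[ \t]*set[ \t]+superusers=/   { su = 1 }
        /^[ \t]*password[ \t]/          { plain++; defined[$2] = 1 }   # plaintext "password user pw"
        /^[ \t]*password_pbkdf2[ \t]/   { defined[$2] = 1 }
        /^[ \t]*menuentry[ \t]/ {
            rest = $0; sub(/^[ \t]*menuentry[ \t]+/, "", rest)
            if (match(rest, /^("[^"]*"|'\''[^'\'']*'\'')/)) {
                name = substr(rest, RSTART + 1, RLENGTH - 2)        # strip the quotes
            } else {
                name = rest; sub(/[ \t].*/, "", name)
            }
            if ($0 ~ /--unrestricted/) {
                cls = "unrestricted"
            } else if (match($0, /--users[ \t]+[^ \t{]+/)) {
                ulist = substr($0, RSTART, RLENGTH); sub(/--users[ \t]+/, "", ulist)
                cls = "users:" ulist
                n = split(ulist, u, ",")
                for (i = 1; i <= n; i++)
                    if (!(u[i] in defined))
                        print "WARN\t--users names " u[i] " but no password line defines it"
            } else {
                cls = "superuser-only"
            }
            print cls "\t" name
        }
        END {
            if (!su) print "WARN\tno superusers set: every entry can be booted and edited"
            if (plain) print "WARN\t" plain " plaintext password line(s); prefer password_pbkdf2"
        }
    ' "$1"
}

# make_sample_grub2_cfg FILE: constructed config built from the slides'\'' entries;
# the hash fields are placeholders, not real grub2-mkpasswd-pbkdf2 output.
make_sample_grub2_cfg() {
    cat > "$1" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
password_pbkdf2 jane grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
menuentry 'Red Hat Enterprise Linux Server' --unrestricted {
    set root=(hd0,msdos1)
    linux /vmlinuz
}
menuentry 'Fedora' --users jane {
    set root=(hd0,msdos2)
    linux /vmlinuz
}
menuentry 'Red Hat Enterprise Linux Workstation' {
    set root=(hd0,msdos3)
    linux /vmlinuz
}
EOF
}

# Usage: make_sample_grub2_cfg /tmp/grub.cfg && grub2_entry_audit /tmp/grub.cfg
# On a real system: grub2_entry_audit /boot/grub2/grub.cfg
```

Run it against the generated grub.cfg rather than the fragments when possible: that is the file GRUB actually reads, and it shows whether 30_os-prober added entries that silently became superuser-only.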

See also
- UEFI: see the EFI shim. 32 vs 64 bit. Secure Boot procedures vary.
- Windows 7 dual boot: use bcdedit, the visual bcdedit tool, or EasyBCD.
- Windows (XP and before) dual boot: in boot.ini, c:\linux.mbr="Linux" ... where linux.mbr is the hd0 MBR.