GRUB: Difference between revisions

From 15h.org
Created page with "GRUB can be added to SeaBIOS as a floppy image to provide a bug-free bootloader stored in the CBFS. GRUB can be used to verify kernel/initrd integrity and/or to support encrypted /boot partitions. == Debian 13, Signed Kernel/Initrd == Debian can be configured to auto-sign the installed kernel/initrd. This setup is done as the root user. '''Dependencies''' <nowiki> apt install gpg</nowiki> '''Generate the signing key''' <nowiki> gpg --full-gen-key</nowiki> * Use RSA..."

No edit summary

Both revisions keep the same opening paragraph:

GRUB can be added to SeaBIOS as a floppy image to provide a bug-free bootloader stored in the CBFS. GRUB can be used to verify kernel/initrd integrity and/or to support encrypted /boot partitions.

Removed in this revision (the Debian 13 signing setup; the new revision links to [[Debian Signed Boot]] in its place):

== Debian 13, Signed Kernel/Initrd ==
Debian can be configured to auto-sign the installed kernel/initrd. This setup is done as the root user.

'''Dependencies'''
<nowiki>
apt install gpg</nowiki>

'''Generate the signing key'''
<nowiki>
gpg --full-gen-key</nowiki>
* Use RSA (sign only)
* Use 4096 bits
* Set the key to never expire

<nowiki>
gpg --export > boot.key</nowiki>

'''Setup auto-signing'''
<nowiki>
mkdir -p /etc/initramfs/post-update.d/
vim /etc/initramfs/post-update.d/sign_image</nowiki>

<nowiki>
#!/bin/sh
# initramfs post-update hook: $1 is the kernel version, $2 the initramfs path
image=$2

if [ -f "${image}.sig" ]; then
echo "Removing ${image}.sig"
rm "${image}.sig"
fi

echo "Signing ${image}"
/usr/bin/gpg --detach-sign "${image}" || exit

mkdir -p /boot/latest
cp -v "${image}" /boot/latest/initrd.img
cp -v "${image}.sig" /boot/latest/initrd.img.sig</nowiki>

<nowiki>
chmod +x /etc/initramfs/post-update.d/sign_image</nowiki>

<nowiki>
vim /etc/kernel/postinst.d/sign_image</nowiki>

<nowiki>
#!/bin/sh
# kernel postinst hook: $1 is the kernel version, $2 the kernel image path
image=$2

if [ -f "${image}.sig" ]; then
echo "Removing ${image}.sig"
rm "${image}.sig"
fi

echo "Signing ${image}"
/usr/bin/gpg --detach-sign "${image}" || exit

mkdir -p /boot/latest
cp -v "${image}" /boot/latest/vmlinuz
cp -v "${image}.sig" /boot/latest/vmlinuz.sig</nowiki>

<nowiki>
chmod +x /etc/kernel/postinst.d/sign_image</nowiki>

'''Reinstall your kernel'''
<nowiki>
# Find your kernel package
dpkg --list | grep linux-image
# Reinstall your kernel, e.g.:
apt install --mark-auto --reinstall linux-image-6.12.63+deb13-amd64</nowiki>

You should find these messages in the output if everything is set up correctly:
<nowiki>
Signing /boot/initrd.img-6.12.63+deb13-amd64
'/boot/initrd.img-6.12.63+deb13-amd64' -> '/boot/latest/initrd.img'
'/boot/initrd.img-6.12.63+deb13-amd64.sig' -> '/boot/latest/initrd.img.sig'

Signing /boot/vmlinuz-6.12.63+deb13-amd64
'/boot/vmlinuz-6.12.63+deb13-amd64' -> '/boot/latest/vmlinuz'
'/boot/vmlinuz-6.12.63+deb13-amd64.sig' -> '/boot/latest/vmlinuz.sig'</nowiki>

Added in this revision: the == Verifying /boot == section with the link * [[Debian Signed Boot]], the '''grub.cfg''' heading and the example grub.cfg. That is the current revision, rendered below under "Revision as of 05:02, 19 January 2026".

Revision as of 05:02, 19 January 2026

GRUB can be added to SeaBIOS as a floppy image to provide a bug-free bootloader stored in the CBFS. GRUB can be used to verify kernel/initrd integrity and/or to support encrypted /boot partitions.

Verifying /boot

If you have GPG signed files in /boot, GRUB can verify them each boot to prevent tampering.

grub.cfg

Review your system's current grub.cfg (/boot/grub/grub.cfg) to find your root UUID and any other information you need. All necessary modules must be loaded before your GPG key is loaded with trust. Here is an example grub.cfg used on Debian 13.

insmod part_gpt
insmod crypto
insmod cryptodisk
insmod geli
insmod ufs2     
insmod search
insmod search_label
insmod usb_keyboard
insmod echo
insmod ls
insmod cat      
insmod test     
insmod configfile
insmod bsd
insmod reboot
insmod pbkdf2
insmod password
insmod password_pbkdf2
insmod gcry_rsa 
insmod gcry_sha512
insmod gcry_rijndael 
insmod verifiers
insmod play     
insmod part_msdos
insmod mdraid1x
insmod lvm
insmod ext2
insmod diskfilter
insmod gzio
insmod ntfs
insmod linux
insmod drivemap
insmod chain
insmod loopback

trust /boot/grub/boot.key

set timeout_style=menu
set timeout=5

play 480 440 1

menuentry 'Debian GNU/Linux (signed)' {
        set check_signatures=enforce
        search --no-floppy --fs-uuid --set=root xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

        echo    'Loading Linux ...'
        linux   /boot/latest/vmlinuz root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ro
        echo    'Loading initial ramdisk ...'
        initrd  /boot/latest/initrd.img
}

menuentry 'Debian GNU/Linux (unsigned)' {
        set check_signatures=no
        search --no-floppy --fs-uuid --set=root xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

        echo    'Loading Linux ...'
        linux   /boot/latest/vmlinuz root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ro
        echo    'Loading initial ramdisk ...'
        initrd  /boot/latest/initrd.img
}
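As an added check (my example, not code from the wiki page), this POSIX sh script audits a grub.cfg for the enforcement configured above: it confirms that a trust line loads a key and reports every menuentry with the check_signatures mode in effect, so an entry that boots without verification, like the unsigned fallback, shows up as WEAK. It also honours a check_signatures set at top level, which later entries inherit. The file path and the sample config are constructed for the example.

```shell
# Audit a grub.cfg for GRUB signature enforcement (added example, not from the
# wiki). Prints one line per menuentry: OK/WEAK, entry name, mode in effect.
# Exit status 0 only if a key is trusted and every entry enforces signatures.
audit_grubcfg() {
    awk '
        /^[ \t]*trust[ \t]/ { trusted = 1 }                    # key loaded
        !inentry && /check_signatures=/ { global = value($0) }  # inherited
        /^[ \t]*menuentry[ \t]/ {
            entry = $0
            sub(/^[ \t]*menuentry[ \t]+/, "", entry)
            sub(/[ \t]*[{][ \t]*$/, "", entry)
            mode = (global != "") ? global : "(not set)"
            inentry = 1
            next
        }
        inentry && /check_signatures=/ { mode = value($0) }
        inentry && /^[ \t]*}/ {
            status = (trusted && mode == "enforce") ? "OK" : "WEAK"
            printf "%s\t%s\tcheck_signatures=%s\n", status, entry, mode
            if (status == "WEAK") weak = 1
            inentry = 0
        }
        function value(line) {          # extract the value after check_signatures=
            sub(/.*check_signatures=/, "", line)
            sub(/[ \t].*$/, "", line)
            return line
        }
        END {
            if (!trusted) { print "WEAK\t(no trust line, no key loaded)"; weak = 1 }
            exit (weak ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample mirroring the page's grub.cfg: one enforcing entry and
# one fallback entry that disables verification. Written to the given path.
make_sample_cfg() {
    cat > "$1" <<'EOF'
trust /boot/grub/boot.key
menuentry 'Debian GNU/Linux (signed)' {
        set check_signatures=enforce
        linux /boot/latest/vmlinuz ro
}
menuentry 'Debian GNU/Linux (unsigned)' {
        set check_signatures=no
        linux /boot/latest/vmlinuz ro
}
EOF
}
```

Run it against the real file with audit_grubcfg /boot/grub/grub.cfg (or the copy embedded in your CBFS floppy image).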