Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ISO file builder for Rescue64 (UEFI) + GRUB #309

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

oom-is
Copy link

@oom-is oom-is commented Oct 29, 2019

This is a standalone set of files in images/isoFiles/ that adds a capability to take any
Rescue64 (nominally UEFI) .img.gz file created by the normal ./buildrescue Rescue64 and
turn it into a UEFI-bootable ISO image - no CSM required. The "xorriso" utility is used to
remaster the Rescue64 .img file into an ISO. (NOTE: "mtools" package also must be installed
on the host, to allow mmd and mcopy utils to be used to manipulate the efiboot.img file.)

Primary reason for this was to allow Rescue images on CD for environments that avoid USB
and/or like to have dedicated media that can't get overwritten.

Secondary purpose was to test the ability of GRUB v2.04 to support Trusted Boot with built-in
shim_lock modules etc. and without requiring the user/sysadmin to perform additional
cryptographic/cert signing. That part is untested.

This set of scripts is tested against DTA SEDutil 1.15.1 and makes no changes to the normal
build process, but simply adds a "cd" then two additional steps after the Rescue64 image is built:

    cd isoFiles
    ./buildgrub
    ./buildiso

This is a standalone set of files in images/isoFiles/ that adds a capability to take any
Rescue64 (nominally UEFI) .img.gz file created by the normal "./buildrescue Rescue64" and
turn it into a UEFI-bootable ISO image - no CSM required.  The "xorriso" utility is used to
remaster the Rescue64 .img file into an ISO.

Primary reason for this was to allow Rescue images on CD for environments that avoid USB
and/or like to have dedicated media that can't get overwritten.

Secondary purpose was to test the ability of GRUB v2.04 to support Trusted Boot with built-in
"shim_lock" modules etc. and without requiring the user/sysadmin to perform additional
cryptographic/cert signing.  That part is untested.

This set of scripts is tested against DTA SEDutil 1.15.1 and makes no changes to the normal
build process, but simply adds a "cd" then two additional steps after the Rescue64 image is built:
    cd isoFiles
    ./buildgrub
    ./buildiso
@oom-is
Copy link
Author

oom-is commented Oct 29, 2019

The corresponding UEFI-bootable ISO file built from the unmodified DTA v1.15.1 source is here:
https://github.com/oom-is/sedutil/releases/download/1.15.1/sedutil-1.15.1-Rescue64UEFIgrub.iso

@ChubbyAnt
Copy link

On an AMD Ryzen system, I imaged this iso to a USB, and it hang on boot at loading:

Loading bzImage... ok
Loading rootfs.cpio.xz... ok
[NOT BLINKING CURSOR]

This image may require nomodeset in cfg to boot on Ryzen systems.

@oom-is
Copy link
Author

oom-is commented Oct 29, 2019

@ChubbyAnt my pull request was against the vanilla/stock 1.15.1 source and the linked ISO was built using the Rescue64 img compiled from that source. It has all the flaws of the vanilla 1.15.1 build. (That's one of the reasons I left it with the ability to edit the GRUB command line, in case someone wanted to add kernel parameters etc. on the fly.)

Apologies I wasn't more specific; for Ryzen, updated kernel, etc. please take a look at the ISO image I included here for an ISO built with the updated LTS buildroot, SHA512, and other patches in my "integ" tree as of 20191015. I'm testing an updated "beta" with additional minor changes but haven't pushed it out yet.

@ChubbyAnt
Copy link

@oom-is by adding acpi=off and nomodeset to the cfg files I was able to boot this ISO image...

https://github.com/oom-is/sedutil/releases/download/1.15.1/sedutil-1.15.1-Rescue64UEFIgrub.iso

...on AMD Ryzen with Secure Boot disabled and CSM disabled.

Unfortunately, with Secure Boot enabled, it does not pass the Secure Boot test in the BIOS.

@ChubbyAnt
Copy link

ChubbyAnt commented Oct 29, 2019

@ChubbyAnt my pull request was against the vanilla/stock 1.15.1 source and the linked ISO was built using the Rescue64 img compiled from that source. It has all the flaws of the vanilla 1.15.1 build. (That's one of the reasons I left it with the ability to edit the GRUB command line, in case someone wanted to add kernel parameters etc. on the fly.)

Apologies I wasn't more specific; for Ryzen, updated kernel, etc. please take a look at the ISO image I included here for an ISO built with the updated LTS buildroot, SHA512, and other patches in my "integ" tree as of 20191015. I'm testing an updated "beta" with additional minor changes but haven't pushed it out yet.

@oom-is The Resuce64 linked above boots to GRUB menu select, then allows selection of SEDutil, all with CSM disabled, but does not work with Secure Boot enabled on an AMD Ryzen system.

Question: is the PBA loaded through this image the Syslinux PBA or a Grub-based PBA?

@oom-is
Copy link
Author

oom-is commented Oct 29, 2019

PBA loaded through this image, at present time, is still Syslinux-based.
This was an intermediate "let's see if this works" snapshot.
When I couldn't otherwise turn a Rescue64+UEFI+Syslinux(6.03)+Buildroot(current) img file into a bootable ISO, I decided to try to remaster with GRUB as a bootloader.

For one of my target environments a UEFI-bootable ISO was a hard requirement, and this at least gives us something to start from as we sort out how to tweak and support Secure Boot without additional localized PKI certificates or re-signing.

Syslinux 6.03 is still current-but-old, and I haven't found any magic dust to sprinkle on Grub 2.04 to actually/easily enable Secure Boot support. I'm starting to think that for my target environments I will simply deal with having a local CA sign the necessary EFI files and I'll get the corresponding keys/trust anchors enrolled in the TPMs. [Grub2Win discussion; Debian discussion]

As another avenue of attack towards bootloaders that could reasonably support Secure Boot and/or converting the existing Rescue64 build to grub-2.0x, there are clearly ways to build a bootloader as part of the Buildroot build, instead of compiling Syslinux separately. I haven't looked more at those (or tried to figure out why r0m30 was building Syslinux separately); my next focus is sorting out how to actually fully support multiuser with a non-Admin user (e.g. allow User1 to be activated, have a "common name" and user-specific password set, and then lock/unlock Locking Range 0 but limit other powers.) From what I can tell, even with --enableUser plus AddUserToLockingACEs it's still not possible to fully "utilize" a User1..UserX non-admin account.

@oom-is
Copy link
Author

oom-is commented Nov 1, 2019

See also (for more "this is a headache" background): https://github.com/ipxe/shimdemo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants