So, I want a setup like this:
SSD with GPT
/dev/sda1 - encrypted with dm-crypt/LUKS aes-cbc-essiv:sha256
/dev/mapper/crypt - LVM
/dev/MyStorage/rootvol - /
/dev/MyStorage/swapvol - SWAP
/dev/MyStorage/homevol - /home
Here is the tricky part....
I want GRUB2 and /boot on a CD-R
- How exactly can I do this?
I figure what I need is GRUB2 installed on the CD-R with grub/grub.cfg.. and stuff. Also, vmlinuz-linux, initramfs-linux.img, and initramfs-linux-fallback.img on the CD-R. I know all that vmlinuz-linux and initramfs will need to be compiled with all the "encrypt" and "lvm2" hooks in mkinitcpio.conf.
I figure I may also have a /boot LVM so I can use pacman to install new kernels then just copy the new vmlinuz-linux & initramfs to a new .iso and burn a new CD-R.
It seems I can use "grub-mkrescue" to create the .iso for the CD-R but how can I specify the vmlinuz-linux & initramfs that will be in the .iso..... Do I simply create the .iso with grub-mkrescue then edit the .iso and put the files in there then edit the grub.cfg?
(( Basically, the reason I want to do this is because I can not encrypt the bootloader or the /boot partition. So, I figure if I boot from read-only media then I don't have to worry about someone modifying the bootloader or kernel i.e. installing a rootkit >yes, yes, I know it is far more likely I would get attacked through an exploit in the running-unencrypted OS< it is just cool ))
Last edited by hunterthomson (2012-06-27 11:12:25)
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
NICE I figured it out
I'll write-up a clean and easy to understand Wiki for it.... maybe I'll just add it to the dm-crypt/LUKS wiki... or the GRUB2 wiki...
Any suggestions as to which wiki I should add it to?
I guess I could just create a new wiki and let the wiki moderators move it where they think it should be
Here is the raw uncut instructions...
mkdir /tmp/bootcd
mkdir /tmp/bootcd/boot
sudo cp -r /boot/* /tmp/bootcd/boot
sudo rm -r /tmp/bootcd/boot/lost+found
Edit /tmp/bootcd/boot/grub/grub.cfg
In that config you will see the word "root" to mean two different things. Sometimes it means the / partition and sometimes it means the /boot partition... you can use the commands "ls -l /dev/disk/by-uuid" and "df -h" to figure out what is what.
In the first part, the header section, you will see "set root=(hdX,gptX)". The first one is the / partition, so don't change that.
In the indented section you will see "set root=(hdX,gptX)" again. This is the /boot partition. Change this to: set root='(cd)'
Delete the "search --no-floppy bla bla" line after that.
Before
insmod part_gpt
insmod ext2
set root='(hd0,gpt3)'
search --no-floppy --fs-uuid --set=root a0axxxxxx-92a5-xxxx-881f-xxxxxxxxxxxx
if loadfont /usr/share/grub/unicode.pf2 ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  insmod part_gpt
  insmod ext2
  set root='(hd0,gpt2)'
  search --no-floppy --fs-uuid --set=root bxxxxxxxx-fxx2-4xx-8xxe-xxxxxxxxxxxx
  set locale_dir=($root)/grub/locale
  set lang=en_US
  insmod gettext
fi
After
insmod part_gpt
insmod ext2
set root='(hd0,gpt3)'
search --no-floppy --fs-uuid --set=root a0axxxxxx-92a5-xxxx-881f-xxxxxxxxxxxx
if loadfont /usr/share/grub/unicode.pf2 ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  insmod part_gpt
  insmod ext2
  set root='(cd)'
  set locale_dir=($root)/grub/locale
  set lang=en_US
  insmod gettext
fi
Next, in the menuentry section... like ### BEGIN /etc/grub.d/10_linux ###
For each menuentry
Change: set root='(hdX,gptX)'
To: set root='(cd)'
And delete the "search --no-floppy --fs-uuid bla bla bla" line after it
Then, you need to change the "linux" and "initrd" lines. You need to add /boot in front of both the /vmlinuz-linux and the /initramfs-linux.img
Before
menuentry 'Arch Linux, with Linux linux' --class archlinux --class gnu-linux --class gnu --class os {
  load_video
  set gfxpayload=keep
  insmod gzio
  insmod part_gpt
  insmod ext2
  set root='(hd0,gpt2)'
  search --no-floppy --fs-uuid --set=root bxxxxxxxx-fxx2-4xx-8xxe-xxxxxxxxxxxx
  echo 'Loading Linux linux ...'
  linux /vmlinuz-linux root=UUID=a0axxxxxx-92a5-xxxx-881f-xxxxxxxxxxxx ro quiet
  echo 'Loading initial ramdisk ...'
  initrd /initramfs-linux.img
}
menuentry 'Arch Linux, with Linux linux Fallback' --class archlinux --class gnu-linux --class gnu --class os {
  load_video
  set gfxpayload=keep
  insmod gzio
  insmod part_gpt
  insmod ext2
  set root='(hd0,gpt2)'
  search --no-floppy --fs-uuid --set=root bxxxxxxxx-fxx2-4xx-8xxe-xxxxxxxxxxxx
  echo 'Loading Linux linux ...'
  linux /vmlinuz-linux root=UUID=a0axxxxxx-92a5-xxxx-881f-xxxxxxxxxxxx ro quiet
  echo 'Loading initial ramdisk ...'
  initrd /initramfs-linux-fallback.img
}
After
menuentry 'Arch Linux, with Linux linux' --class archlinux --class gnu-linux --class gnu --class os {
  load_video
  set gfxpayload=keep
  insmod gzio
  insmod part_gpt
  insmod ext2
  set root='(cd)'
  echo 'Loading Linux linux ...'
  linux /boot/vmlinuz-linux root=UUID=a0axxxxxx-92a5-xxxx-881f-xxxxxxxxxxxx ro quiet
  echo 'Loading initial ramdisk ...'
  initrd /boot/initramfs-linux.img
}
menuentry 'Arch Linux, with Linux linux Fallback' --class archlinux --class gnu-linux --class gnu --class os {
  load_video
  set gfxpayload=keep
  insmod gzio
  insmod part_gpt
  insmod ext2
  set root='(cd)'
  echo 'Loading Linux linux ...'
  linux /boot/vmlinuz-linux root=UUID=a0axxxxxx-92a5-xxxx-881f-xxxxxxxxxxxx ro quiet
  echo 'Loading initial ramdisk ...'
  initrd /boot/initramfs-linux-fallback.img
}
Finally, create the boot.iso file with grub-mkrescue
grub-mkrescue --modules="linux ext2 fshelp ls boot pc part_gpt part_msdos vbe vga video_bochs video_cirrus ext2 gfxterm part_gpt gzio gfxmenu iso9660" --output boot.iso /tmp/bootcd
Test the boot disk with qemu or VirtualBox. As long as it drops you into the initramfs after it fails to find the /root partition you are golden.
Then, burn the ISO to a CD with like k3b or whatever.
Now, you have a fully secure read-only bootloader & kernel to go along with your full-disk encryption
Last edited by hunterthomson (2012-06-27 11:15:06)
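The grub.cfg edits above (point the /boot blocks at the CD, drop their search lines, prefix the kernel and initramfs paths with /boot, leave the header block that locates / untouched) can be automated. The following is an added example and not code from this thread; it uses awk rather than sed, takes the UUID of the /boot partition as its argument, and the sample config and UUIDs are constructed.

```shell
#!/bin/sh
# convert_grub_cfg BOOT_UUID  < grub.cfg  > grub.cfg.cd
# A "set root=" line immediately followed by a "search ... --set=root BOOT_UUID"
# line is a block that locates /boot: rewrite it to (cd) and drop the search.
# The header block that locates / carries a different UUID and is left alone.
convert_grub_cfg() {
    awk -v uuid="$1" '
    function flush() { if (pending != "") { print pending; pending = "" } }
    {
        if (pending != "" && index($0, "--set=root " uuid) > 0) {
            sub(/set root=.*/, "set root=\047(cd)\047", pending)
            flush(); next                       # the search line is dropped
        }
        flush()
        if ($0 ~ /^[ \t]*set root=/) { pending = $0; next }
        # kernel and initramfs sit under /boot on the CD: prefix the first "/"
        if ($0 ~ /^[ \t]*(linux|initrd)[ \t]+\// && $0 !~ /[ \t]\/boot\//)
            sub(/\//, "/boot/")
        print
    }
    END { flush() }'
}

# Constructed sample in the layout the post describes (UUIDs are made up):
# gpt3 is /, gpt2 is /boot.
sample_cfg() {
cat <<'EOF'
insmod part_gpt
insmod ext2
set root='(hd0,gpt3)'
search --no-floppy --fs-uuid --set=root aaaaaaaa-0000-4000-8000-000000000001
if loadfont /usr/share/grub/unicode.pf2 ; then
  set root='(hd0,gpt2)'
  search --no-floppy --fs-uuid --set=root bbbbbbbb-0000-4000-8000-000000000002
fi
menuentry 'Arch Linux' {
  set root='(hd0,gpt2)'
  search --no-floppy --fs-uuid --set=root bbbbbbbb-0000-4000-8000-000000000002
  linux /vmlinuz-linux root=UUID=aaaaaaaa-0000-4000-8000-000000000001 ro quiet
  initrd /initramfs-linux.img
}
EOF
}

# usage: sample_cfg | convert_grub_cfg bbbbbbbb-0000-4000-8000-000000000002
```

On a real system run it as `convert_grub_cfg "$(blkid -s UUID -o value /dev/sdaN)" < /boot/grub/grub.cfg > /tmp/bootcd/boot/grub/grub.cfg` with /dev/sdaN being the /boot partition, then check the result before running grub-mkrescue.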
BTW wouldn't you have to repeat this process for any kernel updates?
Yes, but you don't really have to do all of that. You can just use something like ISO Master to just put in the new kernel and initramfs's
I'll have the Wiki up by the end of the weekend. I want to play with it a little more to make sure the Wiki is as simple as possible.
I'll also write a little bash script with some sed magic to do it. I'll just ask the user what partition their /boot is on and a few seconds later grub-boot.iso will be ready for them to burn.... heck I could just have the script say: "please insert a CD/DVD-R and hit Enter" Then have the script burn the CD/DVD-R too.
Last edited by hunterthomson (2012-06-28 04:16:50)