* Encrypted boot partition
@ 2010-07-18  8:45 James Courtier-Dutton
  2010-07-18  9:36 ` Duboucher Thomas
  0 siblings, 1 reply; 7+ messages in thread
From: James Courtier-Dutton @ 2010-07-18  8:45 UTC (permalink / raw)
  To: grub-devel

Hi,

Is there any encryption support in grub?

I would like to encrypt the boot partition, and let someone type the
password into the grub boot screens.
So, one would then get:
1) Switch PC on.
2) Type in password
3) Grub Boot menu.

The reason to encrypt the boot partition is to make tampering more difficult.
One then only has to do integrity assurance on the small grub loader
up until the grub boot menu.

I know that one method to reach this integrity is to use a read-only
USB boot memory stick that contains grub and the Linux kernel images,
then only needing the "root" partition to be encrypted.
Boot times are quicker if it can read the kernel/initrd images from
the HD instead of the USB memory stick.
This would also have the advantage that a single usb boot memory stick
could then be able to boot different machines, that might have
different kernels, using the same usb stick.

The usb stick is used to provide the integrity assurance on the small
grub loader in the following scenario.
1) User keeps USB stick at all times. The USB stick is set to read
only, so cannot be tampered with easily.
2) Laptop may be left un-attended when powered off.
3) User returns to laptop, and uses USB stick to boot it.

Summary:
Permit grub boot menu to be in LUKS encrypted partition.

Kind Regards

James



* Re: Encrypted boot partition
  2010-07-18  8:45 Encrypted boot partition James Courtier-Dutton
@ 2010-07-18  9:36 ` Duboucher Thomas
  2010-07-18 16:04   ` Grub update? Henry W. Peters
  0 siblings, 1 reply; 7+ messages in thread
From: Duboucher Thomas @ 2010-07-18  9:36 UTC (permalink / raw)
  To: grub-devel

On 18/07/2010 10:45, James Courtier-Dutton wrote:
> Hi,
> 
> Is there any encryption support in grub?
> 
> Summary:
> Permit grub boot menu to be in LUKS encrypted partition.
> 
> Kind Regards
> 
> James
> 

	There was a patch that added LUKS support to Grub2[1] that I've been
using for some time, but it's a little old now. ;)

	Thomas.

[1] http://michael.gorven.za.net/cgi-bin/hgwebdir.fcgi/grub/luks-old/




* Grub update?
  2010-07-18  9:36 ` Duboucher Thomas
@ 2010-07-18 16:04   ` Henry W. Peters
  2010-07-18 17:42     ` Colin Watson
  0 siblings, 1 reply; 7+ messages in thread
From: Henry W. Peters @ 2010-07-18 16:04 UTC (permalink / raw)
  To: grub-devel

Running Debian Squeeze. Just got an update, & now my terminal is hung up 
with the following message:


Configuring grub-pc ├──────────────────────────┐
  │                                                                           │
  │ which devices you'd like grub-install to be automatically run for, if
  │ any.
  │
  │ It is recommended that you do this in most situations, to prevent the
  │ installed GRUB from getting out of sync with other components such as
  │ grub.cfg or with newer Linux images it will have to load.
  │
  │ If you're unsure which drive is designated as boot drive by your BIOS,
  │ it is often a good idea to install GRUB to all of them.
  │
  │ Note: It is possible to install GRUB to partition boot records as well,
  │ and some appropriate partitions are offered here.  However, this forces
  │ GRUB to use the blocklist mechanism, which makes it less reliable, and
  │ therefore is not recommended.
  │
  │ <Ok>
  │

No options are given, the "<Ok> " is not a real return button. I tried 
restarting (had to give password to do so)... & then re updating, it 
goes back to this same message & hangs up. It's been about 20 minutes 
now... I only have two HD's. What to do?


Thanks.
Henry




* Re: Grub update?
  2010-07-18 16:04   ` Grub update? Henry W. Peters
@ 2010-07-18 17:42     ` Colin Watson
  2010-07-18 18:01       ` Henry W. Peters
  0 siblings, 1 reply; 7+ messages in thread
From: Colin Watson @ 2010-07-18 17:42 UTC (permalink / raw)
  To: The development of GNU GRUB

On Sun, Jul 18, 2010 at 12:04:55PM -0400, Henry W. Peters wrote:
> Running Debian Squeeze. Just got an update, & now my terminal is hung up  
> with the following message:
>
>
> Configuring grub-pc ├──────────────────────────┐
>  │                                                                           │
>  │ which devices you'd like grub-install to be automatically run for, if
>  │ any.
>  │
>  │ It is recommended that you do this in most situations, to prevent the
>  │ installed GRUB from getting out of sync with other components such as
>  │ grub.cfg or with newer Linux images it will have to load.
>  │
>  │ If you're unsure which drive is designated as boot drive by your BIOS,
>  │ it is often a good idea to install GRUB to all of them.
>  │
>  │ Note: It is possible to install GRUB to partition boot records as well,
>  │ and some appropriate partitions are offered here.  However, this forces
>  │ GRUB to use the blocklist mechanism, which makes it less reliable, and
>  │ therefore is not recommended.
>  │
>  │ <Ok>
>  │
>
> No options are given, the "<Ok> " is not a real return button. I tried  
> restarting (had to give password to do so)... & then re updating, it  
> goes back to this same message & hangs up. It's been about 20 minutes  
> now... I only have two HD's. What to do?

The next screen after that should have a set of drives to select; this
has worked perfectly in my testing.  If it doesn't then that's a problem
at some other layer ...

(You may have to use Tab to get to the OK button before pressing Return,
or something.)

In any case, this isn't really a GRUB problem, but more a problem with
Debian; you should ask about it in some Debian context, perhaps
debian-user.

-- 
Colin Watson                                       [cjwatson@ubuntu.com]



* Re: Grub update?
  2010-07-18 17:42     ` Colin Watson
@ 2010-07-18 18:01       ` Henry W. Peters
  2010-07-18 18:11         ` Colin Watson
  0 siblings, 1 reply; 7+ messages in thread
From: Henry W. Peters @ 2010-07-18 18:01 UTC (permalink / raw)
  To: The development of GNU GRUB



On 07/18/2010 01:42 PM, Colin Watson wrote:
> On Sun, Jul 18, 2010 at 12:04:55PM -0400, Henry W. Peters wrote:
>    
>> Running Debian Squeeze. Just got an update, & now my terminal is hung up
>> with the following message:
>>
>>
>> Configuring grub-pc ├──────────────────────────┐
>>   │                                                                           │
>>   │ which devices you'd like grub-install to be automatically run for, if
>>   │ any.
>>   │
>>   │ It is recommended that you do this in most situations, to prevent the
>>   │ installed GRUB from getting out of sync with other components such as
>>   │ grub.cfg or with newer Linux images it will have to load.
>>   │
>>   │ If you're unsure which drive is designated as boot drive by your BIOS,
>>   │ it is often a good idea to install GRUB to all of them.
>>   │
>>   │ Note: It is possible to install GRUB to partition boot records as well,
>>   │ and some appropriate partitions are offered here.  However, this forces
>>   │ GRUB to use the blocklist mechanism, which makes it less reliable, and
>>   │ therefore is not recommended.
>>   │
>>   │ <Ok>
>>   │
>>
>> No options are given, the "<Ok> " is not a real return button. I tried
>> restarting (had to give password to do so)... & then re updating, it
>> goes back to this same message & hangs up. It's been about 20 minutes
>> now... I only have two HD's. What to do?
>>      
> The next screen after that should have a set of drives to select; this
> has worked perfectly in my testing.  If it doesn't then that's a problem
> at some other layer ...
>
> (You may have to use Tab to get to the OK button before pressing Return,
> or something.)
>
> In any case, this isn't really a GRUB problem, but more a problem with
> Debian; you should ask about it in some Debian context, perhaps
> debian-user.
>    

Thanks for reply Colin.

I needed to hit the tab button to highlight "<OK>" but now I get the 
list, & it has a red cursor, that when I hit return in the appropriate 
item, it goes to "<OK>" & I hit return, & get this:

─────────────────────────┤ Configuring grub-pc ├──────────────────────────┐
  │                                                                           │
  │ You chose not to install GRUB to any devices.  If you continue, the boot  │
  │ loader may not be properly configured, and when your computer next        │
  │ starts up it will use whatever was previously in the boot sector.  If     │
  │ there is an earlier version of GRUB 2 in the boot sector, it may be       │
  │ unable to load modules or handle the current configuration file.          │
  │                                                                           │
  │ If you are already running a different boot loader and want to carry on   │
  │ doing so, or if this is a special environment where you do not need a     │
  │ boot loader, then you should continue anyway.  Otherwise, you should      │
  │ install GRUB somewhere.                                                   │
  │                                                                           │
  │ Continue without installing GRUB?                                         │
  │                                                                           │
  │ <Yes> <No>

Of course, I select <No> & it brings me back to the option lists, etc. 
again. How do I select an option?

I think this is a grub problem (insufficient (& rather non standard (?) 
instructions to select options!).

Thanks again.
Henry



* Re: Grub update?
  2010-07-18 18:01       ` Henry W. Peters
@ 2010-07-18 18:11         ` Colin Watson
  2010-07-18 18:34           ` Henry W. Peters
  0 siblings, 1 reply; 7+ messages in thread
From: Colin Watson @ 2010-07-18 18:11 UTC (permalink / raw)
  To: The development of GNU GRUB

On Sun, Jul 18, 2010 at 02:01:10PM -0400, Henry W. Peters wrote:
> On 07/18/2010 01:42 PM, Colin Watson wrote:
>> The next screen after that should have a set of drives to select; this
>> has worked perfectly in my testing.  If it doesn't then that's a problem
>> at some other layer ...
>>
>> (You may have to use Tab to get to the OK button before pressing Return,
>> or something.)
>>
>> In any case, this isn't really a GRUB problem, but more a problem with
>> Debian; you should ask about it in some Debian context, perhaps
>> debian-user.
>
> Thanks for reply Colin.
>
> I needed to hit the tab button to highlight "<OK>" but now I get the  
> list, & it has a red cursor, that when I hit return in the appropriate  
> item, it goes to "<OK>" & I hit return, & get this:
[...]
> Of course, I select <No> & it brings me back to the option lists, etc.  
> again. How do I select an option?

Press Space with the relevant checkbox highlighted.

> I think this is a grub problem (insufficient (& rather non standard (?)  
> instructions to select options!).

This list deals with the upstream GRUB code.  The problems you are
having are with the Debian packaging (or, more strictly, with debconf's
dialog frontend, which isn't a part of the Debian GRUB packaging at all
although it does make use of it due to Debian packaging standards).  I
appreciate that it is not always easy for a user to tell the difference,
but that is why I am advising you.

The problem with having the dialog advise you to press Space is that the
method for selecting a checkbox varies depending on the frontend in use.
Many people will be using (e.g.) the GNOME frontend and if I made the
packaging advise you to press Space then this would make no sense to
them.

If you wish to continue this discussion, then perhaps you could file a
Debian bug report on the grub-pc package?  It's not really on-topic for
this list.

Cheers,

-- 
Colin Watson                                       [cjwatson@ubuntu.com]



* Re: Grub update?
  2010-07-18 18:11         ` Colin Watson
@ 2010-07-18 18:34           ` Henry W. Peters
  0 siblings, 0 replies; 7+ messages in thread
From: Henry W. Peters @ 2010-07-18 18:34 UTC (permalink / raw)
  To: grub-devel



On 07/18/2010 02:11 PM, Colin Watson wrote:
>
> Press Space with the relevant checkbox highlighted.
>
>    
>> I think this is a grub problem (insufficient (& rather non standard (?)
>> instructions to select options!).
>>      
> This list deals with the upstream GRUB code.  The problems you are
> having are with the Debian packaging (or, more strictly, with debconf's
> dialog frontend, which isn't a part of the Debian GRUB packaging at all
> although it does make use of it due to Debian packaging standards).  I
> appreciate that it is not always easy for a user to tell the difference,
> but that is why I am advising you.
>
> The problem with having the dialog advise you to press Space is that the
> method for selecting a checkbox varies depending on the frontend in use.
> Many people will be using (e.g.) the GNOME frontend and if I made the
> packaging advise you to press Space then this would make no sense to
> them.
>
> If you wish to continue this discussion, then perhaps you could file a
> Debian bug report on the grub-pc package?  It's not really on-topic for
> this list.
>
> Cheers,
>    

Thanks again Colin! Space was the place.

No bug... (now I have to reboot, & find out for sure).

In appreciation for time.

Henry

