Jump to content











Photo
- - - - -

Creating Secure Boot Chain: Linux to Windows


  • Please log in to reply
4 replies to this topic

#1 DapperDeer

DapperDeer

    Newbie

  • Members
  • 27 posts
  •  
    United States

Posted 09 June 2020 - 08:39 PM

Hello,

 

I've been tasked with creating a secure boot chain for my work. On boot, GRUB loads:

 

Grub.cfg

insmod part_msdos
load_env --file (hd0,msdos1)/boot/grub/grubenv
if [ "$Clean" = "true" ]; then
    Clean=false
    save_env Clean
    configfile /boot/grub/windows.cfg
else
    configfile /boot/grub/linux.cfg
fi
 

As you can see, it's a very simple menu that relies upon a variable "Clean" to be true. If it's not true, we only show our Linux boot entry which does integrity checks, changes the variable to true, and reboots. 

 

However, grubenv needs to be writable, which I remembered way too late that I need my boot chain to work on a verified filesystem - grubenv can't be verified if it keeps changing.

 

So, I'm now trying to use GRUB4DOS to kexec into from Linux. GRUB4DOS however takes forever to load/initialize and so my question to you all:

 

What should I do? Is there a secure way I can boot from Linux to Windows that I'm not seeing? Kexec-ing to GRUB2 is apparently possible, but I've not been able to find any documentation on how to do that.

 

I would really appreciate any help/advice you can give,

Thanks



#2 wimb

wimb

    Platinum Member

  • Developer
  • 2973 posts
  • Interests:Boot and Install from USB
  •  
    Netherlands

Posted 10 June 2020 - 09:09 AM

USB_FORMAT combines booting Windows and Linux and Grub4dos and Grub2

 

May be the files USB_FORMAT-44\UEFI_MAN\efi\grub\grub.cfg and USB_FORMAT-44\UEFI_MAN\grub2\grub.cfg can be of help to you.

 

More Info: USB Format Tool and UEFI_MULTI



#3 DapperDeer

DapperDeer

    Newbie

  • Members
  • 27 posts
  •  
    United States

Posted 10 June 2020 - 08:10 PM

USB_FORMAT combines booting Windows and Linux and Grub4dos and Grub2

 

May be the files USB_FORMAT-44\UEFI_MAN\efi\grub\grub.cfg and USB_FORMAT-44\UEFI_MAN\grub2\grub.cfg can be of help to you.

 

More Info: USB Format Tool and UEFI_MULTI

 

I appreciate the response but I genuinely have no idea how this is supposed to help me..?



#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15469 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 11 June 2020 - 06:50 AM

What does "trigger" the status from "true" to "false"?

 

The filesystem on which Windows is installed is surely not read only, or at least it has some minimal parts that are not read-only so why you cannot use *something* else, like a file or its contents to check the status.

 

You can use cat or cat --hex on *any* file or you could do a direct write on a "special" sector on disk. :dubbio:

 

 

:duff:

Wonko



#5 DapperDeer

DapperDeer

    Newbie

  • Members
  • 27 posts
  •  
    United States

Posted 17 June 2020 - 09:29 PM

What does "trigger" the status from "true" to "false"?
 
The filesystem on which Windows is installed is surely not read only, or at least it has some minimal parts that are not read-only so why you cannot use *something* else, like a file or its contents to check the status.
 
You can use cat or cat --hex on *any* file or you could do a direct write on a "special" sector on disk. :dubbio:
 
 
:duff:
Wonko

 
The integrity check we have in place, if it succeeds, turns the variable true and then reboots the system.
 
We have UWF enabled on our filesystem, so any writes that do happen aren't actually written to the disk.
Even then, we have a "stamp" of sorts that we place on the filesystem. If/when the variable is changed, that stamp is no longer valid due to something on the filesystem changing.
That said, we do have a writable partition for logs and such. I asked about utilizing that and was told to make the boot chain work without using the writable partition.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users