Red Hat Satellite GRUB UEFI PXE script

Satellite 6 TFTP boot file legacy grub conversion script

This script is used to convert the tftp boot files (found in /var/lib/tftpboot/pxelinux.cfg/) which are automatically generated by Satellite 6 into the old legacy grub format. Why is this useful? Recently I encountered some HP servers which have an additional 10GbE card in one of the PCI-E slots on the machine which is used for the PXE boot. Unfortunately this additional interface only supports UEFI boot and not classic bios boot. By default Satellite 6 uses the shim image for UEFI but this doesn’t work with the older Linux kernel used by RHEL6.X. If this script is executed on a capsule or satellite server which has TFTP enabled, it will automatically replace the boot files using the old format which gives a successful boot for RHEL6.




GRUB 2.02 in the works…

See the FOSDEM slides for some of the features listed in the Phoronix article.






Alexander on U-Boot+UEFI+GRUB on ARM

Here’s one interesting presentation for the upcoming OpenIoT and Embedded Linux Conference:

Marrying U-Boot, uEFI and grub2 – Alexander Graf, SUSE

Booting is hard. Booting in the ARM world is even harder. State of the art are a dozen different boot loaders that may or may not deserve that name. Each gets configured differently and each has its own pros and cons. As a distribution this is a nightmare. Configuring each and every one of them complicates code that really should be very simple. To solve the problem, we can just add another layer of abstraction (grub2) on top of another layer of abstraction (uEFI) on top of another layer of abstraction (u-boot). Follow me on a journey on how all those layers can make life easier for the distribution and how much fun uEFI really is. After this talk, you will know how ARM systems boot, what uEFI really means, how uEFI binaries interact with firmware and how this enables convergence of the Enterprise and Embedded markets.

Alexander Graf, KVM Wizard, SUSE
Alexander started working for SUSE about 8 years ago. Since then he worked on fancy things like SUSE Studio, QEMU, KVM and openSUSE on ARM. Whenever something really useful comes to his mind, he tends to implement it. Among others he did Mac OS X virtualization using KVM, nested SVM, KVM on PowerPC and a lot of work in QEMU for openSUSE on ARM. He is the upstream maintainer of KVM for PowerPC, QEMU for PowerPC and QEMU for S390x.





PVS-Studio blog on bugs in GRUB


What’s Hiding Inside the GNU Boot Loader? Searching for Bugs in Grub
PVS-Studio analyzer continues to explore and adapt to the Linux platform. Today we will take a look at the bugs that the tool managed to find in the Grub boot loader. In this article, we will talk about the results of analysis of the boot loader for Unix-like operating systems, known as Grub. This program was developed by Erich Boleyn and comes as part of the GNU Project. GRUB is a reference boot loader implementation compliant with the Multiboot specification and is able to boot any compliant operating system. The Grub project is written in C and has been already checked by other analyzers, including Coverity, so you wouldn’t expect to find any unchecked code fragments in a project like that. PVS-Studio analyzer, however, did manage to catch a few interesting bugs. […]



Interesting new project. I wish most modern Linux distros let you control keys in ways like this. Check out the entire web page on Github, nice read for Linux/UEFI even if you don’t plan on using cryptboot.


Encrypted boot partition manager with UEFI Secure Boot support

With encrypted boot partition, nobody can see or modify your kernel image or initramfs. GRUB boot loader supports booting from encrypted boot partition, but you would be still vulnerable to Evil Maid attacks. One possible solution is to use UEFI Secure Boot. Get rid of preloaded Secure Boot keys (you really don’t want to trust Microsoft and OEM), enroll your own Secure Boot keys and sign GRUB boot loader with your keys. Evil maid would be unable to boot modified boot loader (not signed by your keys) and whole attack is prevented. cryptboot simply makes this easy and manageable.

* Linux (x86_64)
* UEFI firmware with enabled Secure Boot
* separate /boot partition encrypted with LUKS
* cryptsetup
* openssl
* efitools
* sbsigntools
* efibootmgr
* grub (grub-efi on Debian based distributions)


And this article points out something else crazy: “but current TrustedGRUB2 doesn’t even support UEFI yet.


Enterprise: a UEFI boot loader for Linux

‘Enterprise’ is the name of a UEFI boot loader that is meant to boot 1 or more Linux ISOs off a USB thumbdrive. The last release was back in 2015, but there is recent Github code activity. SevenBits created ‘Enterprise’, in addition to ‘Mac Linux USB Loader’, which sets up a bootable USB with Enterprise.

Enterprise (named after the Starship Enterprise from Star Trek) is an EFI program that is designed to assist in booting Linux distributions from USB sticks on UEFI-based PCs and Macs, something that is continously regarded as being near to impossible due to quirks in vendors’ EFI implementations and really quite poor support from Linux distributions.  Using Enterprise, you can create bootable USB drives that boot on a UEFI-based computer without needing rEFIt or rEFInd to be installed.  Originally designed to compliment ‘Mac Linux USB Loader’, Enterprise can also be used on its own to boot Linux on a variety of UEFI-based PCs and Macs.  The purpose of Enterprise is as the first stage in a two-stage booting process for ‘Mac Linux USB Loader’-created USB drives. Enterprise is a custom UEFI boot manager designed to load Linux distributions, even those without UEFI booting support, directly from ISO files on UEFI-based computers.  Enterprise provides an easy-to-use and simplistic interface that automates many of the tasks necessary to boot distributions of Linux from an ISO file.  Enterprise supports booting multiple distributions, so you can have more than one distribution per USB stick and multiple configurations for each distribution. Enterprise requires a configuration file telling it about which distributions it should load. This configuration file is created automatically when you use tools like Mac Linux USB Loader, though it is possible to write your own file and configure Enterprise as one would configure other boot managers such as GRUB, gummiboot, and syslinux, albeit much more simply.  Enterprise is under the LGPL; it pulls in code from other software projects (namely, gummiboot). It is written in portable C, and can be compiled to run on both 32-bit and 64-bit EFI firmware types.