Cryptography, Linux, and me: GRUB2 – A Rundown
I’ve spent an inordinate amount of time today going over GRUB2 for my upcoming RHCSA exam. I probably went overboard. If you are like me (scratching your head at GRUB2 wishing it would go back to “the way it was”) then I have a nice little rundown here for you that might make things easier.
Red Hat states that we need to be able to “Modify the System Bootloader” – That’s a pretty vague requirement if you ask me. You can do a metric FUCKTON of things with GRUB2 and it’s no surprise (at least to me) that you should be able to do a lot. But these exams are timed and short so I kept the scope of this article nice and light.
- Add/remove entries
- Use yum or rpm to add or remove installed kernels – Don’t go toying around manually on the exam – You will mess things up and cost yourself time.
- List default kernel selection: grub2-editenv list
- Prints the currently saved default entry
- Change Default Kernel: grub2-set-default
- EX: grub2-set-default 'Fedora Linux, with Linux 3.1.2-1.fc16.x86_64'
- This will select that particular kernel – if it exists
- EX: grub2-set-default 0
- This will make the default kernel the first entry in the bootloader (entries are numbered from 0).
- GRUB2 PW Protection
- Edit /etc/grub.d/01_users and add the following lines (the file is a script whose output is written into grub.cfg by grub2-mkconfig, so the lines go into what the script prints, not in as bare shell):
- set superusers="user"
- password user userpassword
- Substitute user with whatever username you want and userpassword with their password
- Edit /etc/grub.d/40_custom to tell GRUB which entries to PW protect
- By default, each entry will have a --unrestricted directive
- Replace --unrestricted with --users user (no quotes), naming the user you created. This will allow only those users to access that menu option.
- If you do not use the --unrestricted directive or a --users directive, the system will assume ONLY SUPER USER.
- Encrypting PWs in GRUB2
- grub2-mkpasswd-pbkdf2
- It will prompt you for a password and output it in hashed (PBKDF2) form that GRUB2 understands.
- Copy the hash and paste it into the file where you configured users (01_users in /etc/grub.d/), in place of the plaintext password line, or the hash buys you nothing.
- The format is really messy but it looks something like:
- password_pbkdf2 user grub.pbkdf2.sha512.10000.19074739ED80F115963D984BDCB35AA671C24325755377C3E9B014D862DA6ACC77BC110EED41822800A87FD3700C037320E51E9326188D53247EC0722DDF15FC.C56EC0738911AD86CEA55546139FEBC366A393DF9785A8F44D3E51BF09DB980BAFEF85281CBBC56778D8B19DC94833EA8342F7D73E3A1AA30B205091F1015A85
- Add that entry and GRUB will check the supplied password against the hash instead of a plaintext value.
- NOTE: IF YOU MESS THIS UP, YOUR SYSTEM PROBABLY WONT BOOT.
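To make that "really messy" format less mysterious, here is an added example (mine, not from the post or from the GRUB project) that parses the `grub.pbkdf2.sha512.<iterations>.<salt>.<hash>` string, builds one the same way grub2-mkpasswd-pbkdf2 does (PBKDF2-HMAC-SHA512, 10000 rounds, 64-byte salt and output), and verifies a password against it, which is what GRUB does at the menu. The username and passwords in the demo are made up.

```python
"""Parse, build and verify GRUB2 password_pbkdf2 hashes (added example, not GRUB's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GrubPbkdf2:
    iterations: int
    salt: bytes
    digest: bytes


def parse_grub_pbkdf2(hash_str: str) -> GrubPbkdf2:
    """Split the string grub2-mkpasswd-pbkdf2 prints into its three fields."""
    parts = hash_str.strip().split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 hash (garbled paste?)")
    iterations = int(parts[3])
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return GrubPbkdf2(iterations, bytes.fromhex(parts[4]), bytes.fromhex(parts[5]))


def make_grub_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 10000) -> str:
    """Produce a hash in grub2-mkpasswd-pbkdf2's default format: 64-byte salt, 64-byte output."""
    salt = os.urandom(64) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"


def verify_grub_pbkdf2(password: str, hash_str: str) -> bool:
    """Recompute PBKDF2-HMAC-SHA512 with the stored salt and compare in constant time."""
    h = parse_grub_pbkdf2(hash_str)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), h.salt, h.iterations, dklen=len(h.digest))
    return hmac.compare_digest(candidate, h.digest)


def password_line(user: str, hash_str: str) -> str:
    """The line that replaces the plaintext 'password' line in 01_users; fails early on a bad hash."""
    parse_grub_pbkdf2(hash_str)
    return f"password_pbkdf2 {user} {hash_str}"


if __name__ == "__main__":
    h = make_grub_pbkdf2("correct horse")  # constructed demo password
    print(password_line("user", h))
    print(verify_grub_pbkdf2("correct horse", h), verify_grub_pbkdf2("wrong", h))
```

A hash that survives `parse_grub_pbkdf2` but fails `verify_grub_pbkdf2` against the password you typed is exactly the case that leaves you locked out of the menu after grub2-mkconfig, so checking before you reboot is cheap insurance.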
- Resetting GRUB2
- Sometimes, you gotta restart shit
- rm /etc/grub.d/* (delete all grub.d scripts)
- rm /etc/sysconfig/grub (remove all system configuration)
- yum reinstall grub2-tools (reinstall the entire package)
- grub2-mkconfig -o /boot/grub2/grub.cfg (reset the entire configuration)
- Reinstalling GRUB2
- grub2-install <device>
- This will reinstall and restore any corrupted files in the /boot/grub2/ directory – If files are missing, they will be recreated.
- Finalizing changes:
- IF YOU CHANGE ANYTHING IN GRUB, YOU NEED TO RUN grub2-mkconfig OR THE CHANGES WILL NOT STICK.
- Two ways to do this:
- grub2-mkconfig -o /boot/grub2/grub.cfg
- USE ONLY IF ON TRADITIONAL BIOS
- grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
- USE ONLY IF ON UEFI
- Telling GRUB to boot into different targets
- Move into the append/edit mode with the e key at boot menu
- IF USING x86-64 — append boot directive to the end of the linux16 line
- IF USING UEFI — append boot directive to the end of the linuxefi line
- Possible Appends
- systemd.unit=<target> (e.g. systemd.unit=rescue.target)
- So as you can see, we can do a lot with GRUB2 – In many ways, I think it’s much more convoluted than GRUB1 but the times, they are a changin’
- Any thoughts on this matter or corrections would be greatly appreciated!