Cryptography, Linux, and me: GRUB2 – A Rundown

Useful stuffs to manage GRUB:  Cryptography, Linux, and me: GRUB2 – A Rundown

I’ve spent an inordinate amount of time today going over GRUB2 for my upcoming RHCSA exam. I probably went overboard. If you are like me (scratching your head at GRUB2 wishing it would go back to “the way it was”) then I have a nice little rundown here for you that might make things easier.
 
Red Hat states that we need to be able to “Modify the System Bootloader” – That’s a pretty vague requirement if you ask me. You can do a metric FUCKTON of things with GRUB2 and it’s no surprise (at least to me) that you should be able to do a lot. But these exams are timed and short so I kept the scope of this article nice and light.
 

  • Add/remove entries
    • Use yum or rpm to add or remove installed kernels – Don’t go toying around manually on the exam – You will mess things up and cost yourself time.
  • List default Kernel Selection: grub2-editenv list
    • Lists default kernel selection
  • Change Default Kernel: grub2-set-default
    • EX: grub2-set-default 'Fedora Linux, with Linux 3.1.2-1.fc16.x86_64'
      • This will select that particular kernel – if it exists
    • EX: grub2-set-default 0
      • This will make the default kernel the first entry in the bootloader (entries are numbered from 0, like an array).
  • GRUB2 PW Protection
    • Edit /etc/grub.d/01_users and add the following lines:
      • set superusers="username"
      • password username userpassword
      • Substitute whatever username you want for username and their password for userpassword
    • Edit /etc/grub.d/40_custom to tell GRUB what entries to PW protect
      • By default, each entry will have a --unrestricted directive
      • Replace --unrestricted with "--users user" (without the quotes), where user is the name of a user you created. This will allow only those users to access that menu option.
      • If you do not make use of the --unrestricted directive or a --users directive, the system will assume ONLY SUPER USER.

 

  • Encrypting PWs in GRUB2
    • grub2-mkpasswd-pbkdf2
      • It will prompt you for a password and output a PBKDF2 hash of it in a form that is compatible with GRUB2.
      • Copy the hash and paste it in the template file where you configured users (01_users file found in the /etc/grub.d/ folder.)
      • The format is really messy but it looks something like:
        • password_pbkdf2 user grub.pbkdf2.sha512.10000.19074739ED80F115963D984BDCB35AA671C24325755377C3E9B014D862DA6ACC77BC110EED41822800A87FD3700C037320E51E9326188D53247EC0722DDF15FC.C56EC0738911AD86CEA55546139FEBC366A393DF9785A8F44D3E51BF09DB980BAFEF85281CBBC56778D8B19DC94833EA8342F7D73E3A1AA30B205091F1015A85
      • Append that entry to the bottom of the file and GRUB will check the password you type against the hash.
      • NOTE: IF YOU MESS THIS UP, YOUR SYSTEM PROBABLY WON'T BOOT.
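
Given that a bad entry can leave the system unbootable, here is a check to run before rebooting. It is an added example, not from the original post: it scans a generated grub.cfg for plaintext `password` lines, malformed `password_pbkdf2` hashes, and how each menuentry is restricted. The function names and the sample config, with its shortened hashes, are constructed for illustration.

```sh
#!/bin/sh
# Added example; audit_grub_cfg and sample_cfg are hypothetical names, not GRUB tools.
# audit_grub_cfg [FILE]: read FILE (or stdin) and print WARN/INFO lines.
audit_grub_cfg() {
    awk '
    /^[ \t]*set[ \t]+superusers=/ { su = 1 }
    # A plaintext password is readable by anyone who can read the file.
    /^[ \t]*password[ \t]/ {
        printf "WARN line %d: plaintext password for user %s\n", NR, $2
    }
    # Expected shape: grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>
    /^[ \t]*password_pbkdf2[ \t]/ {
        n = split($3, f, "[.]")
        ok = (n == 6 && f[1] == "grub" && f[2] == "pbkdf2" &&
              f[4] ~ /^[0-9]+$/ && f[5] ~ /^[0-9A-Fa-f]+$/ &&
              f[6] ~ /^[0-9A-Fa-f]+$/)
        if (!ok) printf "WARN line %d: malformed PBKDF2 hash for user %s\n", NR, $2
    }
    # Classify each entry: --unrestricted, --users LIST, or neither.
    /^[ \t]*menuentry[ \t]/ {
        if (split($0, q, "\047") < 3) split($0, q, "\"")
        if ($0 ~ /--unrestricted/) access = "unrestricted"
        else if (match($0, /--users[ \t]+[^ \t]+/))
            access = substr($0, RSTART + 2, RLENGTH - 2)
        else access = "superusers only"
        printf "INFO line %d: \"%s\" -> %s\n", NR, q[2], access
    }
    END { if (!su) print "WARN: superusers is not set, no password is enforced" }
    ' "$@"
}

# Constructed sample input; the hashes are shortened placeholders.
sample_cfg() {
    cat <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.A1B2C3D4.E5F60718
password_pbkdf2 oper grub.pbkdf2.sha512.10000.A1B2C3D4
password guest guestpw
menuentry 'Linux (default)' --class os --unrestricted {
}
menuentry 'Linux (rescue)' --class os --users oper {
}
menuentry 'Memtest' {
}
EOF
}

sample_cfg | audit_grub_cfg
```

On a real system, pass it the file written by grub2-mkconfig, for example `audit_grub_cfg /boot/grub2/grub.cfg`.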

 

  • Resetting GRUB2
    • Sometimes, you gotta restart shit
      • rm /etc/grub.d/* (delete all grub.d scripts)
      • rm /etc/sysconfig/grub (remove all system configuration)
      • yum reinstall grub2-tools (reinstall the entire package)
      • grub2-mkconfig -o /boot/grub2/grub.cfg (reset the entire configuration)

 

  • Reinstalling GRUB2
    • grub2-install <device>
      • This will reinstall and restore any corrupted files in the /boot/grub2/ directory – If files are missing, they will be recreated.

 

  • Finalizing changes:
    • IF YOU CHANGE ANYTHING IN GRUB, YOU NEED TO RUN grub2-mkconfig OR THE CHANGES WILL NOT STICK.
      • Two ways to do this:
        • grub2-mkconfig -o /boot/grub2/grub.cfg
          • USE ONLY IF ON TRADITIONAL BIOS
        • grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
          • USE ONLY IF ON UEFI BIOS
  • Telling GRUB to boot into different targets
    • Move into the append/edit mode with the e key at boot menu
    • IF USING x86-64 — append boot directive to the end of the linux16 line
    • IF USING UEFI — append boot directive to the end of the linuxefi line
    • Possible Appends
      • systemd.unit=[systemctl.target] 
  • So as you can see, we can do a lot with GRUB2 – In many ways, I think it’s much more convoluted than GRUB1 but the times, they are a changin’
  • Any thoughts on this matter or corrections would be greatly appreciated!
