Development of System Image Creation and Bootstrapping Tools

From Kicksecure
< Dev
Jump to navigation Jump to search

Installing GRUB onto a disk image is a bit of a black art.

Installing GRUB onto a disk image is a bit of a black art. I haven't found any good documentation for it. This plugin is written based on de-ciphering the build_openstack_image script. Here is an explanation of what I _THINK_ is happening.

The crucial command is grub-install. It needs a ton of options to work correctly: see below in the code for the list, and the manpage for an explanation of what each of them means. We will be running grub-install in a chroot so that we use the version in the Debian version we're installing, rather than the host system, which might be any Debian version.

To run grub-install in a chroot, we need to set up the chroot in various ways. Firstly, we need to tell grub-install which device file the image has. We can't just give it the image file itself, since it isn't inside the chroot, so instead we arrange to have a loop block device that covers the whole image file, and we bind mount /dev into the chroot so the device is available.

grub-install seems to also require /proc and /sys so we bind mount /sys into the chroot as well. /proc is already mounted otherwise.

We install the UEFI version of GRUB, and for that we additionally bind mount the EFI partition in the image. Oh yeah, you MUST have one.

We also make sure the right GRUB package is installed in the chroot, before we run grub-install.

Further, there's some configuration tweaking we need to do. See the code. Don't ask me why they're necessary.

For cleanliness, we also undo any bind mounts into the chroot. Don't want to leave them in case they cause trouble.

Note that this is currently assuming that UEFI and either the amd64 (a.k.a. x86_64) or arm64 (a.k.a. aarch64) architectures are being used. These should probably not be hardcoded. Patch welcome.

Example projects to demonstrate technical challanges:

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!