grub bootloader Configuration Changes

From Kicksecure
Jump to navigation Jump to search
grub boot menu

Kernel Boot Parameter Changes

Introduction[edit]

Info This is a grub, not a Kicksecure feature. Unspecific to Kicksecure. Therefore Self Support First Policy applies.

Before trying specific kernel boot parameters, it is advisable to first add them temporarily for testing or troubleshooting purposes. When the parameters have the intended effect, they can then be added permanently.

Kernel boot parameters are text strings that disable/enable certain features or change specific system behaviors. To achieve the desired change, note kernel boot parameters: [1]

  • can be a simple keywords (like "splash" or "noapic")
  • are case-sensitive (for example "Noapic" would not have any effect but "noapic" would take effect)
  • might have an = sign to denote values (like "acpi_backlight=vendor")
  • might include punctuation (""i8042.noloop")

Kernel boot parameters have no effect unless entered exactly as advised -- spelling/formatting errors or invalid values do not result in an error message.

Kernel Boot Parameter Change[edit]

Follow these steps to temporarily add kernel boot parameters. Useful for testing such a normal (non-recovery mode) boot while enabling verbose boot messages. Alternatively, if that is accessible [2], see Permanent Configuration Changes.

1. Restart the system. [3]

2. Access the grub menu.

Repeatedly press the Esc key until the grub menu appears. Alternatively the Shift key can be held down continuously for BIOS-mode (not UEFI-mode) until the menu appears. [4]

3. Select the relevant entry to edit.

Use the arrow keys to highlight the relevant entry and then press the e key to enter edit mode.

4. Add kernel boot parameter changes.

Use the arrow keys to move down to the line that contains boot arguments: [5]

  • On BIOS systems the line will begin with linux.
  • On UEFI systems the line begins with linuxefi.

Press the End key to move the cursor to the end of that line. Press the space bar and carefully type in kernel boot parameters -- multiple parameters are separated with a space, but no spaces are added before/after any = signs or for punctuation in parameters.

5. Reboot the system.

Press Ctrl + X to boot the system with the new, temporary parameters.

The effect will only last for this boot session; once the system is restarted they will no longer have any effect.

Permanent Configuration Changes[edit]

1. Learn how to configure permanent changes.

Inspect the following resources:

  • folder /etc/default/grub.d
  • file /etc/default/grub.d/40_kernel_hardening.cfg

2. Create a new configuration file.

Open file /etc/default/grub.d/50_user.cfg in an editor with root rights.

Kicksecure

This box uses sudoedit for better security.

sudoedit /etc/default/grub.d/50_user.cfg

Kicksecure for Qubes

NOTES:

sudoedit /etc/default/grub.d/50_user.cfg

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Kicksecure, please refer to this link.

sudoedit /etc/default/grub.d/50_user.cfg

3. Paste the necessary kernel parameters.

Notes:

  • The following example uses kernel parameter nomodeset.
  • Replace only nomodeset with the actual kernel parameters you want to add.
  • Do not remove the leading text (underlined): GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nomodeset".
  • Do not remove the trailing quote ("; marked in bold): GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nomodeset".

GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nomodeset"

4. Save.

5. Regenerate grub configuration.

sudo update-grub

6. Done.

The process of adding a kernel parameter is complete.

7. Verification.

Optional.

Inspect /boot/grub/grub.cfg because that is the generated file which is actually used during the boot process.

Inspect Grub Configuration Changes[edit]

1. Put folder /boot/grub under git version control.

Git is a useful tool to record which files in a folder changed in what way.

Git setup for folder /boot/grub.

Install package(s) git auditd. Follow steps A to E.

Platform specific notice.

Update the package lists and upgrade the system The Web Archive Onion Version .

sudo apt update && sudo apt full-upgrade

Install the git auditd package(s).

Using apt command line --no-install-recommends option The Web Archive Onion Version is in most cases optional.

sudo apt install --no-install-recommends git auditd

Platform specific notice.

Done.

The procedure of installing package(s) git auditd is complete.

Change directory to folder /boot/grub.

cd /boot/grub

Initialize git in that folder.

sudo git init

Git needs an e-mail address. That e-mail address doesn't need to actually exist. That e-mail address would appear in git commit change logs if that git repository was ever pushed to any remote. If only used locally, the default you@example.com could be kept. Otherwise, the user may change you@example.com to any e-mail address of their choice.

sudo git config user.email "you@example.com"

Git needs an name. That name address doesn't need to actually exist. That name would appear in git commit change logs if that git repository was ever pushed to any remote. If only used locally, the default Your Name could be kept. Otherwise, the user may change Your Name to any name of their choice.

sudo git config user.name "Your Name"

Add all files in that folder to git.

sudo git add -A

Commit all files to git. [6]

sudo git commit -a -m .

2. Change grub configuration.

Make changes according to Permanent Configuration Changes.

3. See which files were modified by update-grub.

From the same folder.

git status

4. Inspect the changes.

Using command line using default diff viewer diff which might be a bit difficult to read but an alternative is presented in the next step.

git diff

A graphical diff viewer can be used. Unspecific. Undocumented.

git difftool

Inspect Kernel Command Line[edit]

To view the kernel command line of the currently booted kernel, run.

cat /proc/cmdline

If too much output, use grep to filter.

Note: Replace parameter with the actual kernel parameter you are looking for.

cat /proc/cmdline | grep parameter

Goodies[edit]

Boot with Manual Commands[edit]

TODO: document

https://forums.kicksecure.com/t/kicksecure-no-password-prompt-on-gnu-grub/483/3archive.org

Boot Related Screenshots[edit]

TODO: document

Legacy BIOS - GRUB Encryption Password Prompt[edit]

Figure: GRUB encryption password prompt (Legacy BIOS)

EFI - GRUB Encryption Password Prompt[edit]

Figure: GRUB encryption password prompt (EFI)

EFI - SecureBoot - Boot Error Message[edit]

Known issue. No bug report needed.

To resolve this, see Secure Boot.

initramfs (initramfs-tools or dracut) based encryption password prompt[edit]

Figure: initramfs (initramfs-tools or dracut) based encryption password prompt

See Also[edit]

Footnotes[edit]

  1. https://wiki.ubuntu.com/Kernel/KernelBootParametersarchive.org
  2. Not accessible if boot is broken obviously.
  3. Or shut it down and power it on again.
  4. The system might hang when holding down the Shift key. If that happens, just briefly release the Shift key and hold it down again until the grub menu appears.
  5. https://web.archive.org/web/20220312140233/https://docs.fedoraproject.org/en-US/Fedora/22/html/Multiboot_Guide/GRUB-runtime.htmlarchive.org
  6. Commits all files to git with commit message . for simplicity. Commit message could also be something else such as {{{sudo_maybe}}} git commit -a -m "initial commit".

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!