From ec2a86ad56b18700f4444b7856ab019f957be131 Mon Sep 17 00:00:00 2001 From: Alberto Planas Date: Tue, 8 Oct 2024 15:46:51 +0200 Subject: [PATCH] Add GRUB2 BLS post Signed-off-by: Alberto Planas --- _posts/2024/2024-10-10-grub2-bls.md | 76 +++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 _posts/2024/2024-10-10-grub2-bls.md diff --git a/_posts/2024/2024-10-10-grub2-bls.md b/_posts/2024/2024-10-10-grub2-bls.md new file mode 100644 index 00000000..85b8cb47 --- /dev/null +++ b/_posts/2024/2024-10-10-grub2-bls.md @@ -0,0 +1,76 @@ +--- +author: Alberto Planas +date: 2024-09-20 09:00:00+02:00 +layout: post +license: CC-BY-SA-3.0 +title: Presenting GRUB2 BLS +categories: +- Announcements +- openSUSE +- Tumbleweed +- MicroOS +- GRUB2 +tags: +- openSUSE +- Tumbleweed +- MicroOS +- sysadmin +- rolling release +- sdbootutil +- GRUB +- GRUB2 +- TPM +- EFI +- Full-Disk +- encryption +- systemd +- YaST2 +--- + + +## GRUB2 with BLS is now in MicroOS and Tumbleweed + +Recently the openSUSE project released for MicroOS and Tumbleweed a +new version of the GRUB2 package, with a new subpackage +`grub2-$ARCH-efi-bls`. This subpackage deliver a new EFI file, +`grubbls.efi`, that can be used as replacement of the traditional +`grub.efi`. + +The new PE binary is a version of GRUB2 that includes a set of patches +from Fedora, that makes the bootloader follows the boot loader +specification ([BLS](https://uapi-group.org/specifications/specs/boot_loader_specification/)). This will make GRUB2 understand the boot +entries from `/boot/efi/entries`, and dynamically generate the boot +menu showed during boot time. + +This is really important for full disk encryption (FDE), because this +means that now we can re-use all the architecture and tools designed +for `systemd-boot`. For example, installing or updating the boot +loader can now be done with `sdbootutil install`, the +`suse-module-tools` scriptlets will create new BLS entries when a new +kernel is installed, and the `tukit` and `snapper` plugins will take +care of doing the right thing when snapshots are created or removed. + +Reusing all those tools without change was a great win, but what is +better is that some of the quirks that the classical GRUB2 presented +when extending the event log are not present anymore. Before this +package, `sdbootutil` needed to take ownership of the `grub.conf` +file, as this will be measured by GRUB2 *by executed lines*. That is +right, for each line that is read and executed by the GRUB2 parser, a +new PCR#8 will take place, and because GRUB2 support conditional as +other complex constructors, it is very hard to predict the final value +of PCR#8 without imposing a very minimal and strict `grub.conf`. + +But with the new BLS subpackage this file, together with the fonts and +graphical assets for the theme, and the required modules (like +`bli.mod`) are now included in the internal `squashfs` inside the EFI +binary. GRUB2 will not measure those internal files, without +decreasing the security guarantees, because is now the firmware the +one that measures the full EFI when the bootloader is executed during +the boot process. + +As today we cannot use YaST2 to install GRUB2 with BLS, but we can do +that manually very easily. We need to make a `systemd-boot` +[installation](https://en.opensuse.org/Portal:MicroOS/FDE#Installation_with_YaST), replace `LOADER_TYPE` from `systemd-boot` to +`grub2-bls`, install the new GRUB2 BLS package, and do `sdbootutil +install`. Another option is to play with one of the available images +for [MicroOS](https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-kvm-and-xen-grub-bls.qcow2) or [Tumbleweed]( https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-kvm-and-xen-grub-bls.qcow2).