Add GRUB2 BLS post

_posts/2024/2024-10-10-grub2-bls.md

@@ -0,0 +1,76 @@
+---
+author: Alberto Planas
+date: 2024-09-20 09:00:00+02:00
+layout: post
+license: CC-BY-SA-3.0
+title: Presenting GRUB2 BLS
+categories:
+- Announcements
+- openSUSE
+- Tumbleweed
+- MicroOS
+- GRUB2
+tags:
+- openSUSE
+- Tumbleweed
+- MicroOS
+- sysadmin
+- rolling release
+- sdbootutil
+- GRUB
+- GRUB2
+- TPM
+- EFI
+- Full-Disk
+- encryption
+- systemd
+- YaST2
+---
+
+
+## GRUB2 with BLS is now in MicroOS and Tumbleweed
+
+Recently the openSUSE project released for MicroOS and Tumbleweed a
+new version of the GRUB2 package, with a new subpackage
+`grub2-$ARCH-efi-bls`.  This subpackage deliver a new EFI file,
+`grubbls.efi`, that can be used as replacement of the traditional
+`grub.efi`.
+
+The new PE binary is a version of GRUB2 that includes a set of patches
+from Fedora, that makes the bootloader follows the boot loader
+specification ([BLS](https://uapi-group.org/specifications/specs/boot_loader_specification/)).  This will make GRUB2 understand the boot
+entries from `/boot/efi/entries`, and dynamically generate the boot
+menu showed during boot time.
+
+This is really important for full disk encryption (FDE), because this
+means that now we can re-use all the architecture and tools designed
+for `systemd-boot`.  For example, installing or updating the boot
+loader can now be done with `sdbootutil install`, the
+`suse-module-tools` scriptlets will create new BLS entries when a new
+kernel is installed, and the `tukit` and `snapper` plugins will take
+care of doing the right thing when snapshots are created or removed.
+
+Reusing all those tools without change was a great win, but what is
+better is that some of the quirks that the classical GRUB2 presented
+when extending the event log are not present anymore.  Before this
+package, `sdbootutil` needed to take ownership of the `grub.conf`
+file, as this will be measured by GRUB2 *by executed lines*.  That is
+right, for each line that is read and executed by the GRUB2 parser, a
+new PCR#8 will take place, and because GRUB2 support conditional as
+other complex constructors, it is very hard to predict the final value
+of PCR#8 without imposing a very minimal and strict `grub.conf`.
+
+But with the new BLS subpackage this file, together with the fonts and
+graphical assets for the theme, and the required modules (like
+`bli.mod`) are now included in the internal `squashfs` inside the EFI
+binary.  GRUB2 will not measure those internal files, without
+decreasing the security guarantees, because is now the firmware the
+one that measures the full EFI when the bootloader is executed during
+the boot process.
+
+As today we cannot use YaST2 to install GRUB2 with BLS, but we can do
+that manually very easily.  We need to make a `systemd-boot`
+[installation](https://en.opensuse.org/Portal:MicroOS/FDE#Installation_with_YaST), replace `LOADER_TYPE` from `systemd-boot` to
+`grub2-bls`, install the new GRUB2 BLS package, and do `sdbootutil
+install`.  Another option is to play with one of the available images
+for [MicroOS](https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-kvm-and-xen-grub-bls.qcow2) or [Tumbleweed]( https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-kvm-and-xen-grub-bls.qcow2).