Download as PDF, PPTX
![What is UEFI?
• You need to buy new hardware that supports and includes UEFI.
• UEFI firmware can boot from drives of 2.2 TB or larger.
• UEFI can run in 32-bit or 64-bit mode.
• Your boot process is faster.
• UEFI screens can be slicker than BIOS settings screens, including graphics and
mouse cursor support.
• UEFI supports Secure Boot, which means the operating system can be checked
for validity to ensure no malware has tampered with the boot process.
• UEFI support networking features.
• UEFI is modular.
• Analyzing UEFI BIOSes from attacking [ BH 2014 ]
(https://youtu.be/CGBpil0S5NI)](https://image.slidesharecdn.com/linuxkernelbooting-201030123411/85/Linux-kernel-booting-15-320.jpg)
![What Is BootLoader?
• It is the part that starts the system up
and loads the operating system kernel
• Bootloader has two main jobs:
• [1] Initialize the system to a basic level
(MBR) and to [2] Load the kernel.](https://image.slidesharecdn.com/linuxkernelbooting-201030123411/85/Linux-kernel-booting-21-320.jpg)
![Load kernel image with GRUB
grub> kernel /bzImage-<version>
[Linux-bzImage, setup=0x1400, size=0x29672e]
grub> initrd /initrd-<version>.img
[Linux-initrd @ 0x5f13000, 0xcc199 bytes]
grub> boot
Uncompressing Linux... Ok, booting the kernel.
Refs install manual : http://tinycorelinux.net/install_manual.html](https://image.slidesharecdn.com/linuxkernelbooting-201030123411/85/Linux-kernel-booting-35-320.jpg)
![What is UEFI?
• You need to buy new hardware that supports and includes UEFI.
• UEFI firmware can boot from drives of 2.2 TB or larger.
• UEFI can run in 32-bit or 64-bit mode.
• Your boot process is faster.
• UEFI screens can be slicker than BIOS settings screens, including graphics and
mouse cursor support.
• UEFI supports Secure Boot, which means the operating system can be checked
for validity to ensure no malware has tampered with the boot process.
• UEFI support networking features.
• UEFI is modular.
• Analyzing UEFI BIOSes from attacking [ BH 2014 ]
(https://youtu.be/CGBpil0S5NI)](https://image.slidesharecdn.com/linuxkernelbooting-201030123411/75/Linux-kernel-booting-15-2048.jpg)
![What Is BootLoader?
• It is the part that starts the system up
and loads the operating system kernel
• Bootloader has two main jobs:
• [1] Initialize the system to a basic level
(MBR) and to [2] Load the kernel.](https://image.slidesharecdn.com/linuxkernelbooting-201030123411/75/Linux-kernel-booting-21-2048.jpg)
![Load kernel image with GRUB
grub> kernel /bzImage-<version>
[Linux-bzImage, setup=0x1400, size=0x29672e]
grub> initrd /initrd-<version>.img
[Linux-initrd @ 0x5f13000, 0xcc199 bytes]
grub> boot
Uncompressing Linux... Ok, booting the kernel.
Refs install manual : http://tinycorelinux.net/install_manual.html](https://image.slidesharecdn.com/linuxkernelbooting-201030123411/75/Linux-kernel-booting-35-2048.jpg)
More Related Content
Similar to Linux kernel booting
Linux kernel booting
- 1. The Linux KernelInternal
- 2. Agenda • Linux KernelBooting Process • How To Make Your Own Kernel OS • Anatomy of Linux Kernel Development • System Call • Kernel Security (Bugs/Vulnerability) And Kernel Fuzzing
- 3. Who Am I? •Cyber Security Researcher • Bug Bounty Program (Google, Twitter, Yahoo, Apple, Ebay, Blackberry, etc) • Linux Exploit Developer • Malware Analysis • Linux System Programmer • Linux Kernel/Device Developer • Windows System Programmer • Django Contributor
- 4. Type of OS •Personal OS : Linux, Unix, MaCOS , etc • Mobile OS : Android, iOS, WinPhone, UIQ, etc • Real-Time OS : VxWork (NASA), QNX, RTLinux, etc • Network OS : Router OS, Switch OS, etc • Distributed OS : Internet, Telephone networks
- 5.
- 6. Android Device LinuxKernels Source • Google: https://android.googlesource.com/kernel/msm/ • HTC: https://www.htcdev.com/devcenter/downloads • OnePluseOS : https://github.com/OnePlusOSS/android_kernel_oneplus_msm8996 • Moto X : https://github.com/MotorolaMobilityLLC/kernel- msm • Sony : https://github.com/sonyxperiadev/kernel
- 7. The Linux BootProcess
- 8. The Linux BootProcess • BIOS (Basic Input/Output System) The processor executes code at a well-known location In a personal computer (PC), which is stored in flash memory on the motherboard. booting Linux begins in the BIOS at address 0xFFFF0. When your computer boots—and after the POST finishes—the BIOS looks for a Master Boot Record, or MBR, stored on the boot device and uses it to launch the bootloader (GRUB).
- 9. The BIOS willsoon be dead • UEFI plans to completely replace it with UEFI on all their chipsets by 2020.
- 10. BIOS Tools • apt-cachesearch bios | grep –i bios • apt-get source phnxdeco (phonix tech) • Security advisory (Intel): https://edk2-docs.gitbooks.io/security-advisory/content/ • Security Tool: Platform Security Assessment Framework https://github.com/chipsec/chipsec • Attacking and Defending BIOS in 2015 • http://c7zero.info/stuff/AttackingAndDefendingBIOS-RECon2015.pdf
- 11. Bootkit Malware What isbootkit? Malware that executes before the operating system boots. Malwares: FIN1 : Network protocols and communication channels for command and control (C2C). Including: file transfer (http DLL web shell), screen capture, keystroke logging, process injection BOOTRASH : File Content : Core.sys, vfs.sys and etc Including : Services, Run keys, Scheduled tasks, Startup folders Article : https://www.fireeye.com/blog/threat-research/2015/12/fin1- targets-boot-record.html
- 12.
- 13. Normal boot processwindows
- 14.
- 15. What is UEFI? •You need to buy new hardware that supports and includes UEFI. • UEFI firmware can boot from drives of 2.2 TB or larger. • UEFI can run in 32-bit or 64-bit mode. • Your boot process is faster. • UEFI screens can be slicker than BIOS settings screens, including graphics and mouse cursor support. • UEFI supports Secure Boot, which means the operating system can be checked for validity to ensure no malware has tampered with the boot process. • UEFI support networking features. • UEFI is modular. • Analyzing UEFI BIOSes from attacking [ BH 2014 ] (https://youtu.be/CGBpil0S5NI)
- 16.
- 17. UEFI Rootkit Malware(LoJax) • How malware works: – Information dumping tool: – RwDrv.sys driver, attackers reads the information on your UEFI BIOS. This information is then saved to a text file. This step helps the malware understand the victim system. – System Firmware Image Creation : – Firmware Image of SPI Flash Memory where the UEFI/BIOS is located. This image is then again saved to a file. – Rootkit Installation: – The firmware image is infected. This infected Firmware image is then installed onto the SPI Flash Memory
- 18. OS drivers dangerousfor BIOS
- 19. Create malware isimportant for country
- 20. ICS (Industrial ControlSystems) malware • 2010 Stuxnet : This cyber weapon was created to target Iranian centrifuges. • 2013 Havex : Targeted energy grids, electricity firms, and many others. • 2015 BlackEnergy : It targeted critical infrastructure and destroyed files stored on workstations and servers. In Ukraine. • 2015 IronGate : It targeted Siemens control systems and had functionalities similar to Stuxnet’s. • 2016 Industroyer : The attack caused a second shutdown of Ukraine’s power grid. • 2017 Triton : The attack did not succeed
- 21. What Is BootLoader? •It is the part that starts the system up and loads the operating system kernel • Bootloader has two main jobs: • [1] Initialize the system to a basic level (MBR) and to [2] Load the kernel.
- 22.
- 23.
- 24. MBR (Master BootRecord) • MBR : The first 446 bytes are the primary boot loader, which contains both executable code and error message text The next sixty-four bytes are the partition table, which contains a record for each of four partitions The MBR ends with two bytes that are defined as the magic number (0xAA55)
- 25. Extracting the MBR #dd if=/dev/hda of=mbr.bin bs=512 count=1 # od -xa mbr.bin
- 26. Partition table informationof MBR • # file mbr.bin mbr.bin: x86 boot sector; partition 1: ID=0x83, active, starthead 32, startsector 2048, 19451904 sectors; partition 2: ID=0x5, starthead 254, startsector 19455998, 2093058 sectors, code offset 0x63
- 27. Second stage bootloader Splashscreen is commonly displayed, and Linux and an optional initial RAM disk (temporary root file system) are loaded into memory. second-stage, boot loader called the kernel loader. The task at this stage is to load the Linux kernel and optional initial RAM disk.
- 28. Second stage =GRUB and etc Type of bootloader : 1- Grub 2- LILO 3- GRand 4- …
- 29. GRUB Good knowledge ofLinux file system. Instead of using raw sectors on the disk, as LILO. GRUB can load a Linux kernel from an ext2 or ext3 file system
- 30. Stage 1 (MBR)+ Stage 1.5 + Stage 2 (GRUB) What is stage 1.5? stage 1.5 boot loader that understands the particular file system containing the Linux kernel image. Examples : CR-ROMs use the iso9660_stage_1_5 Ext2 or ext3 file system use the e2fs_stage1_5
- 31. GRUB *.cfg (Stage1.5 Stage 2 loaded)
- 32.
- 33. Understanding the VariousGrub Modules $ ls /boot/grub/x86_64-efi/ /boot/grub/x86_64-efi/915resolution.mod … Grub module : https://github.com/coreos/grub/tree/2.02-coreos/grub-core
- 34. Grub module error:file `/boot/grub/*/*.mod not found.
- 35. Load kernel imagewith GRUB grub> kernel /bzImage-<version> [Linux-bzImage, setup=0x1400, size=0x29672e] grub> initrd /initrd-<version>.img [Linux-initrd @ 0x5f13000, 0xcc199 bytes] grub> boot Uncompressing Linux... Ok, booting the kernel. Refs install manual : http://tinycorelinux.net/install_manual.html
- 37. Count of LineCode Ubuntu Kernel
- 38. Count of LineCode Main Kernel
- 39.
- 40. Underestand of KernelImage vmlinux: Plain linux ELF file just the way it was created by the linker, including symbols and everything. vmlinuz:Gzipped vmlinux file which got stripped of all its symbols zImage:bootsect.o + setup.o + misc.o + piggy.o (piggy.o contains the piggy-backed vmlinuz). zImage : is bootable because it can decompress and run the kernel it contains. bzImage: Same as zImage except that it is built slightly differently which enables it to carry bigger kernels.
- 41. Vmlinux to Vmlinuz(make bzImage)
- 42. Vmlinux • Vmlinux isa ELF format, • How to get ELF format? • Download kernel source of https://kernel.com and compiled, or use $ apt-get source linux
- 43. Vmlinuz • $ sudofile /boot/vmlinuz-4.15.0-041500rc8-generic • /boot/vmlinuz-4.15.0-041500rc8-generic: Linux kernel x86 boot executable bzImage, version 4.15.0- 041500rc8-generic (kernel@gloin) #201801142030 SMP Mon Jan 15 01:31:43 UTC 2018, RO-rootFS, swap_dev 0x7, Normal VGA
- 44.
- 45. Kernel Image Process •Kernel image (bzImage) load to Memory and kernel stage started … • Typically zImage compressed image, less than 512KB a bzImage (big compressed image, greater than 512KB) • When the bzImage (for an i386 image) is invoked, you begin at ./arch/i386/boot/head.S in the start assembly routine • The kernel is then decompressed (./arch/i386/boot/compressed/misc.c) through a call to a C function called decompress_kernel function • When the kernel is decompressed into memory, it is called. This is yet another startup_32 function, but this function is in ./arch/i386/kernel/head.S. • More info : https://www.slideshare.net/itembedded/linux-kernel-image
- 46.
- 47.
- 48.
- 49. Kernel Source Tree •Github linux kernel source tree : – https://github.com/torvalds/linux • Bootlin kernel source tree : – https://elixir.bootlin.com/linux/latest/source
- 50. Kernel Type Mode •Real Mode • Protected Mode • Long Mode
- 51. Architecture Linux KernelInitialization
- 52. Kernel Boot Paging(Virtual Memory)
- 53.
- 54. Real Mode Bootsector (header.S)
- 55. Kernel Real Mode(setup_header)
- 56. Kernel Real Mode(setup_header)
- 57.
- 58. Kernel Real ModeStack (header.S)
- 59. Kernel Real Modeto C (header.S -> main.c)
- 60. Kernel Real ModeMain.c
- 61. Copy header tozeropage
- 62.