Booting Linux - USALearning


Booting Linux

Table of Contents

Overview

Booting Linux

Linux Security Model -1

Linux Security Model -2

BIOS

UEFI

Booting Linux -1

Booting Linux -2

Booting Linux – The Kernel -1

Booting Linux – The Kernel -2

Notices

Overview


Booting Linux

Linux Recovery

Startup Scripts and Startup Processes

Processes and Signals

File System Overview

File and Process Security

Discretionary and Mandatory Access Control

Kernel Tuning

Host Access Control

**003 So first we'll cover booting Linux. Then we'll go into Linux recovery. Then we'll talk about the startup scripts and processes; processes and signals, the file systems, the process of security, discretionary and mandatory access controls, kernel tuning and host access control in that order.


Booting Linux

**004 So first we'll go into booting Linux.


Linux Security Model -1

No computer is completely secure.

There are vulnerabilities present in every operating system in existence today.

The ones that are known are typically quickly patched based upon severity.

The ones that aren’t known are the ones we must worry about more so than the ones we know about.

**005 So kind of an overall statement here is: No computer is completely secure. There are always going to be zero-day vulnerabilities. So your best hope is to mitigate it to the best of your abilities. And that's what we're going to try to cover through this entire class is how to best protect those computers despite the last minute vulnerabilities that could happen from attackers or from holes in its software. The ones that aren't known are the ones we must worry about more.


Linux Security Model -2

What makes Linux a more secure operating system?

• Linus’s Law – “Given enough eyeballs, all bugs are shallow”

— Open source that allows thousands of users and programmers to scrutinize code

• Granularity of setting security controls

• Typically, superuser privileges are not granted by default.

**006 So Linux is generally, along with Unix, is generally considered more secure than some other OSs; mainly due to-- it's open source. So you have more people working on it and contributing to the OS. So it's a lot more likely that someone will find a buffer underrun or a buffer underflow in the code and be able to help patch that quicker since it's not strictly a corporate entity with closed source. They also have a lot more built-in security controls; and by default it's out of the box usually more secure where it's a concept of least privilege; while in earlier versions of other OSs you notice that you'd have full run of the OS, unless you locked it down specifically. Linux comes down more or less locked down.

BIOS


Runs self diagnostic tests and detects CPU, memory, and key components

• Then loads graphics card and will display hardware identified

Some newer systems may have UEFI.

**007 So the first step in setting up our Linux computer is the BIOS. This is on any hardware; you'll see the BIOS. It runs your self-diagnostics test at a basic level on the hardware; detects your CPU, your memory. Then it will go into the next step to load your graphics card; and it'll display how much RAM you have, what kind of CPU you have. In newer systems we have what's called a UEFI.


UEFI

Unified Extensible Firmware Interface

Designed to pass control from BIOS to kernel securely and cannot be tampered with

Bootloader (GRUB) will load EFI system partition (ESP) located in /boot/efi/(distribution specific)/ folder.

• ESP is a vfat partition that is labeled with a Globally Unique Identifier.

• ESP contains EFI bootloaders and application software.

Ensures operating system integrity with key signing and checksums

**008 It stands for Unified Extensible Firmware Interface. This changes the original BIOS-- and well the most noticeable difference, in a lot of your UEFIs you'll see it has a GUI interface; because now it'll start loading device drivers that traditionally weren't around when BIOS came out. So you can start seeing high-res graphics, because it'll recognize the graphics card. And you'll start being able to use the mouse; which makes it easier to navigate than all those arrow keys. But another part of it is it is more secure because it does key signing and checksums.


And also one of the big things you'll see out of UEFI is it can interface with the operating system and the operating system can interface back with it. So as you can see on the slide, the bootloader, which in Linux is GRUB, will load the EFI partition; and that's an actual partition on the hard drive. Before the BIOS was strictly on the ROM. And this allows you from inside the OS itself to be able to modify settings in the BIOS. Before you could only modify most of the settings by rebooting and mashing Delete or F1 or whatever key it was.


Booting Linux -1

Linux first executes boot code stored in Read Only Memory (ROM), which figures out how to load the kernel.

Kernel probes hardware and software at this point.

First process (PID) 1 is the init process.

**009 So Linux first executes a boot code stored in ROM; and this figures out how to load the kernel. The kernel's the most important part of the OS. Every OS has a kernel. In Linux it's a lot more obvious; and it's actually called the kernel. But all OSs have a kernel. The kernel goes out and looks at what you have on your system; looks at your hardware and software, and mainly your device drivers. It needs to get all that basic stuff running so that the OS can continue booting. It also starts the very first process of the operating system, which is the init process. And that will always have a PID of 1; which is the Process ID. And we'll cover that a bit more in the next couple of slides.

Booting Linux -2


Filesystems are checked and mounted.

Daemons are started (software or process that runs in the background).

Init scripts are then executed by the init process.

**010 During the boot process the file system is also checked to make sure that it wasn't corrupt before it's mounted. If there are any errors in the file system, it'll halt and ask you to go into single user mode and try to fix those errors before you continue booting into the OS; because the OS will not run correctly if you have bad files.


Then your daemons are started-- or think of them as services; user software processes that run in the background. A common daemon might be, in an application, would be like httpd or Apache, that's a process, that's a daemon. A lot more common ones are like your printer service; or just your file system generally, it's keeping track of the file system as the computer runs. These are necessary processes. And then the init scripts execute; which basically process your startup files, the actual custom startup files you write or ones necessary to complete running the OS.

**011 So here's the boot order. First the boot loader is read from the Master Boot Record; which is on the hard drive; it's the first block on the hard drive telling you this is the OS to boot. Then the kernel is loaded and initialized. Then the kernel creates processes. If there were any errors, such as a file system error, then it'd boot into recovery mode. Or you can force it to boot into recovery mode; which is the equivalent of single user mode in Windows. And then the system will execute the startup scripts.


Booting Linux – The Kernel -1

First task is to get the program into memory

Kernel typically lives at /boot/vmlinuz on most distributions

Typically a two phase process involves

• Boot loader is loaded into ROM.

• Finds out how much RAM there is and sets aside some memory for itself. This amount cannot be used for user-level processes.

**012 So the first task is to get the program into memory. So the kernel typically lives in /boot/vmlinuz-- with a 'z' at the end. When there's a new kernel, you can go-- you can see the current version of your kernel because it's an actual file that lives in that directory. So if you navigate to that directory you'll see the kernel file in there. And all the necessary files to support the kernel also live in that directory. Typically a two-phase process. Boot loader is loaded into ROM; and then it finds out how much RAM there is, sets aside memory to load the kernel into memory. This amount's reserved just for the kernel; because the kernel needs it to run-- it's the core of the OS. So it cannot be used for other processes.
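The checks below are an added example, not part of the original course material: a shell script that reports whether the running system booted through UEFI, whether Secure Boot is enabled, what PID 1 is, and how many kernel images sit in /boot. The function names and the ROOT argument are assumptions made for this example; the paths are the standard Linux sysfs, efivarfs and procfs locations.

```shell
#!/bin/sh
# Added example (not from the course): summarize how this host booted.
# ROOT is a hypothetical argument so the checks can also be pointed at a
# mounted disk image or a constructed test tree; it defaults to /.

SB_VAR=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c  # EFI global-variable GUID

# firmware_mode ROOT -> "uefi" if the kernel exposes EFI runtime data, else "bios"
firmware_mode() {
    if [ -d "${1%/}/sys/firmware/efi" ]; then echo uefi; else echo bios; fi
}

# secure_boot_state ROOT -> enabled | disabled | unknown
# An efivarfs file is 4 attribute bytes followed by the data; SecureBoot is 1 byte.
secure_boot_state() {
    f="${1%/}/sys/firmware/efi/efivars/$SB_VAR"
    [ -r "$f" ] || { echo unknown; return; }
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# init_name ROOT -> command name of the first process (PID 1)
init_name() {
    cat "${1%/}/proc/1/comm" 2>/dev/null || echo unknown
}

# kernel_images ROOT -> number of vmlinuz* files under /boot
kernel_images() {
    n=0
    for k in "${1%/}"/boot/vmlinuz*; do
        if [ -e "$k" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

boot_report() {
    root="${1:-/}"
    echo "firmware=$(firmware_mode "$root") secure_boot=$(secure_boot_state "$root")" \
         "pid1=$(init_name "$root") kernels=$(kernel_images "$root")"
}

boot_report "${1:-/}"
```

A result of `firmware=uefi secure_boot=disabled` means the signature checks described on the UEFI slide are not being enforced on that host.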

Booting Linux – The Kernel -2


Hardware

• First job is to learn what hardware exists

• If it finds hardware, it typically loads a kernel module for the device driver.

• Nearly all hardware is detected automatically.

Software (processes)

• kjournald – file system journaling

• kswapd – Memory swap if low memory

• ksoftirqd – Software interrupts

• khubd – USB devices

**013 So first it learns the hardware. So one of the unique things about Linux is whether it has a driver or not it's going to identify the hardware; and it'll know that's there. It doesn't mean it's always going to be fully capable within the OS but it'll identify it. And most of the times, unless-- one of the few instances where a driver won't work is some maybe cutting edge hardware, or especially high-end graphics cards, non-standard graphics cards, that's where you see the biggest conflicts in drivers. Most of the time it'll run out of the box no problem; especially on a standard PC. Another instance would be maybe if you have a high-end SCSI type controller on servers; if you kind of built your own server, a lot of that kind of stuff might have some problems with drivers. But for the most part you can almost guarantee a basic bootup with Linux, without any special drivers; just with what's on the distribution CD. We were talking about some of the processes that run at startup. kjournald: file system journaling; checks the integrity of the file system while the system's running. Your swap file-- kswapd. ksoftirqd manages your IRQs, the software interrupts. And then khubd is an example for your USB hub.

Notices

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
