gnuboot-patches
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v2 8/8] manual: Add section about using GNU Boot.


From: Denis 'GNUtoo' Carikli
Subject: [PATCH v2 8/8] manual: Add section about using GNU Boot.
Date: Sun, 24 Nov 2024 18:10:54 +0100

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
neox: - fixed a typo
      - found duplicated see in "(see the @pxref{,,,guix,GNU Guix
        reference manual} for more details).", "See the
        @pxref{Security features}"
      - fixed duplicated see in "they are also documented in the
        @pxref{,,,grub,GNU GRUB manual} as well", "and @pxref{Building
        GNU Boot from [...]}"
Acked-by: Adrien Bourmault <neox@gnu.org>
---
ChangeLog v1->v2:
- Added neox's ack.
- Fixed @xref/@pxref usage and updated the
  commit message accordingly.
- Added "secure boot" and "threat modelling" to
  the concept index.
- Fixed Boot software -> boot software.
- Fixed @dfn missuse.
---
 manual/gnuboot.texi | 100 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 99 insertions(+), 1 deletion(-)

diff --git a/manual/gnuboot.texi b/manual/gnuboot.texi
index 0d99582d..f3089b82 100644
--- a/manual/gnuboot.texi
+++ b/manual/gnuboot.texi
@@ -55,6 +55,7 @@ This manual is for GNU Boot version @value{VERSION}.
 @menu
 * Overview::                                   General purpose and information.
 * Supported hardware and configurations::
+* Using GNU Boot::
 * Building GNU Boot from source::
 * Helping GNU Boot::                           How to contribute to GNU Boot
 * GNU Free Documentation License::             Copying and sharing this 
documentation.
@@ -676,7 +677,9 @@ ftp.gnu.org/gnu/gnuboot/).
 
 But depending on your threat model, it could be a good idea to build
 GNU Boot from source yourself instead, to avoid certain security
-attacks.
+attacks. @xref{Security features} section for more context with
+security and threat models and @ref{Building GNU Boot from source}
+for more details about the security attacks mentioned above.
 
 Once GNU Boot is downloaded or built, you will need to understand
 which files you need to install or upgrade. @xref{Supported hardware
@@ -691,6 +694,101 @@ instructions can be found in the GNU Boot website. We 
need help to
 migrate these instructions in the manual and make them easier to
 understand.
 
+@node Using GNU Boot
+@chapter Using GNU Boot
+
+@node Using GNU Boot with QEMU
+@section Using GNU Boot with QEMU
+
+The GNU Boot project also release images for QEMU.
+
+If you just want to try an image to see how it looks like you can use
+the following command:
+
+@example
+qemu-system-x86_64 -M pc \
+-bios grub_qemu-pc_2mb_corebootfb_usqwerty.rom
+@end example
+
+Here you need to replace
+@emph{grub_qemu-pc_2mb_corebootfb_usqwerty.rom} by the
+path to the image you want to try.
+
+For a more complete example, you can look in the GNU Boot source code
+as GNU Boot uses QEMU to run some automatic tests that boots Trisquel
+11 (aramo).
+
+Also note that the GNU Boot images for QEMU can be useful in some
+situations, but it doesn't fully replace tests run on real computers.
+
+For instance a distribution or operating system might work on QEMU but
+not work on real hardware due to an incomplete graphic driver for the
+real hardware GPU.
+
+@node Security features
+@section Security features
+@cindex secure boot
+@cindex threat modelling
+
+Note that security is a process. To really make it work you need to
+understand various threats and how to respond to them (this is called
+@dfn{threat modelling}), so what security feature to use or not to use
+depends on your life, use cases, etc.
+
+Also note that in general some security features also have downsides,
+such as making it harder to use the computer, making it harder to fix
+issues, etc, so not everybody might want these security features.
+
+As for security features typically found in other boot software, some
+computers vendor sell computers with what they call @dfn{secure
+boot}. When it cannot be turned off, it becomes an anti-feature and
+the @uref{https://www.fsf.org/,Free Software Foundation} calls it
+@dfn{restricted boot}.
+
+In 2012, the @uref{https://www.fsf.org/,Free Software Foundation}
+wrote
+@uref{https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/campaigns/secure-boot-vs-restricted-boot/whitepaper.pdf,a
+whitepaper}, on the topic and advised that:
+
+@verbatim
+The best solution currently available for operating system distributions
+includes:
+1. fully supporting user-generated keys, including providing tools and full
+documentation for booting and installing both modified and official
+versions of the distribution using this method;
+2. using a GPLv3-covered bootloader to help protect users against the
+dangers of Restricted Boot;
+3. avoiding requiring or encouraging users to trust Microsoft or any com-
+pany which makes proprietary software; and
+4. joining the FSF and the broader free software movement in pressuring
+computer distributors to facilitate easy and independent installation of
+free software operating systems on any computer.
+@end verbatim
+
+GNU Boot supports various security mechanism: GRUB is a GPLv3-covered
+bootloader that GNU Boot reuses, and it supports user-generated keys
+or other security mechanism that that don't require any signing
+keys.
+
+GNU Boot also obviously doesn't Trust keys from companies that make
+proprietary software.
+
+At the end when used correctly, the security features provided by GNU
+Boot thanks to the software it reuses (like GRUB) can provide similar
+or stronger security guarantees than the UEFI secure boot with
+different security features that you may or may not want want to use
+depending on your threat model.
+
+The GNU Boot Website contains various information on how to use such
+security features, but they are also documented in the
+@ref{,,,grub,GNU GRUB manual} as well in more details. Since the GRUB
+version GNU Boot uses might be older than the online GRUB manual, you
+can use Guix to install the manual of older GRUB versions
+(@pxref{,,,guix,GNU Guix reference manual} for more details).
+
+All the security mechanism described in the GRUB manual or GNU Boot
+website are compatible with users freedom.
+
 @node Building GNU Boot from source
 @chapter Building GNU Boot from source
 
-- 
2.46.0




reply via email to

[Prev in Thread] Current Thread [Next in Thread]