CIA Lab 2- Booting 2 + OS Arch

###### tags: `finished` :::success # CIA Lab 2- Booting 2 + OS Arch ::: ## 1. Booting the OS :::info 1. What is a UEFI OS loader and where does the Ubuntu OS loader reside on the system? Hint: See the UEFI specification. ::: UEFI OS loader - it's just an executable file of a certain format, which comes with a config. the bootloader file can be found at /usr/lib/systemd/boot/efi/, rename it and copy it to /EFI/boot/ on the EFI partition. :::info 2. Describe in order all the steps required for booting the computer (until the OS loader starts running.) Ubuntu uses the UEFI OS loader to load and run the GRUB boot loader. ::: 1. Creating a GPT partition table on the disk 2. Creating a FAT32 partition 3. Download any UEFI loader from the Internet (one binary file) 4. Rename and put this file on the created partition at /EFI/boot/ 5. Create a text config, put it where the loader expects to see it 6. After restarting, we see the loader menu :::info 3. What is the purpose of the GRUB boot loader in a UEFI system? ::: UEFI loads the bootloader image from a file, and therefore imposes certain requirements on the partition table, partition, file system, and the contents of the downloaded file, so we use GRUB to make work easier on the one hand (since it is multi-system and can be loaded from any disk), and on the other - it supports many functions, for example, full disk encryption. :::info 4. How does the Ubuntu OS loader load the GRUB boot loader? ::: As the system boots, the firmware loads the binary file of the shim. Ubuntu installs its own Boot Entry during installation and can update it at any time when updating the GRUB bootloader. Since the binary file is signed by Microsoft; it is confirmed and accepted by the firmware when checking certificates already available in the firmware. The next thing the shim loads is an image of the second GRUB stage. :::info 5. Explain how the GRUB boot loader, in turn, loads and run the kernel by answering these 3 questions: a. What type of filesystem is the kernel on? b. What type(s) of filesystem does UEFI support? c. What does the GRUB boot loader, therefore, have to do to load the kernel? ::: a. The kernel runs an initialization script inside the "initrd" file system, which loads the hardware drivers and finds the root partition. b. The UEFI supports FAT12, FAT16, and FAT32 file systems. c. Since Ubuntu is a distribution with a versioned kernel, the bootloader configuration generator is automatically called every time the kernel is updated, since the names of the vmlinuz and initrd boot images change with each update. Therefore, the script dynamically generates a separate submenu with all available Ubuntu kernels GRUB configs, and separately for Ubuntu remembers the last selected kernel. :::info 6. Do you need an OS loader and/or boot loader to load a Linux kernel with UEFI? Explain why or why not. ::: The boot manager will attempt to load UEFI drivers and UEFI applications (including UEFI OS boot loaders) in an order defined by the global NVRAM variables. The variable might also contain paths to the OS partition and directory along with other configuration specific directories. The NVRAM can also contain load options that are passed directly to the UEFI image. Therefore, usually the OS kernel is located in the same place as the UEFI OS Loader. :::info 7. In an MBR-based system, the GRUB bootloader is distributed over the disk in multiple parts. a. How many parts (or stages) does GRUB have in such a system, and what is their task? b. Where are the different stages found on the disk? ::: a. It has 3 stages. Their task is to detect and load the kernel and initrd. This is due to BIOS calls and available parts of stage 1.5. b. Stage 1 in the MBR, stage 1.5 in the remainder of the first cylinder of the disk and stage 2 in the file on the disk. ## 2. Initializing the OS :::info 1. Describe the entire startup process of Ubuntu in the default installation. The subquestions below are leaders to help you along, they must be answered but by no means represent the entire startup process of Ubuntu. . . a. What is the first process started by the kernel? b. Where is the configuration kept for the started process? c. It starts multiple processes. How is the order of execution defined? d. ... ::: a. The kernel is looking for an initialization daemon process (init) to run the user environment and related processes. But since version 15 and higher, Ubuntu uses the **systemd** daemon. b. In `/etc/systemd/system`. c. Systemd provides parallelization capabilities, uses socket and D-Bus activation for starting services and implements transactional dependency-based service control logic. The main command used to control `systemd` is `systemctl` d. The initial procedure performs minimal hardware configuration, fully unpacks the image into the upper memory and takes note of any RAM disk if it is configured. e. Then the `startup_32()` process is started from `./arch/i386/boot/head`. f. The kernel startup function (process 0) sets memory management and determines the CPU type, and then switches to calling `start_kernel()`. g. At the stage when the kernel is running, systemd is connected, whose resources are modules. Modules are categorized by the type of resource they represent and are defined by files known as module files. For service management tasks, the target module will be service modules that have module files with the `.service` suffix, but this is not necessary. ## 3. Basic OS interaction :::info **➢Binaries and scripts** Make a table listing five different binaries or interpreter scripts, and their type (Hint: use the “file” command in “/usr/bin”) ::: ``` /usr/bin# file * ``` | Name | Type | | -------- | -------- | | xzgrep | POSIX shell script | | sotruss |Bourne-Again shell script| |run-mailcap |Perl script text executable | | py3clean |Python script |zsh5 |Paul Falstad's zsh script <center> ![](https://i.imgur.com/Bmfk9DF.png) Figure 1 - Example of command </center> :::info **➢ Tracing binaries** 1. Read the “strace” man page. 2. Use “strace” to find what other systems call besides “stat” “zsh” uses before executing an “execve” system call to start a given binary (e.g. “/bin/ls”)? (Hint: use the “-c” option of “zsh”) ::: <center> ![](https://i.imgur.com/qb7RtHW.png) Figure 2 - Example of command ![](https://i.imgur.com/osAsIx9.png) Figure 3 - Example of command </center> :::info **➢ Stracing strace** 1. Run “strace /bin/pwd” and save the result 2. Also run “strace strace /bin/pwd” and save the result. How are these outputs related? Explain the “2” in “write(2, ...” ::: <center> ![](https://i.imgur.com/yOq154T.png) Figure 4 - Example of command ![](https://i.imgur.com/RzFWF1x.png) Figure 5 - Example of command </center> They are connected by the fact that we intercept ptrace system calls while we scan which processes strace itself is running. For example, here we see a piece of running ptrace, which is just used by strace to capture data. <center> ![](https://i.imgur.com/2ViHvXW.png) Figure 6 - Example of command </center> **write(2, ...)**. This is the file descriptor obtained as a result of the open call. This is an integer, where "2" means standard output. :::info **➢ ELF format** 1. Read the “readelf” man page. Make sure you make your terminal as wide a possible. 2. Execute “readelf -Wh <<your favorite ELF binary>>”. Match the results for the ELF header with the information on ELF’s Wikipedia page. Is this a definitive source for the ELF format? If not, what is? ::: <center> ![](https://i.imgur.com/nBVFijB.png) Figure 7 - ZSH </center> Is this an unfinished article that lacks more information? I realized that in this article there is no description of the expected type of machine, the type of destination of the file (for example, 4= CORE, 3 = EXEC, that is, the executable file), and that not all fields can be viewed through `readelf`. For example, with the help of this program, we cannot find out which process the file is intended for, `hexdump` can be used for the full header. :::info 3. Also inspect the section and program headers, using the command “`readelf -WlS <<your favorite ELF binary>>`”. ::: <center> ![](https://i.imgur.com/PiZjB56.png) ![](https://i.imgur.com/3bhCWZW.png) Figure 8 - ZSH </center> :::info a. Explain which of the two header types (section or program) is used in which context (loader/runtime or linker/relocation)? ::: Program headers or segments are used for the linker and allow code execution. The second type - sections - is intended for commands and data. :::info b. Explain the use of each of the following sections: .text, .data, .rodata and .bss. (Hint: Consider Type and Flg) ::: Let's use `readelf -S zsh`: <center> **![](https://i.imgur.com/Uf5NSod.png)** Figure 9 - ZSH </center> **.text** - сontains executable code. It will be packaged into a segment with read and execute rights. It is loaded once and its content does not change (flag = AX = alloc execute). **.data** - initialized data, with read and write permissions (flag = WA = write alloc) **.rodata** - initialized data, with read-only rights (flag = A = alloc) **.bss** - uninitialized data, with read/write permissions (flag = WA = write alloc) *PROGBITS implies that the partition is stored in the disk image, and is not allocated and initialized at boot. Attribute NOBITS is provided as an alias for NOPROGBITS. :::info c. What does the program header with Type INTERP contain? ::: It contains the path name and segments of the interpreter file to create the source image of the process. :::info 4. Read your favorite ELF binary with hexdump utility. a. show the virtual address and physical address. b. show/explain the entry point of the ELF binary ::: <center> ![](https://i.imgur.com/mGd4Uqz.png) Figure 10 - VMA & LMA </center> VMA or virtual memory address. This is the address that the section will have when starting the output file. And the LMA or the address of the boot memory where the partition will be loaded. The difference of addresses could be in .data, where VMA indicates the location in RAM, and LMA - in ROM for initial values. But not in my case. :::info 5. Find the loaded libraries of your shell by executing “`lsof -p $$`”. Also, look at the memory image of your shell by executing “`cat /proc/$$/maps`”. Why is for instance the libc library mapped into memory multiple times? ::: <center> ![](https://i.imgur.com/9N3enHG.jpg) ![](https://i.imgur.com/WiUJ4rB.png) Figure 11 - Libraries & memory image </center> Because it is possible to display the same file several times (if we pay attention to column 3 - the starting offset). Access flags are also displayed here: With read and execute permission (main code that cannot be changed) With read permission (persistent data area without code) With read / write permission (it combines volatile data areas and shared object movement tables) ## References: 1. [Grub2/Troubleshooting](https://help.ubuntu.com/community/Grub2/Troubleshooting#Search_.26_Set) 2. [Reload unit files](https://bugzilla.redhat.com/show_bug.cgi?id=615527) 3. [Systemd](https://www.freedesktop.org/wiki/Software/systemd/) 4. [ptrace(2)](https://man7.org/linux/man-pages/man2/ptrace.2.html) 5. [Write()](https://en.wikipedia.org/wiki/Write_(system_call)) 6. [Program Interpreter](https://docs.oracle.com/cd/E19683-01/816-1386/6m7qcoblk/index.html#chapter6-71736) 7. [Proc(5)](https://linux.die.net/man/5/proc)