Wednesday, November 19, 2008

Dual Boot Ubuntu with Safeboot FDE

Do you like running Linux yet your employer gives you a machine running Windows? Join the crowd. Did you employer take it one step further and install Windows using some form of Full Disk Encryption? Then read on as this post may be just what you're looking for.

Well, I started a new job developing software to run on Linux servers. My new employer gave me the options of either desktop or laptop, Mac or Windows. I thought I'd go for the Windows laptop so I could shrink the useless partition to minimal and then move forward with a real OS. This was somewhat of a mistake - I should have chosen to learn to use a Mac - oh well, 20/20 hind-sight.

So I get the laptop and as I dig into it, I find that my wise employer has installed Windows under a Full Disk Encryption partition using Safeboot (now owned by McAfee). It is certainly wise for them, companies need to protect their data on laptops as too many laptop users are complacent with their laptop security (and those who are diligent are still vulnerable). But of course for someone like me wanting to dual boot the system it becomes a major headache.

So, first problem - unable to squeeze the disk partition. Solution, buy a new, bigger hard drive. This turned into it's own headache as the laptop I asked for was one of the smaller, more compact ones and thus had the physically smallest hard drives currently available and it was currently a 60 Gig 4000 rpm drive (big and slow, yuck). With a little research I was able to find a 120 Gig 5200 rpm (big enough and better performance, OK).

So, I boot the laptop using a Live Linux CD (Ubuntu in my case), hook up a large external USB Hard Drive and capture the Windows drive onto the external drive (in hindsight, network storage would have been faster). Also, I had to break the Windows partition into smaller file chunks to store on the external drive - so I used the dd command with if=/dev/sda of=win_part_<##> bs=512 count=###### seek=(##*######). I don't recall the actual values I used for ## and ######, but you can calculate your own values such that the size of 512 x ###### is less than the max file size you can store (4 Gig in my case). And ## is a number sequence from 01-nn (where nn=16 in my case - 60 Gig / 4 Gig = 16) - your value for nn will be determined by how big a hard drive you are backing up and how big a chunk you can store on your external drive. Took me about 1.5 hours to backup a 60 Gig partition.

Anyway, with the Windows partition backed up, I shutdown the laptop, turned it off, pulled out the battery and removed the power cord. Then I swaped the hard drive - WARNING: Be Very Careful of Static Electricity - if you don't know what you are doing then have someone else do this part that does know.

Now with the new hard drive installed, I booted up under the Live Linux CD again. Then used the dd command to restore the Windows partition from the external drive to the new internal hard drive. Of course I exchange seek for skip, and swap input vs output files. Sadly, it took me 15 hours to restore from the external USB drive. Not sure why, so I wonder if using a network storage drive would have been faster?

Anyway, with the Windows partition restored to the new hard drive, I rebooted under Safeboot/Windows on the new laptop hard drive. If it boots successfully, then hooray the first phase is complete. If not, then you have to figure out where you went wrong. This phase worked just fine for me, so I did not have to do any troubleshooting nor revert back to the original hard drive (which would have really sucked as I would have needed to repeat this whole phase when I came back to it - another whole day gone - whew...).

I ran it in this configuration for a few days. making sure everything was working fine. If did, so the following weekend I went for phase two - installing Linux (ubuntu in my case).

The first step of phase two is to back up the first whole sector of your new internal hard drive (boot from the Live CD again). In my case that was 120 Gig / 255 head / 63 sectors - or approximately 9 Meg. I think I did overkill and backed up about 30 Meg. (dd if=/dev/sda of=/media/memstick/first4sectors.bin bs=512 count=65536)

Next, need to capture the Safeboot boot loader than is in the MBR (dd if=/dev/sda of=/media/memstick/safeboot.mbr bs=512 count=1). This will be used as part of chain loading with grub later.

Now go ahead and install Linux on the new hard drive. I set mine up with a 2 Gig swap following the Windows partition, then the Linux root partition following that. For me install ubuntu installed grub which clobbered the MBR (and then some) - hence the above back ups.

Once Linux was installed, I booted it to verify it worked OK.

Next, I used "fdisk /dev/sda" in the advanced mode to capture all the partition setting information - since this will get clobbered in the next step.

Then I restore the safeboot MBR plus more (like the entire first sector of the drive) with dd if=/media/memstick/first4sectors.bin of=/dev/sda bs=512 count=65536

Then I ran fdisk /dev/sda and fixed the partition info I just written down above. Except for one small thing - do not set the bootable flag on any partition except the first partition (the Safeboot/Windows Partition). If the bootable flag is set on other partitions, then the safeboot bootloader errors out and fails on boot.

So now we have a system that from the hard will boot into Windows (via Safeboot) but not Linux even though it is installed. We're almost done.

Next, copy the safeboot.mbr file into /boot/grub on your Linux partition. dd if=/media/memstick/safeboot.mbr of=/boot/grub/safeboot.mbr bs=512 count=1

Edit /boot/grub/menu.lst to use /boot/grub/safeboot.mbr in the chainloader line of the windows boot parameters. [Note: I'll upload my menu.lst here a little later as a sample]

Next, create a bootable CD with grub as the bootloader on the CD. [I'll add details for this step a bit later, along with my files as a sample].

So with this I always boot from my boot CD and choose either Windows(safeboot) or Linux upon booting. On my next post I'll describe some of the issues I found with safeboot, grub, and the MBR - along with what I hope someone else can figure out and improve upon.


==========

The MBR is the first 512 bytes on the hard drive. It contains a small boot loader plus the main partition information. As I found, safeboot uses a multi-part boot loader with the initial part being in the first 400 or so bytes of this MBR. The second part of this multi-part boot loader resides on the disk in the various 512 byte blocks that follow the MBR. Safeboots initial bootloader expects to find the second part of it's boot loader in these follow on 512 byte blocks.

Now, grub is also a multi-part boot loader with the initial part being in the first 400 or so bytes of this MBR. The second part of the grub boot loader resides on the disk in the various 512 byte blocks that follow the MBR. Grubs initial boot loader expects to find the second part of it's boot loader in these follow on 512 byte blocks.

There in lies the rub - both initial boot loaders expect to find the rest of their boot loader in the same location. Thus my need for booting from a boot CD instead.

I have read a little on the Internet that it is possible to configure the initial grub boot loader to look somewhere else for it's part 2 boot loader, but I have not been able to figure out how to configure it - nor do I know where on the disk it should be placed so as not to conflict with the safeboot boot loader. I am hoping someone with more knowledge of the hard drive layout can figure this one out.


==========

Some URL's I used to compile information to accomplish what I did for my safeboot/Windows:

LinuxQuestions.org Wiki page on Grub
http://wiki.linuxquestions.org/wiki/GRUB_boot_menu

The GNU Grub Manual, and Chain Loading
http://www.gnu.org/software/grub/manual/html_node/
http://www.gnu.org/software/grub/manual/html_node/General-boot-methods.html#General-boot-methods
http://www.gnu.org/software/grub/manual/html_node/Chain_002dloading.html#Chain_002dloading
http://www.gnu.org/software/grub/manual/html_node/Block-list-syntax.html#Block-list-syntax
http://www.gnu.org/software/grub/manual/html_node/File-name-syntax.html#File-name-syntax

Nixpanic's Blog - gave me hints about the safeboot boot loader working with grub
http://blog.nixpanic.net/2008/06/starting-safeboot-with-grub.html


==========

5 comments:

José Ernesto said...

hey man, please help!!

I installed ubuntu in a memstick and I didnt remember the mbr part and the safeboot mbr got overwritten so I'm unable to start windows.

Could you please send me the safeboot.mbr you backed up so I could try to restore mine?

my email is netux79 at yahoo.com

thanks in advance

Ernesto Ramirez

Ben said...

@Jose Ernesto:

His MBR won't do you any good. Each SafeBoot MBR is specific to the computer on which it was created.

Each time you install SafeBoot on a computer, unique identifiers (that are specific to your SafeBoot account on the server) are embedded in the MBR. That's why if you capture the MBR after installing SafeBoot, and then you remove/reinstall SafeBoot (which requires resetting your account on the server), the MBR hash will be different each time.

Jeremy said...

Hi. I know this is an old post, but it has good pagerank and is very useful.

I wanted to share a similar solution that I just did on an HP EliteBook 6930p laptop. This won't work for a lot of people but I thought I'd throw it out there anyway.

Instead of messing with partitions on the main hard drive, I purchased a second hard drive for the laptop's "upgrade bay" (multi-purpose removable media bay). I installed Linux on the "upgrade bay" HD, so I didn't have to mess with the evil corporate encrypted Windows drive at all (in fact, I removed the Windows drive just to be safe during installation).

This worked nicely, except Grub really didn't want to see the Safeboot MBR at all. With the new Grub version, menu.lst doesn't exist anymore and everything is automatic, so I wasn't even sure what to edit to try to add the Safeboot option manually. Fortunately, HP's bios has something called "Multiboot" which can be configured to present a boot drive selection menu on startup. That completely solved my problem: no grub needed at all.

Thanks again for the great post; I hope my contribution helps the one other random person in the entire universe with a similar setup as mine :)

I'm daqron on ubuntuforums.org if anyone has follow-up questions.

Cheers,
Jeremy

Hendy said...

I took a slightly different route, but ran across your post in the process. See my results HERE on the Arch Wiki. I'm extremely happy with my setup and it left all the company-installed stuff perfectly intact.

Jasmine wilson said...

Great post! I am agree with the writer's opinion.
Files removal scenario is usually a problem for the consumer.
However for the simplicity of end users, researchers have launched a solution for data damage issues.
User has to be well aware of possible information restoration methods making sure that they can handle the data deletion condition in a optimal way.
migrate outlook