Chain load Grub from Windows Boot Manager?
On last post I got Windows Boot Manager to load GRUB (or what seems like it) on QEMU. Since then I was trying to cross-compile a newer version of GRUB for ARM and then load this newer version, instead of the original EFI partition I used when writing that post. That was harder than I first thought.
I didn’t get it to work. For now I’ll stick with that original GRUB imagine, knowing that the though of it will bug for a while - I got really curious to know how that image was made. I thought of recording whatever I found so far, in case I decide to continue investigating this in the future, or someone else is trying the same thing.
UEFI loaders are PE files. So I first started to compare the PE headers from the RoL’s GRUB image (from the last post) with the one I built:
RoL’s image headers
DOS Header
Magic number: 0x5a4d (MZ)
Bytes in last page: 144
Pages in file: 3
Relocations: 0
Size of header in paragraphs: 4
Minimum extra paragraphs: 0
Maximum extra paragraphs: 65535
Initial (relative) SS value: 0
Initial SP value: 0xb8
Initial IP value: 0
Initial (relative) CS value: 0
Address of relocation table: 0x40
Overlay number: 0
OEM identifier: 0
OEM information: 0
PE header offset: 0xd8
COFF/File header
Machine: 0x1c4 IMAGE_FILE_MACHINE_ARMV7
Number of sections: 7
Date/time stamp: 1471559823 (Thu, 18 Aug 2016 22:37:03 UTC)
Symbol Table offset: 0
Number of symbols: 0
Size of optional header: 0xe0
Characteristics: 0x122
Characteristics names
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
Optional/Image header
Magic number: 0x10b (PE32)
Linker major version: 11
Linker minor version: 0
Size of .text section: 0x3a00
Size of .data section: 0x2e00
Size of .bss section: 0
Entrypoint: 0x1691
Address of .text section: 0x1000
Address of .data section: 0x6000
ImageBase: 0x400000
Alignment of sections: 0x1000
Alignment factor: 0x200
Major version of required OS: 0
Minor version of required OS: 0
Major version of image: 0
Minor version of image: 0
Major version of subsystem: 1
Minor version of subsystem: 0
Size of image: 0xc000
Size of headers: 0x400
Checksum: 0xd560
Subsystem required: 0x10 (IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION)
DLL characteristics: 0
DLL characteristics names
Size of stack to reserve: 0x100000
Size of stack to commit: 0x1000
Size of heap space to reserve: 0x100000
Size of heap space to commit: 0x1000
My GRUB image headers
DOS Header
Magic number: 0x5a4d (MZ)
Bytes in last page: 144
Pages in file: 3
Relocations: 0
Size of header in paragraphs: 4
Minimum extra paragraphs: 0
Maximum extra paragraphs: 65535
Initial (relative) SS value: 0
Initial SP value: 0xb8
Initial IP value: 0
Initial (relative) CS value: 0
Address of relocation table: 0x40
Overlay number: 0
OEM identifier: 0
OEM information: 0
PE header offset: 0x80
COFF/File header
Machine: 0x1c2 IMAGE_FILE_MACHINE_THUMB
Number of sections: 4
Date/time stamp: 1420070400 (Thu, 01 Jan 2015 00:00:00 UTC)
Symbol Table offset: 0
Number of symbols: 0
Size of optional header: 0xe0
Characteristics: 0x30e
Characteristics names
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
Optional/Image header
Magic number: 0x10b (PE32)
Linker major version: 0
Linker minor version: 0
Size of .text section: 0xb800
Size of .data section: 0xa99a00
Size of .bss section: 0
Entrypoint: 0x400
Address of .text section: 0x400
Address of .data section: 0xbc00
ImageBase: 0
Alignment of sections: 0x200
Alignment factor: 0x200
Major version of required OS: 0
Minor version of required OS: 0
Major version of image: 0
Minor version of image: 0
Major version of subsystem: 0
Minor version of subsystem: 0
Size of image: 0xaa5e00
Size of headers: 0x400
Checksum: 0
Subsystem required: 0xa (IMAGE_SUBSYSTEM_EFI_APPLICATION)
DLL characteristics: 0
DLL characteristics names
Size of stack to reserve: 0x10000
Size of stack to commit: 0x10000
Size of heap space to reserve: 0x10000
Size of heap space to commit: 0x10000
I used the PEV toolkit to get those headers.
Some things are quite obvious. I’ll go through them. To begin with, the machine header are different. Both are ARM, but one is ARMv7 and the other is Thumb. I couldn’t really compile GRUB such to match ARMv7, even passing -march=armv7 to GCC. I am probably doing something wrong.
It is curious though. When you compile GRUB, you get a set of tools like grub-mkstandalone. Those tools are compile to your BUILD platform, that is, the platform you are building on (x86 in my case). This makes sense, because you will use these tools to then generate the final GRUB image. This image is generate, as far as I understood, from the modules that are build as part of GRUB. However, those modules are ELF files, according to /bin/file:
acpi.mod: ELF 32-bit LSB relocatable, ARM, EABI5 version 1 (SYSV), not stripped
So I imagine that grub-mkstandalone actually concatenates all the modules required and transform them in a PE file when building the final imagine. So would be it the responsible to set the PE machine header to ARMV7 and my cross-compilation doesn’t really matter? I have no clue :(
Here’s how I cross-compile GRUB, should you need to do something similar:
./autoconfig
./configure --with-platform=efi --prefix=/usr --target=arm-none-eabi
make CFLAGS="-march=armv7 -Wno-unused-value"
make DESTDIR=/tmp/grub install
cd /tmp/grub
/tmp/grub/usr/bin/grub-mkstandalone -o boot.img -O arm-efi -d /tmp/grub/usr/lib/grub/arm-efi
Long story short, I am not sure how much a problem that is, after all. If I bypass Windows Boot Manager and makes UEFI load my GRUB image directly, it works. So I don’t really know how much Windows Boot Manager cares about this header.
The other two red flags were the headers Checksum and Subsystem required. This forum post was the closed I came to a solution. It talks about how the Subsystem required needs to be set to IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION. I tried manually changing that header to match it, along side with fixing the checksum (using this code that seemed to give valid checksum when I compared with valid PE files I have). None of that helped.
Another interesting point discussed on that forum thread and that also caught my eye was the fact that the entry point for both PE files differed. Not quite sure how much that could be because of the different instruction set (if at all), but that may indicate that the RoL’s GRUB was generated in a very different way than I am doing, and fiddling with headers might not be enough.
Anyways, that’s how far I got. If you have any points on the topic, do let me know!
