Thursday, April 7, 2016

Dual boot for Windows 8.1 and Ubuntu with encryption galore, MBR version

word of warning - this is for patient people only. If you are known to chimp out after 4 hours of something refusing to work as it's supposed to - I'd suggest something different...

On to the magic, why would you do this?
I have a Lenovo x230 laptop to which I cheaply bought windows 8.1. Once you get Classic Shell installed, it even mostly feels like W7 which boots insanely fast. I'll gladly admit that I'm a windows guy, it's what I feel at least slightly comfortable working with since I practically grew up with it. Venturing into Linux territory usually means Google is working overtime and it takes a fuckton of time to get anything done, because everything is different. Don't even get me started on OS X.
That being said, Linux allows for certain unicorns that are not possible (or horribly difficult) on Windows because of the way the drivers work. Monitor mode for WiFi adapters is one of those things, extremely useful if you wish to do any type of poking with WiFi, good or bad. It's what allows Wifibroadcast to shove packets into the WiFi adapter without caring where or if even at all the end up at. It also allows receiving mangled packets (only some chipsets though, Atheros has long history of that).

Why would you do it like I did?
These days, a healthy dose of computer paranoia tends to be quite reasonable, given how much sensitive info can be extracted out of your daily use PC. Just the windows password is the equivalent of a 1 meter high decorative fence around your house. Enough to make normies understand that you don't want them rummaging through your stuff, but obviously very easy to defeat by multiple methods. So, if you want something a little more resilient, there's encryption.
Now common 256bit AES is enough to make even American 3-letter agencies pissed (btw it's approved for use on top-secret information), your average tech-sawwy criminal has no hope in hell of defeating the encryption itself, (it's much easier to literally beat the password out of the owner) at least not in his lifetime.
Naturally, the one thing I was satisfied with on previous OS versions doesn't really work for W8, so I have to use Bitlocker. Because of how this thing works, IT needs to be the first thing to boot, otherwise it's a no-go. Yes, having to boot most of windows only to tell it that you want linux and letting it reboot is kinda silly now that I think about it, but until M$ acknowledges that they could do a better job on the bootloader, it's the only way of running it like this.
If it weren't for the Bitlocker part, you can happily use the automated install and let linux configure everything for you. But if you need your tinfoil hat, it's hacking time!

Loosely following this guide, (loosely meaning not everything was exactly acording to this guide, there were others as well...), I created 2 partitions for Linux, one for root, the other for swap. The root one needs some space to be usable, exact figure depends on what you want install, but mine is roughly 20GB. Swap should be more then happy with 4GB, although I used 8GB. Don't know why (the machine has 8GB RAM), but I saw this once the win was set up and I didn't feel like doing it again (can't move the boot partition without breaking booting).
Then I let windows create it's boot partition and gave it some reasonable space for C:, roughly 50GB and let it install. Once that's done and you have most of the stuff installed, turn Bitlocker on, configure the TMP, then turn it off again. (where have I heard that before...oh right, I have the misfortune to do IT support for a living...).
Once that's done, I'd suggest making an image of the machine, because if you fuck up the following steps, it's really hard to fix. Much easier to just restore. I personally like Clonezilla. I tend carry in on a multiboot flash along with other goodies.
Install your Linux of choice, but you can't use the "auto" install, you have to do it manually. Tell it to use the bigger linux partition as /root and format it to EXT4 and to use the swap as...swap. Install everyhing. Once that's done, DO NOT let it place the bootloader into the MBR (if you do, windows will not boot), instead plop it into the /root partition.
If you've customised the crap out of the thing during install and windows STILL boots, make another image, saves time if you fuck up the bootloader.

Now comes the "fun" part. (link to source)
Boot some kind of linux from a flashdrive, somehow determine what is your partition of interest (gparted has a nice GUI; or just fdisk -l) and make note of it, it has to be the /root (or whatever you stashed the bootlader into). Do dd if=/dev/sda1 of=/tmp/linux.bin bs=512 count=1 , replacing sda1 with the patition with the bootloader.
This will make and copy linux.bin into the tmp folder (it's in /root). From there, copy it either to a flash drive or if you feel like it, plonk it straight into the root of C:. Boot into windows.
Launch cmd with admin rights and do bcdedit , it should dump the current state.
Now, do bcdedit /create /d “GRUB” /application BOOTSECTOR , you can replace the "GRUB" with whatever you want to name the entry (it will show up as the selection of what to boot). You will get a long GUID in curly brackets, copy that shit.
Now, do bcdedit /set {GUID} device boot , {GUID} is what you should have copied from the previous step.
Next do bcdedit /set {GUID} PATH \linux.bin
then bcdedit /displayorder {GUID} /addlast to put it below the win8 selection,
then bcdedit /timeout 10 , the number is timeout in seconds. I recommend less, 5s is plenty enough.
The final step is bcdedit /set {LinuxID} device partition=C: , this tells it which actual partition it can find the linux.bin.
Once you feel you did all that you should, do bcdedit again and check that the second entry looks something like this:
Real-mode Boot Sector
---------------------
identifier              {a33bafb4-fc1d-11e5-8259-3c970e62ae2e}
device                  partition=C:
path                    \linux.bin
description             Ubuntu
Obviously, the identifier will be diefferent and the description will be whatever you made it.
The device part is what took me almost 8 hours of trying various things, including different distros and what have you, only to realize that there is no way the system can know where to look for the bootloader. After extensively searching how to use the bcdedit /set , I found this, did it, tested it, found it working exactly as it should, did the "yatta!" and went on to post a comment to the M$ blog article, only to find THAT EXACT THING THAT TOOK SO LONG TO FIND was there all the time... read the comments...
If both systems boot, turn on bitlocker, make sure TPM is running (otherwise you'll have to manually input the long key every time) and let it encrypt.

Last but not least, make a partition on the remaing unused diskspace and format it to NTFS. Then install Truecrypt (or other encryption SW of your choice) on both systems and encrypt the partition, it will serve as a safe datastore that both systems can access.

Now make the final image of the machine and store it safe, unless you want to ever go through this again. Enjoy your reasonably secure dual boot system.

No comments:

Post a Comment