6.0 KiB
layout | title | permalink |
---|---|---|
doc | Multibooting | /doc/multiboot/ |
Multibooting Qubes
Introduction
You should think carefully before dual booting Qubes on your box. Read the guidelines carefully.
One problem is that when you dual or multiboot, even if you are using encryption on your Qubes installation, /boot is still unprotected and could be maliciously modified by the other OS, possibly leading to Qubes itself being maliciously modified.
The other problem is firmware security - for example the other system could infect BIOS firmware, which might enable compromise or spying on the Qubes system.
You can use Anti Evil Maid, which would inform you if /boot had been modified, but it cannot prevent or fix the problem.
If you have considered these issues, tried out the live system and want to install Qubes alongside your existing OS, these notes should help.
They assume that you are installing Qubes on a PC where you already have another OS installed.
The first thing to do is STOP.
Before you do anything else back up all your data.
If possible do a full system backup.
Back up the MBR.
Back up /boot.
If you are really paranoid clone your disc.
Make sure you have install discs to hand for the existing operating system.
Qubes 3.0 does not support UEFI boot. If you are already using it the first step is to change boot mode.
Most PCs using UEFI firmware and bootloader can be configured to disable UEFI entirely and instead revert to legacy MBR boot mode.
Two separate steps are often required to achieve this:
- Enabling legacy boot mode
- Disabling Secure Boot
Qubes by default does not include other systems in the generated grub menu, because handling of other systems has been disabled. This means that you will have to manually add grub entries for any other OS.
The general approach is:
- Enable legacy boot mode
- Ensure current OS boots in legacy mode.
- Install Qubes
- Manually add boot stanzas to /etc/grub.d/40_custom
- Update grub
Windows
If you change boot mode to legacy boot almost certainly the Windows installation will not boot. You will either have to format the disk and reinitialise it, and then reinstall Windows in legacy boot mode, or use a utility like Easy Recovery Essentials which will change the existing installation to be bootable in both UEFI/GPT and BIOS/MBR mode in-place, without losing any data.
At this stage you can install Qubes.
As noted above the default configuration will not add an entry for Windows to the grub menu, so you will need to add one.
-
Boot into Qubes.
-
Identify the Windows system partition that has /bootmgr
In blkid output, the system partition is the one with LABEL='SYSTEM RESERVED' or LABEL='SYSTEM' and is only about 100 to 200 MB in size
-
Add this stanza to /etc/grub.d/40_custom,
menuentry "Windows" {
insmod part_msdos
insmod ntldr
insmod ntfs
ntldr (hd1,X)/bootmgr
}
(Change X to reflect the relevant system partition.)
Then update the grub config:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
There is no need to reinstall grub itself.
Linux
If you have had to change to legacy boot mode then you may have to reinstall grub in the existing OS. (Make sure that you use grub rather than a grub-efi version).
Micah Lee suggests installing grub to a partition, and then installing Qubes with grub installed in MBR.
If you take this approach then you need to add to /etc/grub.d/40_custom in Qubes dom0:
menuentry "Other Linux" {
set root=(hd1,X)
chainloader +1
}
(Change X to reflect the relevant partition where grub is installed.)
Then update the grub config:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
There is no need to reinstall grub itself.
Existing /boot partition, grub installed in MBR
Most distros will have already installed grub to the MBR.
It is possible to use the same /boot for both OS.
To do this, do NOT choose the automatic configuration option when installing
Qubes.
Select 'custom' layout, and assign the existing /boot partition as /boot.
Deselect the 'Format' option.
Then continue with the installation.
This will install the qubes boot files in /boot alongside the existing files,
but overwrite the grub.cfg file in /boot/grub2.
If the other distro uses legacy grub you can simply copy the relevant sections from /boot/grub/grub.cfg into /etc/grub.d/40_custom.
If the other distro uses grub2 then copy the relevant sections from the backup you made into /etc/grub.d/40_custom.
Then update the grub config:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
Troubleshooting
If you install Qubes without making any backups beforehand, don't worry. If you didn't overwrite the original partitions, then it is usually possible to recover your old systems relatively easily, as described above.
If you decided to use a shared /boot and dont have backups of your previous
grub config, it is quite easy to fix this.
This example may help.
- Boot into Qubes.
- Back up (at a minimum) /boot/grub2
- Identify the partition containing the other OS.
- Then mount the other OS and chroot in to it.
sudo mount /dev/sdX /mnt
sudo mount --bind /dev/sdY /mnt/boot
sudo mount --bind /dev /mnt/dev
sudo mount --bind /dev/pts /mnt/dev/pts
sudo mount --bind /proc /mnt/proc
sudo mount --bind /sys /mnt/sys
sudo chroot /mnt
- Update the grub config:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg.new
- Exit out the chroot, and reverse the mounts.
- Copy the relevant sections from /boot/grub2/grub.cfg.new in to /etc/grub.d/40_custom.
- Update the grub config:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg