manual: Add section about using GNU Boot.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> neox: - fixed a typo - found duplicated see in "(see the @pxref{,,,guix,GNU Guix reference manual} for more details).", "See the @pxref{Security features}" - fixed duplicated see in "they are also documented in the @pxref{,,,grub,GNU GRUB manual} as well", "and @pxref{Building GNU Boot from [...]}" Acked-by: Adrien Bourmault <neox@gnu.org>
2024-11-24 18:10:54 +01:00 · 2024-11-24 18:10:54 +01:00 · c85fbae78f
parent 3f9b38739f
commit c85fbae78f
1 changed files with 99 additions and 1 deletions
--- a/manual/gnuboot.texi
+++ b/manual/gnuboot.texi
@ -55,6 +55,7 @@ This manual is for GNU Boot version @value{VERSION}.
@menu
 * Overview::					General purpose and information.
 * Supported hardware and configurations::
+* Using GNU Boot::
 * Building GNU Boot from source::
 * Helping GNU Boot::				How to contribute to GNU Boot
 * GNU Free Documentation License::		Copying and sharing this documentation.
@ -680,7 +681,9 @@ ftp.gnu.org/gnu/gnuboot/).

 But depending on your threat model, it could be a good idea to build
 GNU Boot from source yourself instead, to avoid certain security
-attacks.
+attacks. @xref{Security features} section for more context with
+security and threat models and @ref{Building GNU Boot from source}
+for more details about the security attacks mentioned above.

 Once GNU Boot is downloaded or built, you will need to understand
 which files you need to install or upgrade. @xref{Supported hardware
@ -695,6 +698,101 @@ instructions can be found in the GNU Boot website. We need help to
 migrate these instructions in the manual and make them easier to
 understand.

+@node Using GNU Boot
+@chapter Using GNU Boot
+
+@node Using GNU Boot with QEMU
+@section Using GNU Boot with QEMU
+
+The GNU Boot project also release images for QEMU.
+
+If you just want to try an image to see how it looks like you can use
+the following command:
+
+@example
+qemu-system-x86_64 -M pc \
+-bios grub_qemu-pc_2mb_corebootfb_usqwerty.rom
+@end example
+
+Here you need to replace
+@emph{grub_qemu-pc_2mb_corebootfb_usqwerty.rom} by the
+path to the image you want to try.
+
+For a more complete example, you can look in the GNU Boot source code
+as GNU Boot uses QEMU to run some automatic tests that boots Trisquel
+11 (aramo).
+
+Also note that the GNU Boot images for QEMU can be useful in some
+situations, but it doesn't fully replace tests run on real computers.
+
+For instance a distribution or operating system might work on QEMU but
+not work on real hardware due to an incomplete graphic driver for the
+real hardware GPU.
+
+@node Security features
+@section Security features
+@cindex secure boot
+@cindex threat modelling
+
+Note that security is a process. To really make it work you need to
+understand various threats and how to respond to them (this is called
+@dfn{threat modelling}), so what security feature to use or not to use
+depends on your life, use cases, etc.
+
+Also note that in general some security features also have downsides,
+such as making it harder to use the computer, making it harder to fix
+issues, etc, so not everybody might want these security features.
+
+As for security features typically found in other boot software, some
+computers vendor sell computers with what they call @dfn{secure
+boot}. When it cannot be turned off, it becomes an anti-feature and
+the @uref{https://www.fsf.org/,Free Software Foundation} calls it
+@dfn{restricted boot}.
+
+In 2012, the @uref{https://www.fsf.org/,Free Software Foundation}
+wrote
+@uref{https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/campaigns/secure-boot-vs-restricted-boot/whitepaper.pdf,a
+whitepaper}, on the topic and advised that:
+
+@verbatim
+The best solution currently available for operating system distributions
+includes:
+1. fully supporting user-generated keys, including providing tools and full
+documentation for booting and installing both modified and official
+versions of the distribution using this method;
+2. using a GPLv3-covered bootloader to help protect users against the
+dangers of Restricted Boot;
+3. avoiding requiring or encouraging users to trust Microsoft or any com-
+pany which makes proprietary software; and
+4. joining the FSF and the broader free software movement in pressuring
+computer distributors to facilitate easy and independent installation of
+free software operating systems on any computer.
+@end verbatim
+
+GNU Boot supports various security mechanism: GRUB is a GPLv3-covered
+bootloader that GNU Boot reuses, and it supports user-generated keys
+or other security mechanism that that don't require any signing
+keys.
+
+GNU Boot also obviously doesn't Trust keys from companies that make
+proprietary software.
+
+At the end when used correctly, the security features provided by GNU
+Boot thanks to the software it reuses (like GRUB) can provide similar
+or stronger security guarantees than the UEFI secure boot with
+different security features that you may or may not want want to use
+depending on your threat model.
+
+The GNU Boot Website contains various information on how to use such
+security features, but they are also documented in the
+@ref{,,,grub,GNU GRUB manual} as well in more details. Since the GRUB
+version GNU Boot uses might be older than the online GRUB manual, you
+can use Guix to install the manual of older GRUB versions
+(@pxref{,,,guix,GNU Guix reference manual} for more details).
+
+All the security mechanism described in the GRUB manual or GNU Boot
+website are compatible with users freedom.
+
@node Building GNU Boot from source
@chapter Building GNU Boot from source