Lead-up message 'Welcome to GRUB!' inverted text printed lowlevel via BIOS ?!?

Lead-up message 'Welcome to GRUB!' inverted text printed lowlevel via BIOS ?!?

[Robo L]

[-- Attachment #1: Type: text/plain, Size: 1060 bytes --]

Hi all,

Firstly I would like to thank everyone for the reply and Your time.

I would like to clarify the issue.
First I need to hide the very first Welcom message because I need to hide
GRUB for other users of MS Windows on my PC. I need it only for myself.
Richard: redirection is not good idea for me, becouse II need classical
console. I wrote a module with hidden password (secret process - no response
on console - silent) If match then redirect to boot linux. The nature of the
process is that another user on my PC not venture a guess that there is a
GRUB and secound linux OS!

As a second I would like to understand how it works with the printing,
because I spent much time reversed analysis and still I can not understand
who, where and when print the first inverted message "Welcome to GRUB!".

Who, where and how much bothers me more than the original problem.

btw: for test I remove all Welcome message from binary (search for full
disk, MBR too) files and message is still printing :-)

Robo
-- 
-----------------------------------------
E=mc2

[-- Attachment #2: Type: text/html, Size: 1151 bytes --]

Re: Lead-up message 'Welcome to GRUB!' inverted text printed lowlevel via BIOS ?!?

[Colin Watson]

On Sun, Feb 21, 2010 at 11:00:57AM +0100, Robo L wrote:
> As a second I would like to understand how it works with the printing,
> because I spent much time reversed analysis and still I can not understand
> who, where and when print the first inverted message "Welcome to GRUB!".

grep should have found it ... it's in kern/main.c, in the grub_main
function.

> btw: for test I remove all Welcome message from binary (search for full
> disk, MBR too) files and message is still printing :-)

This is free software.  Rebuild the source, don't edit the binary :-)

-- 
Colin Watson                                       [cjwatson@ubuntu.com]

Re: Lead-up message 'Welcome to GRUB!' inverted text printed lowlevel via BIOS ?!?

[Robo L]

[-- Attachment #1: Type: text/plain, Size: 327 bytes --]

Hi Colins,

I found this function and make comment long ago
After compilations welcome text not exist in binaries and GRUB still printed
Welcome.
Must be other function. I search in asm code, but still unsuccessfully.

Rebuild or reedit binaries is like a last kick of dead :-)

btw: This function do not print Inverted.

Robo

[-- Attachment #2: Type: text/html, Size: 871 bytes --]

Re: Lead-up message 'Welcome to GRUB!' inverted text printed lowlevel via BIOS ?!?

[Colin Watson]

On Sun, Feb 21, 2010 at 08:56:15PM +0100, Robo L wrote:
> I found this function and make comment long ago
> After compilations welcome text not exist in binaries and GRUB still printed
> Welcome.
> Must be other function. I search in asm code, but still unsuccessfully.

No, that's the only place it comes from.  If you're still seeing it,
then you haven't properly reinstalled the rebuilt version, somehow.
Perhaps you didn't run grub-install, or perhaps you ran it with the
wrong destination.

> btw: This function do not print Inverted.

It's called as follows:

  grub_setcolorstate (GRUB_TERM_COLOR_HIGHLIGHT);
  grub_printf ("Welcome to GRUB!\n\n");
  grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);

The grub_setcolorstate calls are what causes the message to be printed
in inverse video.

-- 
Colin Watson                                       [cjwatson@ubuntu.com]

Re: Lead-up message 'Welcome to GRUB!' inverted text printed lowlevel via BIOS ?!?

[richardvoigt]

On Sun, Feb 21, 2010 at 4:00 AM, Robo L <robo.om1ld@gmail.com> wrote:
>
> Hi all,
>
> Firstly I would like to thank everyone for the reply and Your time.
>
> I would like to clarify the issue.
> First I need to hide the very first Welcom message because I need to hide
> GRUB for other users of MS Windows on my PC. I need it only for myself.

I'm not entirely certain, but:

(1) I think GRUB is licensed under GPLv3 or higher only
(2) GPLv3 covers what were considered to be loopholes in GPLv2
(firmware enforced signature, software-as-a-service)
therefore
(3) Your use of GRUB (copying it into the boot record) requires you to
provide your users with notice of their GPL rights to your version of
GRUB.

So one can hardly say that "another user on my PC not venture a guess
that there is a GRUB" if you are required to tell them that GRUB is
there and offer them the source code.

> Richard: redirection is not good idea for me, becouse II need classical
> console. I wrote a module with hidden password (secret process - no response
> on console - silent) If match then redirect to boot linux. The nature of the
> process is that another user on my PC not venture a guess that there is a
> GRUB and secound linux OS!

Security through obscurity is never a good idea and especially not
when you have to give away the source code.

Licensing Re: Lead-up message 'Welcome to GRUB!' ...

[Isaac Dupree]

On 02/21/10 15:38, richardvoigt@gmail.com wrote:
> On Sun, Feb 21, 2010 at 4:00 AM, Robo L<robo.om1ld@gmail.com>  wrote:
>>
>> Hi all,
>>
>> Firstly I would like to thank everyone for the reply and Your time.
>>
>> I would like to clarify the issue.
>> First I need to hide the very first Welcom message because I need to hide
>> GRUB for other users of MS Windows on my PC. I need it only for myself.
>
> I'm not entirely certain, but:
>
> (1) I think GRUB is licensed under GPLv3 or higher only

yes

> (2) GPLv3 covers what were considered to be loopholes in GPLv2
> (firmware enforced signature, software-as-a-service)
> therefore

well, GPLv3 is not identical to GPLv2, but I don't think the differences 
are important to this issue.

> (3) Your use of GRUB (copying it into the boot record) requires you to
> provide your users with notice of their GPL rights to your version of
> GRUB.

No, I think it probably does not.  Firstly, because Robo L may not be 
"conveying" the program (see definition in GPLv3), and if not, cannot 
possibly be violating GPLv3.

http://www.fsf.org/licensing/licenses/gpl-faq.html#GPLRequireSourcePostedPublic

Secondly, even if installing it to the hard disk of a computer that is 
shared between you and other people (or other corporations) is 
"conveying", GPLv3 Section 5 says, "d) If the work has interactive user 
interfaces, each must display Appropriate Legal Notices; however, if the 
Program has interactive interfaces that do not display Appropriate Legal 
Notices, your work need not make them do so."

I didn't check whether mainstream GRUB interaction displays Appropriate 
Legal Notices.  ("Welcome to GRUB!" is most certainly NOT an Appropriate 
Legal Notice.)  If it doesn't, you're free.  If it does, I think you 
still do not need to display Appropriate Legal Notices until 
"interactive user interfaces" have been activated; say, by typing in the 
secret code that activates them.  In section 0. Definitions, "An 
interactive user interface displays “Appropriate Legal Notices” to the 
extent that it includes a convenient and prominently visible feature 
that [says it's GPLed, etc.].  If the interface presents a list of user 
commands or options, such as a menu, a prominent item in the list meets 
this criterion."  I don't see "interactive user interfaces" defined 
anywhere in the GPL or mentioned in GPL-FAQ, so I am hardly sure whether 
a secret password-entry system that only interacts by secretly reading a 
password (and then brings up the "real" interactive interface) would 
count as an interactive interface in its own right that must tell the 
user about itself even when they don't know the password... The 
Affero-GPL is written with further language about interaction, but as I 
guess that the normal GPL wouldn't make a GPL'd SSH server program have 
to break the SSH protocol in order to fulfill Legal Notices, there must 
be some limits on what is considered "interaction"...

I doubt the GPL was written with surreptitious installation of software 
on other people's computers in mind... well, maybe it was

>
> So one can hardly say that "another user on my PC not venture a guess
> that there is a GRUB" if you are required to tell them that GRUB is
> there and offer them the source code.
>
>> Richard: redirection is not good idea for me, becouse II need classical
>> console. I wrote a module with hidden password (secret process - no response
>> on console - silent) If match then redirect to boot linux. The nature of the
>> process is that another user on my PC not venture a guess that there is a
>> GRUB and secound linux OS!
>
> Security through obscurity is never a good idea and especially not
> when you have to give away the source code.

You have to give the source code when requested, or distribute it 
on-disk along with the binary... neither of which compromise security 
here.  It's not a secret algorithm; it's a secret that GRUB is there at 
all. (GPLv3 section 5.d , if obeyed strictly, might break this secret -- 
but that is all).

Depending what Robo L's threat model is, this "no messages until secret 
code entered" may be sufficient security.  Suppose it's to prevent other 
people from giving Robo a hard time about using Linux (they'd never 
suspect it in the first place! Or, they wouldn't mind terribly much if 
they found out.).  Or suppose it's part of spying on these people (and 
getting caught means Robo runs away but has succeeded in doing some 
spying in the meantime).

Re: Licensing Re: Lead-up message 'Welcome to GRUB!' ...

[richardvoigt]

On Mon, Feb 22, 2010 at 4:31 PM, Isaac Dupree
<ml@isaac.cedarswampstudios.org> wrote:
> On 02/21/10 15:38, richardvoigt@gmail.com wrote:
>>
>> On Sun, Feb 21, 2010 at 4:00 AM, Robo L<robo.om1ld@gmail.com>  wrote:
>>>
>>> Hi all,
>>>
>>> Firstly I would like to thank everyone for the reply and Your time.
>>>
>>> I would like to clarify the issue.
>>> First I need to hide the very first Welcom message because I need to hide
>>> GRUB for other users of MS Windows on my PC. I need it only for myself.
>>
>> I'm not entirely certain, but:
>>
>> (1) I think GRUB is licensed under GPLv3 or higher only
>
> yes
>
>> (2) GPLv3 covers what were considered to be loopholes in GPLv2
>> (firmware enforced signature, software-as-a-service)
>> therefore
>
> well, GPLv3 is not identical to GPLv2, but I don't think the differences are
> important to this issue.
>
>> (3) Your use of GRUB (copying it into the boot record) requires you to
>> provide your users with notice of their GPL rights to your version of
>> GRUB.
>
> No, I think it probably does not.  Firstly, because Robo L may not be
> "conveying" the program (see definition in GPLv3), and if not, cannot
> possibly be violating GPLv3.

You're right, the loophole I mentioned in #2 was plugged in AGPL in a
way that only covers over-the-network use and thus probably not Robo's
scenario.

>
> http://www.fsf.org/licensing/licenses/gpl-faq.html#GPLRequireSourcePostedPublic
>
> Secondly, even if installing it to the hard disk of a computer that is
> shared between you and other people (or other corporations) is "conveying",
> GPLv3 Section 5 says, "d) If the work has interactive user interfaces, each
> must display Appropriate Legal Notices; however, if the Program has
> interactive interfaces that do not display Appropriate Legal Notices, your
> work need not make them do so."
>
> I didn't check whether mainstream GRUB interaction displays Appropriate
> Legal Notices.  ("Welcome to GRUB!" is most certainly NOT an Appropriate
> Legal Notice.)  If it doesn't, you're free.  If it does, I think you still

I never meant to suggest that removing the message was forbidden, just
that if there is a requirement to offer source code to the users then
it's pointless to hide the message.

> do not need to display Appropriate Legal Notices until "interactive user
> interfaces" have been activated; say, by typing in the secret code that
> activates them.  In section 0. Definitions, "An interactive user interface

Anything that accepts a secret code and responds to it is an
interactive user interface.

> displays “Appropriate Legal Notices” to the extent that it includes a
> convenient and prominently visible feature that [says it's GPLed, etc.].  If
> the interface presents a list of user commands or options, such as a menu, a
> prominent item in the list meets this criterion."  I don't see "interactive
> user interfaces" defined anywhere in the GPL or mentioned in GPL-FAQ, so I
> am hardly sure whether a secret password-entry system that only interacts by
> secretly reading a password (and then brings up the "real" interactive
> interface) would count as an interactive interface in its own right that
> must tell the user about itself even when they don't know the password...
> The Affero-GPL is written with further language about interaction, but as I
> guess that the normal GPL wouldn't make a GPL'd SSH server program have to
> break the SSH protocol in order to fulfill Legal Notices, there must be some
> limits on what is considered "interaction"...
>
> I doubt the GPL was written with surreptitious installation of software on
> other people's computers in mind... well, maybe it was

It definitely covers putting a copy on someone else's computer.  But
Robo said he's installing it on his own computer.  And GPLv3 doesn't
seem to put restrictions on that like AGPLv3 does.

>
>>
>> So one can hardly say that "another user on my PC not venture a guess
>> that there is a GRUB" if you are required to tell them that GRUB is
>> there and offer them the source code.
>>
>>> Richard: redirection is not good idea for me, becouse II need classical
>>> console. I wrote a module with hidden password (secret process - no
>>> response
>>> on console - silent) If match then redirect to boot linux. The nature of
>>> the
>>> process is that another user on my PC not venture a guess that there is a
>>> GRUB and secound linux OS!
>>
>> Security through obscurity is never a good idea and especially not
>> when you have to give away the source code.
>
> You have to give the source code when requested, or distribute it on-disk
> along with the binary... neither of which compromise security here.  It's

I doubt that putting a copy on a hidden partition satisfies the GPL.
Here, let me sell you some GPL software on a DVD, oh yeah there's an
advertisement video on a second track and the source code is embedded
via stenography.

> not a secret algorithm; it's a secret that GRUB is there at all. (GPLv3
> section 5.d , if obeyed strictly, might break this secret -- but that is
> all).

The secret password to activate GRUB may be in the source code, or
possibly the algorithm for locating it on the disk is.  Using a
one-way hash could fix that problem of course.

>
> Depending what Robo L's threat model is, this "no messages until secret code
> entered" may be sufficient security.  Suppose it's to prevent other people
> from giving Robo a hard time about using Linux (they'd never suspect it in
> the first place! Or, they wouldn't mind terribly much if they found out.).
>  Or suppose it's part of spying on these people (and getting caught means
> Robo runs away but has succeeded in doing some spying in the meantime).

That last one sounds at least as illegal as GPL violation.  In most
places if computer use is being monitored then the user has to be
informed of the possibility.

Re: Licensing Re: Lead-up message 'Welcome to GRUB!' ...

[edgar.soldin]

What is this all about?

There are two topics here.
A) How can he remove the message?
B) Is removing it a violation of the license?

Answer to the first question A is already given.

Answer to B is short, but plain simple.
GPL gives everybody the right to modify the software as he/she wants to.
Only if the resulting software is given to others, the distributor is 
enforced to inform them of the license and offer the sourcecode. Hence, 
he is perfectly in his rights to remove the message. If the resulting 
grub is given to others he must inform them of the license and offer the 
sourcecode. A printed flyer naming software and license does it 
perfectly well. And again. Only if he distributes the software. Does he 
use it in his own company, the there is no need to tell anybody.
There is no obligation enforced by the GPL that says that a software 
name or license has to be printed on screen or such. It merely states

> d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.

It says if user interfaces show legal info, he's is not allowed to 
remove them. It doesn't say anything about the visibility of interfaces. 
Hence, if they are not shown (e.g. boot without pressing special keys), 
then there is no legal information.

Kind regards ede


On 23.02.2010 01:43, richardvoigt@gmail.com wrote:
> On Mon, Feb 22, 2010 at 4:31 PM, Isaac Dupree
> <ml@isaac.cedarswampstudios.org>  wrote:
>> On 02/21/10 15:38, richardvoigt@gmail.com wrote:
>>>
>>> On Sun, Feb 21, 2010 at 4:00 AM, Robo L<robo.om1ld@gmail.com>    wrote:
>>>>
>>>> Hi all,
>>>>
>>>> Firstly I would like to thank everyone for the reply and Your time.
>>>>
>>>> I would like to clarify the issue.
>>>> First I need to hide the very first Welcom message because I need to hide
>>>> GRUB for other users of MS Windows on my PC. I need it only for myself.
>>>
>>> I'm not entirely certain, but:
>>>
>>> (1) I think GRUB is licensed under GPLv3 or higher only
>>
>> yes
>>
>>> (2) GPLv3 covers what were considered to be loopholes in GPLv2
>>> (firmware enforced signature, software-as-a-service)
>>> therefore
>>
>> well, GPLv3 is not identical to GPLv2, but I don't think the differences are
>> important to this issue.
>>
>>> (3) Your use of GRUB (copying it into the boot record) requires you to
>>> provide your users with notice of their GPL rights to your version of
>>> GRUB.
>>
>> No, I think it probably does not.  Firstly, because Robo L may not be
>> "conveying" the program (see definition in GPLv3), and if not, cannot
>> possibly be violating GPLv3.
>
> You're right, the loophole I mentioned in #2 was plugged in AGPL in a
> way that only covers over-the-network use and thus probably not Robo's
> scenario.
>
>>
>> http://www.fsf.org/licensing/licenses/gpl-faq.html#GPLRequireSourcePostedPublic
>>
>> Secondly, even if installing it to the hard disk of a computer that is
>> shared between you and other people (or other corporations) is "conveying",
>> GPLv3 Section 5 says, "d) If the work has interactive user interfaces, each
>> must display Appropriate Legal Notices; however, if the Program has
>> interactive interfaces that do not display Appropriate Legal Notices, your
>> work need not make them do so."
>>
>> I didn't check whether mainstream GRUB interaction displays Appropriate
>> Legal Notices.  ("Welcome to GRUB!" is most certainly NOT an Appropriate
>> Legal Notice.)  If it doesn't, you're free.  If it does, I think you still
>
> I never meant to suggest that removing the message was forbidden, just
> that if there is a requirement to offer source code to the users then
> it's pointless to hide the message.
>
>> do not need to display Appropriate Legal Notices until "interactive user
>> interfaces" have been activated; say, by typing in the secret code that
>> activates them.  In section 0. Definitions, "An interactive user interface
>
> Anything that accepts a secret code and responds to it is an
> interactive user interface.
>
>> displays “Appropriate Legal Notices” to the extent that it includes a
>> convenient and prominently visible feature that [says it's GPLed, etc.].  If
>> the interface presents a list of user commands or options, such as a menu, a
>> prominent item in the list meets this criterion."  I don't see "interactive
>> user interfaces" defined anywhere in the GPL or mentioned in GPL-FAQ, so I
>> am hardly sure whether a secret password-entry system that only interacts by
>> secretly reading a password (and then brings up the "real" interactive
>> interface) would count as an interactive interface in its own right that
>> must tell the user about itself even when they don't know the password...
>> The Affero-GPL is written with further language about interaction, but as I
>> guess that the normal GPL wouldn't make a GPL'd SSH server program have to
>> break the SSH protocol in order to fulfill Legal Notices, there must be some
>> limits on what is considered "interaction"...
>>
>> I doubt the GPL was written with surreptitious installation of software on
>> other people's computers in mind... well, maybe it was
>
> It definitely covers putting a copy on someone else's computer.  But
> Robo said he's installing it on his own computer.  And GPLv3 doesn't
> seem to put restrictions on that like AGPLv3 does.
>
>>
>>>
>>> So one can hardly say that "another user on my PC not venture a guess
>>> that there is a GRUB" if you are required to tell them that GRUB is
>>> there and offer them the source code.
>>>
>>>> Richard: redirection is not good idea for me, becouse II need classical
>>>> console. I wrote a module with hidden password (secret process - no
>>>> response
>>>> on console - silent) If match then redirect to boot linux. The nature of
>>>> the
>>>> process is that another user on my PC not venture a guess that there is a
>>>> GRUB and secound linux OS!
>>>
>>> Security through obscurity is never a good idea and especially not
>>> when you have to give away the source code.
>>
>> You have to give the source code when requested, or distribute it on-disk
>> along with the binary... neither of which compromise security here.  It's
>
> I doubt that putting a copy on a hidden partition satisfies the GPL.
> Here, let me sell you some GPL software on a DVD, oh yeah there's an
> advertisement video on a second track and the source code is embedded
> via stenography.
>
>> not a secret algorithm; it's a secret that GRUB is there at all. (GPLv3
>> section 5.d , if obeyed strictly, might break this secret -- but that is
>> all).
>
> The secret password to activate GRUB may be in the source code, or
> possibly the algorithm for locating it on the disk is.  Using a
> one-way hash could fix that problem of course.
>
>>
>> Depending what Robo L's threat model is, this "no messages until secret code
>> entered" may be sufficient security.  Suppose it's to prevent other people
>> from giving Robo a hard time about using Linux (they'd never suspect it in
>> the first place! Or, they wouldn't mind terribly much if they found out.).
>>   Or suppose it's part of spying on these people (and getting caught means
>> Robo runs away but has succeeded in doing some spying in the meantime).
>
> That last one sounds at least as illegal as GPL violation.  In most
> places if computer use is being monitored then the user has to be
> informed of the possibility.
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> http://lists.gnu.org/mailman/listinfo/grub-devel