Boot sector

Last updated
This example show various components of GNU GRUB distributed over sectors of a hard disk. When GRUB is installed on a hard disk, boot.img is written into the boot sector of that hard disk. boot.img has a size of only 446 bytes. GNU GRUB components.svg
This example show various components of GNU GRUB distributed over sectors of a hard disk. When GRUB is installed on a hard disk, boot.img is written into the boot sector of that hard disk. boot.img has a size of only 446 bytes.

A boot sector is the sector of a persistent data storage device (e.g., hard disk, floppy disk, optical disc, etc.) which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware (e.g., the BIOS).

Contents

Usually, the first sector of the hard disk is the boot sector, regardless of sector size (512 or 4096 bytes) and partitioning flavor (MBR or GPT).

The purpose of defining one particular sector as the boot sector is inter-operability between firmware and various operating systems.

The purpose of chain loading first a firmware (e.g., the BIOS), then some code contained in the boot sector, and then, for example, an operating system, is maximal flexibility.

The IBM PC and compatible computers

On an IBM PC compatible machine, the BIOS selects a boot device, then copies the first sector from the device (which may be a MBR, VBR or any executable code), into physical memory at memory address 0x7C00. On other systems, the process may be quite different.

Unified Extensible Firmware Interface (UEFI)

The UEFI (not legacy boot via CSM) does not rely on boot sectors, UEFI system loads the boot loader (EFI application file in USB disk or in the EFI system partition) directly. [1] Additionally, the UEFI specification also contains "secure boot", which basically wants the UEFI code to be digitally signed.

Damage to the boot sector

In case a boot sector receives physical damage, the hard disk will no longer be bootable, unless used with a custom BIOS that defines a non-damaged sector as the boot sector. However, since the very first sector additionally contains data regarding the partitioning of the hard disk, the hard disk will become entirely unusable except when used in conjunction with custom software.

Partition tables

A disk can be partitioned into multiple partitions and, on conventional systems, it is expected to be. There are two definitions on how to store the information regarding the partitioning:

The presence of an IBM PC compatible boot loader for x86-CPUs in the boot sector is by convention indicated by a two-byte hexadecimal sequence 0x55 0xAA (called the boot sector signature) at the end of the boot sector (offsets 0x1FE and 0x1FF). This signature indicates the presence of at least a dummy boot loader which is safe to be executed, even if it may not be able actually to load an operating system. It does not indicate a particular (or even the presence of) file system or operating system, although some old versions of DOS 3 relied on it in their process to detect FAT-formatted media (newer versions do not). Boot code for other platforms or CPUs should not use this signature, since this may lead to a crash when the BIOS passes execution to the boot sector assuming that it contains valid executable code. Nevertheless, some media for other platforms erroneously contain the signature, anyway, rendering this check not 100% reliable in practice.

The signature is checked for by most system BIOSes since (at least) the IBM PC/AT (but not by the original IBM PC and some other machines). Even more so, it is also checked by most MBR boot loaders before passing control to the boot sector. Some BIOSes (like the IBM PC/AT) perform the check only for fixed disk/removable drives, while for floppies and superfloppies, it is enough to start with a byte greater or equal to 06h and the first nine words not to contain the same value, before the boot sector is accepted as valid, thereby avoiding the explicit test for 0x55, 0xAA on floppies. Since old boot sectors (e.g., very old CP/M-86 and DOS media) sometimes do not feature this signature despite the fact that they can be booted successfully, the check can be disabled in some environments. If the BIOS or MBR code does not detect a valid boot sector and therefore cannot pass execution to the boot sector code, it will try the next boot device in the row. If they all fail it will typically display an error message and invoke INT 18h. This will either start up optional resident software in ROM (ROM BASIC), reboot the system via INT 19h after user confirmation or cause the system to halt the bootstrapping process until the next power-up.

Systems not following the above described design are:

Operation

On IBM PC compatible machines, the BIOS is ignorant of the distinction between VBRs and MBRs, and of partitioning. The firmware simply loads and runs the first sector of the storage device. [3] If the device is a floppy or USB flash drive, that will be a VBR. If the device is a hard disk, that will be an MBR. It is the code in the MBR which generally understands disk partitioning, and in turn, is responsible for loading and running the VBR of whichever primary partition is set to boot (the active partition). The VBR then loads a second-stage bootloader from another location on the disk.

Furthermore, whatever is stored in the first sector of a floppy diskette, USB device, hard disk or any other bootable storage device, is not required to immediately load any bootstrap code for an OS, if ever. The BIOS merely passes control to whatever exists there, as long as the sector meets the very simple qualification of having the boot record signature of 0x55, 0xAA in its last two bytes. This is why it is easy to replace the usual bootstrap code found in an MBR with more complex loaders, even large multi-functional boot managers (programs stored elsewhere on the device which can run without an operating system), allowing users a number of choices in what occurs next. With this kind of freedom, abuse often occurs in the form of boot sector viruses.

Boot-sector viruses

Since code in the boot sector is executed automatically, boot sectors have historically been a common attack vector for computer viruses.

To combat this behavior, the system BIOS often includes an option to prevent software from writing to the first sector of any attached hard drives; it could thereby protect the master boot record containing the partition table from being overwritten accidentally, but not the volume boot records in the bootable partitions. [4] Depending on the BIOS, attempts to write to the protected sector may be blocked with or without user interaction. Most BIOSes, however, will display a popup message giving the user a chance to override the setting. The BIOS option is disabled by default because the message may not be displayed correctly in graphics mode and blocking access to the MBR may cause problems with operating system setup programs or disk access, encryption or partitioning tools like FDISK, which may not have been written to be aware of that possibility, causing them to abort ungracefully and possibly leaving the disk partitioning in an inconsistent state. [nb 1]

As an example, the malware NotPetya attempts to gain administrative privileges on an operating system, and then would attempt to overwrite the boot sector of a computer. [5] [6] The CIA has also developed malware that attempts to modify the boot sector in order to load additional drivers to be used by other malware. [7] Another Malware that overwrites boot sector is the MEMZ

See also

Notes

  1. One FDISK utility written to be aware of BIOS boot sector protection features is DR-DOS' FDISK R2.31 (and higher), which will detect this scenario and display additional interactive messages to guide the user through it. In contrast to other FDISK utilities, DR-DOS FDISK is not only a partitioning tool, but can also format freshly created partitions as FAT12, FAT16 or FAT32. This reduces the risk to accidentally format wrong volumes.

    Related Research Articles

    <span class="mw-page-title-main">BIOS</span> Firmware for hardware initialization and OS runtime services

    In computing, BIOS is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process. The BIOS firmware comes pre-installed on an IBM PC or IBM PC compatible's system board and exists in some UEFI-based systems to maintain compatibility with operating systems that do not support UEFI native operation. The name originates from the Basic Input/Output System used in the CP/M operating system in 1975. The BIOS originally proprietary to the IBM PC has been reverse engineered by some companies looking to create compatible systems. The interface of that original system serves as a de facto standard.

    <span class="mw-page-title-main">Booting</span> Process of starting a computer

    In computing, booting is the process of starting a computer as initiated via hardware such as a button on the computer or by a software command. After it is switched on, a computer's central processing unit (CPU) has no software in its main memory, so some process must load software into memory before it can be executed. This may be done by hardware or firmware in the CPU, or by a separate processor in the computer system.

    <span class="mw-page-title-main">Disk partitioning</span> Creation of separate accessible storage areas on a secondary computer storage device

    Disk partitioning or disk slicing is the creation of one or more regions on secondary storage, so that each region can be managed separately. These regions are called partitions. It is typically the first step of preparing a newly installed disk, before any file system is created. The disk stores the information about the partitions' locations and sizes in an area known as the partition table that the operating system reads before any other part of the disk. Each partition then appears to the operating system as a distinct "logical" disk that uses part of the actual disk. System administrators use a program called a partition editor to create, resize, delete, and manipulate the partitions. Partitioning allows the use of different filesystems to be installed for different kinds of files. Separating user data from system data can prevent the system partition from becoming full and rendering the system unusable. Partitioning can also make backing up easier. A disadvantage is that it can be difficult to properly size partitions, resulting in having one partition with too much free space and another nearly totally allocated.

    <span class="mw-page-title-main">GNU GRUB</span> Boot loader package

    GNU GRUB is a boot loader package from the GNU Project. GRUB is the reference implementation of the Free Software Foundation's Multiboot Specification, which provides a user the choice to boot one of multiple operating systems installed on a computer or select a specific kernel configuration available on a particular operating system's partitions.

    A boot disk is a removable digital data storage medium from which a computer can load and run (boot) an operating system or utility program. The computer must have a built-in program which will load and execute a program from a boot disk meeting certain standards.

    Logical block addressing (LBA) is a common scheme used for specifying the location of blocks of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; blocks are located by an integer index, with the first block being LBA 0, the second LBA 1, and so on.

    <span class="mw-page-title-main">Multi-booting</span> Act of installing multiple operating systems on a single computer

    Multi-booting is the act of installing multiple operating systems on a single computer, and being able to choose which one to boot. The term dual-booting refers to the common configuration of specifically two operating systems. Multi-booting may require a custom boot loader.

    <span class="mw-page-title-main">Bootloader</span> Software responsible for starting the Computer and Load other software to the CPU memory

    A bootloader, also spelled as boot loader or called bootstrap loader, is a computer program that is responsible for booting a computer. If it also provides an interactive menu with multiple boot choices then it's often called a boot manager.

    <span class="mw-page-title-main">UEFI</span> Operating system and firmware specification

    Unified Extensible Firmware Interface is a specification that defines the architecture of the platform firmware used for booting the computer hardware and its interface for interaction with the operating system. Examples of firmware that implement the specification are AMI Aptio, Phoenix SecureCore, TianoCore EDK II, InsydeH2O. UEFI replaces the BIOS which was present in the boot ROM of all personal computers that are IBM PC compatible, although it can provide backwards compatibility with the BIOS using CSM booting. Intel developed the original Extensible Firmware Interface (EFI) specification. Some of the EFI's practices and data formats mirror those of Microsoft Windows. In 2005, UEFI deprecated EFI 1.10.

    <span class="mw-page-title-main">Cylinder-head-sector</span> Historical method for giving addresses to physical data blocks on hard disk drives

    Cylinder-head-sector (CHS) is an early method for giving addresses to each physical block of data on a hard disk drive.

    An Option ROM for the PC platform is a piece of firmware that resides in ROM on an expansion card, which gets executed to initialize the device and (optionally) add support for the device to the BIOS. In its usual use, it is essentially a driver that interfaces between the BIOS API and hardware. Technically, an option ROM is firmware that is executed by the BIOS after POST and before the BIOS boot process, gaining complete control of the system and being generally unrestricted in what it can do. The BIOS relies on each option ROM to return control to the BIOS so that it can either call the next option ROM or commence the boot process. For this reason, it is possible for an option ROM to keep control and preempt the BIOS boot process. The BIOS generally scans for and initializes option ROMs in ascending address order at 2 KB address intervals within two different address ranges above address C0000h in the conventional (20-bit) memory address space; later systems may also scan additional address ranges in the 24-bit or 32-bit extended address space.

    <span class="mw-page-title-main">GUID Partition Table</span> Computer disk partitioning standard

    The GUID Partition Table (GPT) is a standard for the layout of partition tables of a physical computer storage device, such as a hard disk drive or solid-state drive, using universally unique identifiers (UUIDs), which are also known as globally unique identifiers (GUIDs). Forming a part of the Unified Extensible Firmware Interface (UEFI) standard, it is nevertheless also used for some BIOSs, because of the limitations of master boot record (MBR) partition tables, which use 32 bits for logical block addressing (LBA) of traditional 512-byte disk sectors.

    A volume boot record (VBR) is a type of boot sector introduced by the IBM Personal Computer. It may be found on a partitioned data storage device, such as a hard disk, or an unpartitioned device, such as a floppy disk, and contains machine code for bootstrapping programs stored in other parts of the device. On non-partitioned storage devices, it is the first sector of the device. On partitioned devices, it is the first sector of an individual partition on the device, with the first sector of the entire device being a Master Boot Record (MBR) containing the partition table.

    <span class="mw-page-title-main">EFI system partition</span> Partition used by Unified Extensible Firmware Interface

    The EFIsystem partition or ESP is a partition on a data storage device that is used by computers that have the Unified Extensible Firmware Interface (UEFI). When a computer is booted, UEFI firmware loads files stored on the ESP to start operating systems and various utilities.

    In BSD-derived computer operating systems and in related operating systems such as SunOS, a disklabel is a record stored on a data storage device such as a hard disk that contains information about the location of the partitions on the disk. Disklabels were introduced in the 4.3BSD-Tahoe release. Disklabels are usually edited using the disklabel utility. In later versions of FreeBSD, this was renamed as bsdlabel.

    <span class="mw-page-title-main">Windows Boot Manager</span> Boot process used in modern Windows NT-based products

    The Windows Boot Manager (BOOTMGR) is the bootloader provided by Microsoft for Windows NT versions starting with Windows Vista and Windows Server 2008. It is the first program launched by the BIOS or UEFI of the computer and is responsible for loading the rest of Windows. It replaced the NTLDR present in older versions of Windows.

    The Linux booting process involves multiple stages and is in many ways similar to the BSD and other Unix-style boot processes, from which it derives. Although the Linux booting process depends very much on the computer architecture, those architectures share similar stages and software components, including system startup, bootloader execution, loading and startup of a Linux kernel image, and execution of various startup scripts and daemons. Those are grouped into 4 steps: system startup, bootloader stage, kernel stage, and init process. When a Linux system is powered up or reset, its processor will execute a specific firmware/program for system initialization, such as Power-on self-test, invoking the reset vector to start a program at a known address in flash/ROM, then load the bootloader into RAM for later execution. In personal computer (PC), not only limited to Linux-distro PC, this firmware/program is called BIOS, which is stored in the mainboard. In embedded Linux system, this firmware/program is called boot ROM. After being loaded into RAM, bootloader will execute to load the second-stage bootloader. The second-stage bootloader will load the kernel image into memory, decompress and initialize it then pass control to this kernel image. Second-stage bootloader also performs several operation on the system such as system hardware check, mounting the root device, loading the necessary kernel modules, etc. Finally, the very first user-space process starts, and other high-level system initializations are performed.

    The BIOS boot partition is a partition on a data storage device that GNU GRUB uses on legacy BIOS-based personal computers in order to boot an operating system, when the actual boot device contains a GUID Partition Table (GPT). Such a layout is sometimes referred to as BIOS/GPT boot.

    <span class="mw-page-title-main">DOS</span> Family of IBM PC-compatible operating systems

    DOS is a family of disk-based operating systems for IBM PC compatible computers. The DOS family primarily consists of IBM PC DOS and a rebranded version, Microsoft's MS-DOS, both of which were introduced in 1981. Later compatible systems from other manufacturers include DR-DOS (1988), ROM-DOS (1989), PTS-DOS (1993), and FreeDOS (1998). MS-DOS dominated the IBM PC compatible market between 1981 and 1995.

    A master boot record (MBR) is a special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives intended for use with IBM PC-compatible systems and beyond. The concept of MBRs was publicly introduced in 1983 with PC DOS 2.0.

    References

    1. "UEFI - OSDev Wiki". wiki.osdev.org. Retrieved 2020-09-26.
    2. Commodore 128 Programmer's Reference Guide. Bantam Books. 1986. pp.  446–667. ISBN   0-553-34292-4.
    3. Smith, Roderick W. (2010-04-14). "Migrate to GRUB 2". Ibm.com. Retrieved 2013-03-05.
    4. "Intel Desktop Boards BIOS Settings Dictionary" (PDF). Intel . Retrieved 2013-09-01.
    5. "New Ransomware Variant "Nyetya" Compromises Systems Worldwide". blog.talosintelligence.com. 27 June 2017. Retrieved 2018-05-28.
    6. "In an era of global malware attacks, what happens if there's no kill switch?". CIO Dive. Retrieved 2018-05-28.
    7. "CIA Developed Windows Malware That Alters Boot Sector to Load More Malware". Information Security Newspaper. 2017-09-01. Retrieved 2018-05-28.