This post is a quick report on vBoot deployment at the university lab. We've successfully deployed vBoot and Windows 7 x64 on 4 PCs and will deploy on other PCs as soon as we will be sure that everything works fine.

The deployment process consists of three parts: preparing HDD image, deploying it to the physical PCs and performing final touches.

Part I: prepare HDD image
I.1. Prepare VMware virtual machine with all necessary software (we use VMware only because we have one; I suppose that VMLite Workstation can be used as well)
I.2. Create a snapshot (we can use this snapshot to revert undesirable changes later) and then a full clone from that snapshot (full clone is necessary to consolidate all snapshots to a single VMDK file)
I.3. Run a SYSPREP with parameters /oobe and /generalize on a clone (SYSPREP will prepare Windows for cloning) and shutdown VM
I.4. Prepare VMDK with vbootctl (see section 8 of vmlite.com/vboot/instructions.html) and copy VMDK file to a portable HDD
I.5. Copy all vBoot files to a portable HDD too

Part II: deploy vBoot and image
II.1. Boot the PC to WinPE (we've used USB CDROM and Windows 7 x64 setup disk) and invoke command prompt with Shift+F10
II.2. Create necessary disk partitions, perform format and assign temporary drive letters with DISKPART (available in WinPE)
II.3. Install vBoot fro portable HDD with vbootedit64 (see section 2.2 of vmlite.com/vboot/instructions.html)
II.4. Modify grub.cfg according to your installation (we've created two entries -- one for the OS and another for the same OS in immutable mode with immutable being default and also set password protection)
II.5. Copy prepared VMDK image to the physical HDD (again it could be not only VMDK but also VDI, VHD, etc.)
II.6. Reboot and make sure that OS boots fine in normal mode as well as in immutable mode

Part III: perform final touches
III.1. Boot OS in normal mode
III.2. Check user settings and ensure that all programs work fine
III.3. Activate Windows
III.4. DONE

Should anyone have questions I will be glad to answer.

Thanks for the report.

That was only the beginning

Now I'd like to consider in more detail how to deploy vBoot using Windows 7 x64 setup disk.

I assume we have a clean PC without any partitions on a single HDD and a portable USB HDD with following folders:
* vboot -- unpacked vboot archive (downloaded from this site);
* images -- folder with HDD images;
* config -- folder with modified grub.cfg (with all entries set up as necessary, see attachment).

We will be using following HDD layout:
* partition 1 (label vBoot) -- vBoot files, 500 Mb;
* partition 2 (label ScratchPad) -- persistent user files (preserved between reboots), 150 Gb;
* partition 3 (label VHDs) -- disk images, all remaining space.


1. Boot from Windows setup disk

2. On first GUI screen press Shift+F10 to invoke command prompt

3. Run DISKPART.EXE and issue following commands (commands are in bold and my comments are in small italics); you can find more info on diskpart tool at support.microsoft.com/kb/300415

Select first (the only) HDD, indexes begin with 0
select disk 0
Create partition 1 (BTW, partition indexes begin with 1 in diskpart), size in Mb
Note: diskpart automatically selects a partition when you create one
create partition primary size=500
Quick format the partition to NTFS file system
format label="vBoot" quick
Mark the partition as active
active
Assign a drive letter
Note: on my system letter D: is assigned to the CDROM and letter X: is assigned to the ramdisk
assign letter=y
Now perform basically the same steps for the second partition
DO NOT make this partition active
Do not assign a drive letter as we do not need this partition right now
create partition primary size=150000
format label="ScratchPad" quick
And for the third partition
We do not specify any size so partition occupies all unpartitioned space
create partition primary
format label="VHDs" quick
assign letter=z
Now close diskpart
exit

At this point we have drive letters Y: and Z: pointing to partitions for vBoot and disk images respectively.

5. Connect portable USB HDD (I will assume it receives E: drive letter)

4. Invoke command
e:\vboot\vbootedit64.exe install /drive y: /mbr
to install vBoot to the master boot record and copy necessary files to the drive y:

5. Invoke command
copy e:\config\grub.cfg y:\vboot\grub
and overwrite existing config with the custom one (of course you have to edit grub.cfg according to your needs); you could replace grub.cfg in the original vboot folder on portable HDD too, but I prefer to keep vboot distribution clean and unmodified

6. Invoke command
copy e:\images\<your_hdd_image> z:\
to copy disk image to the respective partition

7. Close command prompt and abort Windows setup; the system will reboot and you should be able to boot OS from your image


The steps presented here are generic enough. You could tweak commands a little to install vBoot from Windows 7 x32 or Windows XP setup environments.

Note: the attached file renamed to grub.txt as forum doesn't allow uploading files with arbitrary extensions.

We've deployed vBoot at university lab. So the next topic I'd like to discuss is how to protect boot entries with a password.

Password protection mechanism is a part of GRUB2 loader which is vBoot based on. To enable password protection you have to add two simple entries to grub.cfg (actual entries are in bold and my comments are in small italics)):

Designate a user with full set of privileges
set superusers="admin"
Set passwords for users
In case of multiple users add multiple lines
Note: passwords are stored in plain text so restrict read access to grub.cfg in OS
password admin mypassword

The superuser will be able to boot any entry from the menu as well as use 'c' and 'e' hotkeys to invoke GRUB/vBoot command prompt or edit boot entry on the fly. Anonymous user will not be able to use 'c' and 'e' hotkeys.

To restrict certain boot entry to some user we should add --users <username> after the menuentry label, e.g.:

menuentry "Laboratory (unsafe)" --users user1 {
vboot harddisk="(hd0,3)/BMSTU_Laboratory.vmdk"
}

In this example only the user with login "user1" and superuser will be able to boot entry called "Laboratory (unsafe)".

For the complete example please refer to grub.txt in my previous post. In that example I've created two boot entries:
* entry "Laboratory" can be booted by any user (no password prompt)
* entry "Laboratory (unsafe)" can be booted only by "admin" user (vBoot will prompt for login and password)
For additional info on GRUB2 password protection please refer to ubuntuforums.org/showthread.php?t=1369019

Unfortunately at present there is no way to restrict usage of 's', 'r' and 'i' hotkeys (snapshot, revert and immutable respectively).

As I've mentioned in my previous post we have to restrict read/write access on grub.cfg in the operating system. Another solution (that we prefer) is to hide vboot partition entirely.

After we set up vBoot and Windows disk letters were mapped as follows:
* drive C: -- Windows files
* drive D: -- vBoot partition
* drive E: -- ScratchPad partition with swap
* drive F: -- VHDs partition
Windows automatically put swap on E: to separate system and swap drives (our vBoot partition is too small for swap).

We'd like to hide vBoot and VHDs partitions from windows users. The easiest way to achieve this is to unmap (or unassign) drive letters. So we did the following:
1. Disabled swap file entirely (to change ScratchPad drive letter) and rebooted
2. Removed vBoot and VHDs drive letters (with disk management MMC snap-in)
3. Changed ScratchPad drive letter to D:
4. Enabled swap on D: (ScratchPad) drive and rebooted again

Note the swap is on a physical partition. In my opinion this should speed the system up and reduce workload on vBoot driver.

This way we've secured our files (vBoot as well as HDD images) and created illusion that our system has only two drives. To change drive letters user has to be computer administrator.