Hello everyone, I have the latest (2.04) grub installed with the following options:
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --modules="tpm gcry_sha256 gcry_sha512 gcry_rsa" --pubkey /root/bootkeys/secure-grub.pgp

Adding the --pubkey sets check_signatures=enforce, giving reasonable confidence that all the files that grub loads from my unencrypted /boot aren't tampered with. I have also added a password to my grub.cfg to prevent someone from just dropping to the grub shell and disabling check_signatures (as suggested in the grub manual).

Unfortunately I have discovered a flaw in this system. If grub cannot load my grub.cfg file (perhaps it doesn't exist, or it just fails signature verification) then it also drops to a grub shell, allowing someone to turn off check_signatures and load whatever they want. Thankfully I have additional measures to ensure a secure boot process, but I would still like to close this loophole by embedding the password command in the grub image rather than loading it with the rest of the main config.

I see that grub-mkimage has a --config option that allows me to embed a config file, however this isn't exposed in grub-install from what I can tell. I don't have a problem using grub-mkimage instead, but I am not clear on what auto-detection of drive paths and other features I may be missing out on by not using grub-install. How can I use grub-mkimage to produce the same image that grub-install would have? Alternatively, if there is a better solution to this loophole then I would love to hear it.

Thanks,
Rowan
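The approach Rowan describes, as an added example that is not part of the post or of GRUB's own tooling: a script that builds the EFI image with grub-mkimage instead of grub-install, embedding an early config (grub-mkimage -c) that sets superusers and password_pbkdf2 before any file on /boot is opened, and embedding the same public key (grub-mkimage -k, the counterpart of grub-install --pubkey). The paths /usr/lib/grub/x86_64-efi, /efi/EFI/GRUB/grubx64.efi, the extra module list, an ext4 /boot located by UUID, and the PBKDF2 hash argument are all assumptions of this example, not facts from the post; the hash is whatever grub-mkpasswd-pbkdf2 prints.

```shell
#!/bin/sh
# Added example, not code from the original post or from GRUB.
# Builds grubx64.efi with grub-mkimage and an embedded early config so the
# password is in force even when /boot/grub/grub.cfg is missing or fails
# signature verification.  Assumptions (not from the post): module directory
# /usr/lib/grub/x86_64-efi, ESP mounted at /efi, /boot on ext4, and a hash
# produced by grub-mkpasswd-pbkdf2 passed on the command line.
set -eu

GRUB_TARGET=x86_64-efi
GRUB_MODDIR=/usr/lib/grub/$GRUB_TARGET      # assumed location of the .mod files
EFI_DIR=/efi                               # same --efi-directory as the post
PUBKEY=/root/bootkeys/secure-grub.pgp      # same key as the post
OUTPUT=$EFI_DIR/EFI/GRUB/grubx64.efi       # assumed output path (bootloader-id GRUB)

# Modules that must live inside the image: the four from the original
# grub-install command, plus what the embedded config needs before grub.cfg
# exists (partition tables, ESP and /boot filesystems, search, password_pbkdf2).
# Everything embedded here is loaded from the image, not from /boot.
MODULES="tpm gcry_sha256 gcry_sha512 gcry_rsa \
         part_gpt part_msdos fat ext2 search search_fs_uuid \
         password_pbkdf2 normal configfile echo"

# Print the early config that grub-mkimage -c embeds.
#   $1 = superuser name   $2 = grub.pbkdf2.sha512.... hash   $3 = UUID of /boot
make_early_cfg() {
    user=$1; hash=$2; boot_uuid=$3
    cat <<EOF
# embedded in the core image: runs before any file on /boot is opened
set superusers="$user"
password_pbkdf2 $user $hash
# -k/--pubkey already implies enforce; stated explicitly so it is visible
set check_signatures=enforce
# locate /boot by UUID instead of relying on firmware drive enumeration
search.fs_uuid $boot_uuid root
set prefix=(\$root)/grub
EOF
}

# Assemble the image.  The modules are given as positional arguments, the
# early config via -c and the public key via -k, all existing grub-mkimage
# options in 2.04.
build_image() {
    user=$1; hash=$2; boot_uuid=$3
    tmp=$(mktemp -d)
    make_early_cfg "$user" "$hash" "$boot_uuid" > "$tmp/early.cfg"
    mkdir -p "$(dirname "$OUTPUT")"
    grub-mkimage -O "$GRUB_TARGET" -d "$GRUB_MODDIR" -p /grub \
        -c "$tmp/early.cfg" -k "$PUBKEY" -o "$OUTPUT" $MODULES
    rm -rf "$tmp"
}

case "${1:-}" in
    build)
        [ $# -eq 4 ] || { echo "usage: $0 build USER PBKDF2_HASH BOOT_UUID" >&2; exit 2; }
        build_image "$2" "$3" "$4" ;;
    show)
        # print the config that would be embedded, without touching the ESP
        make_early_cfg "${2:-root}" "${3:-grub.pbkdf2.sha512.HASH}" "${4:-BOOT-UUID}" ;;
    *)
        echo "usage: $0 build|show USER PBKDF2_HASH BOOT_UUID" >&2 ;;
esac
```

Two practical caveats. First, the hash now lives inside grubx64.efi, so it is only as protected as that image is (Secure Boot signature, TPM measurement); the signed-file check that --pubkey gives you does not cover the core image itself, and grub.cfg plus every module and kernel read from /boot still need their detached .sig files. Second, this script does not do everything grub-install does: it does not copy the module directory to /boot/grub, register an NVRAM boot entry (grub-install does that with efibootmgr unless told not to), or handle encrypted /boot via cryptomount, so those steps stay with you if you need them.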
