I'm in the process of hardening a system to prevent tampering. What I'd like to do is to have a partially configured grub standalone (grub-mkstandalone) that will only boot menu entries from a PGP signed config file.
The part of this I'm having trouble with is grub's behaviour of dropping to a recovery console if a config file is missing (and perhaps in other circumstances that I'm not aware of). AFAIK this can be used by someone to specify their own kernel boot params, which can be used for privilege escalation. Under no circumstances do I want the standalone EFI binary to allow a user at the terminal to specify their own Linux boot parameters, kernel files, or initrd. Is there a configuration option that can be embedded when using grub-mkstandalone that will limit grub down to just the menu options loaded in a config file?
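The configuration that a hardening engineer would typically embed for this is shown below as an added example; it is not code from the original post. It combines the documented GRUB controls: `check_signatures=enforce` so that nothing unsigned is loaded, `superusers` plus `password_pbkdf2` so that the command line and menu editing are locked behind a password even if the image does reach the `grub>` prompt, and a `halt` after `configfile` so that a missing or badly signed config never falls through to the interactive prompt. The paths `(hd0,gpt1)/EFI/boot/grub.cfg`, `pubkey.gpg`, `embedded.cfg` and the user name `admin` are assumptions about the layout, not values from the post; the PBKDF2 hash is produced by `grub-mkpasswd-pbkdf2` and is shown as a placeholder.

```shell
#!/bin/sh
# Added hardening recipe for a grub-mkstandalone image (example, not from
# the original post). Assumed layout: the PGP-signed menu config lives at
# (hd0,gpt1)/EFI/boot/grub.cfg with a detached signature grub.cfg.sig, the
# exported GPG public key is pubkey.gpg, and the embedded config is
# embedded.cfg. The superuser name "admin" is an assumption.

# Emit the config that gets embedded in the standalone image.
# $1 = PBKDF2 hash from grub-mkpasswd-pbkdf2, $2 = path of the signed config
make_embedded_cfg() {
  cat <<EOF
# Refuse to load any file that lacks a valid signature from the embedded key.
set check_signatures=enforce
export check_signatures
# With superusers set, the command line and menu editing require this login.
set superusers="admin"
export superusers
password_pbkdf2 admin $1
# Load the signed menu. If the signature check fails, configfile errors out
# and execution continues below instead of dropping to the rescue prompt.
configfile $2
echo "Signed configuration unavailable; halting."
halt
EOF
}

# Build the standalone EFI binary. The public key is embedded with --pubkey,
# the embedded config is mapped to /boot/grub/grub.cfg inside the image's
# memdisk, and only the modules the config needs are included.
# $1 = embedded.cfg, $2 = pubkey.gpg, $3 = output .efi path
build_image() {
  grub-mkstandalone -O x86_64-efi \
    --pubkey "$2" \
    --modules="normal configfile echo halt pgp gcry_rsa gcry_sha256 password_pbkdf2 part_gpt fat" \
    -o "$3" \
    "boot/grub/grub.cfg=$1"
}

# Usage (not run here):
#   HASH=$(grub-mkpasswd-pbkdf2 | sed -n 's/^PBKDF2 hash of your password is //p')
#   make_embedded_cfg "$HASH" '(hd0,gpt1)/EFI/boot/grub.cfg' > embedded.cfg
#   build_image embedded.cfg pubkey.gpg bootx64.efi
#   gpg --detach-sign grub.cfg      # produces grub.cfg.sig next to the menu
```

Two things to check after building: sign every file the menu references (kernel, initrd, and the config itself), since `enforce` applies to all of them, and boot the image once with the signed config deliberately removed to confirm it halts rather than presenting a prompt. Note that this locks down GRUB's own interface only; if the firmware allows booting a different EFI binary, a Secure Boot policy or firmware password is still needed to keep this image in the path.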
