https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
On Fri, Sep 8, 2023 at 2:08 PM Philip Couling <[email protected]> wrote:
> I'm in the process of hardening a system to prevent tampering.
>
> What I'd like to do is to have a partially configured grub standalone
> (grub-mkstandalone) that will only boot menu entries from a PGP signed
> config file.
>
> The part of this I'm having trouble with, is grub's behaviour of dropping
> to a recovery console if a config file is missing (and perhaps other
> circumstances that I'm not aware of). AFAIK this can be used by someone to
> specify their own kernel boot params which can be used for privilege
> escalation.
>
> Under no circumstances do I want the standalone EFI binary to allow a user
> at the terminal to specify their own Linux boot parameters, kernel files,
> or initrd.
>
> Is there a configuration option that can be embedded when in use
> grub-mkstandalone that will limit grub down to just the menu options loaded
> in a config file?
>
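
A sketch of how the authentication settings from the linked manual section could be embedded in a standalone image so that the command line and entry editing are locked. This is an added example, not part of the original thread or of the GRUB project's own files. Assumptions: the file names, the user name `admin`, the password hash, the device `(hd0,gpt2)` and the kernel paths are placeholders, and PGP signature enforcement for the loaded config is set up separately and not shown.

```grub
# --- embedded.cfg (added example; names and hash are placeholders) ---
# Built into the image with, for example:
#   grub-mkstandalone -O x86_64-efi -o grubx64.efi \
#       "boot/grub/grub.cfg=./embedded.cfg"

# Once superusers is set, use of the GRUB command line and editing of
# menu entries are restricted to the listed users.
set superusers="admin"

# Placeholder hash; generate a real one with grub-mkpasswd-pbkdf2.
password_pbkdf2 admin grub.pbkdf2.sha512.10000.REPLACE_WITH_GENERATED_HASH

# Export so the restriction is still visible inside the config file
# loaded below, which runs in a new environment context.
export superusers

# Assumption: the signed menu config sits next to the EFI binary.
# cmdpath is the directory the image was loaded from.
configfile ${cmdpath}/grub.cfg

# Reached only if the config could not be loaded or its menu returned.
# Reboot instead of leaving the machine at a prompt; a command line
# reached after this point still asks for the superuser login.
echo "Boot configuration unavailable; rebooting."
sleep 10
reboot

# --- grub.cfg (separate file: the signed menu config; constructed sample) ---
# With superusers set, an entry without --unrestricted or --users can
# only be booted by a superuser. --unrestricted lets anyone boot the
# entry as written; editing it or opening a command line still
# requires the login.
menuentry "Linux" --unrestricted {
    linux (hd0,gpt2)/vmlinuz root=/dev/sda2 ro
    initrd (hd0,gpt2)/initrd.img
}
```

Test the missing-config and bad-signature paths on a spare machine or VM before relying on this, since the behaviour at each fallback point is what the hardening depends on.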
