On 08.09.2023 19:59, Philip Couling wrote:
> I'm in the process of hardening a system to prevent tampering.
>
> What I'd like to do is to have a partially configured grub standalone
> (grub-mkstandalone) that will only boot menu entries from a PGP signed
> config file.
>
> The part of this I'm having trouble with, is grub's behaviour of dropping
> to a recovery console if a config file is missing (and perhaps other
> circumstances that I'm not aware of).

grub enters the rescue shell if normal.mod cannot be loaded. This is not configurable. The rescue shell offers a small number of built-in commands, allowing you to try "insmod normal.mod" from some other place.

normal.mod drops to the CLI (it is not a "recovery console", it is just the normal grub command line) if either the configuration file is not present or cannot be read, or if the configuration file does not have any "menuentry"/"submenu", so there is no menu to show.

Dropping into the CLI without a configuration file cannot be disabled. Dropping into the CLI with an empty menu can be controlled by grub authentication (see another reply).

> AFAIK this can be used by someone to
> specify their own kernel boot params which can be used for privilege
> escalation.


A standalone image normally includes full grub (all modules), sets grub $prefix to an internal RAM disk and has the grub configuration file in this RAM disk. This means neither loading of normal.mod nor loading of grub.cfg should fail. Further attempts to escape into the CLI are controlled by grub authentication.

> Under no circumstances do I want the standalone EFI binary to allow a user
> at the terminal to specify their own Linux boot parameters, kernel files,
> or initrd.
>
> Is there a configuration option that can be embedded when in use
> grub-mkstandalone that will limit grub down to just the menu options loaded
> in a config file?
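The memdisk-embedded config plus grub authentication that the reply describes, written out as an added example (not code from the thread): the embedded grub.cfg sets a superuser and enforces signatures before handing off to a detached-signed config on disk, and grub-mkstandalone embeds both the config and the verifying key. PBKDF2_HASH_PLACEHOLDER (output of grub-mkpasswd-pbkdf2), ROOT_FS_UUID_PLACEHOLDER and the pubkey.gpg path are placeholders to fill in.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: PBKDF2_HASH_PLACEHOLDER,
# ROOT_FS_UUID_PLACEHOLDER, pubkey.gpg.
set -eu

# Config placed at (memdisk)/boot/grub/grub.cfg, which is $prefix inside a
# standalone image, so normal.mod always finds it and never drops to the CLI.
embedded_cfg() {
    cat <<'EOF'
# Once superusers is set, the CLI and menu editing need this user; booting an
# entry needs it too unless the entry is marked --unrestricted.
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PBKDF2_HASH_PLACEHOLDER
# Refuse any kernel, initrd or config file without a valid detached .sig.
set check_signatures=enforce
# configfile opens a new variable context and only exported variables are
# visible there, so export both or the signed config would run unprotected.
export superusers
export check_signatures
search --no-floppy --set=root --fs-uuid ROOT_FS_UUID_PLACEHOLDER
configfile ($root)/boot/grub/signed.cfg
EOF
}

# The on-disk config; it must carry a detached signature (signed.cfg.sig) made
# with the key embedded below. --unrestricted lets anyone boot this entry,
# while editing it or reaching the CLI still requires "admin".
signed_cfg() {
    cat <<'EOF'
menuentry "Linux" --unrestricted {
    linux /boot/vmlinuz root=UUID=ROOT_FS_UUID_PLACEHOLDER ro quiet
    initrd /boot/initrd.img
}
EOF
}

# Build the EFI binary with the config in its memdisk and the PGP public key
# embedded, so neither can be replaced by editing files on the ESP.
build_image() {
    cfg="$1" pubkey="$2" out="$3"
    grub-mkstandalone -O x86_64-efi -o "$out" --pubkey "$pubkey" \
        "boot/grub/grub.cfg=$cfg"
}

# Usage: embedded_cfg > grub.cfg && build_image grub.cfg pubkey.gpg grubx64.efi
```

The kernel and initrd referenced by signed.cfg need their own detached .sig files next to them, otherwise check_signatures=enforce refuses to load them.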

