LinuxQuestions.org

Linux - Software: Adding GRUB Env Variable for Integrity Checks (https://www.linuxquestions.org/questions/linux-software-2/adding-grub-env-variable-for-integrity-checks-4175676570/)

DapperDeer 06-05-2020 01:34 PM

Adding GRUB Env Variable for Integrity Checks
 
I’m currently developing a secure boot chain for my work. I’d like to utilize GRUB to boot into Linux where integrity checks will be performed, then if the filesystem is verified, change a custom GRUB environment variable flag which will allow the user to continue our boot into Windows.

My initial idea was led a bit astray as the embedded configuration doc is wrong, but I’ve been trying to persevere nonetheless. I found this StackOverflow thread suggesting a workaround is to embed a cfg file that uses `configfile` to call the “actual” file which contains the scripting and whatever else that I need.

This is my process:
1. Create a grub image:
Code:

# memdisk.tar holds multiple cfgs, one dedicated to each boot entry (Windows and Linux).
# Comments cannot follow a trailing backslash on the same line, so they live up here.
$GRUBDIR/grub-mkimage \
    -O i386-pc -d $CORE -v \
    -p $CORE \
    -m $HOME/memdisk/memdisk.tar \
    -c $HOME/memdisk/embedded.cfg \
    -o $CORE/core.img \
    part_gpt biosdisk ext2 memdisk ntfs tar echo sleep configfile search_fs_uuid loadenv search normal

2. Install using that image:
Code:

$GRUBDIR/grub-install $DRIVE                    \
            --boot-directory=$MNTDIR/boot/      \
            -d $CORE

3. Using Dracut, create the initramfs

Embedded.cfg:
Code:

configfile (memdisk)/grub.cfg

Grub.cfg:
Code:

# Read the variables stored in $prefix/grubenv into the GRUB environment
load_env

# Clean starts out as "false": that must run the Linux verifier first;
# anything else goes on to Windows
if [ $Clean == "false" ]; then
    configfile /boot/grub/linux.cfg
else
    configfile /boot/grub/windows.cfg
fi

I looked through the GRUB documentation and it doesn't mention anything about singular brackets yet every grub.cfg I can find uses single brackets. GRUB has given me errors for using double brackets. I've tried "$Clean", $Clean, [[ "$Clean" == "false" ]].

Grubenv:
Code:

# GRUB Environment Block
Clean=false
###########...

On boot, I get this initial return:

Code:

Booting from Hard Disk...
GRUB loading.....
Welcome to GRUB!

error: can't find command `false'.

and I have absolutely no idea why it keeps thinking that "false" is a command rather than a string. I've tried a ton of different iterations, with and without quotes, I've tried making it a zero or one, I've tried caps/no-caps/mixed-caps, I've tried using "set Clean=false save_env" and yet nothing I do works.

To try and be ultimately clear:
I want to create a GRUB environment variable named Clean. If Clean is true, I want to use /boot/grub/windows.cfg. If Clean is false, I want to use /boot/grub/linux.cfg. Clean will be initially set to false, forcing the user to boot into our Linux kernel that will then verify the integrity of the filesystem. If the filesystem is verified, I want Clean to be set to true (on next boot only) to allow the user to boot into Windows. If/once the system shuts down past this point, whether graceful or ungraceful, Clean should be false to force the user to verify the filesystem once more.

I thoroughly feel like I’m missing one small detail for everything to fall into place, so if anyone has any advice, it would be greatly appreciated.

Thanks so much
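The one-shot behaviour asked for above (Clean is true for exactly the next boot, then falls back to false whether or not Windows shuts down cleanly) can be done entirely in GRUB script by consuming the flag before handing off. The following grub.cfg is an added example, not taken from the post or from GRUB's documentation. It assumes $root already points at the partition holding /boot, keeps the windows.cfg and linux.cfg paths from the post, reads and writes the env block at /boot/grub/grubenv explicitly with --file, and uses the whitelist argument to load_env, which needs GRUB 2.02 or newer.

```grub
# Added example: one-shot "Clean" flag for the memdisk grub.cfg.
# Only the Clean variable is imported; any other variable an OS might have
# written into the (OS-writable) env block is ignored.
load_env --file /boot/grub/grubenv Clean

if [ "$Clean" = "true" ]; then
    # Consume the flag before handing off: a crash or power cut during the
    # Windows session then still lands in the verifier on the next boot.
    set Clean=false
    save_env --file /boot/grub/grubenv Clean
    configfile /boot/grub/windows.cfg
else
    # Unset, empty, or anything other than "true" means: verify first.
    set Clean=false
    save_env --file /boot/grub/grubenv Clean
    configfile /boot/grub/linux.cfg
fi
```

Two things this relies on: save_env can only write into an env block that already exists with its full size (create it with grub-editenv, not by hand), and the flag is only as trustworthy as the path that sets it to true. Since the block lives on a partition the OS can write to, the Linux verifier should be the only component that ever runs the equivalent of `grub-editenv /boot/grub/grubenv set Clean=true`, and it should do so only after its checks pass.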

shruggy 06-06-2020 11:53 AM

1. Yes, I know, this is contrary to what GRUB documentation says, but all examples of grub.cfg I've seen use just = instead of ==, i.e.
Code:

if [ $Clean = "false" ]; then

2. What happens if you put $Clean in double quotes?
Code:

if [ "$Clean" = "false" ]; then

3. Did you check grub.cfg with grub-script-check*?

4. I suspect that Clean doesn't get set by load_env and is empty. Did you use grub-editenv* to change grubenv?

____
* On a Fedora/RHEL based system, the names of grub-* utilities would start with grub2- instead.
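The fourth point above is where hand-made grubenv files usually go wrong, and the flow in the original post needs the Linux side to flip the flag only after a successful check. The script below is an added example, not from the thread and not GRUB's own code: it reproduces the on-disk layout that grub-editenv creates (a 1024-byte block whose first line is `# GRUB Environment Block`, followed by NAME=VALUE lines and padded with `#`) using plain POSIX tools, so the format can be inspected and tested on a machine without grub-editenv, and it shows a hook that arms Clean only when the verifier command it is handed exits 0. The function and variable names are mine; on the real system, write /boot/grub/grubenv with grub-editenv (grub2-editenv on Fedora/RHEL), which also escapes values this script does not handle.

```shell
#!/bin/sh
# Added example, not from the thread or from GRUB's sources: the env block
# layout grub-editenv produces and load_env/save_env read. save_env writes
# into the fixed-size block in place, which is why a few-byte "Clean=false"
# file written by hand is not enough.

GRUBENV_SIZE=1024
GRUBENV_HEADER='# GRUB Environment Block'

# Pad standard input with '#' to exactly GRUBENV_SIZE bytes.
_pad_block() {
    { cat; head -c "$GRUBENV_SIZE" /dev/zero | tr '\0' '#'; } | head -c "$GRUBENV_SIZE"
}

# Create an empty block (what "grub-editenv FILE create" does). $1 = path
grubenv_create() {
    printf '%s\n' "$GRUBENV_HEADER" | _pad_block > "$1"
}

# Print the value of NAME ($2) from block $1, or nothing if it is unset.
# Lines starting with '#' are comments or padding and are skipped.
grubenv_get() {
    grep -v '^#' "$1" | sed -n "s/^$2=//p"
}

# Set NAME=VALUE ($2=$3) in block $1, keeping the other variables and the
# fixed size. Values containing newlines or backslashes are out of scope here.
grubenv_set() {
    _tmp=$(mktemp)
    {
        printf '%s\n' "$GRUBENV_HEADER"
        grep -v '^#' "$1" | grep -v "^$2=" || true
        printf '%s=%s\n' "$2" "$3"
    } > "$_tmp"
    # grub-editenv refuses the same situation with "environment block too small"
    if [ "$(wc -c < "$_tmp" | tr -d ' ')" -gt "$GRUBENV_SIZE" ]; then
        rm -f "$_tmp"
        echo "grubenv_set: environment block too small" >&2
        return 1
    fi
    _pad_block < "$_tmp" > "$1"
    rm -f "$_tmp"
}

# Check the signature line load_env insists on and the 1024-byte size
# grub-editenv allocates so that save_env has room to write in place.
grubenv_valid() {
    [ "$(head -n 1 "$1")" = "$GRUBENV_HEADER" ] &&
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$GRUBENV_SIZE" ]
}

# Linux-side hook for the flow in the original post. $1 = env block path,
# the remaining arguments are the verifier command. Clean is armed only when
# that command exits 0; otherwise it is forced back to false.
arm_windows_boot() {
    _env=$1
    shift
    if "$@"; then
        grubenv_set "$_env" Clean true
    else
        grubenv_set "$_env" Clean false
        return 1
    fi
}

# Demo on a throwaway file (constructed here; not a real /boot/grub/grubenv).
demo=$(mktemp)
grubenv_create "$demo"
arm_windows_boot "$demo" true      # "true" stands in for a verifier that passed
grubenv_get "$demo" Clean          # prints: true
rm -f "$demo"
```

Running `grubenv_valid` against the file the original post shows as "Grubenv:" is a quick way to tell whether it was produced by grub-editenv or typed in; if the size is not 1024 bytes, load_env may still parse it, but save_env has nothing to write into and Clean will never survive a reboot.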
