LinuxQuestions.org
Old 06-05-2020, 01:34 PM   #1
DapperDeer
LQ Newbie
 
Registered: Apr 2020
Distribution: Fedora 31
Posts: 5

Rep: Reputation: Disabled
Adding GRUB Env Variable for Integrity Checks


I’m currently developing a secure boot chain for my work. I’d like to utilize GRUB to boot into Linux where integrity checks will be performed, then if the filesystem is verified, change a custom GRUB environment variable flag which will allow the user to continue our boot into Windows.

My initial idea was led a bit astray as the embedded configuration doc is wrong, but I’ve been trying to persevere nonetheless. I found this StackOverflow thread suggesting a workaround is to embed a cfg file that uses `configfile` to call the “actual” file which contains the scripting and whatever else that I need.

This is my process:
1. Create a grub image:
Code:
# Memdisk has multiple cfgs dedicated to each boot entry (Windows and Linux).
# (Comments cannot follow a trailing backslash, so they are kept up here.)
$GRUBDIR/grub-mkimage               \
            -O i386-pc -d $CORE -v       \
            -p $CORE                      \
            -m $HOME/memdisk/memdisk.tar  \
            -c $HOME/memdisk/embedded.cfg \
            -o $CORE/core.img             \
            part_gpt biosdisk ext2 memdisk ntfs tar echo sleep configfile search_fs_uuid loadenv search normal
2. Install using that image:
Code:
$GRUBDIR/grub-install $DRIVE                    \
            --boot-directory=$MNTDIR/boot/      \
            -d $CORE
3. Using Dracut, create the initramfs

Embedded.cfg:
Code:
configfile (memdisk)/grub.cfg
Grub.cfg:
Code:
load_env

if [ $Clean == "false" ]; then
    configfile /boot/grub/windows.cfg
else
    configfile /boot/grub/linux.cfg
fi
I looked through the GRUB documentation and it doesn't mention anything about singular brackets yet every grub.cfg I can find uses single brackets. GRUB has given me errors for using double brackets. I've tried "$Clean", $Clean, [[ "$Clean" == "false" ]].

Grubenv:
Code:
# GRUB Environment Block
Clean=false
###########...
On boot, I get this initial return:

Code:
Booting from Hard Disk...
GRUB loading.....
Welcome to GRUB!

error: can't find command `false'.
and I have absolutely no idea why it keeps thinking that "false" is a command rather than a string. I've tried a ton of different iterations, with and without quotes, I've tried making it a zero or one, I've tried caps/no-caps/mixed-caps, I've tried using "set Clean=false save_env" and yet nothing I do works.

To try and be ultimately clear:
I want to create a GRUB environment variable named Clean. If Clean is true, I want to use /boot/grub/windows.cfg. If Clean is false, I want to use /boot/grub/linux.cfg. Clean will be initially set to false, forcing the user to boot into our Linux kernel that will then verify the integrity of the filesystem. If the filesystem is verified, I want Clean to be set to true (on next boot only) to allow the user to boot into Windows. If/once the system shuts down past this point, whether graceful or ungraceful, Clean should be false to force the user to verify the filesystem once more.

I thoroughly feel like I’m missing one small detail for everything to fall into place, so if anyone has any advice, it would be greatly appreciated.

Thanks so much

Last edited by DapperDeer; 06-05-2020 at 01:38 PM.
 
Old 06-06-2020, 11:53 AM   #2
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,670

Rep: Reputation: Disabled
1. Yes, I know, this is contrary to what GRUB documentation says, but all examples of grub.cfg I've seen use just = instead of ==, i.e.
Code:
if [ $Clean = "false" ]; then
2. What happens if you put $Clean in double quotes?
Code:
if [ "$Clean" = "false" ]; then
3. Did you check grub.cfg with grub-script-check*?

4. I suspect that Clean doesn't get set by load_env and is empty. Did you use grub-editenv* to change grubenv?

____
* On a Fedora/RHEL based system, the names of grub-* utilities would start with grub2- instead.
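
As an added example (not part of the thread and not GRUB's own code), the shell functions below check that a grubenv file still has the shape grub-editenv writes (the signature line shown in post #1, a 1024-byte file padded with `#`) and read the `Clean` flag from it. The function names and the sample block are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a GRUB environment block and read one variable.
# grubenv_check, grubenv_get and make_sample_grubenv are hypothetical helper names.

GRUBENV_HEADER='# GRUB Environment Block'   # signature line, as shown in the post
GRUBENV_SIZE=1024                           # size of the block grub-editenv creates

# Print "ok" and return 0 if FILE still looks like a block written by grub-editenv.
grubenv_check() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -eq "$GRUBENV_SIZE" ] || { echo "bad size: $size bytes"; return 1; }
    [ "$(head -n 1 "$file")" = "$GRUBENV_HEADER" ] || { echo "bad header"; return 1; }
    echo ok
}

# Print the value of variable NAME in FILE; prints nothing if it is not set.
# Lines starting with '#' (signature, padding) are skipped.
grubenv_get() {
    grep -v '^#' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Build a constructed sample block: signature, NAME=VALUE lines, '#' padding.
make_sample_grubenv() {
    out=$1; shift
    {
        printf '%s\n' "$GRUBENV_HEADER"
        for kv in "$@"; do printf '%s\n' "$kv"; done
    } > "$out"
    used=$(wc -c < "$out" | tr -d ' ')
    head -c $((GRUBENV_SIZE - used)) /dev/zero | tr '\0' '#' >> "$out"
}

# Stand-alone use: sh thisfile.sh /path/to/grubenv
if [ -n "${1:-}" ]; then
    grubenv_check "$1" && echo "Clean=$(grubenv_get "$1" Clean)"
fi
```

On the installed system the flag itself is changed with `grub-editenv` (`grub2-editenv` on Fedora), as reply #2 suggests, so the file keeps this layout.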
 
  

