I’m currently developing a secure boot chain for my work. I’d like to utilize GRUB to boot into Linux where integrity checks will be performed, then if the filesystem is verified, change a custom GRUB environment variable flag which will allow the user to continue our boot into Windows.
My initial idea was led a bit astray as the embedded configuration doc is wrong, but I’ve been trying to persevere nonetheless. I found this StackOverflow thread suggesting a workaround is to embed a cfg file that uses `configfile` to call the “actual” file which contains the scripting and whatever else that I need.
This is my process:
1. Create a grub image:
Code:
# memdisk.tar holds multiple cfgs, one dedicated to each boot entry (Windows and Linux).
# Comments must not follow a trailing backslash: "\ # ..." escapes the space and ends
# the command, so every option after it would run as a separate (failing) command.
# -d is the build-host module directory; -p is the runtime prefix GRUB searches for
# modules and grubenv at boot.
$GRUBDIR/grub-mkimage \
-O i386-pc -d $CORE -v \
-p $CORE \
-m $HOME/memdisk/memdisk.tar \
-c $HOME/memdisk/embedded.cfg \
-o $CORE/core.img \
part_gpt biosdisk ext2 memdisk ntfs tar echo sleep configfile search_fs_uuid loadenv search normal
2. Install using that image:
Code:
$GRUBDIR/grub-install $DRIVE \
--boot-directory=$MNTDIR/boot/ \
-d $CORE
3. Using Dracut, create the initramfs
embedded.cfg:
Code:
configfile (memdisk)/grub.cfg
grub.cfg:
Code:
# Load the environment block (grubenv under $prefix) so $Clean is defined before it is tested.
load_env
# GRUB's "[" is its "test" command: single brackets only, "=" for string equality,
# and the variable quoted so an unset Clean still yields a valid comparison.
# Per the intent stated below: Clean=true boots Windows, Clean=false boots the verifying Linux kernel.
if [ "$Clean" = "true" ]; then
configfile /boot/grub/windows.cfg
else
configfile /boot/grub/linux.cfg
fi
I looked through the GRUB documentation and it doesn't mention anything about singular brackets yet every grub.cfg I can find uses single brackets. GRUB has given me errors for using double brackets. I've tried "$Clean", $Clean, [[ "$Clean" == "false" ]].
grubenv:
Code:
# GRUB Environment Block
Clean=false
###########...
On boot, I get this initial return:
Code:
Booting from Hard Disk...
GRUB loading.....
Welcome to GRUB!
error: can't find command `false'.
and I have absolutely no idea why it keeps thinking that "false" is a command rather than a string. I've tried a ton of different iterations, with and without quotes, I've tried making it a zero or one, I've tried caps/no-caps/mixed-caps, I've tried using "set Clean=false save_env" and yet nothing I do works.
To try and be ultimately clear:
I want to create a GRUB environment variable named Clean. If Clean is true, I want to use /boot/grub/windows.cfg. If Clean is false, I want to use /boot/grub/linux.cfg. Clean will be initially set to false, forcing the user to boot into our Linux kernel that will then verify the integrity of the filesystem. If the filesystem is verified, I want Clean to be set to true (on next boot only) to allow the user to boot into Windows. If/once the system shuts down past this point, whether graceful or ungraceful, Clean should be false to force the user to verify the filesystem once more.
I thoroughly feel like I’m missing one small detail for everything to fall into place, so if anyone has any advice, it would be greatly appreciated.
Thanks so much