GRUB: Difference between revisions
Revision as of 05:14, 19 January 2026
GRUB can be added to SeaBIOS as a floppy image to provide a reliable bootloader stored in the CBFS. GRUB can be used to verify kernel/initrd integrity and/or to support encrypted /boot partitions.
Verifying /boot
Prepare your GRUB image
If you have GPG signed files in /boot, GRUB can verify them each boot to prevent tampering.
File layout
Organize your files like this:
./generate.sh
./fdroot
./fdroot/boot/
./fdroot/boot/grub
./fdroot/boot/grub/grub.cfg
./fdroot/boot/grub/boot.key
grub.cfg
Review your system's current grub.cfg (/boot/grub/grub.cfg) to find your root UUID and any other information you need. All necessary modules must be loaded before your GPG key is trusted. Here is an example grub.cfg used on Debian 13.
# Load every module needed below before trusting the key: once
# check_signatures=enforce is active, insmod also requires signed module files.
insmod part_gpt
insmod crypto
insmod cryptodisk
insmod geli
insmod ufs2
insmod search
insmod search_label
insmod usb_keyboard
insmod echo
insmod ls
insmod cat
insmod test
insmod configfile
insmod bsd
insmod reboot
insmod pbkdf2
insmod password
insmod password_pbkdf2
insmod gcry_rsa
insmod gcry_sha512
insmod gcry_rijndael
insmod verifiers
insmod play
insmod part_msdos
insmod mdraid1x
insmod lvm
insmod ext2
insmod diskfilter
insmod gzio
insmod ntfs
insmod linux
insmod drivemap
insmod chain
insmod loopback
# Public key shipped inside the floppy image (and therefore inside CBFS)
trust /boot/grub/boot.key
set timeout_style=menu
set timeout=5
play 480 440 1
menuentry 'Debian GNU/Linux (signed)' {
    # Refuse to load any file that lacks a valid detached .sig
    set check_signatures=enforce
    search --no-floppy --fs-uuid --set=root xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    echo 'Loading Linux ...'
    linux /boot/latest/vmlinuz root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ro
    echo 'Loading initial ramdisk ...'
    initrd /boot/latest/initrd.img
}
menuentry 'Debian GNU/Linux (unsigned)' {
    # Fallback entry with signature checking disabled
    set check_signatures=no
    search --no-floppy --fs-uuid --set=root xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    echo 'Loading Linux ...'
    linux /boot/latest/vmlinuz root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ro
    echo 'Loading initial ramdisk ...'
    initrd /boot/latest/initrd.img
}
boot.key
This is the public key used to verify your files.
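Producing boot.key and the detached signatures that the signed menu entry depends on, as an added shell example that is not part of the wiki page. It assumes the signing key is identified by a key id you pass in, that the files GRUB loads live in /boot/latest as in the grub.cfg above, and it relies on GRUB's trust command wanting a binary (non-armored) key export, which is what gpg --export produces.

```shell
#!/bin/bash
# Added example (not from the wiki page). Helpers for keeping /boot in the
# state the "signed" GRUB entry requires: a binary public key for `trust`
# and a detached <file>.sig next to every file GRUB will load.

# Export the public key in binary form; GRUB's `trust` does not read
# ASCII-armored keys. Usage: export_boot_key <keyid> ./fdroot/boot/grub/boot.key
export_boot_key() {
    local keyid="$1" out="$2"
    gpg --export "$keyid" > "$out"
}

# Create (or refresh) a detached signature <file>.sig beside every regular
# file in a directory. Usage: sign_boot_files <keyid> /boot/latest
sign_boot_files() {
    local keyid="$1" dir="$2" f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.sig) continue ;; esac
        gpg --batch --yes --default-key "$keyid" --detach-sign \
            --output "$f.sig" "$f"
    done
}

# Check every .sig in a directory against its file with the local keyring.
# Returns non-zero on the first bad or unverifiable signature.
verify_boot_files() {
    local dir="$1" f
    for f in "$dir"/*.sig; do
        [ -f "$f" ] || continue
        gpg --verify "$f" "${f%.sig}" >/dev/null 2>&1 || { echo "BAD: ${f%.sig}"; return 1; }
    done
}

# List regular files that have no .sig companion, one path per line.
# With check_signatures=enforce GRUB refuses to load any such file, so run
# this after a kernel or initrd update and before rebooting.
missing_signatures() {
    local dir="$1" f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.sig) continue ;; esac
        [ -f "$f.sig" ] || echo "$f"
    done
}
```

Run sign_boot_files again whenever the kernel package replaces vmlinuz or regenerates initrd.img, since the old detached signature no longer matches the new file.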
generate.sh
#!/bin/bash
# Modules embedded in the image; this list must cover everything grub.cfg insmods.
GRUB_MODULES="usb_keyboard ls echo cat search_label search configfile part_gpt geli ufs2 cryptodisk gcry_rijndael bsd reboot pbkdf2 password password_pbkdf2 gcry_rsa gcry_sha512 test play verifiers"
GRUB_MODULES+=" part_msdos mdraid1x lvm ext2 diskfilter gzio ntfs linux drivemap chain part_acorn part_amiga part_apple part_bsd part_dfly part_dvh part_plan part_sun part_sunpc crypto loopback"
rm -f grub.img
# Build the image from ./fdroot (grub.cfg and boot.key); abort if grub-mkrescue fails.
grub-mkrescue --compress=gz -o grub.img --locale-directory=/usr/share/locale --locales=en@quot --fonts=none --install-modules="${GRUB_MODULES}" ./fdroot || exit
# Size of a 2.88MB floppy image in bytes.
FDLEN=2949120
if [ "$(stat -c %s grub.img)" -gt "$FDLEN" ]; then
    echo "Generated GRUB image is too large for a 2.88MB floppy image. Please adjust script."
    rm grub.img
    exit 1
fi
# Pad the image to exactly the floppy size.
truncate -s "$FDLEN" grub.img
grub.img
Create your grub floppy image
chmod +x generate.sh
./generate.sh
Add your GRUB image to coreboot
In your coreboot compilation directory, add grub.img and create the bootorder file:
bootorder
/rom@floppyimg/grub HALT
Attach grub.img and bootorder to coreboot
./build/cbfstool ./build/coreboot.rom add -f grub.img -n floppyimg/grub.lzma -t raw -c lzma
./build/cbfstool ./build/coreboot.rom add -f bootorder -n bootorder -t raw