GRUB
GRUB can be added to SeaBIOS as a floppy image to provide a bug-free bootloader stored in the CBFS. GRUB can be used to verify kernel/initrd integrity and/or to support encrypted /boot partitions.
Verifying /boot
If you have GPG-signed files in /boot, GRUB can verify them on each boot to prevent tampering.
grub.cfg
Review your system's current grub.cfg (/boot/grub/grub.cfg) to find your root UUID and any other information you may need. You will need to load all necessary modules before loading your GPG key. Here is an example grub.cfg used on Debian 13:
insmod part_gpt
insmod crypto
insmod cryptodisk
insmod geli
insmod ufs2
insmod search
insmod search_label
insmod usb_keyboard
insmod echo
insmod ls
insmod cat
insmod test
insmod configfile
insmod bsd
insmod reboot
insmod pbkdf2
insmod password
insmod password_pbkdf2
insmod gcry_rsa
insmod gcry_sha512
insmod gcry_rijndael
insmod verifiers
insmod play
insmod part_msdos
insmod mdraid1x
insmod lvm
insmod ext2
insmod diskfilter
insmod gzio
insmod ntfs
insmod linux
insmod drivemap
insmod chain
insmod loopback
trust /boot/grub/boot.key
set timeout_style=menu
set timeout=5
play 480 440 1
menuentry 'Debian GNU/Linux (signed)' {
    set check_signatures=enforce
    search --no-floppy --fs-uuid --set=root xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    echo 'Loading Linux ...'
    linux /boot/latest/vmlinuz root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ro
    echo 'Loading initial ramdisk ...'
    initrd /boot/latest/initrd.img
}
menuentry 'Debian GNU/Linux (unsigned)' {
    set check_signatures=no
    search --no-floppy --fs-uuid --set=root xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    echo 'Loading Linux ...'
    linux /boot/latest/vmlinuz root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ro
    echo 'Loading initial ramdisk ...'
    initrd /boot/latest/initrd.img
}
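The check below is an added example, not part of the original page: before rebooting into the signed entry, it lists every file that entry loads with `linux` or `initrd` and that has no detached signature `FILE.sig` beside it, or whose signature is older than the file. It relies on GRUB looking for `FILE.sig` when `check_signatures=enforce` is set; the function names and the `SYSROOT` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): pre-reboot check for the
# signed menuentry. Under check_signatures=enforce GRUB loads FILE only if
# a valid detached signature FILE.sig sits next to it.
# Assumption: GRUB path /boot/... is reachable here as SYSROOT/boot/...

# enforced_files GRUB_CFG
# Print the files that `linux` / `initrd` load while enforcement is on.
enforced_files() {
    awk '
        $1 == "menuentry" { in_entry = 1; enforce = global }
        $1 == "set" && $2 ~ /^check_signatures=/ {
            on = ($2 == "check_signatures=enforce")
            if (in_entry) enforce = on; else global = on
        }
        in_entry && enforce && $1 == "linux"  { print $2 }
        in_entry && enforce && $1 == "initrd" { for (i = 2; i <= NF; i++) print $i }
        $1 == "}" { in_entry = 0 }
    ' "$1" | sort -u
}

# check_sigs GRUB_CFG SYSROOT
# Print "missing PATH" when PATH.sig is absent or empty, and "stale PATH"
# when the file is newer than its signature (e.g. after a kernel update).
# The mtime test is a heuristic; it does not verify the signature itself.
check_sigs() {
    enforced_files "$1" | while IFS= read -r path; do
        f=$2$path
        if [ ! -s "$f.sig" ]; then
            echo "missing $path"
        elif [ "$f" -nt "$f.sig" ]; then
            echo "stale $path"
        fi
    done
}

# Stand-alone use: sh THIS_SCRIPT /boot/grub/grub.cfg /
if [ "$#" -eq 2 ]; then
    check_sigs "$1" "$2"
fi
```

Empty output means every enforced file has a signature that is at least as new as the file; whether the signature is cryptographically valid is still checked with `gpg --verify FILE.sig FILE` against the key passed to `trust`.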