GRUB

From 15h.org
Revision as of 05:13, 19 January 2026 by Mrothfuss (talk | contribs)

GRUB can be added to SeaBIOS as a floppy image stored in CBFS, so the bootloader lives in the firmware flash rather than on the disk it boots. GRUB can then verify kernel/initrd signatures on every boot and/or unlock an encrypted /boot partition. The verification is only as trustworthy as the flash it runs from: if the firmware can be rewritten from the running OS, an attacker can replace the GRUB image and its key together with the kernel, so write-protect the flash once it is set up.

Verifying /boot

Prepare your GRUB image

If the files in /boot carry detached GPG signatures (a file.sig beside each file), GRUB can verify them on every boot, so a tampered kernel or initrd is refused before it is loaded.

file layout

Organize your files like this:

./generate.sh
./fdroot
./fdroot/boot/
./fdroot/boot/grub
./fdroot/boot/grub/grub.cfg
./fdroot/boot/grub/boot.key

grub.cfg

Review your system's current grub.cfg (/boot/grub/grub.cfg) to find your root filesystem UUID and anything else you need to carry over. Load every module you need before trusting your GPG key and before enabling enforcement, because once check_signatures=enforce is set GRUB also demands a signature for each module it loads. The trust command is provided by the pgp module in current GRUB releases (verify in older ones); if GRUB reports it as an unknown command, add that module to the lists below. Here is an example grub.cfg used on Debian 13; replace the xxxxxxxx-... placeholders with your own UUID.

# Load every module the config needs here, before the key is trusted and
# before check_signatures is set: once enforcement is on, GRUB also requires
# a detached signature for each module it loads.
insmod part_gpt
insmod crypto
insmod cryptodisk
insmod geli
insmod ufs2
insmod search
insmod search_label
insmod usb_keyboard
insmod echo
insmod ls
insmod cat
insmod test
insmod configfile
insmod bsd
insmod reboot
insmod pbkdf2
insmod password
insmod password_pbkdf2
insmod gcry_rsa
insmod gcry_sha512
insmod gcry_rijndael
insmod verifiers
insmod play
insmod part_msdos
insmod mdraid1x
insmod lvm
insmod ext2
insmod diskfilter
insmod gzio
insmod ntfs
insmod linux
insmod drivemap
insmod chain
insmod loopback

# Public key exported from gpg in binary form; it ships inside the floppy image.
trust /boot/grub/boot.key

set timeout_style=menu
set timeout=5

play 480 440 1

menuentry 'Debian GNU/Linux (signed)' {
        # From here on the kernel and initrd are refused unless
        # /boot/latest/vmlinuz.sig and /boot/latest/initrd.img.sig verify
        # against the trusted key.
        set check_signatures=enforce
        search --no-floppy --fs-uuid --set=root xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

        echo    'Loading Linux ...'
        linux   /boot/latest/vmlinuz root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ro
        echo    'Loading initial ramdisk ...'
        initrd  /boot/latest/initrd.img
}

# Fallback that skips verification. Anyone at the console can pick it (or
# press 'e' to edit the signed entry), so either drop it or lock the menu with
# 'set superusers=...' and password_pbkdf2 (both modules are loaded above).
menuentry 'Debian GNU/Linux (unsigned)' {
        set check_signatures=no
        search --no-floppy --fs-uuid --set=root xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

        echo    'Loading Linux ...'
        linux   /boot/latest/vmlinuz root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ro
        echo    'Loading initial ramdisk ...'
        initrd  /boot/latest/initrd.img
}

boot.key

This is the public half of the key you sign /boot with, exported in binary form (gpg --export KEYID > fdroot/boot/grub/boot.key); GRUB's trust command reads it at boot. Keep the private key off the machine whose /boot it protects where you can, since whoever holds it can sign a replacement kernel.
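The page assumes /boot is already signed but never shows the signing step. The helper below is an added example, not from the 15h.org page: it signs the files the grub.cfg above loads after check_signatures=enforce (vmlinuz and initrd.img under /boot/latest), exports the public key as boot.key, and checks that every file has a current detached signature, which is the check to run after every kernel update. The key id in SIGN_KEY and the BOOT_FILES default are assumptions, as is the verify_sigs step, which re-verifies with only the exported key in a throw-away keyring.

```shell
#!/bin/sh
# Added example, not from the 15h.org page. Sign the files GRUB loads under
# check_signatures=enforce and export the public key for fdroot/boot/grub/boot.key.
# Assumed: SIGN_KEY holds the GPG key id; BOOT_FILES lists the paths named in grub.cfg.
set -eu

BOOT_FILES="${BOOT_FILES:-/boot/latest/vmlinuz /boot/latest/initrd.img}"
SIGN_KEY="${SIGN_KEY:-}"

# sign_file FILE: write FILE.sig, a binary (not ASCII-armored) detached
# signature, which is the form GRUB's verifier looks for next to each file.
sign_file() {
    gpg --batch --yes --default-key "$SIGN_KEY" --detach-sign --output "$1.sig" "$1"
}

# export_boot_key OUT: binary public key for the trust line in grub.cfg.
export_boot_key() {
    gpg --batch --yes --export "$SIGN_KEY" > "$1"
}

# missing_sigs FILE...: report files with no FILE.sig, or whose FILE.sig is
# older than the file (kernel updated but not re-signed: GRUB would refuse it).
# Returns 0 when every file is signed and current, 1 otherwise.
missing_sigs() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f.sig" ]; then
            echo "$f: missing detached signature" >&2
            rc=1
        elif [ "$f" -nt "$f.sig" ]; then
            echo "$f: signature is older than the file" >&2
            rc=1
        fi
    done
    return $rc
}

# verify_sigs KEYFILE FILE...: verify each FILE.sig with only the exported
# public key, in a throw-away keyring, so the result does not depend on
# whatever else is in the local keyring.
verify_sigs() {
    keyfile=$1; shift
    tmp=$(mktemp -d)
    gpg --batch --quiet --homedir "$tmp" --import "$keyfile"
    for f in "$@"; do
        gpg --batch --quiet --homedir "$tmp" --verify "$f.sig" "$f"
    done
    rm -rf "$tmp"
}

case "${1:-}" in
    sign)   for f in $BOOT_FILES; do sign_file "$f"; done ;;
    export) export_boot_key "${2:-fdroot/boot/grub/boot.key}" ;;
    check)  missing_sigs $BOOT_FILES \
                && verify_sigs fdroot/boot/grub/boot.key $BOOT_FILES \
                && echo "all boot files signed and verified" ;;
esac
```

Run "sign" as root after each kernel update, "export" once when building fdroot, and "check" before rebooting; a stale signature is reported rather than silently leaving you at the unsigned fallback entry.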


generate.sh

#!/bin/bash
# Build the GRUB floppy image from ./fdroot (grub.cfg + boot.key) with only the
# modules listed below. Keep this list in sync with the insmod lines in grub.cfg.

GRUB_MODULES+="usb_keyboard ls echo cat search_label search configfile part_gpt geli ufs2 cryptodisk gcry_rijndael bsd reboot pbkdf2 password password_pbkdf2 gcry_rsa gcry_sha512 test play verifiers"
GRUB_MODULES+=" part_msdos mdraid1x lvm ext2 diskfilter gzio ntfs linux drivemap chain part_acorn part_amiga part_apple part_bsd part_dfly part_dvh part_plan part_sun part_sunpc crypto loopback"

rm -f grub.img
grub-mkrescue --compress=gz -o grub.img --locale-directory=/usr/share/locale --locales=en@quot --fonts=none --install-modules="${GRUB_MODULES}" ./fdroot || exit

# 2.88 MB floppy: 2880 KiB = 2949120 bytes. The image must fit, and is then
# padded to exactly this size so SeaBIOS recognises it as a standard floppy.
FDLEN=2949120
if [ "$(stat -c %s grub.img)" -gt "$FDLEN" ]; then
    echo "Generated GRUB image is too large for a 2.88MB floppy image. Please adjust script." >&2
    rm -f grub.img
    exit 1
fi

truncate -s "$FDLEN" grub.img

grub.img

Create your grub floppy image

chmod +x generate.sh
./generate.sh

Add your GRUB image to coreboot

In your coreboot build directory, copy in grub.img and create a file named bootorder with the contents below. SeaBIOS tries the entries in order; the HALT line stops it from falling through to devices that are not listed, so the unverified bootloader on the disk is never used as a fallback. Note the naming: the entry /rom@floppyimg/grub refers to the CBFS file floppyimg/grub.lzma, since SeaBIOS drops the .lzma suffix when it matches bootorder entries.

bootorder

/rom@floppyimg/grub
HALT

Attach grub.img and bootorder to coreboot.rom

./build/cbfstool ./build/coreboot.rom add -f grub.img -n floppyimg/grub.lzma -t raw -c lzma
./build/cbfstool ./build/coreboot.rom add -f bootorder -n bootorder -t raw
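As an added check (not part of the original page), the script below confirms before flashing that every /rom@ entry in bootorder names a file that is really in the ROM, using the name mapping the page relies on (floppyimg/grub.lzma in CBFS is reached as /rom@floppyimg/grub). A typo here leaves SeaBIOS at HALT with nothing to boot. The paths ./build/cbfstool and ./build/coreboot.rom are taken from the commands above; the listing format is assumed to be that of cbfstool ROM print, whose first column is the CBFS file name and second column the offset.

```shell
#!/bin/sh
# Added example, not from the 15h.org page: cross-check bootorder against the
# CBFS contents of coreboot.rom before flashing.
# Assumed: ./build/cbfstool and ./build/coreboot.rom as on the page, and the
# `cbfstool ROM print` listing format (name in column 1, 0x offset in column 2).
set -eu

ROM="${ROM:-./build/coreboot.rom}"
CBFSTOOL="${CBFSTOOL:-./build/cbfstool}"

# bootorder_names FILE: turn each /rom@NAME line of a SeaBIOS bootorder file
# into the CBFS name it refers to; HALT and other entries are ignored.
bootorder_names() {
    sed -n 's|^/rom@||p' "$1"
}

# cbfs_names LISTING: CBFS file names from `cbfstool ROM print` output. Only
# rows whose second column is a 0x offset are file rows; the .lzma suffix is
# dropped because SeaBIOS drops it too when matching bootorder entries.
cbfs_names() {
    awk '$2 ~ /^0x[0-9a-fA-F]+$/ { sub(/\.lzma$/, "", $1); print $1 }' "$1"
}

# check_bootorder BOOTORDER LISTING: return 0 if every /rom@ entry resolves
# to a file in LISTING, otherwise name the missing ones and return 1.
check_bootorder() {
    rc=0
    for name in $(bootorder_names "$1"); do
        if ! cbfs_names "$2" | grep -qxF "$name"; then
            echo "bootorder entry /rom@$name has no matching CBFS file" >&2
            rc=1
        fi
    done
    return $rc
}

# Live use: "./check-bootorder.sh check" dumps the real ROM listing and checks it.
if [ "${1:-}" = "check" ]; then
    listing=$(mktemp)
    "$CBFSTOOL" "$ROM" print > "$listing"
    check_bootorder bootorder "$listing" && echo "bootorder OK"
    rm -f "$listing"
fi
```

Run it after the two cbfstool add commands and before flashing; it also catches a bootorder that was added to the ROM before grub.img was.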