Re: Change Full Disk Encryption Password Prompt Font and/or Background Image (stage 1)?

[Hans Gruber]

 Hello,
Sorry for the mistakes about the keyboard layouts.
On each laptop I also use a full disk encryption installation including boot 
partition, all partitions (boot, swap, home, root, ...) inside an LVM layer and 
everything inside the luks container. 
I'm assuming that you have x64 EFI. 
I'm assuming your boot partition is also encrypted because you wrote "full disk 
encryption".

The /boot/grub/grub.cfg (on boot partition) is read only after that you have 
entered your passphrase (this file is only available after decryption) and your 
custom font can only be loaded after this step. So, your custom font and 
background will be loaded at this time only (not before). The first grub stage 
is done by the grubx64.efi (which is an embedded grub containing some modules 
as video, crypto, filesystem, etc .. and a config file all inside a memdisk) 
which will reside normally on the ESP partition. 
In this case you need to be sure that your custom font and background are 
included in the /boot/grub/ (boot partition) and that grub can load them using 
your standard configuration tools (eg /etc/default/grub and the update-grub on 
Ubuntu) or by modifying your /boot/grub/grub.cfg (which is not recommended 
because this file will be regenerated by your distribution after a kernel 
update).

if you want to have a custom font or background loaded when you are entering 
your passphrase, these custom font or background need to be available during 
the first grub stage and loaded before that your boot partition will be opened 
and decrypted after typing your passphrase.In this case, you need to create a 
custom embedded grubx64.efi file which will include all your custom font, 
background and config or make these files accessible by the new grubx64.efi 
file (outside of it, not included in the memdisk inside the efi file) using a 
custom config (warning, even if your custom materials are embedded inside your 
new grub efi file, so inside the memdisk or outside of the efi file you need to 
create a a custom config file because grub is always loading by default 
$prefix/grub.cfg which will be inside the memdisk of the grub efi file) and put 
them for example on your ESP partition where the original file grubx64.efi is 
located. then your custom grubx64.efi will read your custom config including 
font and background, before doing the cryptomount to open the encrypted 
partition and then loading the /boot/grub.grub.cfg (sort of second stage).
What I have done ... I have created a custom grubx64.efi (with another name 
grubx64kb.efi, new config file, new memdisk content, ...) without replacing or 
deleting the orginal one, so in case of modification of the original 
grubx64.efi on the ESP partition by distrib updates, mine is not replaced. The 
original could also be a fallback. At start up I'm loading my customized 
grubx64kb.efi (using bios or refind) which will do the same tasks as the 
original one but with a modified configuration file. My purpose was to load a 
custom keyboard layout to type strong passphrase.

If you need more help, please tell me which stage you are trying to customize.
RegardsHans
 



    Le dimanche 14 mars 2021 à 19:51:06 UTC+1, Cullen Ross 
<cullenrss@gmail.com> a écrit :  
 
 Hi Hans,

Thanks for the response! Sorry if there is some confusion, I'm not trying
to set the keyboard layout. Thanks for the suggestions though!

Regarding fonts, I'm not sure which modules need to be loaded. I'm looking
at `moddep.lst` like you mentioned and there are a handful of various video
modules. My video card is intel if that helps. From what I understand, do I
place modules <some_video_module>, gfxterm, font in `GRUB_PRELOAD_MODULES`?
The gfxterm module requires the font and video modules, so do I place those
in front of gfxterm in the `GRUB_PRELOAD_MODULES` setting? Finally, where
do I put the `loadfont` command and where can the font file be if the disk
is encrypted? Perhaps in /boot/grub?

Lastly, if gfxterm is loaded early, does this mean I can issue a command to
set the image background?

Thank you so much!

Best,
Cullen

On Sun, Mar 14, 2021 at 2:18 PM Hans Gruber <moocan2112@yahoo.fr> wrote:

> Hello,
>
> About custom keyboard layout at grub2 first stage here is what I have used
> and done.
>
> https://wiki.archlinux.org/index.php/GRUB/Tips_and_tricks#Manual_configuration_of_core_image_for_early_boot
>
> https://wiki.archlinux.org/index.php/Talk:GRUB#Custom_keyboard_layout
>
> About custom fonts you don't need to rename your custom font to unicode.pf2
> You have inside your /boot/grub/${grub_cpu}-${grub_platform} folder of
> your linux distributions usefull *.lst files including the moddep.lst which
> is listing all modules and their dependencies.
>
> To load a custom font you need video modules, gfxterm as output, font
> modules and then do a loadfont yourcustomfont.pf2 file.
> You can find all Grub2 console command in grub2 manual.
> https://www.gnu.org/software/grub/manual/grub/grub.html
> <https://www.gnu.org/software/grub/manual/grub/grub.html#regexp>
>
> Hope this help.
> If you need further help.
>
> Regards
> Hans
>
>
>
>
>
> Le dimanche 14 mars 2021 à 17:58:00 UTC+1, Cullen Ross <
> cullenrss@gmail.com> a écrit :
>
>
> Hello everyone,
>
> This is my first time here, so I apologize if this has been answered before
> or if I'm not properly following etiquette.
>
> I've recently set up my laptop for full disk encryption, so when I start my
> machine, I'm greeted by GRUB's password prompt. Additionally, I've been
> theming grub to match a universal font and background image that I have. So
> far, I have everything set up the way I want except for the initial
> password prompt (I believe this is considered to be stage 1 of GRUB?). I'm
> trying to change the font from the default one so that it matches the font
> I've set everywhere else. Is it possible to change it? The only resource
> I've found that talks about changing stage 1 settings is here:
>
> https://superuser.com/questions/974833/change-the-keyboard-layout-of-grub-in-stage-1
> . Obviously this wasn't quite helpful because I'm not changing keyboard
> layouts. Could someone explain how to change the stage 1 password prompt
> font if it's possible? I've also tried replacing the system installed
> `unicode.pf2` with the font I want (renamed to unicode.pf2) and then
> reinstalling grub with `grub-install` but that didn't work.
>
> Additionally, if it's possible to set a background image at stage 1 could
> someone explain how to do that as well?
>
> Thank you so much for any and all assistance!
> Best,
> Cullen
>