Embedding grub password in core image

[Rowan Moul]

Hello everyone,

I have the latest (2.04) grub installed with the following options:

grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB 
--modules="tpm gcry_sha256 gcry_sha512 gcry_rsa" --pubkey 
/root/bootkeys/secure-grub.pgp

Adding the —pubkey sets check_signatures=enforce, giving reasonable confidence 
that all the files that grub loads from my unencrypted /boot aren’t tampered 
with.
I have also added a password to my grub.cfg to prevent someone from just 
dropping to the grub shell and disabling check_signatures (as suggested in the 
grub manual).
Unfortunately I have discovered a flaw in this system. If grub cannot load my 
grub.cfg file (perhaps it doesn’t exist, or it just fails signature 
verification) then it also drops to a grub shell, allowing someone to turn of 
check_signatures and load whatever they want.
Thankfully I have additional measures to ensure a secure boot process, but I 
would still like to close this loophole by embedding the password command in 
the grub image rather than loading it with the rest of the main config. I see 
that grub-mkimage has a —config option that allows me to embed a config file, 
however this isn’t exposed in grub-install from what I can tell.
I don’t have a problem using grub-mkimage instead, but I am not clear on what 
auto-detection of drive paths and other features I may be missing out on by not 
using grub-install.
How can I use grub-mkimage to produce the same image that grub-install would 
have?

Alternatively, if there is a better solution to this loophole then I would love 
to hear it.

Thanks,

Rowan