How to configure grubs to boot one of a closed set of setups

help-grub

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

How to configure grubs to boot one of a closed set of setups

From:	Philip Couling
Subject:	How to configure grubs to boot one of a closed set of setups
Date:	Fri, 8 Sep 2023 17:59:54 +0100

I'm in the process of hardening a system to prevent tampering.

What I'd like to do is to have a partially configured grub standalone
(grub-mkstandalone) that will only boot menu entries from a PGP signed
config file.

The part of this I'm having trouble with, is grub's behaviour of dropping
to a recovery console if a config file is missing (and perhaps other
circumstances that I'm not aware of). AFAIK this can be used by someone to
specify their own kernel boot params which can be used for privilege
escalation.

Under no circumstances do I want the standalone EFI binary to allow a user
at the terminal to specify their own Linux boot parameters, kernel files,
or initrd.

Is there a configuration option that can be embedded when in use
grub-mkstandalone that will limit grub down to just the menu options loaded
in a config file?

[Prev in Thread]

Current Thread

[Next in Thread]

How to configure grubs to boot one of a closed set of setups, Philip Couling <=
- Re: How to configure grubs to boot one of a closed set of setups, Randy Goldenberg, 2023/09/08
  - Re: How to configure grubs to boot one of a closed set of setups, Philip Couling, 2023/09/09
- Re: How to configure grubs to boot one of a closed set of setups, Andrei Borzenkov, 2023/09/09

Prev by Date: Re: What does it mean when GRUB fails to find a kernel symbol?
Next by Date: Re: How to configure grubs to boot one of a closed set of setups
Previous by thread: What does it mean when GRUB fails to find a kernel symbol?
Next by thread: Re: How to configure grubs to boot one of a closed set of setups
Index(es):
- Date
- Thread