help-grub

Re: How to configure grubs to boot one of a closed set of setups


From: Philip Couling
Subject: Re: How to configure grubs to boot one of a closed set of setups
Date: Sat, 9 Sep 2023 09:33:05 +0100

Oh. That's odd, that didn't seem to work for me before, but I can't
reproduce my earlier results.

On Fri, 8 Sept 2023 at 23:12, Randy Goldenberg <randy.goldenberg@gmail.com>
wrote:

>
> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
>
> On Fri, Sep 8, 2023 at 2:08 PM Philip Couling <couling@gmail.com> wrote:
>
>> I'm in the process of hardening a system to prevent tampering.
>>
>> What I'd like to do is to have a partially configured grub standalone
>> (grub-mkstandalone) that will only boot menu entries from a PGP signed
>> config file.
>>
>> The part of this I'm having trouble with, is grub's behaviour of dropping
>> to a recovery console if a config file is missing (and perhaps other
>> circumstances that I'm not aware of). AFAIK this can be used by someone to
>> specify their own kernel boot params which can be used for privilege
>> escalation.
>>
>> Under no circumstances do I want the standalone EFI binary to allow a user
>> at the terminal to specify their own Linux boot parameters, kernel files,
>> or initrd.
>>
>> Is there a configuration option that can be embedded when in use
>> grub-mkstandalone that will limit grub down to just the menu options loaded
>> in a config file?
>>
>

