Article 54C7M Adding GRUB Env Variable for Integrity Checks

by DapperDeer, from LinuxQuestions.org (#54C7M)
I'm currently developing a secure boot chain for my work. I'd like to utilize GRUB to boot into Linux where integrity checks will be performed, then if the filesystem is verified, change a custom GRUB environment variable flag which will allow the user to continue our boot into Windows.

My initial idea was led a bit astray as the embedded configuration doc is wrong, but I've been trying to persevere nonetheless. I found this StackOverflow thread suggesting a workaround is to embed a cfg file that uses `configfile` to call the actual file which contains the scripting and whatever else that I need.

This is my process:

1. Create a grub image:
Code:
# Memdisk has multiple cfgs dedicated to each boot entry (Windows and Linux)
$GRUBDIR/grub-mkimage \
-O i386-pc -d $CORE -v \
-p $CORE \
-m $HOME/memdisk/memdisk.tar \
-c $HOME/memdisk/embedded.cfg \
-o $CORE/core.img \
part_gpt biosdisk ext2 memdisk ntfs tar echo sleep configfile search_fs_uuid loadenv search normal

2. Install using that image:
Code:
$GRUBDIR/grub-install $DRIVE \
--boot-directory=$MNTDIR/boot/ \
-d $CORE

3. Using Dracut, create the initramfs.

Embedded.cfg:
Code:
configfile (memdisk)/grub.cfg

Grub.cfg:
Code:
load_env

if [ $Clean == "false" ]; then
configfile /boot/grub/windows.cfg
else
configfile /boot/grub/linux.cfg
fi

I looked through the GRUB documentation and it doesn't mention anything about singular brackets, yet every grub.cfg I can find uses single brackets. GRUB has given me errors for using double brackets. I've tried "$Clean", $Clean, [[ "$Clean" == "false" ]].

Grubenv:
Code:
# GRUB Environment Block
Clean=false
###########...

On boot, I get this initial return:

Code:
Booting from Hard Disk...
GRUB loading.....
Welcome to GRUB!

error: can't find command `false'.

and I have absolutely no idea why it keeps thinking that "false" is a command rather than a string. I've tried a ton of different iterations, with and without quotes, I've tried making it a zero or one, I've tried caps/no-caps/mixed-caps, I've tried using "set Clean=false save_env" and yet nothing I do works.

To try and be ultimately clear:
I want to create a GRUB environment variable named Clean. If Clean is true, I want to use /boot/grub/windows.cfg. If Clean is false, I want to use /boot/grub/linux.cfg. Clean will be initially set to false, forcing the user to boot into our Linux kernel that will then verify the integrity of the filesystem. If the filesystem is verified, I want Clean to be set to true (on next boot only) to allow the user to boot into Windows. If/once the system shuts down past this point, whether graceful or ungraceful, Clean should be false to force the user to verify the filesystem once more.

I thoroughly feel like I'm missing one small detail for everything to fall into place, so if anyone has any advice, it would be greatly appreciated.

Thanks so much
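Worked example of the flag mechanism the post describes, added here and not part of the original post or of GRUB's own tooling: a POSIX shell script that builds a grubenv block in the format `load_env` and `save_env` expect (exactly 1024 bytes, the `# GRUB Environment Block` header line, `KEY=VALUE` lines, `#` padding), reads a key back, validates the block, and writes a grub.cfg fragment in which `Clean` acts as a one-shot gate that is cleared before Windows is booted. The flag name and the windows.cfg/linux.cfg paths come from the post; the helper names, file paths and sample values are assumptions, and on a real system `grub-editenv` produces the same block.

```sh
#!/bin/sh
# Added example (not from the original post): build and read a GRUB
# environment block by hand, and emit a grub.cfg that uses "Clean" as a
# one-shot gate. Helper names and paths are constructed for illustration.

GRUBENV_HEADER='# GRUB Environment Block'
GRUBENV_SIZE=1024   # load_env/save_env operate on a fixed 1024-byte block

# make_grubenv FILE KEY=VALUE... : write a valid env block, padded with '#'
# to exactly GRUBENV_SIZE bytes (the layout grub-editenv creates).
make_grubenv() {
    file=$1; shift
    {
        printf '%s\n' "$GRUBENV_HEADER"
        for kv in "$@"; do printf '%s\n' "$kv"; done
    } > "$file"
    used=$(wc -c < "$file" | tr -d ' ')
    pad=$((GRUBENV_SIZE - used))
    [ "$pad" -ge 0 ] || { echo "env block exceeds $GRUBENV_SIZE bytes" >&2; return 1; }
    dd if=/dev/zero bs=1 count="$pad" 2>/dev/null | tr '\0' '#' >> "$file"
}

# get_grubenv FILE KEY : print KEY's value, or nothing if it is not set.
# Only the first block-sized chunk is read; comment/padding lines are skipped.
get_grubenv() {
    dd if="$1" bs="$GRUBENV_SIZE" count=1 2>/dev/null | grep -v '^#' | sed -n "s/^$2=//p"
}

# check_grubenv FILE : succeed only if size and header are what GRUB expects.
check_grubenv() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$GRUBENV_SIZE" ] || return 1
    [ "$(head -n 1 "$1")" = "$GRUBENV_HEADER" ]
}

# write_gate_cfg FILE : grub.cfg fragment implementing the one-shot gate.
# Clean=true boots Windows once and is reset on the spot; anything else
# (including an unset variable) falls through to the Linux integrity check.
write_gate_cfg() {
    cat > "$1" <<'EOF'
# load_env reads $prefix/grubenv by default; use --file if the block lives elsewhere
load_env
if [ "$Clean" = "true" ]; then
    # one-shot: clear the flag before Windows starts so the next boot,
    # clean or unclean shutdown alike, goes back through the Linux check
    set Clean=false
    save_env Clean
    configfile /boot/grub/windows.cfg
else
    configfile /boot/grub/linux.cfg
fi
EOF
}
```

Usage: `make_grubenv /tmp/grubenv Clean=false` creates the block, `get_grubenv /tmp/grubenv Clean` reads it back, and `write_gate_cfg /tmp/grub.cfg` writes the gate. Two points matter for the design in the post: `save_env` rewrites the block in place, so the grubenv must sit on a plain partition GRUB can write to (not inside the memdisk), and the flag is only as trustworthy as the file holding it, so the environment block belongs inside whatever the boot chain measures or verifies; otherwise anything able to write that file can skip the Linux check.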