Re: How to configure grubs to boot one of a closed set of setups

[Andrei Borzenkov]

On 08.09.2023 19:59, Philip Couling wrote:
> I'm in the process of hardening a system to prevent tampering.
>
> What I'd like to do is to have a partially configured grub standalone
> (grub-mkstandalone) that will only boot menu entries from a PGP signed
> config file.
>
> The part of this I'm having trouble with, is grub's behaviour of dropping
> to a recovery console if a config file is missing (and perhaps other
> circumstances that I'm not aware of). 

grub enters rescue shell if normal.mod could not be loaded. It is not 
configurable. Rescue shell offers small number of built-in commands, 
allowing you to try "insmod normal.mod" from some other place.

normal.mod drops to the CLI (it is not "recovery console", it is just 
normal grub command line) if either configuration file is not present or 
could not be read or if configuration file does not have any 
"menuentry"/"submenu", so there is no menu to show.

Dropping into CLI without configuration file can not be disabled. 
Dropping into CLI with empty menu can be controlled by grub 
authentication (see another reply).

> AFAIK this can be used by someone to
> specify their own kernel boot params which can be used for privilege
> escalation.

Standalone image normally includes full grub (all modules), sets grub 
$prefix to internal RAM disk and has grub configuration file in this RAM 
disk. Which means neither loading of normal.mod nor loading of grub.cfg 
should fail. Further attempts to escape into CLI are controlled by grub 
authentication.

> Under no circumstances do I want the standalone EFI binary to allow a user
> at the terminal to specify their own Linux boot parameters, kernel files,
> or initrd.
>
> Is there a configuration option that can be embedded when in use
> grub-mkstandalone that will limit grub down to just the menu options loaded
> in a config file?