Oh. Thats odd, that didn't seem to work for me before, but I can't reproduce my earlier results.
On Fri, 8 Sept 2023 at 23:12, Randy Goldenberg <[email protected]> wrote: > > https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html > > On Fri, Sep 8, 2023 at 2:08 PM Philip Couling <[email protected]> wrote: > >> I'm in the process of hardening a system to prevent tampering. >> >> What I'd like to do is to have a partially configured grub standalone >> (grub-mkstandalone) that will only boot menu entries from a PGP signed >> config file. >> >> The part of this I'm having trouble with, is grub's behaviour of dropping >> to a recovery console if a config file is missing (and perhaps other >> circumstances that I'm not aware of). AFAIK this can be used by someone to >> specify their own kernel boot params which can be used for privilege >> escalation. >> >> Under no circumstances do I want the standalone EFI binary to allow a user >> at the terminal to specify their own Linux boot parameters, kernel files, >> or initrd. >> >> Is there a configuration option that can be embedded when in use >> grub-mkstandalone that will limit grub down to just the menu options >> loaded >> in a config file? >> >
