Project

General

Profile

Forums » Troubleshooting »

Grub secure boot with GPG ( Libreboot)

sam - 2 months ago -

Hello everyone. Please tell me how to change grubtest.cfg correctly? Where in the configuration file should these lines be inserted?

trust (cbfsdisk)/boot.key
set check_signatures=enforce

I don’t understand what it means to insert before the menu entries (apparently they meant menuentry) https://libreboot.org/docs/linux/grub_hardening.html#gpg-keys

So

.......
  echo #Insert newline
}

set superusers="root" 
password_pbkdf2 root grub.pbkdf2.sha512.10000.RWE3274682SHFJSDF34820349023LJFSD08082049284.....

trust (cbfsdisk)/boot.key
set check_signatures=enforce

menuentry 'Load Parabola GNU/Linux-Libre (LTS)' {
insmod ahci
insmod part_msdos
insmod lvm
insmod cryptodisk
cryptomount -a
set root='lvm/matrix-rootvol'
linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:lvm
initrd /boot/initramfs-linux-libre.img
}

or so


.......
  echo #Insert newline

set superusers="root" 
password_pbkdf2 root grub.pbkdf2.sha512.10000.RWE3274682SHFJSDF34820349023LJFSD08082049284.....

menuentry 'Load Parabola GNU/Linux-Libre (LTS)' {

trust (cbfsdisk)/boot.key
set check_signatures=enforce

insmod ahci
insmod part_msdos
insmod lvm
insmod cryptodisk
cryptomount -a
set root='lvm/matrix-rootvol'
linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:lvm
initrd /boot/initramfs-linux-libre.img
}

Replies (4)

RE: Grub secure boot with GPG ( Libreboot) - wael - 2 months ago -

Former/First one is what is meant by inserting before the menu-entries.

Grub secure boot with GPG ( Libreboot) - sam - 2 months ago -

Hello Wael. Thank you for your answer.
Finally I managed to write my question after many trials of registrations))

While I was waiting, I wrote detailed instructions about all the tests using Ht, here you can see this link => https://forums.hyperbola.info/viewtopic.php?id=1010

If you notice any errors or have any comments, write to me and I will correct it.
I am sure that this will be useful to many users, as I see a lot of unanswered questions on this topic!

RE: Grub secure boot with GPG ( Libreboot) - wael - 2 months ago -

Off of the top of my head, at least for changing the image:
Libreboot and its derivatives use a very specific scheme for the background, the image is either called background.png/jpg (both formats work AFAIK).
Though the devil is somewhat in the details, as GRUB is somewhat limited in what it can use (better consult GRUB documentation on that).
Assuming the ROM image is called boot.rom, you can use cbfstool to insert the image as such:

cbfstool boot.rom remove -n background.jpg
cbfstool boot.rom remove -n background.png
cbfstool boot.rom add -n background.png -f background.png -t raw

Note that I've put commands to remove both png and jpg since both might be present, though for the insertion it suffices to have just one type.
Obviously, to apply the changes you'll have to reflash the ROM - presuming that you haven't locked your flash descriptor, then you can do that by a soft-flash.

Grub secure boot with GPG ( Libreboot) - sam - 2 months ago -

Wael, thank you very much for the advice. Yes, I would change the background, to be honest, I like the old option)) maybe I haven’t chosen something else yet.

I would like to draw your attention (I already wrote about this in the instructions) that in the latest versions of Libreboot there is no grub.cfg file, but if you include it in flash memory, it works as a priority one.
This information is not on the Parabola wiki.

I can copy all the instructions here if needed for users to use.

    (1-4/4)