mirror of
https://github.com/PrivSec-dev/privsec.dev.git
synced 2024-12-29 09:06:30 -05:00
Fix grub-install command
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
73676f3dc9
commit
d6c6d541b1
@ -423,7 +423,7 @@ On systems which use [`grub-btrfs`](https://github.com/Antynea/grub-btrfs) to mi
|
||||
- You should make `/boot` part of your root partition instead of a seperate one. In theory, if you have a seperate `/boot` partition, an evil maid attack can replace it with a malicious `/boot` partition and setup a fake `GRUB` decryption prompt for you to unlock the drive and subsequently compromising the rest of the system.
|
||||
- You will need to install `GRUB` with the `--no-shim-lock` option. The full command I use on my Arch Linux system is
|
||||
```bash
|
||||
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=`GRUB` --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs" --disable-shim-lock
|
||||
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs tpm" --disable-shim-lock
|
||||
```
|
||||
- You will need to enroll your own key as described [above](#enrolling-your-own-keys), sign the kernel and `GRUB` with your own keys, removing shim and MOK from the boot chain (if you are using them), and finally setting up hooks to automate these tasks every update. On Arch-based distributions, you can find the instructions on setting up the hooks in the [Arch Wiki](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Signing_the_kernel_with_a_pacman_hook).
|
||||
- You will need to disable the TPM module in your firmware to prevent `GRUB` from attempting to do [Measured Boot](https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html), which does not work with `grub-btrfs`. The discussion for this issue can be found [here](https://github.com/Antynea/grub-btrfs/issues/156).
|
||||
|
Loading…
Reference in New Issue
Block a user