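#
# Bootless: evil-maid mitigator.
#
# GRUB configuration for a boot medium that starts systems whose disks are
# encrypted. Two helpers are defined for use from menu entries:
#   bootfde - kernel and initrd are read from inside the encrypted volume.
#   bootimg - kernel and initrd are read from this boot medium.
#

#
# Load environment
#
# grubenv is a plain, unauthenticated file on the boot medium. "default" and
# "timeout" are assigned after it is loaded, so a stored value cannot change
# them.
if [ -s $prefix/grubenv ]; then
  load_env
fi

#
# Basic config
#
set default="0"
set timeout=5

#
# Menu appearance
#
set menu_color_normal=white/blue
set menu_color_highlight=yellow/red

#
# Handles boot from fully encrypted /boot volumes.
# Usage: bootfde volume [version] [source] [target]
#
#   volume  - logical volume holding the encrypted container; it is unlocked
#             with "cryptomount lvm/<volume>".
#   version - kernel version suffix, or "default" to use the /vmlinuz and
#             /initrd.img links. Defaults to 3.16.0-4-amd64.
#   source  - value for cryptopts "source=". Defaults to /dev/mapper/<volume>.
#   target  - value for cryptopts "target=" and the /dev/mapper name used as
#             the root device. Defaults to "root".
#
# GRUB script has no local variables: everything set here stays set after the
# function returns.
#
function bootfde {
  # Load the RAID, LVM and LUKS modules so the kernel and initrd can be read
  # from inside the encrypted OS volume.
  insmod mdraid1x
  insmod lvm
  insmod luks

  set volume=${1}

  # NOTE(review): the fallback version is hard-coded; pass the version (or
  # "default") explicitly if the installed kernel differs.
  if [ "${2}" ]; then
    set version=${2}
  else
    set version=3.16.0-4-amd64
  fi

  if [ "${3}" ]; then
    set source=${3}
  else
    set source=/dev/mapper/${1}
  fi

  if [ "${4}" ]; then
    set target=${4}
  else
    set target=root
  fi

  if [ "${version}" = "default" ]; then
    set kernel="/vmlinuz"
    set initrd="/initrd.img"
  else
    set kernel="/boot/vmlinuz-${version}"
    set initrd="/boot/initrd.img-${version}"
  fi

  # Unlock the volume; the paths above are then resolved inside it.
  cryptomount lvm/${volume}
  set root=(crypto0)

  # Load the LVM module again after loading the encrypted volume
  # so GRUB can detect LVM volumes inside crypto0.
  rmmod lvm
  insmod lvm

  # Complete kernel params available at
  # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
  # NOTE(review): "rootwait=5" is only understood as a timeout by kernels that
  # accept a value for rootwait; confirm it has the intended effect on the
  # kernel being booted.
  echo "Loading ${volume}..."
  linux ${kernel} root=/dev/mapper/${target} cryptopts=target=${target},source=${source} ro quiet rootwait=5 apparmor=1 security=apparmor
  echo 'Loading initial ramdisk ...'
  initrd ${initrd}
}

#
# Handles boot from images stored in the USB stick.
# Usage: bootimg volume [version] [target] [rootfs] [distro]
#
#   volume  - value for cryptopts "source=" (the encrypted device).
#   version - kernel version suffix, or "default" to use /vmlinuz and
#             /initrd.img. Defaults to 3.16.0-4-amd64.
#   target  - value for cryptopts "target=". Defaults to "root".
#   rootfs  - /dev/mapper name used as the root device. Defaults to <target>.
#   distro  - subdirectory of /boot/custom holding the images. Defaults to
#             "debian".
#
# The kernel and initrd are read from the boot medium and loaded as they are;
# nothing in this file verifies them. Their integrity therefore depends on the
# medium staying under the owner's control. GRUB's signature enforcement
# (check_signatures) is one way to add a check; confirm it fits the deployment.
#
function bootimg {
  set volume=${1}

  # NOTE(review): the fallback version is hard-coded; pass the version (or
  # "default") explicitly if the stored image differs.
  if [ "${2}" ]; then
    set version=${2}
  else
    set version=3.16.0-4-amd64
  fi

  if [ "${3}" ]; then
    set target=${3}
  else
    set target=root
  fi

  if [ "${4}" ]; then
    set rootfs=${4}
  else
    set rootfs=${target}
  fi

  if [ "${5}" ]; then
    set distro=${5}
  else
    set distro=debian
  fi

  if [ "${version}" = "default" ]; then
    set kernel="/vmlinuz"
    set initrd="/initrd.img"
  else
    # Kernel and initrd sit side by side in the per-distro directory, so both
    # paths need the "/" after ${distro}.
    set kernel="/boot/custom/${distro}/vmlinuz-${version}"
    set initrd="/boot/custom/${distro}/initrd.img-${version}"
  fi

  # Complete kernel params available at
  # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
  # NOTE(review): "rootwait=5" is only understood as a timeout by kernels that
  # accept a value for rootwait; confirm it has the intended effect on the
  # kernel being booted.
  echo "Loading ${volume}..."
  linux ${kernel} root=/dev/mapper/${rootfs} cryptopts=target=${target},source=${volume} ro quiet rootwait=5 apparmor=1 security=apparmor
  echo 'Loading initial ramdisk ...'
  initrd ${initrd}
}

#
# Default menu entry
#
menuentry "Memtest86+" {
  linux16 /boot/default/memtest/memtest86+.bin
}

#
# Custom menu entries
#
# configfile runs custom.cfg with the same authority as this file, so it is
# only as trustworthy as the medium it is stored on.
if [ -e "/boot/custom/custom.cfg" ]; then
  menuentry "Custom configurations" {
    configfile /boot/custom/custom.cfg
  }
fi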