From f1c55982006fa5e2a8706f7460a4cd16e9f767d3 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 2 Jul 2016 18:29:19 -0300
Subject: Bootless: FDE support
---
share/config/templates/bootless/custom.cfg | 29 +++++++++++++++++
share/config/templates/bootless/grub.cfg | 52 ++++++++++++++++++++++++++++++
2 files changed, 81 insertions(+)
create mode 100644 share/config/templates/bootless/custom.cfg
create mode 100644 share/config/templates/bootless/grub.cfg
(limited to 'share/config')
diff --git a/share/config/templates/bootless/custom.cfg b/share/config/templates/bootless/custom.cfg
new file mode 100644
index 0000000..5eaf786
--- /dev/null
+++ b/share/config/templates/bootless/custom.cfg
@@ -0,0 +1,29 @@
+#
+# Menu appearance
+#
+set menu_color_normal=white/blue
+set menu_color_highlight=yellow/red
+
+#
+# Example: imagens stored in the USB stick: just put your images under custom/debian/images.
+#
+menuentry 'Example: Darkstar' {
+ set version=3.16.0-4
+ set source=/dev/mapper/vg-root
+ set target=root
+
+ echo 'Loading AMD64 Debian Desktop (Jessie)...'
+ linux /boot/custom/debian/vmlinuz-${version}-amd64 root=/dev/mapper/root cryptopts=target=${target},source=${source} ro quiet apparmor=1 security=apparmor
+ echo 'Loading initial ramdisk ...'
+ initrd /boot/custom/debian/initrd.img-${version}-amd64
+}
+
+#
+# Example: Full Disk Encryption: images are loaded from encrypted partition.
+#
+menuentry 'Example: Darkstar FDE' {
+ set machine=darkstar
+ set version=3.16.0-4
+
+ bootfde ${machine} ${version}
+}
diff --git a/share/config/templates/bootless/grub.cfg b/share/config/templates/bootless/grub.cfg
new file mode 100644
index 0000000..b4e9e25
--- /dev/null
+++ b/share/config/templates/bootless/grub.cfg
@@ -0,0 +1,52 @@
+#
+# Bootless: evil-maid mitigator.
+#
+
+#
+# Load environment
+#
+if [ -s $prefix/grubenv ]; then
+ load_env
+fi
+
+#
+# Basic config
+#
+set default="0"
+set timeout=5
+
+#
+# Menu appearance
+#
+set menu_color_normal=white/blue
+set menu_color_highlight=yellow/red
+
+#
+# Handles boot from fully encrypted /boot volumes.
+#
+function bootfde {
+ insmod luks
+ insmod lvm
+
+ cryptomount lvm/${1}-root
+ set root=(crypto0)
+
+ echo "Loading ${1}..."
+ linux /boot/vmlinuz-${2}-amd64 root=/dev/mapper/root cryptopts=target=root,source=/dev/mapper/${1}-root ro quiet
+ echo 'Loading initial ramdisk ...'
+ initrd /boot/initrd.img-${2}-amd64
+}
+
+#
+# Default menu entry
+#
+menuentry "Memtest86+" {
+ linux16 /boot/default/memtest/memtest86+.bin
+}
+
+#
+# Custom menu entries
+#
+if [ -e "/boot/custom/custom.cfg" ]; then
+ configfile /boot/custom/custom.cfg
+fi
-- cgit v1.2.3
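Review bot: In `bootfde`, the result of `cryptomount lvm/${1}-root` is never checked and the unlocked device is assumed to be `(crypto0)`. If the unlock fails, the function still sets `root` and runs `linux`/`initrd` against a device that may not exist, and if another encrypted volume was already opened earlier in the same GRUB session, `(crypto0)` would presumably refer to that one rather than to `${1}-root`. I would guard the rest of the function with `if cryptomount lvm/${1}-root; then … else echo "Could not unlock ${1}-root"; fi` and add a comment stating the single-volume assumption. Separately, the kernel line here ends in `ro quiet`, whereas the non-FDE example in custom.cfg also passes `apparmor=1 security=apparmor`, so machines booted through `bootfde` lose those flags unless that is intentional.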