--- /dev/null
+set prefix=(memdisk)/boot/grub
+
+insmod nativedisk
+insmod ehci
+insmod ohci
+insmod uhci
+insmod usb
+insmod usbms
+insmod usbserial_pl2303
+insmod usbserial_ftdi
+insmod usbserial_usbdebug
+
+# Serial and keyboard configuration, very important.
+serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+terminal_input --append serial
+terminal_output --append serial
+terminal_input --append at_keyboard
+terminal_output --append cbmemc
+
+gfxpayload=keep
+terminal_output --append gfxterm
+
+# Default to first option, automatically boot after 1 second
+set default="0"
+set timeout=2
+
+# This is useful when using 'cat' on long files on GRUB terminal
+set pager=1
+insmod png
+
+background_image (cbfsdisk)/background.png
+loadfont (memdisk)/dejavusansmono.pf2
+
+## Force kernel and other files used to be signed
+trust (cbfsdisk)/public.key
+set check_signatures=enforce
+
+## CREATE SUPERUSER and SET PASSWORD
+#set superusers="user"
+#password_pbkdf2 user ##can set pw with
+
+keymap usqwerty
+function try_user_config {
+ set root="${1}"
+ for dir in boot grub grub2 boot/grub boot/grub2; do
+ for name in libreboot_ autoboot_ librecore_ coreboot_ ''; do
+ if [ -f /"${dir}"/"${name}"grub.cfg ]; then
+ unset superusers
+ configfile /"${dir}"/"${name}"grub.cfg
+ fi
+ done
+ done
+}
+function search_grub {
+ for i in 0 1; do
+ # raw devices
+ try_user_config "(${1}${i})"
+ for part in 1 2 3 4 5; do
+ # MBR/GPT partitions
+ try_user_config "(${1}${i},${part})"
+ done
+ done
+}
+function try_isolinux_config {
+ set root="${1}"
+ for dir in '' /boot; do
+ if [ -f "${dir}"/isolinux/isolinux.cfg ]; then
+ syslinux_configfile -i "${dir}"/isolinux/isolinux.cfg
+ elif [ -f "${dir}"/syslinux/syslinux.cfg ]; then
+ syslinux_configfile -s "${dir}"/syslinux/syslinux.cfg
+ fi
+ done
+}
+function search_isolinux {
+ for i in 0 1; do
+ # raw devices
+ try_isolinux_config "(${1}${i})"
+ for part in 1 2 3 4 5; do
+ # MBR/GPT partitions
+ try_isolinux_config "(${1}${i},${part})"
+ done
+ done
+}
+
+
+menuentry 'Boot to custom signed OS [q]' --hotkey='q' --unrestricted {
+ cryptomount -H (cbfsdisk)/luks_header (usb0,gpt1)
+ cryptomount -H (cbfsdisk)/luks_header (usb0,msdos1)
+
+ #try boot first since / might symlink to boot and break
+ set root=(lvm/matrix-boot)
+ if [ -f "/vmlinuz" ]; then
+ if [ -f "/initrd.img" ]; then
+ linux /vmlinuz
+ initrd /initrd.img
+ fi
+
+ else
+ echo "Trying to boot lvm/matrix-boot.."
+ echo "Couldn't find kernel"
+ echo "Trying to boot lvm/matrix-rootvol.."
+ set root=(lvm/matrix-rootvol)
+ if [ -f "/vmlinuz" ]; then
+ if [ -f "/initrd.img" ]; then
+ linux /vmlinuz
+ initrd /initrd.img
+ fi
+ fi
+
+ fi
+ #echo "Couldn't find kernel or initrd, or it wasn't signed"
+ #echo "Is the newest kernel signed? Is the luks header signed on boot flash?"
+}
+
+menuentry 'Boot to regular encrypted OS [x]' --hotkey='x' {
+#Simple setup to boot from encrypted boot partition
+#LUKS -> LVM -> logical volumes
+#LVM name matrix and boot volume rootvol or boot
+#Might get weird if multiple lvm devices connected
+ set check_signatures=no
+ cryptomount -a
+
+ #try boot first since / might symlink to boot and break
+ set root=(lvm/matrix-boot)
+ if [ -f "/vmlinuz" ]; then
+ if [ -f "/initrd.img" ]; then
+ linux /vmlinuz
+ initrd /initrd.img
+ fi
+
+ else
+ echo "Trying to boot lvm/matrix-boot.."
+ echo "Couldn't find kernel"
+ echo "Trying to boot lvm/matrix-rootvol.."
+ set root=(lvm/matrix-rootvol)
+ if [ -f "/vmlinuz" ]; then
+ if [ -f "/initrd.img" ]; then
+ linux /vmlinuz
+ initrd /initrd.img
+ fi
+ fi
+
+ fi
+}
+menuentry 'Load Operating Systems (vanilla) [o]' --hotkey='o' {
+# GRUB2 handles (almost) every possible disk setup, but only the location of
+# /boot is actually important since GRUB2 only loads the user's config.
+
+# LVM, RAID, filesystems and encryption on both raw devices and partitions in
+# all various combinations need to be supported. Since full disk encryption is
+# possible with GRUB2 as payload and probably even used by most users, this
+# configuration tries to load the operating system in the following way:
+
+# 1. Look for user configuration on unencrypted devices first to avoid
+# unnecessary decryption routines in the following order:
+
+# 1) raw devices and MBR/GPT partitions
+ search_grub ahci
+ search_grub ata
+# 2) LVM and RAID which might be used accross multiple devices
+ lvm="lvm/matrix-rootvol lvm/matrix-boot"
+ raid="md/0 md/1 md/2 md/3 md/4 md/5 md/6 md/7 md/8 md/9"
+ for vol in ${lvm} ${raid}; do
+ try_user_config "(${vol})"
+ done
+# 2. In case no configuration could be found, try decrypting devices. Look
+# on raw crypto devices as well as inside LVM volumes this time.
+
+# The user will be prompted for a passphrase if a LUKS header was found.
+ for dev in ahci0 ata0 usb0 ${lvm}; do
+ cryptomount "(${dev})"
+ done
+# 3) encrypted devices/partitions
+ for i in 0 1; do
+ for part in 1 2 3 4 5; do
+ for type in ahci ata; do
+ cryptomount "(${type}${i},${part})"
+ done
+ done
+ done
+
+# 3) encrypted devices/partitions
+ search_grub crypto
+# 4) LVM inside LUKS containers
+ for vol in ${lvm}; do
+ try_user_config "(${vol})"
+ done
+
+ # Last resort, if all else fails
+ set root=ahci0,1
+ for p in / /boot/; do
+ if [ -f "${p}vmlinuz" ]; then
+ linux ${p}vmlinuz root=/dev/sda1 rw
+ if [ -f "${p}initrd.img" ]; then
+ initrd ${p}initrd.img
+ fi
+ fi
+ done
+
+ # Last resort (for GA-G41-ES2L which uses IDE emulation mode for SATA)
+ set root=ata0,1
+ for p in / /boot/; do
+ if [ -f "${p}vmlinuz" ]; then
+ linux ${p}vmlinuz root=/dev/sda1 rw
+ if [ -f "${p}initrd.img" ]; then
+ initrd ${p}initrd.img
+ fi
+ fi
+ done
+}
+
+menuentry 'Search ISOLINUX menu (USB) [u]' --hotkey='u' {
+ set check_signatures=no
+ search_isolinux usb
+}
+menuentry 'Load test configuration [t]' --hotkey='t' {
+ set check_signatures=no
+ set root='(cbfsdisk)'
+ configfile /grubtest.cfg
+}
+menuentry 'Search for GRUB2 configuration [s]' --hotkey='s' {
+ set check_signatures=no
+ search_grub usb
+}
+menuentry 'Poweroff [p]' --hotkey='p' --unrestricted {
+ halt
+}
+menuentry 'Reboot [r]' --hotkey='r' --unrestricted {
+ reboot
+}
+
+
+
+
projects / inbyggd-frihet-wiki.git / commitdiff