set prefix=(memdisk)/boot/grub insmod nativedisk insmod ehci insmod ohci insmod uhci insmod usb insmod usbms insmod usbserial_pl2303 insmod usbserial_ftdi insmod usbserial_usbdebug # Serial and keyboard configuration, very important. serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1 terminal_input --append serial terminal_output --append serial terminal_input --append at_keyboard terminal_output --append cbmemc gfxpayload=keep terminal_output --append gfxterm # Default to first option, automatically boot after 1 second set default="0" set timeout=2 # This is useful when using 'cat' on long files on GRUB terminal set pager=1 insmod png background_image (cbfsdisk)/background.png loadfont (memdisk)/dejavusansmono.pf2 ## Force kernel and other files used to be signed trust (cbfsdisk)/public.key set check_signatures=enforce ## CREATE SUPERUSER and SET PASSWORD #set superusers="user" #password_pbkdf2 user ##can set pw with keymap usqwerty function try_user_config { set root="${1}" for dir in boot grub grub2 boot/grub boot/grub2; do for name in libreboot_ autoboot_ librecore_ coreboot_ ''; do if [ -f /"${dir}"/"${name}"grub.cfg ]; then unset superusers configfile /"${dir}"/"${name}"grub.cfg fi done done } function search_grub { for i in 0 1; do # raw devices try_user_config "(${1}${i})" for part in 1 2 3 4 5; do # MBR/GPT partitions try_user_config "(${1}${i},${part})" done done } function try_isolinux_config { set root="${1}" for dir in '' /boot; do if [ -f "${dir}"/isolinux/isolinux.cfg ]; then syslinux_configfile -i "${dir}"/isolinux/isolinux.cfg elif [ -f "${dir}"/syslinux/syslinux.cfg ]; then syslinux_configfile -s "${dir}"/syslinux/syslinux.cfg fi done } function search_isolinux { for i in 0 1; do # raw devices try_isolinux_config "(${1}${i})" for part in 1 2 3 4 5; do # MBR/GPT partitions try_isolinux_config "(${1}${i},${part})" done done } menuentry 'Boot to custom signed OS [q]' --hotkey='q' --unrestricted { cryptomount -H (cbfsdisk)/luks_header (usb0,gpt1) cryptomount -H (cbfsdisk)/luks_header (usb0,msdos1) #try boot first since / might symlink to boot and break set root=(lvm/matrix-boot) if [ -f "/vmlinuz" ]; then if [ -f "/initrd.img" ]; then linux /vmlinuz initrd /initrd.img fi else echo "Trying to boot lvm/matrix-boot.." echo "Couldn't find kernel" echo "Trying to boot lvm/matrix-rootvol.." set root=(lvm/matrix-rootvol) if [ -f "/vmlinuz" ]; then if [ -f "/initrd.img" ]; then linux /vmlinuz initrd /initrd.img fi fi fi #echo "Couldn't find kernel or initrd, or it wasn't signed" #echo "Is the newest kernel signed? Is the luks header signed on boot flash?" } menuentry 'Boot to regular encrypted OS [x]' --hotkey='x' { #Simple setup to boot from encrypted boot partition #LUKS -> LVM -> logical volumes #LVM name matrix and boot volume rootvol or boot #Might get weird if multiple lvm devices connected set check_signatures=no cryptomount -a #try boot first since / might symlink to boot and break set root=(lvm/matrix-boot) if [ -f "/vmlinuz" ]; then if [ -f "/initrd.img" ]; then linux /vmlinuz initrd /initrd.img fi else echo "Trying to boot lvm/matrix-boot.." echo "Couldn't find kernel" echo "Trying to boot lvm/matrix-rootvol.." set root=(lvm/matrix-rootvol) if [ -f "/vmlinuz" ]; then if [ -f "/initrd.img" ]; then linux /vmlinuz initrd /initrd.img fi fi fi } menuentry 'Load Operating Systems (vanilla) [o]' --hotkey='o' { # GRUB2 handles (almost) every possible disk setup, but only the location of # /boot is actually important since GRUB2 only loads the user's config. # LVM, RAID, filesystems and encryption on both raw devices and partitions in # all various combinations need to be supported. Since full disk encryption is # possible with GRUB2 as payload and probably even used by most users, this # configuration tries to load the operating system in the following way: # 1. Look for user configuration on unencrypted devices first to avoid # unnecessary decryption routines in the following order: # 1) raw devices and MBR/GPT partitions search_grub ahci search_grub ata # 2) LVM and RAID which might be used accross multiple devices lvm="lvm/matrix-rootvol lvm/matrix-boot" raid="md/0 md/1 md/2 md/3 md/4 md/5 md/6 md/7 md/8 md/9" for vol in ${lvm} ${raid}; do try_user_config "(${vol})" done # 2. In case no configuration could be found, try decrypting devices. Look # on raw crypto devices as well as inside LVM volumes this time. # The user will be prompted for a passphrase if a LUKS header was found. for dev in ahci0 ata0 usb0 ${lvm}; do cryptomount "(${dev})" done # 3) encrypted devices/partitions for i in 0 1; do for part in 1 2 3 4 5; do for type in ahci ata; do cryptomount "(${type}${i},${part})" done done done # 3) encrypted devices/partitions search_grub crypto # 4) LVM inside LUKS containers for vol in ${lvm}; do try_user_config "(${vol})" done # Last resort, if all else fails set root=ahci0,1 for p in / /boot/; do if [ -f "${p}vmlinuz" ]; then linux ${p}vmlinuz root=/dev/sda1 rw if [ -f "${p}initrd.img" ]; then initrd ${p}initrd.img fi fi done # Last resort (for GA-G41-ES2L which uses IDE emulation mode for SATA) set root=ata0,1 for p in / /boot/; do if [ -f "${p}vmlinuz" ]; then linux ${p}vmlinuz root=/dev/sda1 rw if [ -f "${p}initrd.img" ]; then initrd ${p}initrd.img fi fi done } menuentry 'Search ISOLINUX menu (USB) [u]' --hotkey='u' { set check_signatures=no search_isolinux usb } menuentry 'Load test configuration [t]' --hotkey='t' { set check_signatures=no set root='(cbfsdisk)' configfile /grubtest.cfg } menuentry 'Search for GRUB2 configuration [s]' --hotkey='s' { set check_signatures=no search_grub usb } menuentry 'Poweroff [p]' --hotkey='p' --unrestricted { halt } menuentry 'Reboot [r]' --hotkey='r' --unrestricted { reboot }