I've been tasked with creating a secure boot chain for my work. On boot, GRUB loads:
    insmod part_msdos
    load_env --file (hd0,msdos1)/boot/grub/grubenv
    if [ "$Clean" = "true" ]; then
        Clean=false
        save_env Clean
        configfile /boot/grub/windows.cfg
    else
        configfile /boot/grub/linux.cfg
    fi
As you can see, it's a very simple menu that relies upon a variable "Clean" to be true. If it's not true, we only show our Linux boot entry which does integrity checks, changes the variable to true, and reboots.
However, grubenv needs to be writable, and I remembered way too late that I need my boot chain to work on a verified filesystem - grubenv can't be verified if it keeps changing.
So, I'm now trying to kexec into GRUB4DOS from Linux. GRUB4DOS, however, takes forever to load/initialize, and so my question to you all:
What should I do? Is there a secure way I can boot from Linux to Windows that I'm not seeing? Kexec-ing to GRUB2 is apparently possible, but I've not been able to find any documentation on how to do that.
I would really appreciate any help/advice you can give,