Coreboot with GRUB payload

I was wondering if anyone has experimented with using GRUB directly as a coreboot payload instead of SeaBIOS or HEADS. GRUB is currently used as a coreboot payload in the libreboot distribution of coreboot. The advantages are a faster boot time and the ability to also encrypt the /boot partition, leaving the internal disk fully encrypted. Although it does not provide tamper proof (as of now) about the coreboot integrity, it does protect the integrity of the boot partition if the LUKS2 volume was created with integrity support (or if we consider it hard enough to tamper with LUKS encrypted data in a malicious, non-disrupting way).

I am working on achieving this manually and eventually publishing a guide (an insight on the process needed to have an encrypted /boot partition of a Qubes installation can be viewed here).

I am wondering if there could be enough interest to support this more officially, maybe directly in the script.

Purism is focused on making Pureboot its primary/only payload, so I can’t see us spending resources on grub. If there’s a simple config to compile with, then adding it as an option to the build from source option of the coreboot utility script is possible, but it would likely be unsupported.

Thanks, I understand your point. I am working on making it as easy as possible for whoever wants to try. As soon as I have a working version of my scripts I will update the thread.