by mjg59
2153 days ago
How would that work? If the public key is baked into the signed grub, the only person who can sign the config is whoever built grub. If the keypair is generated locally and the public half put on the ESP, an attacker can just replace it. Signed config works if you never need to modify the config, but for a general purpose OS you need to be able to modify the config.
Good point that in general, the operating system vendor does not know the grub.cfg on an installed system, and that an attacker with direct access to the ESP can modify the files that are present there.
A static grub.cfg that selects "the Linux root partition is the first partition on the device on which this GRUB bootloader is installed" would work. I don't believe GRUB supports this kind of behavior (maybe it should). It seems worthwhile and possible to design a mechanism where a simple grub.cfg can be signed by the operating system vendor. Disabling the ability to arbitrarily modify kernel boot options on a general purpose operating system is not a big deal, and could be mitigated with extra GRUB boot menu items.
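For concreteness, here is the shape such a vendor-signed static grub.cfg could take. This is an added illustration, not code from either commenter or from the GRUB project; it assumes GRUB was built with the vendor's public key embedded (grub-mkimage --pubkey) and with check_signatures=enforce in the embedded early config, and it assumes GRUB's documented regexp command and the $root variable (the device GRUB was loaded from) behave as the comments describe; the partition number and file paths are placeholders.

```grub
# Added example of a static, vendor-signed grub.cfg (assumptions: the public key is
# embedded in the signed GRUB image and check_signatures=enforce is already set in
# the embedded early config, so this file, the kernel and the initrd must each ship
# with a detached .sig from the vendor; nothing here can be edited on the ESP
# without breaking verification, which is the property being discussed).

# $root is the device GRUB was loaded from (on UEFI, the ESP, e.g. "hd0,gpt1").
# Capture everything before the comma to get the disk, then select a fixed
# partition number on that same disk instead of searching by filesystem UUID.
# (Partition naming assumes GPT; "gpt2" is a placeholder for the vendor's layout.)
regexp --set=1:bootdisk '^([^,]+),' "$root"
set root="$bootdisk,gpt2"

# No free-form kernel command line: the only choices are fixed menu entries,
# which is how the "extra GRUB boot menu items" mitigation above would look.
menuentry "Linux" {
    linux  /boot/vmlinuz root=/dev/disk/by-partlabel/root ro quiet
    initrd /boot/initrd.img
}

menuentry "Linux (verbose, single user)" {
    linux  /boot/vmlinuz root=/dev/disk/by-partlabel/root ro single
    initrd /boot/initrd.img
}
```

The local administrator cannot add a kernel parameter without re-signing grub.cfg, so every choice a user may need has to be a pre-signed entry; anything missing from the menu is simply not bootable through this path.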