thinkpad-coreboot-qubes/config/grub.cfg

set prefix=(memdisk)/boot/grub

insmod nativedisk
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbms
insmod part_msdos
insmod ext2
insmod lvm
insmod gcry_rijndael
insmod gcry_sha256
insmod luks
insmod cryptodisk
# insmod usbserial_pl2303
# insmod usbserial_ftdi
# insmod usbserial_usbdebug
insmod gfxmenu
insmod gfxterm_menu
insmod gfxterm_background
insmod chain
insmod jpeg

# Serial and keyboard configuration, very important.
# serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
# terminal_input --append  serial
# terminal_output --append serial
terminal_input --append at_keyboard
terminal_output --append cbmemc

gfxpayload=keep
terminal_output --append gfxterm

set menu_color_normal=white/black
set menu_color_highlight=white/cyan

# Default to first option, automatically boot after 1 second
set default="0>0"
set timeout=1

# This is useful when using 'cat' on long files on GRUB terminal
set pager=1

# Set a background image from CBFS
background_image (cbfsdisk)/background.jpg

# Set DejaVu Sans Mono as the default font
loadfont (cbfsdisk)/dejavusansmono.pf2

# Default keymap
keymap usqwerty

function try_user_config {
    set root="${1}"
    for dir in boot grub grub2 boot/grub boot/grub2; do
        for name in '' autoboot_ libreboot_ coreboot_; do
            if [ -f /"${dir}"/"${name}"grub.cfg ]; then
                unset superusers
                configfile /"${dir}"/"${name}"grub.cfg
            fi
        done
    done
}
function search_grub {
    for i in 0 1; do
        # raw devices
        try_user_config "(${1}${i})"
        for part in 1 2 3 4 5; do
            # MBR/GPT partitions
            try_user_config "(${1}${i},${part})"
        done
    done
}
function try_isolinux_config {
    set root="${1}"
    for dir in '' /boot; do
        if [ -f "${dir}"/isolinux/isolinux.cfg ]; then
            syslinux_configfile -i "${dir}"/isolinux/isolinux.cfg
        elif [ -f "${dir}"/syslinux/syslinux.cfg ]; then
            syslinux_configfile -s "${dir}"/syslinux/syslinux.cfg
        fi
    done
}
function search_isolinux {
    for i in 0 1; do
        # raw devices
        try_isolinux_config "(${1}${i})"
        for part in 1 2 3 4 5; do
            # MBR/GPT partitions
            try_isolinux_config "(${1}${i},${part})"
        done
    done
}

menuentry 'Qubes, with Xen hypervisor' --class qubes --class gnu-linux --class gnu --class os --class xen $menuentry_id_option 'xen-gnulinux-simple-1c874f0f-b41d-4120-8058-b327554c11bf' {
	set root='hd0,msdos1'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  55e7e06a-cad4-4a8d-ba89-9205493e87d7
	else
	  search --no-floppy --fs-uuid --set=root 55e7e06a-cad4-4a8d-ba89-9205493e87d7
	fi
	echo	'Loading Xen 4.8.3 ...'
        if [ "$grub_platform" = "pc" -o "$grub_platform" = "" ]; then
            xen_rm_opts=
        else
            xen_rm_opts="no-real-mode edd=off"
        fi
	multiboot	/xen-4.8.3.gz placeholder  console=none dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx ${xen_rm_opts}
	echo	'Loading Linux 4.14.18-1.pvops.qubes.x86_64 ...'
	module	/vmlinuz-4.14.18-1.pvops.qubes.x86_64 placeholder iomem=relaxed root=/dev/mapper/qubes_dom0-root ro rd.luks.uuid=luks-8453f049-6322-4e5d-b05a-a6c4688fd3a5 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.preliminary_hw_support=1 rhgb quiet rd.qubes.hide_all_usb 
	echo	'Loading initial ramdisk ...'
	module	--nounzip   /initramfs-4.14.18-1.pvops.qubes.x86_64.img
}

menuentry 'Qubes, with Xen hypervisor FDE' --class qubes --class gnu-linux --class gnu --class os --class xen $menuentry_id_option 'xen-gnulinux-simple-1c874f0f-b41d-4120-8058-b327554c11bf' {
	cryptomount -a
	set root='lvm/qubes_dom0-boot'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  55e7e06a-cad4-4a8d-ba89-9205493e87d7
	else
	  search --no-floppy --fs-uuid --set=root 55e7e06a-cad4-4a8d-ba89-9205493e87d7
	fi
	echo	'Loading Xen 4.8.3 ...'
        if [ "$grub_platform" = "pc" -o "$grub_platform" = "" ]; then
            xen_rm_opts=
        else
            xen_rm_opts="no-real-mode edd=off"
        fi
	multiboot	/xen-4.8.3.gz placeholder  console=none dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx ${xen_rm_opts}
	echo	'Loading Linux 4.14.18-1.pvops.qubes.x86_64 ...'
	module	/vmlinuz-4.14.18-1.pvops.qubes.x86_64 placeholder iomem=relaxed root=/dev/mapper/qubes_dom0-root ro rd.luks.uuid=luks-8453f049-6322-4e5d-b05a-a6c4688fd3a5 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.preliminary_hw_support=1 rhgb quiet rd.qubes.hide_all_usb 
	echo	'Loading initial ramdisk ...'
	module	--nounzip   /initramfs-4.14.18-1.pvops.qubes.x86_64.img
}

submenu 'Boot from a LUKS+LVM setup  [l]' --hotkey='l' {
    menuentry 'Linux-libre kernel' {
        cryptomount -a
        set root='lvm/matrix-system'
        linux /boot/vmlinuz-linux-libre root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
        initrd /boot/initramfs-linux-libre.img
    }
    menuentry 'Linux-libre-lts kernel' {
        cryptomount -a
        set root='lvm/matrix-system'
        linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
        initrd /boot/initramfs-linux-libre-lts.img
    }
    menuentry 'Linux-libre-grsec kernel' {
        cryptomount -a
        set root='lvm/matrix-system'
        linux /boot/vmlinuz-linux-libre-grsec root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
        initrd /boot/initramfs-linux-libre-grsec.img
    }
    menuentry 'Linux kernel' {
        cryptomount -a
        set root='lvm/matrix-system'
        linux /boot/vmlinuz-linux root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
        initrd /boot/initramfs-linux.img
    }
    menuentry 'Linux-lts kernel' {
        cryptomount -a
        set root='lvm/matrix-system'
        linux /boot/vmlinuz-linux-lts root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
        initrd /boot/initramfs-linux-lts.img
    }
    menuentry 'Linux-grsec kernel' {
        cryptomount -a
        set root='lvm/matrix-system'
        linux /boot/vmlinuz-linux-grsec root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
        initrd /boot/initramfs-linux-grsec.img
    }
}
menuentry 'Load operating system from HDD  [o]' --hotkey='o' {
# GRUB2 handles (almost) every possible disk setup, but only the location of
# /boot is actually important since GRUB2 only loads the user's config.

# LVM, RAID, filesystems and encryption on both raw devices and partitions in
# all various combinations need to be supported. Since full disk encryption is
# possible with GRUB2 as payload and probably even used by most users, this
# configuration tries to load the operating system in the following way:

# 1. Look for user configuration on unencrypted devices first to avoid
# unnecessary decryption routines in the following order:

#    1) raw devices and MBR/GPT partitions
    search_grub ahci
    search_grub ata
#    2) LVM and RAID which might be used accross multiple devices
    lvm="lvm/matrix-rootvol lvm/matrix-boot"
    raid="md/0 md/1 md/2 md/3 md/4 md/5 md/6 md/7 md/8 md/9"
    for vol in ${lvm} ${raid}; do
        try_user_config "(${vol})"
    done
# 2. In case no configuration could be found, try decrypting devices. Look
# on raw crypto devices as well as inside LVM volumes this time.

#    The user will be prompted for a passphrase if a LUKS header was found.
    for dev in ahci0 ata0 ${lvm}; do
        cryptomount "(${dev})"
    done
#    3) encrypted devices/partitions
    for i in 0 1; do
        for part in 1 2 3 4 5; do
            for type in ahci ata; do
                cryptomount "(${type}${i},${part})"
            done
        done
    done

#    3) encrypted devices/partitions
    search_grub crypto
#    4) LVM inside LUKS containers
    for vol in ${lvm}; do
        try_user_config "(${vol})"
    done

    # Last resort, if all else fails
    set root=ahci0,1
    for p in / /boot/; do
        if [ -f "${p}vmlinuz" ]; then
            linux ${p}vmlinuz root=/dev/sda1 rw
            if [ -f "${p}initrd.img" ]; then
                initrd ${p}initrd.img
            fi
        fi
    done

    # Last resort (for GA-G41-ES2L which uses IDE emulation mode for SATA)
    set root=ata0,1
    for p in / /boot/; do
        if [ -f "${p}vmlinuz" ]; then
            linux ${p}vmlinuz root=/dev/sda1 rw
            if [ -f "${p}initrd.img" ]; then
                initrd ${p}initrd.img
            fi
        fi
    done
}
submenu 'Search for systems on external media  [u]' --hotkey="u" {
    menuentry 'Search ISOLINUX menu (USB)  [u]' --hotkey='u' {
        search_isolinux usb
    }
    menuentry 'Search ISOLINUX menu (AHCI)  [a]' --hotkey='a' {
        search_isolinux ahci
    }
    menuentry 'Search ISOLINUX menu (CD/DVD)  [d]' --hotkey='d' {
        insmod ata
        for dev in ata0 ata1 ata2 ata3 ahci1; do
            try_isolinux_config "(${dev})"
        done
    }
    menuentry 'Search for GRUB2 configuration on external media  [s]' --hotkey='s' {
        search_grub usb
    }
    menuentry 'Load test configuration (grubtest.cfg) inside of CBFS  [t]' --hotkey='t' {
        set root='(cbfsdisk)'
        configfile /grubtest.cfg
    }
    menuentry 'Chainload bootloader on external media  [c]' --hotkey='c' {
        set root='(usb0)'
        chainloader +1
    }
}
menuentry 'Reboot  [r]' --hotkey='r' {
    reboot
}
menuentry 'Poweroff  [p]' --hotkey='p' {
    halt
}