Next: loadfont, Previous: list_trusted, Up: Command-line commands [Contents][Index]
Load all variables from the environment block file into the environment. See The GRUB environment block.
The --file option overrides the default location of the environment block.
The --skip-sig option skips signature checking even when the
value of environment variable check_signatures is set to
enforce (see check_signatures).
If one or more variable names are provided as arguments, they are interpreted as a whitelist of variables to load from the environment block file. Variables set in the file but not present in the whitelist are ignored.
The --skip-sig option should be used with care, and should
always be used in concert with a whitelist of acceptable variables
whose values should be set. Failure to employ a carefully constructed
whitelist could result in reading a malicious value into critical
environment variables from the file, such as setting
check_signatures=no, modifying prefix to boot from an
unexpected location or not at all, etc.
When used with care, --skip-sig and the whitelist enable an administrator to configure a system to boot only signed configurations, but to allow the user to select from among multiple configurations, and to enable “one-shot” boot attempts and “savedefault” behavior. See Using GPG-style digital signatures in GRUB, for more information.
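The whitelist behavior described above can be checked offline against a copy of an environment block. The following Python sketch is an added example, not code from GRUB or its manual: it models which variables load_env would set and reports security-critical ones that an unverified (--skip-sig) load would accept. The function names, the CRITICAL set and the sample block are constructed for illustration; the block layout (header line, name=value lines, '#' padding to 1024 bytes) is taken from the GRUB environment block format rather than from this page, and the lockdown restriction on appended signatures is not modeled.

```python
# Added example: model of load_env's whitelist filtering over a constructed
# environment block. Names below (audit_load_env, CRITICAL) are hypothetical.
HEADER = b"# GRUB Environment Block\n"
# Variables the page calls out as dangerous to load from an unsigned file.
CRITICAL = {"check_signatures", "prefix",
            "check_appended_signatures", "appendedsig_key_mgmt"}


def parse_envblk(data: bytes) -> dict:
    """Return name -> value for every variable stored in the block."""
    if not data.startswith(HEADER):
        raise ValueError("not a GRUB environment block")
    variables = {}
    for line in data[len(HEADER):].split(b"\n"):
        # '#' lines are comments or the padding that fills the block.
        if not line or line.startswith(b"#") or b"=" not in line:
            continue
        name, _, value = line.partition(b"=")
        variables[name.decode()] = value.decode()
    return variables


def audit_load_env(data: bytes, whitelist=(), skip_sig=False) -> dict:
    """Model which variables load_env would set, and flag risky loads."""
    stored = parse_envblk(data)
    # With no names given, every variable in the file is loaded.
    loaded = {k: v for k, v in stored.items()
              if not whitelist or k in whitelist}
    ignored = sorted(set(stored) - set(loaded))
    # Only an unverified file (--skip-sig) makes a critical load a finding.
    findings = sorted(set(loaded) & CRITICAL) if skip_sig else []
    return {"loaded": loaded, "ignored": ignored, "findings": findings}


# Constructed sample: a tampered block padded with '#' to 1024 bytes.
_body = HEADER + b"saved_entry=linux-signed\ncheck_signatures=no\nprefix=(hd1,1)/x\n"
SAMPLE = _body + b"#" * (1024 - len(_body))

if __name__ == "__main__":
    print(audit_load_env(SAMPLE, skip_sig=True))
    print(audit_load_env(SAMPLE, ["saved_entry", "next_entry"], skip_sig=True))
```

Without a whitelist the tampered check_signatures and prefix values are reported as findings; with the whitelist saved_entry next_entry they are ignored and only saved_entry is loaded.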
If the value of the environment variable check_appended_signatures is set to
yes and GRUB is in lockdown mode, the user is not allowed to set
check_appended_signatures to no, or appendedsig_key_mgmt
to static or dynamic, either directly using the load_env
command or via the environment block file. See Using appended signatures in GRUB, for
more information.