Now I could sign the font files... but I don't want to. Font files and grub config are located under /boot/grub, and therefore encrypted. An attacker doing something like removing my hard drive would not be able to modify them.
I don't want to go through the effort of encrypting font files, does anyone know if there is a version of grub that doesn't do this?
Actually, preferably, I would like a version of grub that doesn't verify ANYTHING. Since everything but grub's efi file is encrypted, it would be so much simpler to only do secure boot for that.
And yes, I do understand there are security benefits to being able to prevent an attacker that has gained some level of running access from doing something like replacing your kernel. But I'm less concerned about that vector of attack; I would simply like to make it so that my laptops aren't affected by evil maid attacks, without losing benefits from timeshift or whatnot.
If you're going for secure boot, I'd advise against GRUB.
Use a UKI, dm-verity and get one part of your disk encryption key from your TPM 2.0 (choose PCRs carefully). Is that not compatible with timeshift?
Also see safeboot.dev, even if that's just for Ubuntu 20.04.
Timeshift snapper rollbacks are nice but they can only work with grub. And that legacyware keeps finding a new way to shoot itself in the foot.
Make daily automated backups to an external drive and/or cloud. You probably don't need the hassle of relying on both timeshift and grub at the same time to work.
My important data is backed up to several USB drives, and kept in sync between two computers via syncthing. Soon I will back it up to my college's Box cloud, using rclone's crypt feature.
But this isn't about data. This is about me being able to tinker without worry, breaking down to even the lowest level of my system. In addition to that, I don't want to have to waste time manually restoring a system snapshot/backup, as I will soon be busy with other things like classes. I want a one step process.
Why not tinker in a VM if that's the case? An even better solution for your need of an easy, just works distro that is impossible to FUBAR would be something like Fedora Silverblue or MicroOS.
I think this post is you learning the hard way: there's no such thing as a one-step process in Linux.
Dunno why this is downvoted, this is unironically a last resort of mine. I don't want to maintain a fork of grub but if it comes down to it, I may do something similar to this except the sed trick doesn't seem to work anymore.
EDIT: the sed trick does work. I just forgot to install grub with --disable-shim-lock.