Security Handbook/Bootloader security

This section details Article description::tightening system security by hardening secondary bootloaders such as GRUB. == Tightening security ==

GRUB legacy
GRUB legacy supports two different ways of adding password protection to the boot loader. The first uses plain text, while the latter uses md5+salt encryption.

This will add the password. If no password is entered at boot, GRUB will simply use the default boot setting.

When adding an md5 password, the password must be converted into crypt format, which is the same format used in. For more information see. The encrypted password, for example, could look like this:

The password can be encrypted directly at the GRUB shell:

Cut and paste the password into the file:

The 5 seconds timeout becomes handy if the system is remote and should be able to reboot without any keyboard interaction. Learn more about GRUB passwords by executing.

GRUB2
Password protecting GRUB2 is performed in a similar way to GRUB legacy (listed above). First, the user space tool must be used in order to generate a pbkdf2 hash for the password:

Next create a few new GRUB users in the file. One of the users should be the superuser, the other user can have permissions to only boot specific boot entries.

To make boot options unrestricted (any GRUB2 user can boot unrestricted entries) add  to each menuentry line in the  configuration file. This will look something like the following:

{{FileBox|filename=/etc/grub.d/10_linux|title=Unrestricted boot entry|lang=bash|1= echo "menuentry '$(echo "$title" {{!}} grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" {{!}} sed "s/^/$submenu_indentation/" }}

To only let the superuser and a specific user (with a password) boot an entry, add the  option to the menuentry lines. The user "larry" is used in the example below:

{{FileBox|filename=/etc/grub.d/10_linux|title=Specific user boot entry|lang=bash|1= echo "menuentry '$(echo "$title" {{!}} grub_quote)' --users larry ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" {{!}} sed "s/^/$submenu_indentation/" }}

Finally, be sure to regenerate the file using the  command:

Encrypted /boot partition
In order to prevent the /boot partition from being manipulated it can be decrypted with GRUB. Further information about formatting the disc can be found on the Dm-crypt article.

The options are set in your grub configuration file:

Note: At the moment (2020-06-23) I see no option to embed the locale before decrypting.

LILO
LILO also supports two ways of handling passwords: global and per-image, both in clear text.

The global password is set at the top of the configuration file, and applies to every boot image:

The per-image password is set as below:

is the default option and will prompt for a password every time.

can be used to only prompt when kerenel parameters are specified on boot.

In order to enable the changes after editing, the command must be run.

UEFI
Securing the boot loader for UEFI systems is described in Sakaki's_EFI_Install_Guide/Configuring_Secure_Boot_under_OpenRC