Security Handbook/Bootloader security

From Gentoo Wiki

This section details tightening system security by hardening secondary boot loaders such as GRUB and LILO. A boot loader that accepts arbitrary kernel parameters from the console (for example init=/bin/sh) gives anyone with physical access a root shell, so the boot menu should demand a password before an entry can be edited or the boot loader command line used.

Password protecting the boot loader

GRUB legacy

GRUB legacy supports two different ways of adding password protection to the boot loader. The first stores the password in plain text; the second stores a salted MD5 hash (md5crypt), so that reading grub.conf does not reveal the password itself.

FILE /boot/grub/grub.conf
timeout 5
password changeme

This sets the password changeme. With a password configured GRUB still boots the default entry after the timeout without asking for anything, but editing an entry or entering the GRUB command line first requires pressing p and supplying the password.

When adding an md5 password, the password must be converted into crypt format, the same format used in /etc/shadow (see man crypt). The md5crypt hash of changeme could, for example, look like this: $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs. The salt (T7/dgdIJ here) is random, so every run produces a different string for the same password.

The hash can be generated directly at the GRUB shell:

root #/sbin/grub
GRUB version 0.92 (640K lower / 3072K upper memory)

   [ Minimal BASH-like line editing is supported. For the first word, TAB lists
     possible command completions. Anywhere else TAB lists the possible
     completions of a device/filename. ]
grub> md5crypt

Password: ********
(Typed changeme at the prompt)
Encrypted: $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.

grub> quit

Copy the hash (not the clear-text password) into the /boot/grub/grub.conf file:

FILE /boot/grub/grub.conf
timeout 5
password --md5 $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.

The 5 second timeout is handy if the system is remote and should be able to reboot without any keyboard interaction. The password only guards interactive use of the menu: if the plain-text form is used, make sure /boot/grub/grub.conf is readable by root only, since any local user could otherwise read the password. Learn more about GRUB passwords by executing info grub.

GRUB2

Password protecting GRUB2 is performed in a similar way to GRUB legacy (listed above). First, the grub-mkpasswd-pbkdf2 user space tool (installed as grub2-mkpasswd-pbkdf2 on some other distributions) must be used to generate a PBKDF2 hash of the password:

root #grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.abcdef...
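As an added example (not GRUB's own code and not part of this handbook), the following Python reproduces what grub-mkpasswd-pbkdf2 computes: PBKDF2-HMAC-SHA512 with 10000 iterations over a 64-byte random salt, printed as grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>, plus the reverse check that the password_pbkdf2 command performs at boot. The function names (make_hash, parse_hash, verify, render_40_custom) are this example's own, not GRUB's.

```python
"""Generate and verify GRUB2 password_pbkdf2 hashes.

Added example, not GRUB's own code. It mirrors the defaults of
grub-mkpasswd-pbkdf2 (SHA-512, 10000 iterations, 64-byte salt, 64-byte
derived key) and its output format, so the result can be pasted into
/etc/grub.d/40_custom.
"""
import hashlib
import hmac
import os

PREFIX = "grub.pbkdf2.sha512"
DEFAULT_ITERATIONS = 10000  # grub-mkpasswd-pbkdf2 -c default
DEFAULT_SALT_LEN = 64       # grub-mkpasswd-pbkdf2 -s default (bytes)
DEFAULT_HASH_LEN = 64       # grub-mkpasswd-pbkdf2 -l default (bytes)


def make_hash(password, iterations=DEFAULT_ITERATIONS, salt=None, hash_len=DEFAULT_HASH_LEN):
    """Return a grub.pbkdf2.sha512 string; salt is random unless given (fixed salts are for tests only)."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)
    if iterations < 1 or not salt or hash_len < 1:
        raise ValueError("iterations, salt and hash length must be positive")
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=hash_len)
    # GRUB prints salt and digest as upper-case hex
    return ".".join((PREFIX, str(iterations), salt.hex().upper(), derived.hex().upper()))


def parse_hash(grub_hash):
    """Split a grub.pbkdf2.sha512 string into (iterations, salt bytes, digest bytes)."""
    parts = grub_hash.strip().split(".")
    if len(parts) != 6 or ".".join(parts[:3]) != PREFIX:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    iterations = int(parts[3])
    salt, digest = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    if iterations < 1 or not salt or not digest:
        raise ValueError("malformed grub.pbkdf2.sha512 hash")
    return iterations, salt, digest


def verify(password, grub_hash):
    """Check a password against a hash string; the digest comparison is constant-time."""
    iterations, salt, digest = parse_hash(grub_hash)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def render_40_custom(superusers, user_hashes):
    """Build the lines appended to /etc/grub.d/40_custom for the given users (name -> hash)."""
    lines = ['set superusers="%s"' % ",".join(superusers)]
    lines += ["password_pbkdf2 %s %s" % (user, h) for user, h in user_hashes.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("Enter password: ")
    if pw != getpass.getpass("Reenter password: "):
        raise SystemExit("passwords do not match")
    print("PBKDF2 hash of your password is", make_hash(pw))
```

Run interactively to obtain a pasteable hash, or call verify() against the string found in grub.cfg to confirm it still matches the password you believe it to be. Do not lower the iteration count below the default: grub.cfg is generally world-readable, so the hash must stand on its own against offline guessing.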

Next, create the GRUB users in the /etc/grub.d/40_custom file. One user must be named in superusers; the superuser can boot and edit every entry. Other users can later be granted permission to boot specific entries only. Everything below the exec tail line of 40_custom is copied verbatim into grub.cfg, so the lines look exactly as they will in the final file (bbb and ccc stand for the full hash strings printed by grub-mkpasswd-pbkdf2):

FILE /etc/grub.d/40_custom
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.bbb
password_pbkdf2 larry grub.pbkdf2.sha512.10000.ccc

Once superusers is set, an entry that carries neither --unrestricted nor --users can only be booted by a superuser. An entry marked --unrestricted can be booted by anyone without a password, but editing it still requires superuser authentication. To make boot options unrestricted, add --unrestricted to each menuentry line in the /etc/grub.d/10_linux configuration file (note that this file belongs to the grub package, so the change must be re-applied or merged with etc-update after an upgrade). This will look something like the following:

FILE /etc/grub.d/10_linux (unrestricted boot entry)
echo "menuentry '$(echo "$title" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"

To only let the superuser and specific users (after entering their password) boot an entry, add the --users option to the menuentry lines; the listed users may boot that entry but still cannot edit it. The user "larry" is used in the example below:

FILE /etc/grub.d/10_linux (specific user boot entry)
echo "menuentry '$(echo "$title" | grub_quote)' --users larry ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"

Finally, be sure to regenerate the grub.cfg file using the grub-mkconfig command, since GRUB reads only the generated file, not the scripts in /etc/grub.d:

root #grub-mkconfig -o /boot/grub/grub.cfg
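After regenerating grub.cfg it is worth checking what the combination of superusers, --unrestricted and --users actually produced: GRUB executes the whole file before showing the menu, an entry with neither flag silently becomes superuser-only, and if superusers was never set every entry stays open to anyone at the console. The following Python audit is an added example, not part of this handbook or of GRUB; it parses grub.cfg text, classifies every menuentry and submenu, and lists mismatches such as --users names that have no password line. The embedded SAMPLE_GRUB_CFG is constructed for illustration (its hashes are placeholders) and the function name audit_grub_cfg is this example's own.

```python
"""Audit a generated grub.cfg for GRUB2 password protection coverage.

Added example, not part of the Gentoo handbook. For each menuentry/submenu
it reports who may boot it: "anyone" (--unrestricted), "users" (the --users
list, plus superusers), "superusers" (no flag, superusers set) or
"unprotected" (no 'set superusers' at all).
"""
import re

SUPERUSERS_RE = re.compile(r"""^\s*set\s+superusers=["']?([^"']*)["']?\s*$""")
PASSWORD_RE = re.compile(r"^\s*(password|password_pbkdf2)\s+(\S+)\s+(\S+)")
ENTRY_RE = re.compile(r"""^\s*(menuentry|submenu)\s+(?:'([^']*)'|"([^"]*)")(.*)\{\s*$""")
USERS_RE = re.compile(r"""--users(?:=|\s+)(?:'([^']*)'|"([^"]*)"|(\S+))""")

# Constructed sample in the layout grub-mkconfig emits; hashes are placeholders.
SAMPLE_GRUB_CFG = """\
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.AAAA.BBBB
password_pbkdf2 larry grub.pbkdf2.sha512.10000.CCCC.DDDD
menuentry 'Gentoo GNU/Linux' --unrestricted --class gentoo $menuentry_id_option 'gnulinux-simple-123' {
        linux /vmlinuz root=/dev/sda2
}
submenu 'Advanced options for Gentoo GNU/Linux' $menuentry_id_option 'gnulinux-advanced-123' {
        menuentry 'Gentoo GNU/Linux, with Linux 5.10 (recovery mode)' --users larry --class gentoo $menuentry_id_option 'gnulinux-5.10-recovery-123' {
                linux /vmlinuz single
        }
}
menuentry 'Memory test' --users 'larry,wilma' {
        linux16 /memtest.bin
}
"""


def _split_users(value):
    """GRUB user lists may be separated by commas or whitespace."""
    return [u for u in re.split(r"[,\s]+", value) if u]


def audit_grub_cfg(text):
    lines = text.splitlines()
    superusers, users, findings = None, {}, []
    # Pass 1: collect the global security state. 40_custom content usually
    # comes after the 10_linux entries, but GRUB evaluates the whole file
    # before the menu appears, so position does not matter.
    for line in lines:
        m = SUPERUSERS_RE.match(line)
        if m:
            superusers = _split_users(m.group(1))
            continue
        m = PASSWORD_RE.match(line)
        if m:
            users[m.group(2)] = m.group(1)
            if m.group(1) == "password":
                findings.append("user '%s' has a clear-text password; use password_pbkdf2" % m.group(2))
    # Pass 2: classify each entry against that state.
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.group(1), m.group(4)
        title = m.group(2) if m.group(2) is not None else m.group(3)
        listed = []
        um = USERS_RE.search(rest)
        if um:
            listed = _split_users(next(g for g in um.groups() if g is not None))
        if superusers is None:
            access = "unprotected"
        elif re.search(r"--unrestricted\b", rest):
            access = "anyone"
        elif listed:
            access = "users"
        else:
            access = "superusers"
        for u in listed:
            if u not in users:
                findings.append("entry '%s' grants user '%s' who has no password line" % (title, u))
        entries.append({"kind": kind, "title": title, "access": access, "users": listed})
    if superusers is None:
        findings.append("no 'set superusers' line: the menu can be edited and any entry booted without a password")
    else:
        for su in superusers:
            if su not in users:
                findings.append("superuser '%s' has no password line" % su)
    return {"superusers": superusers, "users": sorted(users), "entries": entries, "findings": findings}


if __name__ == "__main__":
    import sys
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GRUB_CFG
    report = audit_grub_cfg(cfg)
    print("superusers:", report["superusers"], "users with passwords:", report["users"])
    for e in report["entries"]:
        who = e["access"] + (" " + ",".join(e["users"]) if e["users"] else "")
        print("%-9s %-24s %s" % (e["kind"], who, e["title"]))
    for f in report["findings"]:
        print("finding:", f)
```

Run it as python3 grub_audit.py /boot/grub/grub.cfg (the script name is arbitrary) after every grub-mkconfig; with no argument it audits the embedded sample, where the only finding is that the Memory test entry names a user, wilma, who has no password line.
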

Encrypted /boot partition

In order to prevent the /boot partition from being manipulated offline, it can be placed on a LUKS-encrypted volume that GRUB unlocks at boot. Further information about formatting the disk can be found in the Dm-crypt article. Note that the GRUB core image itself (in the MBR gap or on the EFI system partition) necessarily stays unencrypted; protecting that part is what Secure Boot, covered below for UEFI systems, is for.

The options are set in /etc/default/grub. GRUB_ENABLE_CRYPTODISK=y is required as well: without it grub-install refuses to install onto an encrypted disk and does not build cryptodisk support into the core image.

FILE /etc/default/grub
# required so that grub-install embeds LUKS support into the core image
GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="cryptodisk lvm luks"

Note: As of 2020-06-23 there appears to be no option to embed the locale before decrypting, so the passphrase prompt is shown before any locale files on the encrypted /boot can be loaded.

LILO

LILO also supports two ways of handling passwords: global and per-image, both stored in clear text. Because of this, /etc/lilo.conf must be readable by root only (chmod 600); lilo prints a warning when a password is configured in a world-readable file.

The global password is set at the top of the configuration file, before any image= section, and applies to every boot image (the password is changeme, as in the GRUB examples above):

FILE /etc/lilo.conf
# global section: the password applies to every image below
password=changeme
The per-image password is set inside the image= section it should apply to (the kernel path and label are placeholders):

FILE /etc/lilo.conf
image=/boot/vmlinuz
    label=gentoo
    read-only
    password=changeme
    restricted
mandatory is the default option and will prompt for the password on every boot of the image.

restricted can be used to only prompt when kernel parameters are specified at the boot prompt, so unattended reboots of the default image still work while overrides such as init=/bin/sh require the password. bypass disables the password for a single image.

In order to enable the changes after editing /etc/lilo.conf, the lilo command must be run.

root #lilo

UEFI

The password schemes above protect the boot menu, not the boot loader binary itself, which on UEFI systems sits on the unencrypted EFI system partition and can be replaced unless Secure Boot verifies it. Securing the boot loader for UEFI systems is described in User:Sakaki/Sakaki's_EFI_Install_Guide/Configuring_Secure_Boot_under_OpenRC