Securing Bootloader with Authentications
The bootloader is what boots the system up, so securing it must be the number 1 priority. A flexible bootloader like GRUB can open up a lot of powerful access points to the operating system. This section guides you on how to secure the bootloader with authentication.
Identified Threats
These are the identified threats related to Debian Software.
(T-18) Bootloader is Configurable to Boot Into Root Account
Because the bootloader (e.g. LILO or GRUB) is configurable during Stage-1 booting, an attacker can configure it to boot a malicious kernel or to drop to the root account at boot.
(T-19) No mechanism to Ensure Bootloader Integrity
There is no existing mechanism to ensure the integrity of the bootloader.
Actions Required
Here is the list of actions to counter these issues.
Secure bootloader with Encrypted Password
One can secure a bootloader like GRUB using a certified algorithm such as PBKDF2, or by encrypting LILO (if you're using LILO).
IMPORTANT NOTE:
The handbook recommends the use of MD5, which is not a password hashing algorithm. GRUB now supports the PBKDF2 algorithm, which is a proper one. Hence, DO NOT USE MD5 FOR PASSWORD RELATED MATTERS.
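One way to check a GRUB configuration against the advice above, as an added example that is not part of the original guide: the script flags plaintext and MD5 password directives and confirms that every superuser has a well-formed PBKDF2 hash. It assumes the GRUB 2 directives `set superusers`, `password` and `password_pbkdf2`, the GRUB legacy form `password --md5`, and the hash layout printed by `grub-mkpasswd-pbkdf2`; the sample configurations and the helper names are constructed for illustration.

```python
import hashlib
import os
import re

# Layout printed by grub-mkpasswd-pbkdf2: grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>
HASH_RE = re.compile(r"^grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$")
SUPERUSERS_RE = re.compile(r"^\s*set\s+superusers=[\"']?([^\"']*)")


def make_hash(password, iterations=10000, salt=None):
    """PBKDF2-HMAC-SHA512 hash in the GRUB 2 layout (salt is random unless given)."""
    salt = salt if salt is not None else os.urandom(64)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, 64)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def audit(cfg_text):
    """Return findings for the password directives in GRUB configuration text."""
    findings, superusers, hashed = [], set(), set()
    for n, line in enumerate(cfg_text.splitlines(), 1):
        m = SUPERUSERS_RE.match(line)
        if m:
            superusers |= {u for u in re.split(r"[ ,;|&]+", m.group(1)) if u}
            continue
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "password_pbkdf2":
            if HASH_RE.match(tok[2]):
                hashed.add(tok[1])
            else:
                findings.append(f"line {n}: malformed PBKDF2 hash for user {tok[1]}")
        elif len(tok) >= 2 and tok[0] == "password":
            kind = "MD5 hash (GRUB legacy)" if tok[1] == "--md5" else "plaintext password"
            findings.append(f"line {n}: {kind}, replace with password_pbkdf2")
    if not superusers:
        findings.append("superusers is not set: menu editing and the GRUB command line are unrestricted")
    for user in sorted(superusers - hashed):
        findings.append(f"superuser {user} has no valid password_pbkdf2 entry")
    return findings


# Constructed sample configurations (not taken from a real system).
WEAK_CFG = 'set superusers="admin"\npassword admin hunter2\n'
GOOD_CFG = 'set superusers="admin"\npassword_pbkdf2 admin ' + make_hash("correct horse") + "\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("good", GOOD_CFG)):
        print(name, audit(cfg) or "no findings")
```
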
Enable Secure Boot
Secure Boot (SB) is available starting from Debian Buster. Hence, one should enable SB before installation.
That's all for hardening Debian by securing bootloader with authentications.