Securing Bootloader with Authentications

Because the bootloader is what boots the system, securing it must be the number 1 priority. A flexible bootloader such as GRUB can open up many powerful access points to the operating system. This section explains how to secure the bootloader with authentication.

Identified Threats

These are the identified threats related to Debian Software.

(T-18) Bootloader is Configurable to Boot Into Root Account

Because the bootloader (e.g. LILO or GRUB) is configurable during Stage-1 booting, an attacker can configure it to boot a malicious kernel or to drop into the root account at boot.

(T-19) No Mechanism to Ensure Bootloader Integrity

There is no existing mechanism to ensure the integrity of the bootloader.

Actions Required

Here is the list of actions to counter these issues.

Secure bootloader with Encrypted Password

One can secure a bootloader such as GRUB using a certified algorithm such as PBKDF2, or by encrypting LILO (if you're using LILO).

IMPORTANT NOTE:
The handbook recommends the use of MD5, which is not a password hashing algorithm. GRUB now supports the PBKDF2 algorithm, which is a proper one. Hence, DO NOT USE MD5 FOR PASSWORD RELATED MATTERS.
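
As an added example (not part of the original page or of GRUB itself), the script below audits a generated GRUB 2 configuration for the password protection described above. The function name audit_grub_cfg, the user name admin and the sample configs are assumptions constructed for illustration; the hash value is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original page. The hardening it checks for:
#   1. grub-mkpasswd-pbkdf2 prints grub.pbkdf2.sha512.<iter>.<salt>.<hash>
#   2. /etc/grub.d/40_custom gets:  set superusers="admin"
#                                   password_pbkdf2 admin grub.pbkdf2.sha512...
#   3. update-grub regenerates /boot/grub/grub.cfg
# Returns 0 = protected, 1 = no superusers, 2 = weak or missing password,
# 3 = file unreadable.
audit_grub_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 3; }
    # superusers may be separated by spaces, commas, semicolons, pipes or ampersands
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers=//p' "$cfg" |
            tr -d "\"'" | tr ',;|& ' '\n\n\n\n\n' | sed '/^$/d')
    if [ -z "$users" ]; then
        echo "FAIL: superusers not set; menu editing and the GRUB shell are open"
        return 1
    fi
    result=0
    for u in $users; do   # assumes plain alphanumeric user names
        if grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$u[[:space:]]+grub\.pbkdf2\." "$cfg"; then
            echo "OK: $u has a PBKDF2 hash"
        elif grep -Eq "^[[:space:]]*password[[:space:]]+$u[[:space:]]" "$cfg"; then
            echo "FAIL: $u uses a plaintext 'password' directive"; result=2
        else
            echo "FAIL: superuser $u has no password entry"; result=2
        fi
    done
    return $result
}

# Constructed sample configs (the hash is a placeholder, not a real digest).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf '%s\n' 'set superusers="admin"' \
    'password_pbkdf2 admin grub.pbkdf2.sha512.10000.SALTHEX.HASHHEX' > "$SAMPLES/good.cfg"
printf '%s\n' 'set superusers="admin"' 'password admin hunter2' > "$SAMPLES/plain.cfg"
printf '%s\n' 'menuentry "Debian" { linux /vmlinuz root=/dev/sda1 }' > "$SAMPLES/open.cfg"

for f in good plain open; do
    audit_grub_cfg "$SAMPLES/$f.cfg" || echo "  -> $f.cfg exit status $?"
done
```

On a real system, point the function at /boot/grub/grub.cfg after running update-grub. Once superusers is set, GRUB also asks for the password before booting a menu entry unless that entry is marked --unrestricted.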

Enable Secure Boot

Secure Boot (SB) is available starting from Debian Buster. Hence, one should enable SB before installation.

That's all for hardening Debian by securing bootloader with authentications.