Secure the Grub Boot Loader

To add the Grub boot loader to the security posture, perform the following steps.

About this task

Securing the Grub boot loader is an important addition to the security posture for the operating system where EFA is deployed. There are two general phases for securing the boot loader:
  • Set a password in the Grub configuration to harden against modifications to the Linux kernel boot-time command line.
  • Set a password for the ‘root‘ user to protect against attempts to acquire single-user mode at boot.


  1. Set a password in the Grub configuration:
    1. Acquire root and then run the grub-mkpasswd-pbkdf2 command (full output is shown below).
    2. Append the password hash and the string set superusers="root" to the file /etc/grub.d/40_custom.
    3. Add --unrestricted to the "CLASS=" definition line in /etc/grub.d/10_linux.
    4. Run the command update-grub.
      root@tpvm:~# grub-mkpasswd-pbkdf2
      Enter password:
      Reenter password:
      PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.72C8CE3112C007A315A94DD7A63B58392DD00653ACAF8795C8528D83967FA24105B0B53D0092522460532AF05C60EE3E0C7EAC95213E865DF31580A341188ABC.843EF94A9C8EE8AC1776F5B88261D1B6DE437A70AEABE3C814764596F696EE5F7FDF912E63B4D47AE3E7BB468A6B639F00051D142698142EF158E6C141CF38B7
      root@tpvm:~# cat >> /etc/grub.d/40_custom
      set superusers="root"
      password_pbkdf2 root grub.pbkdf2.sha512.10000.A577D1C8F13C93B82EA5E25E834D5BD88ECB94A5B42F2DABE4FB7A235F3A25A12E6542CB5DA9620B2E0342FE28A4F066BE1B99F2EFBE8C0688FBE11FDB3138DD.2C7C81C7FA0404C768DDCE097B3AA8DD08C042B4FDBA089C0837F91B6C8864EE83B19CBC6D4C5C126E76FA20BE93789920913B12CAC841CA65EA3BAD5921F8D5
      root@tpvm:~# <edit /etc/grub.d/10_linux to make the CLASS line look like the following>
      root@tpvm:~# grep CLASS /etc/grub.d/10_linux | head -n 1
      CLASS="--class gnu-linux --class gnu --class os --unrestricted"
      root@tpvm:~ # update-grub
      Sourcing file `/etc/default/grub'
      Generating grub configuration file ...
      Found linux image: /boot/vmlinuz-5.4.0-48-generic
      Found initrd image: /boot/initrd.img-5.4.0-48-generic
      Found linux image: /boot/vmlinuz-5.3.0-40-generic
      Found initrd image: /boot/initrd.img-5.3.0-40-generic
      Found linux image: /boot/vmlinuz-4.15.0-118-generic
      Found initrd image: /boot/initrd.img-4.15.0-118-generic
      Found linux image: /boot/vmlinuz-4.15.0-88-generic
      Found initrd image: /boot/initrd.img-4.15.0-88-generic
  2. Set a password for the ‘root‘ user by running the following commands:
    root@tpvm~:# passwd
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully