How to protect GRUB2 from booting kernel without password in Linux



In my last article I shared the steps to set a GRUB2 password so that unauthorized users cannot modify the grub entries at the boot loader stage. But what if you wish to protect GRUB2 so that no one other than the specified user can boot the system from your kernel?

How to protect GRUB2 from booting kernel without password

GRUB2 offers two types of password protection:

  • Password is required for modifying menu entries but not for booting existing menu entries;
  • Password is required for modifying menu entries and for booting one, several, or all menu entries.

 

The steps to set the password are the same for both of the above use cases. Setting a password using grub2-setpassword prevents unauthorized modification of menu entries, but it does not prevent unauthorized booting of a kernel at the boot up stage.

WARNING:
If you forget your GRUB2 password, you will not be able to boot the entries you reconfigure in the following procedure.

 

Steps to protect GRUB2 from booting kernel without password

First of all, create a password by running grub2-setpassword as the root user.

# grub2-setpassword
Enter password:
Confirm password:

This command creates /boot/grub2/user.cfg if it does not already exist, or updates its content, with the hashed password:

# cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.BB05A464F1E8C1AFC62CAE808679084D07B2DB9635934A8B7640BF84329455114E36001854108B7080D0A8A6335CBCBBA3E7B86BDF7468F307EE4EEFDCC294E2.CED195B269E2C60A94B5C61EFCF6B610383C306D5313CDB65DBE8063C7B8BDB1E571BD4661D398A7626878BF6055435658741D804F01A8E679DC69E8510B72A0

Open the /boot/grub2/grub.cfg file.

Find the boot entry that you want to protect with a password by searching for lines beginning with menuentry.

Delete the --unrestricted parameter from the menu entry block, for example:

menuentry 'Red Hat Enterprise Linux Server (3.10.0-862.6.3.el7.x86_64) 7.4 (Maipo)' --class red --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-862.6.3.el7.x86_64-advanced-eeec84ef-a61a-4907-adba-3a1ed52a144b' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_msdos
        insmod part_msdos
        insmod diskfilter
        insmod mdraid1x
        insmod ext2
        set root='mduuid/8cde9b0cbcafd5dc9814309e952e758d'

 

After the changes the content should look like this:

menuentry 'Red Hat Enterprise Linux Server (3.10.0-862.6.3.el7.x86_64) 7.4 (Maipo)' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.10.0-862.6.3.el7.x86_64-advanced-eeec84ef-a61a-4907-adba-3a1ed52a144b' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_msdos
        insmod part_msdos
        insmod diskfilter
        insmod mdraid1x
        insmod ext2
        set root='mduuid/8cde9b0cbcafd5dc9814309e952e758d'

Save and close the file.

NOTE:
The changes made in this file are overwritten every time grub2-mkconfig is used to regenerate grub.cfg. So every time you call grub2-mkconfig, you must repeat the above steps.

Reboot your node to validate the changes. Once the system reaches the boot loader stage, it will prompt for a username and password (assuming access to the default kernel is restricted).


Password protect all the kernel entries in GRUB2

If you wish to password protect all the kernel entries available in your grub.cfg, you can delete the --unrestricted parameter from /etc/grub.d/10_linux.

Take a backup of the existing file:

# cp /etc/grub.d/10_linux /etc/grub.d/10_linux.bkp

Delete the content with --unrestricted

# sed -i "/^CLASS=/s/ --unrestricted//" /etc/grub.d/10_linux

Next create a GRUB2 password for the root user to protect GRUB2

# grub2-setpassword
Enter password:
Confirm password:

Lastly, regenerate the GRUB2 configuration file so that the new changes take effect.

For BIOS-based machines:

# grub2-mkconfig -o /boot/grub2/grub.cfg

For UEFI-based machines:

# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Proceed with the reboot to validate the changes
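
As an added example (not part of the original article), the following script lists every menuentry in a grub.cfg and marks the ones that still carry --unrestricted, which is worth checking after a manual edit and after each grub2-mkconfig run. The function names and the sample configuration are constructed for illustration; on a real host pass /boot/grub2/grub.cfg and /boot/grub2/user.cfg.

```shell
#!/bin/sh
# audit_grub_cfg FILE (hypothetical helper): print "OPEN <title>" for every
# menuentry that still carries --unrestricted and "LOCKED <title>" otherwise.
# Returns 1 if any entry is OPEN, 0 if all entries require the password.
audit_grub_cfg() {
    awk -v q="'" '
        BEGIN { re = q "[^" q "]*" q "|\"[^\"]*\"" }   # a quoted string
        /^[ \t]*menuentry[ \t]/ {                      # also nested in submenu
            title = "(untitled)"
            if (match($0, re)) title = substr($0, RSTART + 1, RLENGTH - 2)
            head = $0
            sub(re, "", head)                          # drop the title text
            i = index(head, "{")                       # options end at the brace
            if (i) head = substr(head, 1, i - 1)
            if (head ~ /(^|[ \t])--unrestricted([ \t]|$)/) {
                print "OPEN   " title; n_open++
            } else {
                print "LOCKED " title
            }
        }
        END { exit (n_open > 0) }
    ' "$1"
}

# has_grub_password FILE (hypothetical helper): true when FILE (user.cfg)
# holds a GRUB2_PASSWORD line in the grub.pbkdf2.sha512 format shown above.
has_grub_password() {
    [ -f "$1" ] && grep -Eq \
        '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-F]+\.[0-9A-F]+$' "$1"
}

# Constructed sample, not taken from a real system: one open, one locked entry.
sample_cfg() {
    cat <<'EOF'
menuentry 'Sample Linux (kernel A)' --class os --unrestricted $menuentry_id_option 'gnulinux-A' {
        insmod ext2
}
submenu 'Advanced options' {
        menuentry 'Sample Linux (kernel B)' --class os $menuentry_id_option 'gnulinux-B' {
        }
}
EOF
}

# Demo on the sample; on a real host pass /boot/grub2/grub.cfg instead.
tmp=$(mktemp) && sample_cfg > "$tmp"
audit_grub_cfg "$tmp" || echo "at least one entry boots without a password"
rm -f "$tmp"
```

Any executable script in /etc/grub.d is run by grub2-mkconfig, so an executable backup copy of 10_linux left in that directory can emit its own entries, which will show up in this listing.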

 

Steps to remove GRUB2 password

To revert the changes you must re-add the --unrestricted value in /etc/grub.d/10_linux (or, if you have a backup file, overwrite the existing file with it).

Once the correct 10_linux file is in place, regenerate the GRUB2 configuration file.

For BIOS-based machines:

# grub2-mkconfig -o /boot/grub2/grub.cfg

For UEFI-based machines:

# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Next remove the grub2 password which was created using grub2-setpassword

# rm -f /boot/grub2/user.cfg

That is all, now you can reboot your node to validate the changes. The node will not prompt for any password any more at the boot loader stage.

 

Lastly, I hope the steps in this article to protect GRUB2 from loading a kernel at the boot up stage by an unauthorized person without a password in RHEL/CentOS 7 Linux were helpful. So, let me know your suggestions and feedback using the comment section.

 

Deepak Prasad
