Add some suggestions to the security section on maximizing the security hardening of GRUB.
Signed-off-by: Andrew Hamilton <[email protected]> --- docs/grub.texi | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/docs/grub.texi b/docs/grub.texi index 5b23ae47b..c115bd5e8 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -9213,6 +9213,7 @@ environment variables and commands are listed in the same order. * TPM2 key protector:: Managing disk key with TPM2 key protector * Signing certificate and hash files:: Certificate and hash file signing * Signing GRUB itself:: Ensuring the integrity of the GRUB core image +* Hardening:: Configuration and customization to maximize security @end menu @node Authentication and authorisation 
@@ -10160,6 +10161,50 @@ dd if=core.elf.signed of=/dev/sda1 As with UEFI secure boot, it is necessary to build-in the required modules, or sign them if they are not part of the GRUB image. +@node Hardening +@section Hardening + +Security hardening involves additional / optional configuration and +customization steps to GRUB to maximize security. The extent to which +hardening can be accomplished depends on the threats attempting to be +mitigated for a given system / device, the device architecture, and number +of GRUB features required. The following is a listing of hardening steps which +may be considered: + +@itemize +@item (EFI Only) Enable secure boot to enable lockdown mode. This will limit +the attack surface of GRUB by limiting the commands and file systems +supported. (@pxref{Lockdown}) +@item (EFI Only) No-Execute capability of memory segments will be configured +by GRUB as indicated by the UEFI. This makes some classes of vulnerabilities +more difficult to exploit by providing support for marking memory as either +writable or executable. +@item (EFI Only) While building GRUB, the stack protector feature may be +enabled during the configuration step. This feature can make certain +vulnerabilities caused by stack buffer overflows more difficult to exploit. +This can be enabled by including the "--enable-stack-protector" flag to the +configure script: +@example +# @kbd{./configure --enable-stack-protector} +@end example +Please reference the file @file{INSTALL} for detailed instructions on how to +build GRUB. +@item Minimize the installed modules included with the GRUB installation. +For instance, if a specific file system is used for a given system, modules +for other file systems may be excluded. @pxref{Modules} for a list of +modules. +@item Minimize boot sources. In the GRUB configuration, reduce the possible +boot sources to the minimum needed for system operation. 
For instance, if +booting only from an internal drive, remove support for network booting +and booting from removable media. +@item Disable network support in GRUB if not required. Ensure network +interfaces are not configured in the GRUB configuration and consider +setting environment variable @samp{feature_net_search_cfg} to @samp{n} in an +embedded GRUB config file in order to disable attempting to use the +network for obtaining a GRUB config file. +@end itemize + + @node Platform limitations @chapter Platform limitations -- 2.43.0 _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
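Review bot: In the "Minimize the installed modules" item, "@pxref{Modules} for a list of modules." starts a sentence with @pxref, which Texinfo intends only for use inside parentheses (the earlier "(@pxref{Lockdown})" is the correct usage); at the start of a sentence this should be "@xref{Modules}, for a list of modules." so the generated text reads correctly in both Info and printed output. Two smaller points in the same hunk: the No-Execute item says the protection "will be configured by GRUB as indicated by the UEFI", i.e. it is automatic, yet it sits in a list introduced as "hardening steps which may be considered", so it should say explicitly whether the administrator needs to do anything (or that it applies whenever the firmware supports it); and the network item introduces @samp{feature_net_search_cfg} without pointing the reader at where that variable and embedded config files are documented, so a cross-reference there would help. Finally, "the threats attempting to be mitigated for a given system / device" would read more clearly as "the threats to be mitigated for a given system or device" (the slash-separated "additional / optional" on the first line could likewise be "additional, optional"), and there are two blank lines before "@node Platform limitations" where the surrounding file uses one.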
