Bootloader Grub 2.06 improves security

The latest version of the Linux bootloader, Grub 2.06, promises two major innovations: the software now supports boot partitions that are encrypted with LUKS2, and the update also contains several bug fixes and security enhancements. It is the first new version of Grub in almost two years. It was originally supposed to appear in the summer of 2020, but a nasty security hole got in the way of the developers.

A bug called BootHole allowed attackers to hook into the boot process and execute malicious code. Initially, the Linux distributors patched their own Grub packages themselves. Unfortunately, the BootHole patches broke Grub2 on Red Hat, CentOS, Debian and Ubuntu. Only with the now-released version 2.06 does Grub officially close BootHole and its companion BootHole2.

The Grub developers have adopted further patches that Red Hat, Debian and a few other distributors had meanwhile added to their own Grub packages. The distributors had tried to bridge the bootloader's long release cycles this way. In addition, Grub has been relieved of numerous bugs and the code has been tidied up somewhat. It can now be compiled with the GCC 10 and Clang 10 C compilers.

Grub 2.06 now supports the security modules (XSM/FLASK) of the Xen hypervisor and Secure Boot Advanced Targeting (SBAT). The latter technology was devised by the developers of the Shim bootloader to make attacks on the boot process, such as BootHole, even more difficult. In simplified terms, the procedure automatically treats outdated versions of a program involved in the boot process as unsafe. On top of that, Grub 2.06 offers a lockdown mechanism similar to the Linux kernel's.
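To show how SBAT's "outdated means unsafe" rule works in practice, here is an added illustration (not Grub or Shim code) of the generation-number comparison. It assumes the CSV layout of the SBAT section and revocation policy as documented by the shim project; the sample image entries and both policies below are constructed for the example.

```python
# Added illustration of the SBAT generation-number check (not Grub or shim code).
# SBAT metadata is a CSV section embedded in each boot component; the policy
# (held by shim in the SbatLevel UEFI variable) lists the minimum generation
# per component. Any component older than the policy generation is rejected.

def parse_sbat(text):
    """Parse SBAT CSV lines into {component: generation}. Blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT entry: {line!r}")
        entries[fields[0]] = int(fields[1])
    return entries

def sbat_verdict(image_sbat, policy_sbat):
    """Return (allowed, reason). An image with no SBAT data is rejected,
    and so is any component whose generation is below the policy's."""
    if not image_sbat.strip():
        return False, "image carries no SBAT section"
    image = parse_sbat(image_sbat)
    policy = parse_sbat(policy_sbat)
    for component, minimum in policy.items():
        have = image.get(component)
        if have is not None and have < minimum:
            return False, f"{component} generation {have} < required {minimum}"
    return True, "all components meet the policy generation"

# Constructed sample: SBAT section of a Grub 2.06-style image and two policies.
GRUB_IMAGE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
)
POLICY_CURRENT = "sbat,1\ngrub,1\n"   # constructed: grub generation 1 still allowed
POLICY_REVOKED = "sbat,1\ngrub,2\n"   # constructed: generation 1 now considered unsafe

if __name__ == "__main__":
    for name, policy in (("current", POLICY_CURRENT), ("revoked", POLICY_REVOKED)):
        print(name, sbat_verdict(GRUB_IMAGE_SBAT, policy))
```

Bumping the policy's generation for a component is what retroactively disqualifies every already-signed image of that component, without revoking signing keys.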

Under Linux, encrypted storage devices mostly follow the LUKS standard. Its revised second version has existed since 2018, but Grub could not do anything with the corresponding partitions. This changes with Grub 2.06. Boot partitions therefore no longer have to use the old LUKS format.

Another security measure concerns Grub's configuration. The helper tool grub-mkconfig used for this also calls the command-line program os-prober for assistance. It detects all operating systems installed on the system and automatically generates suitable entries in the boot menu. Since this behavior could in principle be abused for an attack, os-prober is disabled by default in Grub 2.06.

The next version of Grub is expected to appear in the first half of 2022, and the bootloader will then jump to version number 2.11. This is done for practical reasons: many scripts and tools apparently choke on the zero in the version number. “11” simplifies parsing the version number.


