Boot-Chain Hardening (GRUB • UEFI • Secure Boot)

0) Threat model (why this matters)

If an attacker can edit the GRUB menu or inject parameters via PXE/provisioning, they can poke early-boot code paths (like IOMMU parsing). We:

lock GRUB; 2) enforce Secure Boot + kernel lockdown; 3) lock provisioning paths; 4) remove alternate boot vectors.

1) Enable & verify Secure Boot (+ Lockdown)

Check status (any distro):


mokutil --sb-state            # expect: SecureBoot enabled
cat /sys/kernel/security/lockdown  # expect: "integrity" or "confidentiality" (read-only)

If disabled: enable in firmware (UEFI Setup) → “Secure Boot: Enabled”.
Custom modules: if you use DKMS/custom drivers, sign them or use a Unified Kernel Image (UKI) workflow; avoid enrolling overly broad MOKs.

Optional stricter lockdown: add lockdown=confidentiality to your kernel cmdline (once GRUB is password-protected).

2) Protect GRUB (set superuser + hashed password)

Generate a PBKDF2 hash:


sudo grub-mkpasswd-pbkdf2
# paste the 'grub.pbkdf2.sha512....' hash

Add a GRUB superuser (GRUB2):


sudo tee -a /etc/grub.d/40_custom >/dev/null <<'EOF'
set superusers="grubadmin"
password_pbkdf2 grubadmin grub.pbkdf2.sha512.10000.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EOF

Require auth to edit/select entries: (Ubuntu/Debian)


sudo sed -i 's/^#\?GRUB_TIMEOUT_STYLE=.*/GRUB_TIMEOUT_STYLE=hidden/' /etc/default/grub
sudo sed -i 's/^#\?GRUB_TIMEOUT=.*/GRUB_TIMEOUT=0/' /etc/default/grub
sudo update-grub

RHEL/Alma/SUSE (GRUB cfg regeneration):


# BIOS:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
# UEFI:
sudo grub2-mkconfig -o /boot/efi/EFI/$(ls /boot/efi/EFI | head -n1)/grub.cfg

Use when you need the menu:


# one-time next boot to a menu entry (no interactive editing needed)
sudo grub-reboot 1 && sudo reboot

Tip: Keep a sealed, offline copy of the hash and a break-glass bootable USB.

3) Lock file permissions & restrict boot devices


# GRUB & /boot must be root-only
sudo chown -R root:root /boot /etc/grub.d
sudo chmod -R go-rwx /etc/grub.d
sudo chmod 600 /boot/grub*/grub.cfg 2>/dev/null || true

# Remove unused boot entries (USB, CD) at firmware level
# Set UEFI BootOrder to disk only; disable "Boot from USB" unless needed.

4) Disable kexec (no in-OS kernel swapping)


echo "kernel.kexec_load_disabled=1" | sudo tee /etc/sysctl.d/99-hardening.conf
sudo sysctl --system

5) Harden PXE / provisioning (if used)

Disable PXE where not required; otherwise:
- Use UEFI Secure Boot-signed iPXE or vendor-signed boot loaders only.
- Serve boot artifacts over HTTPS with certificate pinning; avoid unauthenticated TFTP.
- Isolate provisioning on a dedicated VLAN, DHCP-scoped to known MACs.
- Store kernel/initrd on a read-only web root with CI-signed artifacts.
- Require change-control to modify kernel parameters in your provisioning templates.

6) Baseline & monitor


# Record a golden cmdline
cat /proc/cmdline | sudo tee /etc/cmdline.baseline

# Simple drift check (put in a cron/systemd timer)
if ! diff -q /etc/cmdline.baseline /proc/cmdline >/dev/null; then
  logger -p authpriv.alert "CMDLINE DRIFT DETECTED: $(cat /proc/cmdline)"
fi

7) Recovery plan (don’t lock yourself out)

Keep UEFI admin password in a sealed secret manager (two-person rule).
Maintain a signed rescue image (USB) you can boot when GRUB is protected.
Document the grubadmin password reset workflow.

Drop-in repo file

Add this to your repo as HARDENING.md, and include a helper script:

scripts/grub_harden.sh


#!/usr/bin/env bash
set -euo pipefail
HASH="${1:-}"  # pass the grub PBKDF2 hash as $1
[ -z "$HASH" ] && { echo "Usage: $0 <grub.pbkdf2.hash>"; exit 1; }

sudo tee -a /etc/grub.d/40_custom >/dev/null <<EOF
set superusers="grubadmin"
password_pbkdf2 grubadmin $HASH
EOF

if command -v update-grub >/dev/null; then
  sudo sed -i 's/^#\?GRUB_TIMEOUT_STYLE=.*/GRUB_TIMEOUT_STYLE=hidden/' /etc/default/grub
  sudo sed -i 's/^#\?GRUB_TIMEOUT=.*/GRUB_TIMEOUT=0/' /etc/default/grub
  sudo update-grub
else
  sudo grub2-mkconfig -o /boot/grub2/grub.cfg 2>/dev/null || true
  VENDOR=$(ls /boot/efi/EFI | head -n1 || echo "")
  [ -n "$VENDOR" ] && sudo grub2-mkconfig -o "/boot/efi/EFI/$VENDOR/grub.cfg"
fi

sudo chown -R root:root /boot /etc/grub.d
sudo chmod -R go-rwx /etc/grub.d
sudo chmod 600 /boot/grub*/grub.cfg 2>/dev/null || true
echo "[OK] GRUB hardened."

Get Full Threat Intelligence Access

Live CVE feeds, APT tracking, malware analysis, AI summaries & enterprise SOC integration

LAUNCH PLATFORM ▲ UPGRADE

▸▸ LATEST THREAT ADVISORIES

AI-PoweredCyber IntelligenceFor The Enterprise