On Sun, Sep 07, 2025 at 08:40:41AM -0500, Andrew Hamilton wrote: > Add some suggestions to the security section on maximizing the > security hardening of GRUB. > > Signed-off-by: Andrew Hamilton <[email protected]> > --- > docs/grub.texi | 45 +++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 45 insertions(+) > > diff --git a/docs/grub.texi b/docs/grub.texi > index 34b3484dc..55170e589 100644 > --- a/docs/grub.texi > +++ b/docs/grub.texi > @@ -8675,6 +8675,7 @@ environment variables and commands are listed in the > same order. > * Measured Boot:: Measuring boot components > * Lockdown:: Lockdown when booting on a secure setup > * TPM2 key protector:: Managing disk key with TPM2 key > protector > +* Hardening:: Configuration and customization to > maximize security > @end menu > > @node Authentication and authorisation > @@ -9363,6 +9364,50 @@ which increases the risk of password leakage during > the process. Moreover, the > superuser list must be well maintained, and the password used cannot be > synchronized with LUKS key rotation. > > +@node Hardening > +@section Hardening > + > +Security hardening involves additional / optional configuration and > +customization steps to GRUB to maximize security. The extent to which > +hardening can be accomplished depends on the threats attempting to be > +mitigated for a given system / device, the device architecture, and number > +of GRUB features required. The following is a listing of hardening steps > which > +may be considered: > + > +@itemize > +@item (EFI Only) Enable secure boot to enable lockdown mode. This will limit > +the attack surface of GRUB by limiting the commands and file systems > +supported. (@pxref{Lockdown}) > +@item (EFI Only) No-Execute capability of memory segments will be configured > +by GRUB as indicated by the UEFI. This makes some classes of vulnerabilities > +more difficult by providing support for marking memory as either writable or
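Review bot: In the second hunk (the new @node Hardening section), the No-Execute bullet does not fit the list it sits in. The list is introduced as "hardening steps which may be considered", but the bullet describes behaviour GRUB applies on its own ("will be configured by GRUB as indicated by the UEFI") with no step for the reader to take; either state what the administrator should check or enable for this to apply (firmware support for the memory attributes GRUB honours) or move the sentence out of the checklist into a note on what lockdown-capable EFI builds already do. Two wording nits in the same hunk: "the threats attempting to be mitigated for a given system / device" reads better as "the threats to be mitigated for a given system or device", and "and number of GRUB features required" is missing "the".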
s/difficult/difficult to exploit/

I will fix this for you.

Reviewed-by: Daniel Kiper <[email protected]>

Daniel

_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel
