GRUB2 bootloader password protection

Hello All,

I am trying to password protect grub2 on my Rocky Linux 8 server. However, it doesn’t work.

I followed the link below, but it seems it doesn’t work.
https://docs.rockylinux.org/books/admin_guide/10-boot/#protecting-the-grub2-bootloader

# grub2-setpassword
Enter password:
Confirm password:
#
# ls -l /boot/grub2/user.cfg
ls: cannot access '/boot/grub2/user.cfg': No such file or directory
#
# ls -l /boot/efi/EFI/rocky/grub.cfg
-rwx------ 1 root root 6691 Feb 27 19:29 /boot/efi/EFI/rocky/grub.cfg
#
# grep -i "GRUB2_PASSWORD" /boot/efi/EFI/rocky/grub.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    password_pbkdf2 root ${GRUB2_PASSWORD}
#
# ls -l /boot/grub2/*
lrwxrwxrwx. 1 root root 24 Feb 11 17:42 /boot/grub2/grubenv -> ../efi/EFI/rocky/grubenv
#

I ran the command, but couldn’t see grub.cfg under the /boot/grub2 directory, nor was the PASSWORD added in the other grub.cfg file as mentioned above…

Am I missing something? Please guide.

If you do boot with EFI (as you apparently do), then grubx64.efi reads
/boot/efi/EFI/rocky/grub.cfg

Do you get:

# grep -E "user|PASS" /boot/efi/EFI/rocky/grub.cfg 
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
### END /etc/grub.d/01_users ###

The prefix is most likely /boot/efi/EFI/rocky


What else is in there?


man grub2-setpassword says that you could run:

grub2-setpassword --output=/boot/efi/EFI/rocky/user.cfg

(If there is no such file yet.)


The kernel entries include grub_arg --unrestricted, i.e. one can boot an entry without a password, but editing requires one.
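
Added example, not part of the original reply: a shell function that checks whether a password set with grub2-setpassword can take effect, using the stanza lines and the hash prefix shown in this thread. It assumes ${prefix} is the directory holding grub.cfg (the reply calls this "most likely"); the function name and return codes are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumption: ${prefix} is the
# directory that holds grub.cfg, so user.cfg must sit next to it.
# Return codes (hypothetical, chosen for this example):
#   0 = password block will be active
#   1 = grub.cfg lacks the 01_users stanza
#   2 = user.cfg is missing from that directory
#   3 = user.cfg holds no usable PBKDF2 hash
check_grub_password() {
    dir=$1
    cfg="$dir/grub.cfg"
    user="$dir/user.cfg"

    # grub.cfg must source ${prefix}/user.cfg and hand GRUB2_PASSWORD to
    # password_pbkdf2; otherwise user.cfg is never consulted.
    if ! grep -qF 'source ${prefix}/user.cfg' "$cfg" 2>/dev/null ||
       ! grep -qF 'password_pbkdf2 root ${GRUB2_PASSWORD}' "$cfg"; then
        echo "FAIL: $cfg does not contain the 01_users stanza"
        return 1
    fi

    # The stanza is guarded by "if [ -f ${prefix}/user.cfg ]": with no
    # file there, GRUB skips it silently and the menu stays editable.
    if [ ! -f "$user" ]; then
        echo "FAIL: $user not found, the password block is skipped"
        return 2
    fi

    # grub2-setpassword writes a single GRUB2_PASSWORD=grub.pbkdf2.sha512...
    # line (iterations, hex salt, hex hash).
    pat='^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'
    if ! grep -Eq "$pat" "$user"; then
        echo "FAIL: $user has no GRUB2_PASSWORD PBKDF2 hash"
        return 3
    fi

    echo "OK: $cfg will load the superuser password from $user"
    return 0
}

# Run against a real directory when one is given, for example:
#   sh check.sh /boot/efi/EFI/rocky
if [ "$#" -gt 0 ]; then
    check_grub_password "$1"
fi
```

A result of 2 matches the situation in the question: the stanza is in grub.cfg, but no user.cfg exists where GRUB looks for it.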