BIOS and Boot Loader Security

Password protection for the BIOS and the boot loader can prevent unauthorized users who have physical access to your systems from booting from removable media or attaining root through single user mode. But the security measures one should take to protect against such attacks depends both on the sensitivity of the information the workstation holds and the location of the machine.

For instance, if a machine is used in a trade show and contains no sensitive information, then it may not be critical to prevent such attacks. However, if an employee's laptop with private, non-password protected SSH keys for the corporate network is left unattended at that same trade show, it can lead to a major security breach with ramifications for the entire company.

On the other hand, if the workstation is located in a place where only authorized or trusted people have access, then securing the BIOS or the boot loader may not be necessary at all.

BIOS Passwords

The following are the two primary reasons for password protecting the BIOS of a computer[1]:

  1. Prevent Changes To BIOS Settings -- If an intruder has access to the BIOS, they can set it to boot off of a diskette or CD-ROM. This makes it possible for them to enter rescue mode or single user mode, which in turn allows them to seed nefarious programs on the system or copy sensitive data.

  2. Prevent Booting the System -- Some BIOSes allow you to password protect the boot process itself. When activated, an attacker would be forced to enter a password for the BIOS to launch the boot loader.

Because the methods for setting a BIOS password vary between computer manufacturers, you should consult the manual for your computer.

If you forget the BIOS password, it can often be reset either with jumpers on the motherboard or by disconnecting the CMOS battery. However, you should check the manual for your computer or motherboard before attempting this procedure.

Boot Loader Passwords

The following are the primary reasons for password protecting a Linux boot loader:

  1. Prevent Access To Single User Mode — If an attacker can boot into single user mode, he becomes the root user.

  2. Prevent Access To the GRUB Console — If the machine uses GRUB as its boot loader, an attacker can use the editor interface to change its configuration or to gather information using the cat command.

  3. Prevent Access To Non-Secure Operating Systems — If it is a dual boot system, an attacker can select at boot time an operating system, such as DOS, which ignores access controls and file permissions.

There are two boot loaders that ship with Red Hat Linux, GRUB and LILO. The next two sections will describe how to password protect these applications.

Password Protecting GRUB

You can configure GRUB to address the first two issues listed in the Section called Boot Loader Passwords by adding a password directive to its configuration file. To do this, first decide on a password, then open a shell prompt, log in as root, and type:

/sbin/grub-md5-crypt

When prompted, type the GRUB password and press [Enter]. This will return an MD5 hash of the password.

Next, edit the GRUB configuration file: /boot/grub/grub.conf. Open the file and below the timeout line in the main section of the document, add the following line:

password --md5 password-hash

Replace password-hash with the value returned by /sbin/grub-md5-crypt[2].

The next time you boot the system, the GRUB menu will not let you access the editor or command interface without first pressing [p] followed by the GRUB password.

Unfortunately, this solution does not prevent an attacker from booting into a non-secure operating system in a dual boot environment. For this you need to edit a different part of the /boot/grub/grub.conf file.

Look for the title line of the non-secure operating system and add a line that says lock directly beneath it.

For a DOS system, the stanza should begin something like the following:

title DOS
lock

Warning

You must have a password line in the main section of the /boot/grub/grub.conf file for this to work properly. Otherwise an attacker will be able to access the editor interface and remove the lock line.

If you wish to have a different password for a particular kernel or operating system, add a lock line to the stanza followed by a password line.

Each stanza you protect with a unique password should begin with lines similar to the following example:

title DOS
lock
password --md5 password-hash

Finally, remember that the /boot/grub/grub.conf file is world-readable by default. It is a good idea to change this by typing the following command as root; doing so has no effect on the functionality of GRUB:

chmod 600 /boot/grub/grub.conf

Password Protecting LILO

LILO is a much simpler boot loader than GRUB and does not offer a command interface, so you need not worry about an attacker gaining interactive access to the system before the kernel is loaded. However, there is still a danger in booting in single-user mode or booting to an insecure operating system.

You can configure LILO to ask for a password before booting every operating system or kernel on the system by adding a password directive to the global section. To do this, open a terminal, log in as root, and edit /etc/lilo.conf. Before the first image stanza, add a password directive similar to this:

password=password

In the above directive, replace the word password with your password.

Important

Anytime you edit /etc/lilo.conf, you must run the /sbin/lilo -v -v command for the changes to take effect. If you have configured a password and anyone other than root can read the file, LILO will install, but will alert you that the permissions on the configuration file are wrong.

If you do not want a global password, you can apply the password directive to a stanza listed in /etc/lilo.conf for any kernel or operating system to which you wish to restrict access. To do this, add the password directive immediately below the image line. When finished, the stanza will begin similar to the following:

image=/boot/vmlinuz-version
        password=password

If you want to allow booting a kernel or operating system without password verification, but do not want to allow users to add arguments without a password, you can add the restricted directive on the line below the password line within the stanza. Such a stanza will begin similar to this:

image=/boot/vmlinuz-version
        password=password
        restricted

If you use the restricted directive, you must have a password line in the stanza.

Warning

The /etc/lilo.conf file is world-readable. If you are password protecting LILO, it is essential that you only allow root to read and edit the file, since all passwords are in plain text. To do this, type the following command as root:

chmod 600 /etc/lilo.conf
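As an added audit example (not part of the original guide), the following Python checks a grub.conf and a lilo.conf against the rules described in the two sections above: a lock line only holds when the main section carries a password (preferably an MD5 hash rather than plain text), and a restricted directive must be accompanied by a password line in the stanza or globally. The sample configurations are constructed, and the vmlinuz-VERSION path is a placeholder.

```python
# Constructed sample configs (not from any real system), each containing a mistake the text warns about.
GRUB_CONF = """timeout=10
title Red Hat Linux
        kernel /vmlinuz-VERSION ro root=LABEL=/
title DOS
        lock
"""
LILO_CONF = """prompt
image=/boot/vmlinuz-VERSION
        password=secret
        restricted
other=/dev/hda2
        restricted
"""

def split_stanzas(text, starters):
    """Split into (main_lines, [(header, body)]); a stanza starts at `starters`."""
    main, stanzas = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith(starters):      # GRUB: title; LILO: image=/other=
            stanzas.append((line, []))
        elif stanzas:
            stanzas[-1][1].append(line)
        else:
            main.append(line)
    return main, stanzas

def audit_grub(text):
    """Flag a missing or plain-text main password and lock lines that are
    removable from the editor interface when the main section is unprotected."""
    main, stanzas = split_stanzas(text, ("title",))
    pw = [l for l in main if l.startswith("password")]
    findings = []
    if not pw:
        findings.append("main section: no password directive")
    elif "--md5" not in pw[0]:
        findings.append("main section: password is plain text")
    findings += [f"{h}: lock is removable without main password"
                 for h, body in stanzas if "lock" in body and not pw]
    return findings

def audit_lilo(text):
    """Flag 'restricted' in a stanza with no password line there or globally."""
    main, stanzas = split_stanzas(text, ("image=", "other="))
    global_pw = any(l.startswith("password=") for l in main)
    return [f"{h}: restricted without a password line" for h, body in stanzas
            if "restricted" in body and not global_pw
            and not any(l.startswith("password=") for l in body)]
```

Running audit_grub and audit_lilo on the two samples reports the unprotected DOS lock and the restricted stanza that lacks a password; file permissions still need to be checked separately with ls -l, as shown in the chmod steps above.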

Notes

[1]

Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may support one type and not the other.

[2]

GRUB also accepts plain text passwords, but it is recommended you use the md5 version because /boot/grub/grub.conf is world-readable by default.