Fedora's GRUB2 EFI Build To Offer Greater Security Options
Written by Michael Larabel in Fedora on 24 June 2019 at 02:35 AM EDT. 3 Comments
FEDORA --
In addition to disabling root password-based SSH log-ins by default, another change being made to Fedora 31 in the name of greater security is adding some additional GRUB2 boot-loader modules to be built-in for their EFI boot-loader.

GRUB2 security modules for verification, Cryptodisk, and LUKS will now be part of the default GRUB2 EFI build. They are being built-in now since those using the likes of UEFI SecureBoot aren't able to dynamically load these modules due to restrictions in place under SecureBoot. So until now using SecureBoot hasn't allowed users to enjoy encryption of the boot partition and the "verify" module with ensuring better integrity of the early boot-loader code.

At last Friday's FESCo meeting, the ticket was approved for including these modules in the default GRUB2 EFI build starting with Fedora 31 due out in October.

For future releases they may also look at automated signature verification as part of grub2-mkconfig as well as allowing cryptodisk to be configured from the Anaconda installer.
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related Fedora News
Popular News This Week