GRUB2 EFI Support In Fedora 31 Likely To Include New Security Modules
Another change being sought for Fedora 31 is including some newer GRUB2 modules as part of the distribution's GRUB EFI boot-loader build to provide some additional security functionality.
Peter Jones and Javier Martinez Canillas, both of Red Hat, are looking to have Fedora 31's GRUB2 EFI package include the verify, cryptodisk, and LUKS modules. This inclusion is being pursued since those using UEFI SecureBoot cannot manually insert modules not already in the grubx64.efi and thus losing out on these possible options for improving the integrity of the early-launch code.
"This change will allow users to gain trust in the integrity of early-launch code either through verification of signatures (particularly useful for initramfs, which is particularly vulnerable to possible offline modification) or encryption of the boot partition." More details on the plans via this change proposal.
Peter Jones and Javier Martinez Canillas, both of Red Hat, are looking to have Fedora 31's GRUB2 EFI package include the verify, cryptodisk, and LUKS modules. This inclusion is being pursued since those using UEFI SecureBoot cannot manually insert modules not already in the grubx64.efi and thus losing out on these possible options for improving the integrity of the early-launch code.
"This change will allow users to gain trust in the integrity of early-launch code either through verification of signatures (particularly useful for initramfs, which is particularly vulnerable to possible offline modification) or encryption of the boot partition." More details on the plans via this change proposal.
24 Comments