URL:
  <https://savannah.gnu.org/bugs/?67027>

                 Summary: Patch proposal: simple configuration for
unrestricted Linux boot menuentries
                   Group: GNU GRUB
               Submitter: ysalmon
               Submitted: Mon 14 Apr 2025 16:58:23
                Category: Security
                Severity: Major
                Priority: 5 - Normal
              Item Group: Feature Request
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name:
        Originator Email:
             Open/Closed: Open
         Discussion Lock: Any
                 Release: other
                 Release:
         Reproducibility: Every Time
         Planned Release: None


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Mon 14 Apr 2025 16:58:23    By: Anonymous
When a password is set, booting a menuentry also requires the password, unless
it has been marked --unrestricted.

A common use case is protecting from editing and protecting recovery entries,
but leaving ordinary entries accessible.

The attached version of 10_linux adds a 5th parameter to the linux_entry
function, which allows setting a security parameter (i.e. nothing, --unrestricted
or --users=...). This parameter is then used in the main loop of the script to
use two environment variables: GRUB_SECURITY_LINUX_RECOVERY for recovery
entries and GRUB_SECURITY_LINUX_DEFAULT for other entries.

These are empty by default (which preserves existing behaviour) but can be set
in /etc/default/grub to e.g. "--unrestricted" to unrestrict one or the other
type of entries.

The same scheme could be used, I presume, for os_prober.

Attached is also an example of /etc/default/grub file with a bit of
self-documentation.

Note: I tried to base these files on the latest master but could not, because
the git repo is giving 502 errors at the moment.
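
The scheme described in the report above, as an added sketch that is not part of the submission and not the attached 10_linux: it shows how the two proposed variables could select the security argument on each generated menuentry line. The helper names, the validation rule and the sample settings are assumptions.

```shell
#!/bin/sh
# Added sketch, not the attached 10_linux: maps the two proposed
# /etc/default/grub variables onto generated menuentry lines.

# Constructed sample settings: normal entries boot without a password,
# recovery entries keep the default (password required).
GRUB_SECURITY_LINUX_DEFAULT="--unrestricted"
GRUB_SECURITY_LINUX_RECOVERY=""

# Hypothetical check: accept only the three forms named in the report
# (nothing, --unrestricted, --users=...). Restricting the user list to
# comma-separated simple names is an assumption of this sketch.
valid_security_arg() {
  case "$1" in
    ""|--unrestricted) return 0 ;;
    --users=*)
      case "${1#--users=}" in
        ""|*[!A-Za-z0-9_,.-]*) return 1 ;;
      esac
      return 0 ;;
    *) return 1 ;;
  esac
}

# Simplified stand-in for the header that linux_entry prints; the real
# script also quotes the title and emits class and id options.
# $1 = title (no quotes in this sketch), $2 = "recovery" or any other type
menuentry_header() {
  if [ "$2" = recovery ]; then
    mh_sec=$GRUB_SECURITY_LINUX_RECOVERY
  else
    mh_sec=$GRUB_SECURITY_LINUX_DEFAULT
  fi
  # Fail closed: a mistyped setting must not end up in grub.cfg.
  if ! valid_security_arg "$mh_sec"; then
    echo "refusing unknown security setting: $mh_sec" >&2
    return 1
  fi
  printf "menuentry '%s' %s{\n" "$1" "${mh_sec:+$mh_sec }"
}

# Demo with the constructed settings above.
menuentry_header 'GNU/Linux' simple
menuentry_header 'GNU/Linux (recovery mode)' recovery
```

With the sample settings, only the normal entry carries --unrestricted; the recovery entry is emitted without a security argument and so stays password-protected.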






    _______________________________________________________
File Attachments:


-------------------------------------------------------
Name: 10_linux  Size: 14KiB
<https://file.savannah.gnu.org/file/10_linux?file_id=57140>
-------------------------------------------------------
Name: grub  Size: 2KiB
<https://file.savannah.gnu.org/file/grub?file_id=57141>

    AGPL NOTICE

These attachments are served by Savane. You can download the corresponding
source code of Savane at
https://savannah.gnu.org/source/savane-2340056c6d974b2d5f885e4cfe1720b79c062450.tar.gz

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?67027>

_______________________________________________
Message posted via Savannah
https://savannah.gnu.org/
