Improved security in GRUB 2.06 bootloader
The newest version – 2.06 – of the GRUB bootloader used by most Linux distributions contains two new features, German IT news site heise reports. The software now supports boot partitions encrypted with LUKS2 and the update also contains several bug fixes and security improvements. This is the first new version of GRUB in nearly 2 years. It was originally to have been released in summer 2020, but developers were thwarted by a nasty security hole.
Attackers could gain access to the boot process and execute malicious code via a vulnerability named BootHole. To begin with, Linux distributors patched their own GRUB packages. Unfortunately, BootHole patches for Red Hat, CentOS, Debian and Ubuntu blocked GRUB2. GRUB has now officially patched BootHole with the new version.
GRUB developers have adopted the additional patches used in the meantime by Red Hat, Debian and a few other distributors to secure their own GRUB packages. The distributors had tried to bridge the long gaps between GRUB releases. In addition, several errors have been eliminated and GRUB’s code tidied up. GRUB can now be compiled with the GCC 10 and Clang 10 C compilers.
New security module
As a new feature, GRUB 2.06 supports the Xen hypervisor’s XSM/FLASK security module and Secure Boot Advanced Targeting (SBAT). The developers of the Shim bootloader came up with the latter technology to further complicate attacks on the boot process. In simple terms, the procedure automatically considers outdated versions of a program involved in the boot process to be unsafe. In addition to this, GRUB 2.06 offers a lockdown mechanism that is similar to the Linux kernel feature of the same name.
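The generation check behind SBAT, sketched as an added example (not code from GRUB, Shim or the article): each boot component carries CSV metadata with a generation number, and a revocation list states the minimum generation still accepted. The sample data, the vendor name and the function names are constructed for illustration, and the comparison is a simplified model of the one described in Shim's SBAT documentation.

```python
import csv
import io

# Constructed sample of the CSV metadata a bootloader carries in its .sbat
# section: component, generation, vendor, package, version, URL.
SAMPLE_BINARY_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.examplevendor,3,Example Vendor,grub2,2.04-9,https://vendor.example/grub2
"""

# Constructed sample revocation list: "component,minimum generation" per line.
# The first line describes the list itself (its third field is a datestamp).
SAMPLE_REVOCATIONS = """\
sbat,1,2021030218
grub,2
"""


def parse_generations(text):
    """Return {component: generation} from the first two CSV columns."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].strip().isdigit():
            continue  # skip blank or malformed lines
        entries[row[0].strip()] = int(row[1])
    return entries


def revoked_components(binary_sbat, revocations):
    """List (component, have, need) where the binary's generation is too old."""
    have = parse_generations(binary_sbat)
    need = parse_generations(revocations)
    return [(name, gen, need[name])
            for name, gen in have.items()
            if name in need and gen < need[name]]


def is_allowed(binary_sbat, revocations):
    """True when no component falls below its minimum accepted generation."""
    return not revoked_components(binary_sbat, revocations)


if __name__ == "__main__":
    for name, gen, minimum in revoked_components(SAMPLE_BINARY_SBAT,
                                                 SAMPLE_REVOCATIONS):
        print(f"reject: {name} generation {gen} < required {minimum}")
```

Raising one number in the revocation list rejects every older build of that component at once, which is why no per-binary hash list is needed.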