

Quick guide to securing GRUB - Sicp
http://linuxhive.blogspot.com/2011/09/linux-security-securing-grub.html

======
revelation
If someone has physical access to a computer, this isn't securing anything.

~~~
ajross
That's true in principle, but it requires the time, tools and privacy to open
the case and remove the media. In practice the ability to caually boot an
alternative OS (from a USB stick, say) is a hole worth plugging in a lot of
cases. This can be done easily enough with a BIOS password, but the problem is
that GRUB's default configuration defeats this by allowing the user direct
control over booting. I don't think it's insane, though you're right that this
can't produce a "secure" installation.

------
mike-cardwell
I assumed this article was going to be about TrustedGRUB and full disk
encryption: <https://projects.sirrix.com/trac/trustedgrub>

Personally, I use full disk encryption, but I keep the boot partition and boot
loader on an external USB drive that never leaves my side. More details on my
blog here:
[https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sop...](https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sophisticated_Attacks)

------
foxhill
the guide fails to mention the uninstallation method, which consists of
booting off of a USB pen drive and removing the line that was just added.
passworded bios? insert the hard drive in another machine instead.

this also doubles as the method in which this "security" measure would be
defeated.

------
NeutronBoy
If someone has physical access, the only effective barrier is full-disk
encryption.

