[Bug 1052420] New: Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot
http://bugzilla.opensuse.org/show_bug.cgi?id=1052420

Bug ID: 1052420
Summary: Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: x86-64
OS: openSUSE 42.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
Assignee: jsrain@suse.com
Reporter: stakanov@freenet.de
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

The help file says correctly: "At boot time, a password will be required to modify or even to boot any entry. If the option Protect Entry Modification Only is selected, it will be possible to boot any entry, but the password will be required to modify entries (this is the same behaviour as GRUB1). As a side effect of this option, rd.shell=0 is added to the kernel parameters, so as to prevent unauthorised access to the initrd shell."

So: if the option "protect only the modification of menu entries" is selected, it will be possible to start any item, but, if you want to modify anything, it will be necessary to type the password for "root-grub-user".

So: I did set password protected grub and protect only modification of the items. But this is not honored by grub. It asks for the password no matter what. Even if you just let time go by (not modifying anything, not even pressing Enter to select the item faster), in all cases you will be asked to enter "root" and the password for root-grub you defined. Even without any modification. This is a strong incentive against the useful feature of password protected grub.

What the software does: asks for the grub-root password every time.

What the software should have done: ask for the password only in case of modification of the boot loader menu items.

-- 
You are receiving this mail because: You are on the CC list for the bug.
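As an added example (not code from the bug report or from the openSUSE project), the following POSIX shell script checks a grub.cfg for the behaviour the reporter describes: once `set superusers=...` is present, GRUB2 prompts for every menu entry that is not marked `--unrestricted`, so a prompt on every boot means the generated entries lack that flag. The sample configuration, its entry titles and its placeholder hash are constructed; the path /boot/grub2/grub.cfg in the final comment is the usual openSUSE location and is an assumption.

```shell
#!/bin/sh
# Added example, not part of the bug report: list the menu entries of a
# grub.cfg that will prompt for the superuser password at boot.
# GRUB2 semantics: once "set superusers=..." is present, every menuentry
# (and submenu) requires authentication unless it carries --unrestricted
# (or an empty --users list). YaST's "Protect Entry Modification Only" is
# meant to produce unrestricted entries; a prompt on every boot means the
# generated entries lack that flag.

# Constructed sample grub.cfg (placeholder hash, not a real credential).
sample_cfg() {
cat <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'openSUSE Leap 42.3' --class opensuse --unrestricted {
    linux /boot/vmlinuz root=/dev/mapper/system-root rd.shell=0
}
menuentry 'openSUSE Leap 42.3 (recovery mode)' --class opensuse {
    linux /boot/vmlinuz root=/dev/mapper/system-root single
}
EOF
}

# Read grub.cfg text from stdin; print the title of each entry that is
# password-locked. Prints nothing when no superusers line exists, because
# GRUB then never prompts at all.
locked_entries() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | grep -q '^[[:space:]]*set[[:space:]]*superusers=' || return 0
    printf '%s\n' "$cfg" \
      | grep -E '^[[:space:]]*(menuentry|submenu)[[:space:]]' \
      | grep -v -e '--unrestricted' -e "--users[[:space:]]*''" -e '--users[[:space:]]*""' \
      | sed -E "s/^[[:space:]]*(menuentry|submenu)[[:space:]]+(['\"])([^'\"]*)\2.*/\3/"
}

# True (exit 0) when at least one entry will demand the password.
needs_password() {
    [ -n "$(locked_entries)" ]
}

# Demo on the constructed sample: prints the recovery entry only.
sample_cfg | locked_entries
# On a real system (assumed openSUSE path): locked_entries < /boot/grub2/grub.cfg
```

An empty result on a real system means the entries are unrestricted and the prompt must come from elsewhere (for instance a wrapper such as trustedgrub2 rather than the menu itself).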
--- Comment #18 from Michael Chang

Hi Stakanov,

Did you run?

update-bootloader --reinit

It is required to reinstall trustedgrub2 manually in case the pcr value got changed unexpectedly so you're unable to unseal any secrets, if any ..

Thanks.
--- Comment #19 from Stakanov Schufter

> Hi Stakanov,
> Did you run ?
> update-bootloader --reinit
> It is required to reinstall trustedgrub2 manually in case the pcr value got changed unexpectedly so you're unable to unseal any secrets, if any ..
> Thanks.

Hello Michael. I ran the command as you indicated. I restarted the system. As before, everything works, but the setting to not ask for the password if no changes are requested to grub is not honored. So what it does: you start, you unlock the BIOS, unlock the TPM with its password, you go to grub and you are presented with that CLI asking for the grub password. You give it, slot 0 has been unlocked, and then the boot goes on to the LVM where a second time a password is requested, and then I boot into the system. What it should do is to skip the password for grub, as it should ask for it only if, e.g., I go into advanced and ask it to change a boot parameter. Unfortunately it always asks for that password. This is a bit weird because, in principle, that bug was gone. The symbol table thing is gone perfectly, but somewhere something changed so that the password request for grub at every boot reappears. Should I try to uninstall trusted grub, then reinstall it after a reboot?

--- Comment #20 from Stakanov Schufter

(In reply to Michael Chang from comment #18)
> Hi Stakanov,
> Did you run ?
> update-bootloader --reinit
> It is required to reinstall trustedgrub2 manually in case the pcr value got changed unexpectedly so you're unable to unseal any secrets, if any ..
> Thanks.

Yes, I did. But it does not change the behavior. I am asked for the grub password at every boot; it takes a long time (about 15 seconds), then it reports "slot0 unlocked" and proceeds as expected. Maybe I have to uninstall it completely and reinstall it completely?