[Bug 1052420] New: Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot - openSUSE Bugs - openSUSE Mailing Lists

newer
[Bug 1120255] New: libselinux...

[Bug 1052420] New: Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

older
[Bug 1114251] NVIDIA driver...

bugzilla_noreply＠novell.com

6 Aug 2017 6 Aug '17

10:55

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 Bug ID: 1052420 Summary: Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.3 Hardware: x86-64 OS: openSUSE 42.3 Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: jsrain@suse.com Reporter: stakanov@freenet.de QA Contact: jsrain@suse.com Found By: --- Blocker: --- The help file says correctly: "Al momento dell'avvio, per la modifica o anche l'avvio di qualsiasi voce verrà richiesta la password. Se l'opzione Proteggi solo modifica della voce è selezionata sarà possibile avviare qualsiasi voce, ma per modificare le voci sarà necessaria la password (è lo stesso comportamento di GRUB1). Come effetto collaterale di tale opzione, ai parametri del kernel è aggiunto rd.shell=0, così da impedire un accesso non autorizzato alla shell initrd." So: if the option "protect only the modification of menu entries" is selecte, it will be possible to start any item, but, if you want to modify anything, it will be necessary to type the password for "root-grub-user". So: I did set password protected grub and protect only modification of the items. But this is not honored by grub. It asks for the password no matter what. Even if just letting time go by (and not modifying, not even pressing enter to select the item faster, in all cases you will be asked to set "root" and the password for root-grub you defined. Even without any modification. This is a strong incentive against the useful feature of password protected grub. What the software does: asks for the grub-root password every time. What the software should have done: asks for the password only in case of modification of the boot loader menu items. -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.htm (text/html — 3.7 KB)

Reply

Sign in to reply online Use email software

Show replies by date

bugzilla_noreply＠novell.com

19 Oct 19 Oct

11:04

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c1 Jiri Srain changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jreidinger@suse.com, | |mchang@suse.com, | |stakanov@freenet.de Flags| |needinfo?(stakanov@freenet. | |de) --- Comment #1 from Jiri Srain --- Can you, please, attach the YaST log? Could be also useful to check whether YaST wrote the settings correctly to the GRUB configuration files... -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

11:20

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c2 --- Comment #2 from Josef Reidinger --- Also please attach content of /etc/grub.d/42_password ( you can remove salted pwd in file ). As if it contain unrestricted_menu set to yes, it is grub2 issue if grub2-mkconfig passes properly -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

13:02

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c3 --- Comment #3 from Stakanov Schufter --- first attachment: yast2.log I have a problem. File size is 59 MB as compressed file. Way too much for the bugzilla. Where should I upload. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

13:04

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c4 Stakanov Schufter changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jsrain@suse.com Flags| |needinfo?(jsrain@suse.com) --- Comment #4 from Stakanov Schufter --- Created attachment 745192 --> http://bugzilla.opensuse.org/attachment.cgi?id=745192&action=edit 42_password from /etc as requested. You said: "As if it contain unrestricted_menu set to yes, it is grub2 issue if grub2-mkconfig passes properly" For what I see it does. Please advice me how to handle the size problem of yast2logs. Thank you -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

13:21

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c5 --- Comment #5 from Stakanov Schufter --- Created attachment 745196 --> http://bugzilla.opensuse.org/attachment.cgi?id=745196&action=edit yast2logs trying one more time. yast2logs -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

13:34

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c6 Josef Reidinger changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(stakanov@freenet. |needinfo?(mchang@suse.com) |de), | |needinfo?(jsrain@suse.com) | --- Comment #6 from Josef Reidinger --- michael please can you check it? From YaST POV it is properly configured for unrestricted menu. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

24 Oct 24 Oct

11:39

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 Jiri Srain changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|jsrain@suse.com |mchang@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

27 Oct 27 Oct

04:34

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c7 Michael Chang changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(mchang@suse.com) |needinfo?(stakanov@freenet. | |de) --- Comment #7 from Michael Chang --- I've verified on openSUSE Leap 42.3 and "protect only modification" works as usual. Please attach your /etc/sysconfig/bootloader. I wonder are you using TPM variation of grub2 (aka TrustedGrub2) ? Thanks. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

11:42

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c8 Stakanov Schufter changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(stakanov@freenet. | |de) | --- Comment #8 from Stakanov Schufter --- Yes, I am using a tpm (1.2) and trustet grub + trousers. content of /etc/sysconfig/bootloader: ## Path: System/Bootloader ## Description: Bootloader configuration ## Type: list(grub,grub2,grub2-efi,none) ## Default: grub2 # # Type of bootloader in use. # For making the change effect run bootloader configuration tool # and configure newly selected bootloader # # LOADER_TYPE="grub2" ## Path: System/Bootloader ## Description: Bootloader configuration ## Type: yesno ## Default: "no" # # Enable UEFI Secure Boot support # This setting is only relevant to UEFI which supports Secure Boot. It won't # take effect on any other firmware type. # # SECURE_BOOT="no" ## Path: System/Bootloader ## Description: Bootloader configuration ## Type: yesno ## Default: "no" # # Enable Trusted Boot support # Only available for legacy (non-UEFI) boot. # TRUSTED_BOOT="yes" The system has as said a TPM 1.2 but no UEFI as it is precedent to the UEFI (how would I call UEFI "MS-geddon"?). Laptop is Lenovo X201 Spec page: https://support.lenovo.com/de/it/solutions/pd010141 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

11:44

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c9 --- Comment #9 from Stakanov Schufter --- Sorry. Spec page wrong language: https://support.lenovo.com/gb/en/solutions/pd010141 That is the English one. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

30 Oct 30 Oct

09:29

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c10 Michael Chang changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(stakanov@freenet. | |de) --- Comment #10 from Michael Chang --- Thanks for confirmation. I've built trustedgrub2 with the needed patch to enable unrestricted menu as default. Would you please test trustedgrub2 package in the repo ? https://download.opensuse.org/repositories/home:/michael-chang:/branches:/Ba... After package install, run "update-bootloader --reinit" to reinstall bootloader. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

22 Jun 22 Jun

09:23

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c11 Michael Chang changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #11 from Michael Chang --- Close as resolved fix because patch has been submitted to openSUSE:Factory. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

20 Jul 20 Jul

09:59

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 Stakanov Schufter changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(stakanov@freenet. | |de) | -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

21 Dec 21 Dec

09:28

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c16 Stakanov Schufter changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED |--- Assignee|mchang@suse.com |stakanov@freenet.de Flags| |needinfo?(stakanov@freenet. | |de) --- Comment #16 from Stakanov Schufter --- Created attachment 793238 --> http://bugzilla.opensuse.org/attachment.cgi?id=793238&action=edit 42_password after update I have unfortunately to reopen this bug as the patch does not work. I am prompted for password at every boot. So something changed since the time the patch was done. I join the attachment of 42_password after the application of the update. I will then post also yast2log. Please inform me if you need anything else. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

09:31

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c17 --- Comment #17 from Stakanov Schufter --- Created attachment 793240 --> http://bugzilla.opensuse.org/attachment.cgi?id=793240&action=edit etc_sysconfig_bootloader content after update as of title, etc/sysconfig/bootloader after applying the update. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

09:49

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c18 Michael Chang changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(stakanov@freenet. | |de) | --- Comment #18 from Michael Chang --- Hi Stakanov, Did you run ?

update-bootloader --reinit

It is required to reinstall trustedgrub2 manually in case the pcr value got changed unexpectedly so you're unable to unseal any secrets, if any .. Thanks. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

09:54

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c19 --- Comment #19 from Stakanov Schufter --- Created attachment 793243 --> http://bugzilla.opensuse.org/attachment.cgi?id=793243&action=edit yast2logs after update this is yast2logs after the update. To recall the situation: trusted grub is set to ask for password only when you try to change anything, otherwise it should run through w/o prompt. Currently it does promt no matter what (but does work at least - so no damage). -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

22 Dec 22 Dec

09:31

New subject: [Bug 1052420] Secure Grub does not honor settings made in yast about "secure grub" / password protected grub and asks for password at every boot

http://bugzilla.opensuse.org/show_bug.cgi?id=1052420 http://bugzilla.opensuse.org/show_bug.cgi?id=1052420#c20 Stakanov Schufter changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(mchang@suse.com) --- Comment #20 from Stakanov Schufter --- (In reply to Michael Chang from comment #18)

Hi Stakanov,

Did you run ?

...
update-bootloader --reinit

It is required to reinstall trustedgrub2 manually in case the pcr value got changed unexpectedly so you're unable to unseal any secrets, if any ..

Thanks.

Hello Michael. I did run the command as of your indication. I restarted the system. As before, everything works, but the setting to not ask for the password if no changes are requested to grub is not honored. So what it does: you start, you unlock the bios, unlock the tpm with its password, you go to grub and you are presented with that CLI asking for the grub password. You give it, slot 0 has been unlocked, and then the boot goes on to the lvm were a second time a password is requested and then, I boot to the system. What it should do is to jump the password for grub, as it should ask for it if, e.g. I go into advanced and ask him to change a boot parameter. Unfortunately it always asks for that password. This is a bit weird because, in principle that bug was gone. The symbol table thing is gone perfectly but somewhere something changed so that the password request for grub at every boot does reappear. Should I try to uninstall trusted grub then reinstall it after a reboot? (In reply to Michael Chang from comment #18)

Hi Stakanov,

Did you run ?

...
update-bootloader --reinit

It is required to reinstall trustedgrub2 manually in case the pcr value got changed unexpectedly so you're unable to unseal any secrets, if any ..

Thanks.

Yes I did. But it does not change the behavior. I am asked the password for grub at every boot, it takes a long time, (about 15 seconds) then it claims: slot0 unlocked and proceeds as expected. Maybe I do have to uninstall it completely and reinstall it completely? -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

1984

Age (days ago)

2487

Last active (days ago)

Download

18 comments

1 participants

tags

participants (1)

bugzilla_noreply＠novell.com