Headline
CVE-2022-3675: Setting a GRUB password :: Fedora Docs
Fedora CoreOS supports setting a GRUB bootloader password using a Butane config. When this feature is enabled, GRUB requires a password to access the GRUB command-line, modify kernel command-line arguments, or boot non-default OSTree deployments. Recent Fedora CoreOS releases have a misconfiguration which allows booting non-default OSTree deployments without entering a password. This allows someone with access to the GRUB menu to boot into an older version of Fedora CoreOS, reverting any security fixes that have recently been applied to the machine. A password is still required to modify kernel command-line arguments and to access the GRUB command line.
You can set up a password to prevent unauthorized users from accessing the GRUB command line, modifying kernel command-line arguments, or booting non-default OSTree deployments.
Creating the password hash
You can use grub2-mkpasswd-pbkdf2 to create a password hash for GRUB.
$ grub2-mkpasswd-pbkdf2
Enter password: <PASSWORD>
Reenter password: <PASSWORD>
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.5AE6255...
grub2-mkpasswd-pbkdf2 tool is a component of the grub2-tools-minimal package on Fedora.
Butane config
With the password hash ready, you can now create the Butane config.
The Butane grub section requires Butane spec version 1.5.0-experimental. After spec 1.5.0 is stabilized, version 1.5.0-experimental will no longer be accepted by Butane, so Butane configs will need to be updated to replace 1.5.0-experimental with 1.5.0. In addition, the corresponding Ignition config version will no longer be accepted by Ignition, so Ignition configs will need to be regenerated with a new version of Butane.
variant: fcos
version: 1.5.0-experimental
grub:
users:
- name: root
password_hash: grub.pbkdf2.sha512.10000.5AE6255...
The Butane config defines a GRUB superuser root and sets the password for that user using a hash.
You can now use this config to boot a Fedora CoreOS instance.