I recently came across the Linux password change method via the GRUB by entering single user mode. After some digging around I found some articles on how to secure it with a sha512 hashed password.While this sounds like a good option to secure GRUB I also read you can simply change it using a Linux installation.
So how can you go about securing the password in a way that cannot be modified or removed through the use of a Linux installation?
So how can you go about securing the password in a way that cannot be modified or removed through the use of a Linux installation?
This is not possible. If someone has physical access to your device, they can do everything. You have two options:
Encrypt all the partitions and boot from e.g. a USB stick which only you have access to.
With new GRUB releases if you have secure EFI [boot] enabled, you can encrypt all the partitions and leave only the EFI boot partition unecrypted with no GRUB password at all.
Obviously you'll have to set the password to access BIOS cause otherwise the attacker may disable secure boot or install their own MAC key and tamper with the boot loader and sniff your passwords.
Lastly if someone has physical access to your PC they may tamper with your keyboard and install a hardware keylogger - then all your protections are worthless.
Protecting your device from physical attacks is a very complicated topic. Maybe you should settle on recently released Apple devices or Android phones which do it perfectly. A run of the mill x86 PC/laptop is wide open to all sorts of physical undetectable attacks.
