After discovering and working around a bug in grub2-set-password, I am now able to set password protection for grub2 in Fedora 38. While this method asks for a password when trying to edit a grub menu entry with 'e', it does not stop a regular user from booting non-default grub entries.

Grub 2.06 documentation states that

Superusers are permitted to use the GRUB command line, edit menu entries, and execute any menu entry.

The problem is the last action: stopping the execution of non-default menu entries without password. In Fedora 38, after password-protecting grub, a superusers group is indeed created, but I can still execute non-default menu entries without password.

So, the question is: How can the execution of non-default entries be password-protected in Fedora 38?

The grub documentation page above shows ways to interpret different menuentry lines in grub.cfg from the perspective of authentication. Unfortunately,

1. Fedora generates grub.cfg from a set of files, and the resulting grub.cfg is not supposed to be edited directly.
2. The resulting grub.cfg is cumbersome to interpret, and does not contain menuentry lines for the different entries.
3. I have not found any documentation on how the execution of non-default entries should be done.

Edit. After doing some digging around, I can now see that password protection for grub menu entries is effectively disabled by each individual file in /boot/loader/entries/. Every file sets grub-arg --unrestricted, which according to Grub 2.06 documentation means that there is no restriction as to who can boot that entry. I also found a discussion indicating that Fedora patches grub to combine it with Boot Loader Specification (BLS). This suggests that the issue could be very much Fedora-specific. More information on this feature in Fedora can be found in the Fedora change description on BLS.

Edit 2. I can now see that grub_arg --unrestricted has been hard coded into the new version of grubby, which is just a bash script in F38. So I guess I should make a feature request for Fedora.

After discovering and working around a bug in grub2-set-password, I am now able to set password protection for grub2 in Fedora 38. While this method asks for a password when trying to edit a grub menu entry with 'e', it does not stop a regular user from booting non-default grub entries.

Grub 2.06 documentation states that

Superusers are permitted to use the GRUB command line, edit menu entries, and execute any menu entry.

The problem is the last action: stopping the execution of non-default menu entries without password. In Fedora 38, after password-protecting grub, a superusers group is indeed created, but I can still execute non-default menu entries without password.

I can see that password protection for grub menu entries is effectively disabled by each individual file in /boot/loader/entries/. Every file sets grub-arg --unrestricted, which according to Grub 2.06 documentation means that there is no restriction as to who can boot that entry. I also found a discussion indicating that Fedora patches grub to combine it with Boot Loader Specification (BLS). This suggests that the issue could be very much Fedora-specific. More information on this feature in Fedora can be found in the Fedora change description on BLS.

I can also see that grub_arg --unrestricted has been hard coded into the new version of grubby, which is just a bash script in F38. 

So the question is: For non-default grub entries, how does one correctly override grub_arg --unrestricted, which is hard-coded into grubby?

After discovering and working around a bug in grub2-set-password, I am now able to set password protection for grub2 in Fedora 38. While this method asks for a password when trying to edit a grub menu entry with 'e', it does not stop a regular user from booting non-default grub entries.

Grub 2.06 documentation states that

Superusers are permitted to use the GRUB command line, edit menu entries, and execute any menu entry.

The problem is the last action: stopping the execution of non-default menu entries without password. In Fedora 38, after password-protecting grub, a superusers group is indeed created, but I can still execute non-default menu entries without password.

So, the question is: How can the execution of non-default entries be password-protected in Fedora 38?

The grub documentation page above shows ways to interpret different menuentry lines in grub.cfg from the perspective of authentication. Unfortunately,

1. Fedora generates grub.cfg from a set of files, and the resulting grub.cfg is not supposed to be edited directly.
2. The resulting grub.cfg is cumbersome to interpret, and does not contain menuentry lines for the different entries.
3. I have not found any documentation on how the execution of non-default entries should be done.

Edit. After doing some digging around, I can now see that password protection for grub menu entries is effectively disabled by each individual file in /boot/loader/entries/. Every file sets grub-arg --unrestricted, which according to Grub 2.06 documentation means that there is no restriction as to who can boot that entry. I also found a discussion indicating that Fedora patches grub to combine it with Boot Loader Specification (BLS). This suggests that the issue could be very much Fedora-specific. More information on this feature in Fedora can be found in the Fedora change description on BLS.

After discovering and working around a bug in grub2-set-password, I am now able to set password protection for grub2 in Fedora 38. While this method asks for a password when trying to edit a grub menu entry with 'e', it does not stop a regular user from booting non-default grub entries.

Grub 2.06 documentation states that

Superusers are permitted to use the GRUB command line, edit menu entries, and execute any menu entry.

The problem is the last action: stopping the execution of non-default menu entries without password. In Fedora 38, after password-protecting grub, a superusers group is indeed created, but I can still execute non-default menu entries without password.

So, the question is: How can the execution of non-default entries be password-protected in Fedora 38?

The grub documentation page above shows ways to interpret different menuentry lines in grub.cfg from the perspective of authentication. Unfortunately,

1. Fedora generates grub.cfg from a set of files, and the resulting grub.cfg is not supposed to be edited directly.
2. The resulting grub.cfg is cumbersome to interpret, and does not contain menuentry lines for the different entries.
3. I have not found any documentation on how the execution of non-default entries should be done.

Edit. After doing some digging around, I can now see that password protection for grub menu entries is effectively disabled by each individual file in /boot/loader/entries/. Every file sets grub-arg --unrestricted, which according to Grub 2.06 documentation means that there is no restriction as to who can boot that entry. I also found a discussion indicating that Fedora patches grub to combine it with Boot Loader Specification (BLS). This suggests that the issue could be very much Fedora-specific. More information on this feature in Fedora can be found in the Fedora change description on BLS.

Edit 2. I can now see that grub_arg --unrestricted has been hard coded into the new version of grubby, which is just a bash script in F38. So I guess I should make a feature request for Fedora.

After discovering and working around a bug in grub2-set-password, I am now able to set password protection for grub2 in Fedora 38. While this method asks for a password when trying to edit a grub menu entry with 'e', it does not stop a regular user from booting non-default grub entries.

Grub 2.06 documentation states that

Superusers are permitted to use the GRUB command line, edit menu entries, and execute any menu entry.

The problem is the last action: stopping the execution of non-default menu entries without password. In Fedora 38, after password-protecting grub, a superusers group is indeed created, but I can still execute non-default menu entries without password.

So, the question is: How can the execution of non-default entries be password-protected in Fedora 38?

The grub documentation page above shows ways to interpret different menuentry lines in grub.cfg from the perspective of authentication. Unfortunately,

1. Fedora generates grub.cfg from a set of files, and the resulting grub.cfg is not supposed to be edited directly.
2. The resulting grub.cfg is cumbersome to interpret, and does not contain menuentry lines for the different entries.
3. I have not found any documentation on how the execution of non-default entries should be done.

Edit. After doing some digging around, I can now see that password protection for grub menu entries is effectively disabled by each individual file in /boot/loader/entries/. Every file sets grub-arg --unrestricted, which according to Grub 2.06 documentation means that there is no restriction as to who can boot that entry. I also found a discussion indicating that Fedora patches grub to combine it with Boot Loader Specification (BLS). This suggests that the issue could be very much Fedora-specific.

After discovering and working around a bug in grub2-set-password, I am now able to set password protection for grub2 in Fedora 38. While this method asks for a password when trying to edit a grub menu entry with 'e', it does not stop a regular user from booting non-default grub entries.

Grub 2.06 documentation states that

Superusers are permitted to use the GRUB command line, edit menu entries, and execute any menu entry.

The problem is the last action: stopping the execution of non-default menu entries without password. In Fedora 38, after password-protecting grub, a superusers group is indeed created, but I can still execute non-default menu entries without password.

So, the question is: How can the execution of non-default entries be password-protected in Fedora 38?

The grub documentation page above shows ways to interpret different menuentry lines in grub.cfg from the perspective of authentication. Unfortunately,

1. Fedora generates grub.cfg from a set of files, and the resulting grub.cfg is not supposed to be edited directly.
2. The resulting grub.cfg is cumbersome to interpret, and does not contain menuentry lines for the different entries.
3. I have not found any documentation on how the execution of non-default entries should be done.

Edit. After doing some digging around, I can now see that password protection for grub menu entries is effectively disabled by each individual file in /boot/loader/entries/. Every file sets grub-arg --unrestricted, which according to Grub 2.06 documentation means that there is no restriction as to who can boot that entry. I also found a discussion indicating that Fedora patches grub to combine it with Boot Loader Specification (BLS). This suggests that the issue could be very much Fedora-specific. More information on this feature in Fedora can be found in the Fedora change description on BLS.