2

I have been trying to password-protect grub boot menu in Fedora 38. Now, unfortunately, the Fedora guide for GRUB2 is "currently in the process of revision," so I have had to work with other guides such as this one and this answer.

What I have done is, according to the instructions in the sources above,

  1. call grub2-set-password to set up a password.
  2. call grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg to recreate grub configuration.

This has had no effect on grub boot menu: I can still edit kernel parameters with 'e.' I can see that the password has been stored into /boot/grub2/user.cfg and I can see that /etc/grub.d/01_users should then set superuser and other values appropriately, as indicated in the answer link above.

So: how can I achieve what I am trying to do?

Edit. grub2-set-password stores the password into file /boot/grub2/user.cfg, while in a UEFI system the script 01_users tries to read the password from file ${prefix}/user.cfg. Given that in a UEFI system other boot information is contained in directory /boot/efi/EFI/fedora, perhaps grub2-set-password stores the password into an incorrect directory in this case. I wonder what ${prefix} is in UEFI.

1

2 Answers

1

This is a bug in grub2-set-password in UEFI boot systems. grub2-set-password stores the resulting password in /boot/grub2/user.cfg, which would be the correct location for legacy BIOS boot. UEFI boot tries to read this information from ${prefix}/user.cfg, which - based on an experiment - seems to map to /boot/efi/EFI/fedora/user.cfg.

As a temporary solution, the following solves the problem in a UEFI boot system (this is the experiment referred to above):

  1. call grub2-set-password to generate the password
  2. mv /boot/grub2/user.cfg /boot/efi/EFI/fedora/

Calling grub2-mkconfig after this does not seem to be necessary: all the code for reading the password is already in /boot/efi/EFI/fedora/grub.cfg even before the password is generated and stored.
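
A check for the situation described in this answer and in the question's edit, as an added example (not part of the original answer and not Fedora's own tooling): it reports whether a user.cfg holding a password sits beside the UEFI grub.cfg that reads it. The function names, the ROOT parameter and the status words are hypothetical; GRUB2_PASSWORD is the variable that grub2-set-password writes into user.cfg.

```shell
#!/bin/sh
# Added example: locate the GRUB password file relative to the UEFI grub.cfg.
# Directories are the ones named on this page. ROOT is a hypothetical
# parameter so the check can run against a mounted image or a test tree.

BIOS_CFG_DIR=boot/grub2
UEFI_CFG_DIR=boot/efi/EFI/fedora

# has_password FILE: true if FILE defines a non-empty GRUB2_PASSWORD.
has_password() {
    [ -f "$1" ] && grep -Eq '^GRUB2_PASSWORD=.+' "$1"
}

# grub_password_status [ROOT] prints one of:
#   ok           password file is beside the UEFI grub.cfg, which reads it
#   misplaced    password exists only under boot/grub2 (the case in the question)
#   unset        grub.cfg reads user.cfg, but no password file was found
#   not-sourced  the UEFI grub.cfg has no reference to user.cfg (for example
#                it only chains to another config), so moving the file there
#                would change nothing
#   no-uefi-cfg  there is no grub.cfg in the UEFI directory
grub_password_status() {
    root=${1:-}
    root=${root%/}
    uefi_dir=$root/$UEFI_CFG_DIR
    bios_dir=$root/$BIOS_CFG_DIR

    if [ ! -f "$uefi_dir/grub.cfg" ]; then
        echo "no-uefi-cfg"
    elif ! grep -q 'user\.cfg' "$uefi_dir/grub.cfg"; then
        echo "not-sourced"
    elif has_password "$uefi_dir/user.cfg"; then
        echo "ok"
    elif has_password "$bios_dir/user.cfg"; then
        echo "misplaced"
    else
        echo "unset"
    fi
}

# When invoked with an argument, report on that root (use / for the live system).
if [ $# -gt 0 ]; then
    grub_password_status "$1"
fi
```

Reading the EFI system partition normally requires root. A result of misplaced corresponds to the state before step 2 of the workaround above.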

1
0

This method comes from the article How to Add Password Protect to Grub Boot Menu in Linux Mint, Ubuntu, Debian, where you may find many more details, with screenshots.

Here is a summary of the article for Fedora.

Generate a hashed password

Run in Terminal the command grub-mkpasswd-pbkdf2 and copy the output string that starts with grub.pbkdf2.sha512….

Add Password Protect to Grub boot-menu

  • Edit the configuration file by running in terminal:

    sudo nano /etc/grub.d/40_custom
    
  • Add two new lines (password in plain text):

    set superusers="USER_NAME"
    password USER_NAME PASSWORD
    

    Or generate instead a hash for the password:

    set superusers="USER_NAME"
    password_pbkdf2 USER_NAME encryption_key
    
  • Press Ctrl+X, type y and hit Enter to save the file.

Apply changes

Run the following command in terminal.

For UEFI boot:

    grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

For legacy BIOS boot:

    grub2-mkconfig -o /boot/grub2/grub.cfg
2
  • Good point on making the correct mkconfig call for UEFI, but unfortunately it did not solve the problem. On Fedora 38, password generation and setting the correct environment variables is automated by grub2-set-password and the file 01_users, which do what you have done manually here.
    – jhu
    Commented Jul 31, 2023 at 5:39
  • However, pointing to UEFI might have provided a valuable piece of information: perhaps grub2-set-password saves password info into an incorrect directory. See edit in original question.
    – jhu
    Commented Jul 31, 2023 at 5:47
