From 21356b75081fd048be946eac3fafc184f916e1a6 Mon Sep 17 00:00:00 2001
From: Henning Heinold
Date: Tue, 24 Feb 2015 20:59:11 +0100
Subject: [PATCH] initrdscripts: make it possbile to secure grub with a password

* an example setup for the IDU can be found on https://projects.sysmocom.de/redmine/projects/sob-idu/wiki/ProvisioningSetup
Fixes: SYS#1130
---
 .../images/core-image-minimal-initramfs.bbappend | 14 +++++++++++++-
 recipes-core/initrdscripts/files/init-install.sh | 12 ++++++++++++
 .../initramfs-live-install_sysmocom.inc | 2 +-
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/recipes-core/images/core-image-minimal-initramfs.bbappend b/recipes-core/images/core-image-minimal-initramfs.bbappend
index 26fd5b0..3d7c27c 100644
--- a/recipes-core/images/core-image-minimal-initramfs.bbappend
+++ b/recipes-core/images/core-image-minimal-initramfs.bbappend
@@ -4,4 +4,16 @@ change_udev_automounter_ro() {
 sed -i -e 's/\-t auto/\-t auto \-o ro/' ${IMAGE_ROOTFS}/etc/udev/scripts/mount.sh
 }
-ROOTFS_POSTPROCESS_COMMAND += "change_udev_automounter_ro ; "
+bootuser = "${@d.getVar('BOOT_USER', True) or ""}"
+bootpasswd = "${@d.getVar('BOOT_PASSWD', True) or ""}"
+
+set_boot_passwd() {
+ if [ -n "${bootpasswd}" ] && [ -n "${bootuser}" ]; then
+ sed -e "s/^\(BOOTPASSWD=\)/\1${bootpasswd}/g" \
+ -e "s/^\(BOOTUSER=\)/\1${bootuser}/g" \
+ -i ${IMAGE_ROOTFS}/install.sh
+ echo "Generated new grub-passwd"
+ fi
+}
+
+ROOTFS_POSTPROCESS_COMMAND += "change_udev_automounter_ro ; set_boot_passwd; "
diff --git a/recipes-core/initrdscripts/files/init-install.sh b/recipes-core/initrdscripts/files/init-install.sh
index 6c22174..4ca4b83 100644
--- a/recipes-core/initrdscripts/files/init-install.sh
+++ b/recipes-core/initrdscripts/files/init-install.sh
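Review bot: In `set_boot_passwd` (core-image-minimal-initramfs.bbappend) the values of `${bootpasswd}` and `${bootuser}` are pasted unescaped into the replacement side of both sed expressions, so a password containing `/`, `&` or `\` either makes the sed call fail or writes something other than the configured password into `install.sh`. Escape the value before substituting, for example `pw=$(printf '%s' "${bootpasswd}" | sed -e 's/[\/&]/\\&/g')`, and use `$pw` in the expression; the same applies to the user name. The function also does nothing and prints nothing when only one of `BOOT_USER` / `BOOT_PASSWD` is set, so an image that was meant to be protected is built without a password; an `else` branch with `bbfatal "BOOT_USER and BOOT_PASSWD must be set together"` for the half-configured case would make that visible. `${IMAGE_ROOTFS}/install.sh` should be quoted as well.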
@@ -175,10 +175,22 @@ terminal_input --append serial
 terminal_output --append serial
 EOF
+BOOTPASSWD=
+BOOTUSER=
+if [ -n "${BOOTPASSWD}" ] && [ -n "${BOOTUSER}" ]; then
+cat >> $GRUBCFG << EOF
+set superusers="$BOOTUSER"
+password $BOOTUSER $BOOTPASSWD
+EOF
+fi
+
 if [ -f /etc/grub.d/40_custom ] ; then
 echo "Preparing custom grub2 menu..."
 cat /etc/grub.d/40_custom >> $GRUBCFG
+ if [ -n "${BOOTPASSWD}" ] && [ -n "${BOOTUSER}" ]; then
+ sed -i "s/\(menuentry\)\(.*\)\({\)/\1\2--unrestricted \3/g" $GRUBCFG
+ fi
 sed -i "s@__ROOTFS__@$rootfs $rootwait@g" $GRUBCFG
 sed -i "s/__VIDEO_MODE__/$kernel_cmdline_video_mode/g" $GRUBCFG
 sed -i "s/__VGA_MODE__/$kernel_cmdline_vga_mode/g" $GRUBCFG
diff --git a/recipes-core/initrdscripts/initramfs-live-install_sysmocom.inc b/recipes-core/initrdscripts/initramfs-live-install_sysmocom.inc
index 107dfd3..d507aa3 100644
--- a/recipes-core/initrdscripts/initramfs-live-install_sysmocom.inc
+++ b/recipes-core/initrdscripts/initramfs-live-install_sysmocom.inc
@@ -1,6 +1,6 @@
 SYSMOCOM := "${@os.path.dirname(bb.data.getVar('FILE', d, True))}"
 FILESEXTRAPATHS_prepend := "${SYSMOCOM}/files:"
-PRINC = "1"
+PRINC = "2"
 RDEPENDS_${PN} += "e2fsprogs-e2fsck"
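Review bot: The heredoc line `password $BOOTUSER $BOOTPASSWD` in init-install.sh stores the GRUB superuser password in cleartext in `$GRUBCFG`, and the same cleartext sits in `install.sh` inside the initramfs, so anyone who can read the boot partition or the installer image recovers it. GRUB 2 also accepts a hashed form, `password_pbkdf2 $BOOTUSER $BOOTPASSWD`, where `BOOT_PASSWD` would carry the output of `grub-mkpasswd-pbkdf2` instead of the password itself. Because the heredoc delimiter `EOF` is unquoted, a `$` or backtick in either value is expanded by the shell while the config is written; double-quoting the assignment once it is filled in and quoting `"$GRUBCFG"` would avoid surprises. A comment above the `--unrestricted` sed would help too, stating that menu entries stay bootable without credentials and only editing entries and the GRUB console require the superuser. The `if [ -f /etc/grub.d/40_custom ]` block continues past the end of the hunk.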