Hello,

The attached patch aims at giving system administrators an easier way to configure which entries are accessible at boot when a password has been set.

Currently, when a password is set, it is required not only to do advanced stuff at boot time, but also to boot the menu entries.

A common use case is when an administrator wants to prevent users from using the grub shell or booting recovery entries, but not from using the standard boot options.

Currently, administrators must either write grub.cfg themselves or alter the scripts used by grub-mkconfig to add --unrestricted to the relevant entries.

This patch adds two optional variables, GRUB_SECURITY_LINUX_DEFAULT and GRUB_SECURITY_LINUX_RECOVERY, to grub's simple configuration scheme. The variables are used by the 10_linux script to add a specific security option (e.g. --unrestricted) to ordinary entries or to recovery entries respectively.

The modification is conservative: if no option is set in /etc/default/grub, grub-mkconfig will generate the same grub.cfg as before.

The idea may be expanded to other OS families.

--
Cordialement,

Yann Salmon
From efa78c36c0144424d4ad2b9014f5d3ba89b07fa7 Mon Sep 17 00:00:00 2001
From: Yann Salmon <nom...@yannsalmon.fr>
Date: Thu, 29 May 2025 15:46:58 +0200
Subject: [PATCH] Adding configuration options for Linux --unrestricted entries

---
 util/grub-mkconfig.in   |  4 +++-
 util/grub.d/10_linux.in | 23 +++++++++++++++++------
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index 32c480dae..4b0ccda06 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -255,7 +255,9 @@ export GRUB_DEFAULT \
   GRUB_ENABLE_CRYPTODISK \
   GRUB_BADRAM \
   GRUB_OS_PROBER_SKIP_LIST \
-  GRUB_DISABLE_SUBMENU
+  GRUB_DISABLE_SUBMENU \
+  GRUB_SECURITY_LINUX_DEFAULT \
+  GRUB_SECURITY_LINUX_RECOVERY
 
 if test "x${grub_cfg}" != "x"; then
   rm -f "${grub_cfg}.new"
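Review bot: the two new variables are exported here but nowhere documented; add GRUB_SECURITY_LINUX_DEFAULT and GRUB_SECURITY_LINUX_RECOVERY to docs/grub.texi next to GRUB_DISABLE_SUBMENU and state which values are accepted (for example `--unrestricted` or `--users=...`), since 10_linux emits the value verbatim into the menuentry line.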
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index cc393be7e..361e4af40 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -35,6 +35,13 @@ else
   CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1|LC_ALL=C sed 's,[^[:alnum:]_],_,g') ${CLASS}"
 fi
 
+if [ "x${GRUB_SECURITY_LINUX_DEFAULT}" = "x" ] ; then
+  GRUB_SECURITY_LINUX_DEFAULT=""
+fi
+
+if [ "x${GRUB_SECURITY_LINUX_RECOVERY}" = "x" ] ; then
+  GRUB_SECURITY_LINUX_RECOVERY=""
+fi
 # loop-AES arranges things so that /dev/loop/X can be our root device, but
 # the initrds that Linux uses don't like that.
 case ${GRUB_DEVICE} in
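Review bot: the two `if` blocks at the top of this hunk are no-ops: assigning `""` to a variable that is already unset or empty changes nothing, and the callers later pass `"${GRUB_SECURITY_LINUX_DEFAULT}"` and `"${GRUB_SECURITY_LINUX_RECOVERY}"` unconditionally, so `security="$5"` already ends up empty. Either drop them or make them assign the documented default if one is intended. Also keep a blank line before the `# loop-AES` comment so the new block does not run straight into the existing case statement.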
@@ -87,6 +94,7 @@ linux_entry ()
   version="$2"
   type="$3"
   args="$4"
+  security="$5"
 
   if [ -z "$boot_device_id" ]; then
       boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
@@ -104,9 +112,9 @@ linux_entry ()
 	  title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
 	  grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")"
       fi
-      echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+      echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} $security \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
   else
-      echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+      echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} $security \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
   fi      
   if [ x$type != xrecovery ] ; then
       save_default_entry | grub_add_tab
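Review bot: `$security` is interpolated unquoted and unvalidated into the menuentry line in both echo statements; a value in /etc/default/grub that contains a quote, brace or newline lands verbatim in grub.cfg and breaks its syntax, and a value that is not a menuentry option silently alters the entry. Consider validating the value before emitting it (for example accept only `--unrestricted` or a `--users=...` list, or at least require a leading `--`) and emit a `grub_warn` otherwise.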
@@ -285,7 +293,8 @@ for linux in ${reverse_sorted_list}; do
 
   if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xtrue ]; then
     linux_entry "${OS}" "${version}" simple \
-    "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+    "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" \
+    "${GRUB_SECURITY_LINUX_DEFAULT}"
 
     submenu_indentation="$grub_tab"
     
@@ -293,15 +302,17 @@ for linux in ${reverse_sorted_list}; do
 	boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
     fi
     # TRANSLATORS: %s is replaced with an OS name
-    echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
+    echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' --unrestricted \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
     is_top_level=false
   fi
 
   linux_entry "${OS}" "${version}" advanced \
-              "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+              "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" \
+              "${GRUB_SECURITY_LINUX_DEFAULT}"
   if [ "x${GRUB_DISABLE_RECOVERY}" != "xtrue" ]; then
     linux_entry "${OS}" "${version}" recovery \
-                "${GRUB_CMDLINE_LINUX_RECOVERY} ${GRUB_CMDLINE_LINUX}"
+                "${GRUB_CMDLINE_LINUX_RECOVERY} ${GRUB_CMDLINE_LINUX}" \
+                "${GRUB_SECURITY_LINUX_RECOVERY}"
   fi
 done
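Review bot: the submenu line now carries a hard-coded `--unrestricted` regardless of configuration, which contradicts the cover letter's statement that grub.cfg is unchanged when neither variable is set: on a system with `superusers` configured, the "Advanced options" submenu becomes openable without a password even on an unconfigured install. The entries inside still enforce their own `$security` option, so this mostly exposes the kernel list, but it is still a behaviour change. Make the submenu option follow GRUB_SECURITY_LINUX_DEFAULT (emitting nothing when it is empty) instead of hard-coding it, so the submenu is only opened up when the administrator has opted in.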
 
-- 
2.43.0
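As an added example, not part of the patch or of the GRUB tree: a small POSIX sh audit that reads a generated grub.cfg and reports which menuentry and submenu lines carry `--unrestricted` (bootable without the password) and which remain restricted, so an administrator can verify what the new variables actually produced. The function names and the sample grub.cfg below are constructed for this example.

```shell
#!/bin/sh
# audit_grub_cfg: print one line per menuentry/submenu in the given grub.cfg,
# prefixed with "unrestricted:" or "restricted:" depending on whether the
# entry line carries the --unrestricted option.
audit_grub_cfg() {
  grep -E '^[[:space:]]*(menuentry|submenu) ' "$1" | while IFS= read -r line; do
    # The title is the first single-quoted word after the keyword.
    title=$(printf '%s\n' "$line" |
      sed -E -n "s/^[[:space:]]*(menuentry|submenu) '([^']*)'.*/\2/p")
    case "$line" in
      *--unrestricted*) printf 'unrestricted:%s\n' "$title" ;;
      *)                printf 'restricted:%s\n' "$title" ;;
    esac
  done
}

# Convenience counters for scripted checks.
count_unrestricted() { audit_grub_cfg "$1" | grep -c '^unrestricted:'; }
count_restricted()   { audit_grub_cfg "$1" | grep -c '^restricted:'; }

# make_sample_cfg: write a constructed grub.cfg resembling what 10_linux
# would emit with GRUB_SECURITY_LINUX_DEFAULT="--unrestricted" and
# GRUB_SECURITY_LINUX_RECOVERY left empty; prints the temp file path.
make_sample_cfg() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.PLACEHOLDER_HASH
menuentry 'Debian GNU/Linux' --class debian --unrestricted $menuentry_id_option 'gnulinux-simple-ID' {
    linux /vmlinuz root=/dev/sda1
}
submenu 'Advanced options for Debian GNU/Linux' --unrestricted $menuentry_id_option 'gnulinux-advanced-ID' {
    menuentry 'Debian GNU/Linux, with Linux 6.1' --class debian --unrestricted $menuentry_id_option 'gnulinux-6.1-advanced-ID' {
        linux /vmlinuz root=/dev/sda1
    }
    menuentry 'Debian GNU/Linux, with Linux 6.1 (recovery mode)' --class debian $menuentry_id_option 'gnulinux-6.1-recovery-ID' {
        linux /vmlinuz root=/dev/sda1 single
    }
}
EOF
  printf '%s\n' "$f"
}

# Usage on a real system: audit_grub_cfg /boot/grub/grub.cfg
```

Run `audit_grub_cfg /boot/grub/grub.cfg` after `grub-mkconfig` to confirm that only the intended entries (here: the normal entries and the submenu, but not the recovery entry) are reachable without the password.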
