No, the password is provided through wks file. ksparser.py is a wic subsystem which parses those kikstart files. -- With best wishes, Sergei Zhmylev Engineering consultant OS development department
On Tue, 2022-11-15 at 16:45 +0100, Alexander Kanavin wrote: > > Wait, is the password provided through command line? > > Alex > > On Tue, 15 Nov 2022 at 15:40, Sergey Zhmylev <[email protected]> > wrote: > > > > From: Sergei Zhmylev <[email protected]> > > > > Currently the only way to specify a password for bootloader > > is to supply a complete user-defined bootloader config file > > to the build process. This patch introduces a --password > > paramenter in order to simplify bootloaders hardening. > > > > Signed-off-by: Sergei Zhmylev <[email protected]> > > --- > > scripts/lib/wic/ksparser.py | 1 + > > scripts/lib/wic/plugins/source/bootimg-efi.py | 6 +++++- > > scripts/lib/wic/plugins/source/bootimg-pcbios.py | 7 ++++++- > > .../lib/wic/plugins/source/isoimage-isohybrid.py | 13 > > +++++++++++-- > > 4 files changed, 23 insertions(+), 4 deletions(-) > > > > diff --git a/scripts/lib/wic/ksparser.py > > b/scripts/lib/wic/ksparser.py > > index d1e546b12d..89bc897a5a 100644 > > --- a/scripts/lib/wic/ksparser.py > > +++ b/scripts/lib/wic/ksparser.py > > @@ -195,6 +195,7 @@ class KickStart(): > > default='msdos') > > bootloader.add_argument('--timeout', type=int) > > bootloader.add_argument('--source') > > + bootloader.add_argument('--password') > > > > include = subparsers.add_parser('include') > > include.add_argument('path', type=cannedpathtype) > > diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py > > b/scripts/lib/wic/plugins/source/bootimg-efi.py > > index 4b00913a70..3d84252796 100644 > > --- a/scripts/lib/wic/plugins/source/bootimg-efi.py > > +++ b/scripts/lib/wic/plugins/source/bootimg-efi.py > > @@ -86,7 +86,11 @@ class BootimgEFIPlugin(SourcePlugin): > > grubefi_conf += "serial --unit=0 --speed=115200 -- > > word=8 --parity=no --stop=1\n" > > grubefi_conf += "default=boot\n" > > grubefi_conf += "timeout=%s\n" % bootloader.timeout > > - grubefi_conf += "menuentry '%s'{\n" % (title if title > > else "boot") > > + if bootloader.password: > > + grubefi_conf += "set superusers=\"root\"\n" > > + grubefi_conf += "export superusers\n" > > + grubefi_conf += "password root %s\n" % > > (bootloader.password) > > + grubefi_conf += "menuentry '%s' %s {\n" % (title if > > title else "boot", "--unrestricted" if bootloader.password else "") > > > > kernel = get_bitbake_var("KERNEL_IMAGETYPE") > > if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1": > > diff --git a/scripts/lib/wic/plugins/source/bootimg-pcbios.py > > b/scripts/lib/wic/plugins/source/bootimg-pcbios.py > > index 32e47f1831..cbf4622cf9 100644 > > --- a/scripts/lib/wic/plugins/source/bootimg-pcbios.py > > +++ b/scripts/lib/wic/plugins/source/bootimg-pcbios.py > > @@ -113,8 +113,13 @@ class BootimgPcbiosPlugin(SourcePlugin): > > syslinux_conf = "" > > syslinux_conf += "PROMPT 0\n" > > syslinux_conf += "TIMEOUT " + str(bootloader.timeout) > > + "\n" > > + if bootloader.password: > > + syslinux_conf += "MENU MASTER PASSWD " + > > str(bootloader.password) + "\n" > > + syslinux_conf += "ALLOWOPTIONS 0\n" > > + syslinux_conf += "NOESCAPE 1\n" > > + else: > > + syslinux_conf += "ALLOWOPTIONS 1\n" > > syslinux_conf += "\n" > > - syslinux_conf += "ALLOWOPTIONS 1\n" > > syslinux_conf += "SERIAL 0 115200\n" > > syslinux_conf += "\n" > > if splashline: > > diff --git a/scripts/lib/wic/plugins/source/isoimage-isohybrid.py > > b/scripts/lib/wic/plugins/source/isoimage-isohybrid.py > > index 607356ad13..1d5099f954 100644 > > --- a/scripts/lib/wic/plugins/source/isoimage-isohybrid.py > > +++ b/scripts/lib/wic/plugins/source/isoimage-isohybrid.py > > @@ -63,8 +63,13 @@ class IsoImagePlugin(SourcePlugin): > > syslinux_conf = "" > > syslinux_conf += "PROMPT 0\n" > > syslinux_conf += "TIMEOUT %s \n" % (bootloader.timeout or > > 10) > > + if bootloader.password: > > + syslinux_conf += "MENU MASTER PASSWD " + > > str(bootloader.password) + "\n" > > + syslinux_conf += "ALLOWOPTIONS 0\n" > > + syslinux_conf += "NOESCAPE 1\n" > > + else: > > + syslinux_conf += "ALLOWOPTIONS 1\n" > > syslinux_conf += "\n" > > - syslinux_conf += "ALLOWOPTIONS 1\n" > > syslinux_conf += "SERIAL 0 115200\n" > > syslinux_conf += "\n" > > if splashline: > > @@ -116,10 +121,14 @@ class IsoImagePlugin(SourcePlugin): > > grubefi_conf += "--parity=no --stop=1\n" > > grubefi_conf += "default=boot\n" > > grubefi_conf += "timeout=%s\n" % (bootloader.timeout > > or 10) > > + if bootloader.password: > > + grubefi_conf += "set superusers=\"root\"\n" > > + grubefi_conf += "export superusers\n" > > + grubefi_conf += "password root %s\n" % > > (bootloader.password) > > grubefi_conf += "\n" > > grubefi_conf += "search --set=root --label %s " % > > part.label > > grubefi_conf += "\n" > > - grubefi_conf += "menuentry 'boot'{\n" > > + grubefi_conf += "menuentry 'boot' %s {\n" % ("-- > > unrestricted" if bootloader.password else "") > > > > kernel = get_bitbake_var("KERNEL_IMAGETYPE") > > if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1": > > -- > > 2.37.2 > > > > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#173350): https://lists.openembedded.org/g/openembedded-core/message/173350 Mute This Topic: https://lists.openembedded.org/mt/95043934/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
