From: Dubiousjim
To: alpine-devel@lists.alpinelinux.org
Subject: [alpine-devel] [PATCH 8/9] main/syslinux: hooks for bootloader password
Date: Sat, 29 Jun 2013 16:41:28 -0400
X-Mailer: git-send-email 1.8.3.1

We allow a password to be set in /etc/update-extlinux.conf. Instructions for generating this are in /etc/update-extlinux.conf. For reference, here is another (equivalent) way to generate the MD5 password:

    openssl passwd -1 -salt yy pass

If one sets a password, one will presumably want to make /etc/update-extlinux.conf world-unreadable. We don't do that for you; however, we do make sure, when a password is present, that the /boot/extlinux.conf files we generate are world-unreadable.

Of the auto-generated entries, only HDT (if this is generated) is now configured to respect the password; however, you can include "MENU PASSWD" in any entries you put in /etc/update-extlinux.d/. For example, I configure my BIOS to only boot from the internal drive, but I have an entry in /etc/update-extlinux.d that permits chain-booting from a USB key, and I have this entry configured to also require the password. (The BIOS is also passworded, so that these settings can't be changed willy-nilly.)

Conflicts:
	main/syslinux/update-extlinux.conf

---
 main/syslinux/update-extlinux      | 10 ++++++++++
 main/syslinux/update-extlinux.conf |  9 +++++++++
 2 files changed, 19 insertions(+)

diff --git a/main/syslinux/update-extlinux b/main/syslinux/update-extlinux
index 0ba4bbf..0499f5f 100755
--- a/main/syslinux/update-extlinux
+++ b/main/syslinux/update-extlinux
@@ -134,6 +134,13 @@ for kernel in $(find /boot -name "vmlinuz-*" -type f); do lst=$(($lst + 1)) done +if [ -n "$password" ]; then + echo "NOESCAPE 1" >> $conf.new + echo "MENU MASTER PASSWD $password" >> $conf.new + echo "" >> $conf.new + chmod o-r $conf.new +fi + everbose "$lst entries found." for entry in /etc/update-extlinux.d/*; do @@ -147,6 +154,9 @@ if [ -f "/boot/hdt.c32" ]; then everbose "Found Hardware Detection Tool: /boot/hdt.c32" echo "LABEL hdt" >> $conf.new echo " MENU LABEL Hardware info" >> $conf.new + if [ -n "$password" ]; then + echo " MENU PASSWD" >> $conf.new + fi echo " COM32 hdt.c32" >> $conf.new if [ -f "/boot/memtest" ]; then everbose "Found memtest86+: /boot/memtest" diff --git a/main/syslinux/update-extlinux.conf b/main/syslinux/update-extlinux.conf index 6c83349..947dfde 100644 --- a/main/syslinux/update-extlinux.conf +++ b/main/syslinux/update-extlinux.conf @@ -49,3 +49,12 @@ xen_opts=dom0_mem=256M # if you download and install /boot/memtest, then if HDT is present it will use it, else a separate # menu entry will be auto-generated for memtest + +# optional passwd +# you can generate a MD5 password using: mkpasswd --salt=yy --method=md5 +# you can generate a SHA1 password using: printf '$4$%s$%s$\n' xxxxxx $(printf xxxxxxpass | openssl sha1 -binary | base64 | sed 's/=$//') +# where yy are two "salt" characters from the set [./a-zA-Z0-9], and xxxxxx can be a longer "salt" from the same set +# if you assign a password, you should make this file world-unreadable +# if a password is assigned, the menu entries can't be edited at boot time, and HDT if present is password-protected +# you can also include "MENU PASSWD" in any custom entries you have in /etc/update-extlinux.d/ +password='' -- 1.8.3.1
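Review bot: in the first hunk of update-extlinux, `chmod o-r $conf.new` runs only after `echo "MENU MASTER PASSWD $password" >> $conf.new` has already written the hash, so it sits in a file that was created earlier under the default umask (normally world-readable) until the chmod lands; move `chmod o-r $conf.new` above the first `echo` into the file, or set a restrictive `umask` where `$conf.new` is first created, so the hash is never exposed even briefly. It is also worth checking that the step which later installs `$conf.new` as the live /boot/extlinux.conf keeps the mode (a `mv` does, a copy into a freshly created file does not), since the commit message promises that the generated file is world-unreadable.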
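Review bot: the new comments in update-extlinux.conf never say that the hash has to stay inside single quotes. The file is read as shell syntax (the existing `xen_opts=dom0_mem=256M` line and the new `password=''` follow that form), and both recipes given produce values containing `$` (an MD5 hash starts with `$1$yy$`, the SHA1 form with `$4$`), so a user who pastes the hash unquoted or in double quotes gets `$1`, `$yy` or `$4` expanded by the shell and a silently wrong password, with no error from update-extlinux. Suggest adding a line such as `# keep the single quotes around the hash: it contains '$' characters`. The SHA1 recipe also requires the salt to be typed twice, once as `xxxxxx` and once as the prefix of `xxxxxxpass`; stating that the two must match would help.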