main/syslinux: hooks for bootloader password

We allow a password to be set in /etc/update-extlinux.conf. Instructions for
generating this are in /etc/update-extlinux.conf. For reference, here is another
(equivalent) way to generate the MD5 password: openssl passwd -1 -salt yy pass

If one sets a password, one will presumably want to make
/etc/update-extlinux.conf world-unreadable. We don't do that for you; however
we do make sure when a password is present to make the /boot/extlinux.conf
files we generate be world-unreadable.

Of the auto-generated entries, only HDT (if this is generated) is now
configured to respect the password; however, you can include "MENU PASSWD" in
any entries you put in /etc/update-extlinux.d/.

For example, I configure my BIOS to only boot from the internal drive, but I
have an entry in /etc/update-extlinux.d that permits chain-booting from a USB
key, and I have this entry configured to also require the password. (The BIOS
is also passworded, so that these settings can't be changed willy-nilly.)

Conflicts:
	main/syslinux/update-extlinux.conf

1 files changed, 10 insertions, 0 deletions

diff --git a/main/syslinux/update-extlinux b/main/syslinux/update-extlinux
index 0ba4bbf21d..0499f5f91a 100755
--- a/main/syslinux/update-extlinux
+++ b/main/syslinux/update-extlinux
@@ -134,6 +134,13 @@ for kernel in $(find /boot -name "vmlinuz-*" -type f); do
 	lst=$(($lst + 1))
 done
 
+if [ -n "$password" ]; then
+	echo "NOESCAPE 1" >> $conf.new
+	echo "MENU MASTER PASSWD $password" >> $conf.new
+	echo "" >> $conf.new
+	chmod o-r $conf.new
+fi
+
 everbose "$lst entries found."
 
 for entry in /etc/update-extlinux.d/*; do
@@ -147,6 +154,9 @@ if [ -f "/boot/hdt.c32" ]; then
 	everbose "Found Hardware Detection Tool: /boot/hdt.c32"
 	echo "LABEL hdt" >> $conf.new
 	echo "  MENU LABEL Hardware info" >> $conf.new
+	if [ -n "$password" ]; then
+		echo "  MENU PASSWD" >> $conf.new
+	fi
 	echo "  COM32 hdt.c32" >> $conf.new
 	if [ -f "/boot/memtest" ]; then
 		everbose "Found memtest86+: /boot/memtest"