File: //sbin/grub2-set-password
#!/bin/sh -e
EFIDIR=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
if [ -d /sys/firmware/efi/efivars/ ]; then
    grubdir=`echo "/boot/efi/EFI/${EFIDIR}/" | sed 's,//*,/,g'`
else
    grubdir=`echo "/boot/grub2" | sed 's,//*,/,g'`
fi
PACKAGE_VERSION="2.03"
PACKAGE_NAME="GRUB"
self=`basename $0`
bindir="/usr/bin"
grub_mkpasswd="${bindir}/grub2-mkpasswd-pbkdf2"
# Usage: usage
# Print the usage.
usage () {
    cat <<EOF
Usage: $0 [OPTION]
$0 prompts the user to set a password on the grub bootloader. The password
is written to a file named user.cfg which lives in the GRUB directory
located by default at ${grubdir}.
  -h, --help                     print this message and exit
  -v, --version                  print the version information and exit
  -o, --output_path <DIRECTORY>  put user.cfg in a user-selected directory
Report bugs at https://bugzilla.redhat.com.
EOF
}
argument () {
    opt=$1
    shift
    if test $# -eq 0; then
        gettext_printf "%s: option requires an argument -- \`%s'\n" "$self" "$opt" 1>&2
        exit 1
    fi
    echo $1
}
# Ensure that it's the root user running this script
if [ "${EUID}" -ne 0 ]; then
    echo "The grub bootloader password may only be set by root."
    usage
    exit 2
fi
# Check the arguments.
while test $# -gt 0
do
    option=$1
    shift
    case "$option" in
    -h | --help)
	usage
	exit 0 ;;
    -v | --version)
	echo "$self (${PACKAGE_NAME}) ${PACKAGE_VERSION}"
	exit 0 ;;
    -o | --output)
        OUTPUT_PATH=`argument $option "$@"`; shift ;;
    --output=*)
        OUTPUT_PATH=`echo "$option" | sed 's/--output=//'` ;;
    -o=*)
        OUTPUT_PATH=`echo "$option" | sed 's/-o=//'` ;;
    esac
done
# set user input or default path for user.cfg file
if [ -z "${OUTPUT_PATH}" ]; then
    OUTPUT_PATH="${grubdir}"
fi
if [ ! -d "${OUTPUT_PATH}" ]; then
    echo "${OUTPUT_PATH} does not exist."
    usage
    exit 2;
fi
ttyopt=$(stty -g)
fixtty() {
      stty ${ttyopt}
}
trap fixtty EXIT
stty -echo
# prompt & confirm new grub2 root user password
echo -n "Enter password: "
read PASSWORD
echo
echo -n "Confirm password: "
read PASSWORD_CONFIRM
echo
stty ${ttyopt}
getpass() {
    local P0
    local P1
    P0="$1" && shift
    P1="$1" && shift
    ( echo ${P0} ; echo ${P1} ) | \
        LC_ALL=C ${grub_mkpasswd} | \
        grep -v '[eE]nter password:' | \
        sed -e "s/PBKDF2 hash of your password is //"
}
MYPASS="$(getpass "${PASSWORD}" "${PASSWORD_CONFIRM}")"
if [ -z "${MYPASS}" ]; then
      echo "${self}: error: empty password" 1>&2
      exit 1
fi
# on the ESP, these will fail to set the permissions, but it's okay because
# the directory is protected.
install -m 0600 /dev/null "${OUTPUT_PATH}/user.cfg" 2>/dev/null || :
chmod 0600 "${OUTPUT_PATH}/user.cfg" 2>/dev/null || :
echo "GRUB2_PASSWORD=${MYPASS}" > "${OUTPUT_PATH}/user.cfg"
if ! grep -q "^### BEGIN /etc/grub.d/01_users ###$" "${OUTPUT_PATH}/grub.cfg"; then
    echo "WARNING: The current configuration lacks password support!"
    echo "Update your configuration with grub2-mkconfig to support this feature."
fi