From 3f7fbe8740a082beeb380f5d73e217db7531eaea Mon Sep 17 00:00:00 2001
From: Captain ALM
Date: Tue, 20 Aug 2024 22:59:21 +0100
Subject: [PATCH] Add grub root password management support.

---
 install-grub-security.sh | 16 ++++++++++++++--
 update-grub-root-password.sh | 13 +++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100755 update-grub-root-password.sh

diff --git a/install-grub-security.sh b/install-grub-security.sh
index cef6628..b246e71 100755
--- a/install-grub-security.sh
+++ b/install-grub-security.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 echo "[+] Installing GRUB 2 Security...";
-echo "[i] Use --force to regenerate the signing key; clears ALL root's GPG keys!"
+echo "[i] Use --force to regenerate the signing key; clears ALL root's GPG keys!";
+echo "[i] Use --no-pwd-prompt to use the hash for the GRUB user 'root' provided by grub.d.my.7z";
 echo "[?] WARNING Make sure the current GRUB version does not have any bugs with gpg before installing, use CTRL+C to quit, enter to continue:";
 read;
 sudo cp bin/* /bin/ -f;
@@ -10,10 +11,21 @@ sudo cp kernel-hooks/* /etc/kernel/ -fr;
 sudo cp lib-systemd-system-sleep/* /usr/lib/systemd/system-sleep/ -f;
 sudo 7za x -o/etc grub.d.my.7z -y;
 sudo chmod +x /etc/grub.d/*;
+if [[ "$1" != "--no-pwd-prompt" ]] && [[ "$2" != "--no-pwd-prompt" ]]; then
+ echo "[i] Please enter your password TWICE pressing ENTER (RETURN) after EACH entry.";
+ echo "[i] There is no visible output.";
+ gphash=$(grub-mkpasswd-pbkdf2 -c 10000 | awk '/grub.pbkdf/{print$NF}' | sed -e 's:\.:\\\.:g');
+ if ! [ -z $gphash ] && [ -f /etc/grub.d/00_header ]; then
+ echo "[+] Setting GRUB Password...";
+ sudo sed -i "s/.*password_pbkdf2 root grub\.pbkdf2.*/password_pbkdf2 root $gphash/" /etc/grub.d/00_header;
+ fi;
+else
+ echo "[*] Using grub.d.my.7z hash for GRUB user 'root'!";
+fi;
 sudo cp sbat /root/sbat -f;
 sudo cp stop_timeout.conf /etc/systemd/system.conf.d/60_custom.conf -f;
 sudo systemctl daemon-reload;
-if [[ "$1" == "--force" ]]; then
+if [[ "$1" == "--force" ]] || [[ "$2" == "--force" ]]; then
 echo "[?] WARNING Clearing previous gpg keys in root, use CTRL+C to quit, enter to continue:";
 read;
 sudo rm -f /root/pubkey;
diff --git a/update-grub-root-password.sh b/update-grub-root-password.sh
new file mode 100755
index 0000000..bd7045f
--- /dev/null
+++ b/update-grub-root-password.sh
@@ -0,0 +1,13 @@
+#/bin/bash
+echo "[i] Please enter your password TWICE pressing ENTER (RETURN) after EACH entry.";
+echo "[i] There is no visible output.";
+gphash=$(grub-mkpasswd-pbkdf2 -c 10000 | awk '/grub.pbkdf/{print$NF}' | sed -e 's:\.:\\\.:g');
+if [ -z $gphash ] || ! [ -f /etc/grub.d/00_header ]; then
+ echo "[-] Could not update GRUB Password.";
+ exit 1;
+fi;
+echo "[+] Updating GRUB Password...";
+sudo sed -i "s/.*password_pbkdf2 root grub\.pbkdf2.*/password_pbkdf2 root $gphash/" /etc/grub.d/00_header;
+echo "[+] Updated GRUB Password!";
+sudo grub-update;
+exit 0;
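Review bot: In install-grub-security.sh the inner `if ! [ -z $gphash ] && [ -f /etc/grub.d/00_header ]` has no failure branch, so when `grub-mkpasswd-pbkdf2` yields no hash (for instance the two entries differ) or `00_header` is missing, the installer carries on silently with whatever hash grub.d.my.7z shipped for the GRUB user 'root'. An operator who did not pass `--no-pwd-prompt` would reasonably assume their own password is in force, so this case should stop the install: add `else echo "[-] Could not set GRUB Password." >&2; exit 1;` before the inner `fi`, and write the test as `[ -n "$gphash" ]`. The `sed -i` also exits 0 when no `password_pbkdf2 root grub.pbkdf2` line matches, so a following `grep -q "password_pbkdf2 root $gphash" /etc/grub.d/00_header` would confirm the substitution actually happened; the same applies to the `sed -i` in update-grub-root-password.sh. Separately, `-c 10000` is, I believe, already the tool's default iteration count, and a higher value would raise the cost of offline guessing if the hash is ever read from `00_header` or the generated configuration, at the price of a slower unlock at boot.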
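Review bot: The first line of update-grub-root-password.sh, `#/bin/bash`, is missing the `!`, so it is an ordinary comment and the script runs under whatever shell the caller falls back to; it should read `#!/bin/bash`. The line `[+] Updated GRUB Password!` is printed before `sudo grub-update` runs and the script then does `exit 0` unconditionally, so a failed regeneration still reports success while the old password presumably stays in effect. Run the regeneration first and propagate its status, e.g. `sudo grub-update || { echo "[-] grub-update failed." >&2; exit 1; }`, and print the success line only after it. `grub-update` is not defined in this patch; presumably it is one of the helpers copied from `bin/`, which is worth confirming because Debian-family systems ship the command as `update-grub`.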