- password for specific boot menu entries (recovery mode)
- password for changing kernel command line or manual boot commands
This could either be an installer option or be prompted after first boot.
Implementation:
grub-mkpasswd-pbkdf2 can create the password hash.
Create a file /etc/grub.d/02_password:
contents:
#!/bin/sh cat << EOF set superusers="user" password_pbkdf2 user grub.pbkdf2.sha512.10000.59212648B05E3BC4D862681E83480B1EBC0D4715A3EB382FA38AD6F55CDD2F742A02B9B3E885897B2698FDF3966CD2E75CF5992FD045305D88FD1D30F0DD6114.D532492BB61F378E932BB66FF49217805574850E09B53D9A5EB2CC1006544CE8B32F4644DBD4E59CFC26FECA8C7A0162305F4DD0C8BE200D81619BF96951615D EOF