V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-26 18:17:28 +00:00
parent 71d189e2c7
commit aef00ec63d
8 changed files with 69 additions and 41 deletions
--- a/func/cdi_4200_boot/4240_update_grub_password.sh
+++ b/func/cdi_4200_boot/4240_update_grub_password.sh
@@ -15,26 +15,29 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Append the GRUB superuser block to '/etc/grub.d/40_custom'.
 # Globals:
-#   DIR_CNF
+#   CISS_SECRET_GRUB
 #   TARGET
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_READ_GRUB_FILE
+#   ERR_READ_GRUB_FILE: on failure
 #######################################
 update_grub_password() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
+  declare var_username="superadmin" var_password="" \
          var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""

+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on

-  var_password=$(<"${var_password_file}") || return "${ERR_READ_GRUB_FILE}"
+  var_password="${CISS_SECRET_GRUB}" || return "${ERR_READ_GRUB_FILE}"
+  unset CISS_SECRET_GRUB

  var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")

  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------

  ### Append if not already present.
  if ! grep -q "set superusers=" "${var_of}"; then
@@ -56,6 +59,8 @@ readonly -f update_grub_password

 #######################################
 # Generate PBKDF2 password hash for GRUB.
+# Globals:
+#   None
 # Arguments:
 #   1: Username (default to superadmin).
 #   2: User password.