initrdscripts: make it possbile to secure grub with a password

* an example setup for the IDU can be found on
  https://projects.sysmocom.de/redmine/projects/sob-idu/wiki/ProvisioningSetup

Fixes: SYS#1130

recipes-core/images/core-image-minimal-initramfs.bbappend

@@ -4,4 +4,16 @@ change_udev_automounter_ro() {
         sed -i -e 's/\-t auto/\-t auto \-o ro/' ${IMAGE_ROOTFS}/etc/udev/scripts/mount.sh
 }
 
-ROOTFS_POSTPROCESS_COMMAND += "change_udev_automounter_ro ; "
+bootuser = "${@d.getVar('BOOT_USER', True) or ""}"
+bootpasswd = "${@d.getVar('BOOT_PASSWD', True) or ""}"
+
+set_boot_passwd() {
+   if [ -n "${bootpasswd}" ] && [ -n "${bootuser}" ]; then
+       sed -e "s/^\(BOOTPASSWD=\)/\1${bootpasswd}/g" \
+           -e "s/^\(BOOTUSER=\)/\1${bootuser}/g" \
+           -i ${IMAGE_ROOTFS}/install.sh
+       echo "Generated new grub-passwd"
+  fi
+}
+
+ROOTFS_POSTPROCESS_COMMAND += "change_udev_automounter_ro ; set_boot_passwd; "

recipes-core/initrdscripts/files/init-install.sh

@@ -175,10 +175,22 @@ terminal_input --append  serial
 terminal_output --append serial
 EOF
 
+BOOTPASSWD=
+BOOTUSER=
+if [ -n "${BOOTPASSWD}" ] && [ -n "${BOOTUSER}" ]; then
+cat >> $GRUBCFG << EOF
+set superusers="$BOOTUSER"
+password $BOOTUSER $BOOTPASSWD
+EOF
+fi
+
 if [ -f /etc/grub.d/40_custom ] ; then
     echo "Preparing custom grub2 menu..."
 
     cat /etc/grub.d/40_custom >> $GRUBCFG
+    if [ -n "${BOOTPASSWD}" ] && [ -n "${BOOTUSER}" ]; then
+        sed -i "s/\(menuentry\)\(.*\)\({\)/\1\2--unrestricted \3/g" $GRUBCFG
+    fi
     sed -i "s@__ROOTFS__@$rootfs $rootwait@g" $GRUBCFG
     sed -i "s/__VIDEO_MODE__/$kernel_cmdline_video_mode/g" $GRUBCFG
     sed -i "s/__VGA_MODE__/$kernel_cmdline_vga_mode/g" $GRUBCFG

recipes-core/initrdscripts/initramfs-live-install_sysmocom.inc

@@ -1,6 +1,6 @@
 SYSMOCOM := "${@os.path.dirname(bb.data.getVar('FILE', d, True))}"
 FILESEXTRAPATHS_prepend := "${SYSMOCOM}/files:"
 
-PRINC = "1"
+PRINC = "2"
 
 RDEPENDS_${PN} += "e2fsprogs-e2fsck"