Set a GRUB Password on SLE Micro to Restrict Boot-Time Modifications

This document (000021881) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Micro 5.5


Situation

Customers operating SLE Micro systems in security-sensitive environments may want to prevent unauthorized boot-time modifications. Physical access to the machine could allow someone to edit GRUB entries, reset the root password, or change kernel parameters. To mitigate this risk, setting a GRUB password restricts who can modify boot entries.

 

Disclaimer: This does not protect disk data if an attacker has physical access. For full protection, disk encryption and physical security measures should also be implemented.

Resolution

Generate a GRUB Password Hash

To begin, generate a secure PBKDF2 hash of your desired GRUB password:

grub2-mkpasswd-pbkdf2

Follow the prompt to enter the password, and note the output, which will resemble:

PBKDF2 hash of your password is grub.pbkdf2.sha512.10000...

Retain this hash for the next step.

Create a GRUB Password Configuration Script

Create a new script at /etc/grub.d/42_password with the following content. Replace the placeholder with the actual hash obtained above:

#!/bin/sh
exec tail -n +3 $0
# GRUB password protection
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000...
export superusers
set unrestricted_menu="y"
export unrestricted_menu

NOTE: Do not include the leading text "PBKDF2 hash of your password is". Paste only the string that begins with grub.pbkdf2.sha512.

It should be like this example:

#!/bin/sh
exec tail -n +3 $0
# GRUB password protection
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.7B439B54A0F679EACF37C6F66FEC7B24865B049EB05EC41DA36BF9FEE8F80E771488F7429418891E13A6E4CD5BFDAE7CB7D7722E0FEAFF5819A3560D4E34C306.0E44847E7F1A2DFB1F7BAFA52D37672C0D07C43B0E87D523AFFCD769AAA1280AB7059E1A3DEAA353A894B067329E4027E4365C6FCEC2B6B96430C67D1142B496
export superusers
set unrestricted_menu="y"
export unrestricted_menu

Unrestricted_menu Options

  • set unrestricted_menu="y" → Password is required only when editing a menu entry at boot (press e on a menu entry). Normal boot proceeds without a password.

  • set unrestricted_menu="n" → Password is required even to boot a menu entry, providing maximum security.

Make the script executable:

sudo chmod +x /etc/grub.d/42_password

Regenerate the GRUB Configuration

In SLE Micro, all modifications must be applied via transactional updates. Use the following commands:

transactional-update shell

Regenerate the GRUB configuration inside the shell:

grub2-mkconfig -o /boot/grub2/grub.cfg

This reads your /etc/grub.d/42_password script and includes it in GRUB’s config.

On UEFI systems, verify the correct path if needed (e.g., /boot/efi/EFI/sles/grub.cfg).

Exit and reboot.

After reboot, the GRUB menu should appear as shown below.

If unrestricted_menu="y" is set, the system will boot normally, but pressing e on a menu entry will prompt for the GRUB password.

If unrestricted_menu="n" is set, GRUB will prompt for the password even to boot a menu entry.

Disclaimer:

  • Setting unrestricted_menu="n" can completely lock you out if the password or hash is incorrect.

  • GRUB password does not encrypt the disk or fully protect against physical access; use disk encryption for full protection.
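Because a wrong hash or a malformed password line can lock the system out, the script can be checked before rebooting. The following Python code is an added example, not part of the SUSE article: it assumes the hash layout grub.pbkdf2.sha512.<iterations>.<salt hex>.<key hex> with PBKDF2-HMAC-SHA512 over the UTF-8 password, and the function names and the sample script are constructed for illustration.

```python
import hashlib
import hmac
import re

HASH_RE = re.compile(r"grub\.pbkdf2\.sha512\.(\d+)\.((?:[0-9A-Fa-f]{2})+)\.((?:[0-9A-Fa-f]{2})+)")

def verify_password(password, hash_text):
    """Recompute PBKDF2-HMAC-SHA512 and compare with the stored derived key."""
    m = HASH_RE.fullmatch(hash_text.strip())
    if not m:
        raise ValueError("not a well-formed grub.pbkdf2.sha512 hash")
    iterations, salt, expected = int(m[1]), bytes.fromhex(m[2]), bytes.fromhex(m[3])
    derived = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, len(expected))
    return hmac.compare_digest(derived, expected)

def check_script(script_text, password):
    """Return a list of problems in a 42_password-style script (empty list = OK)."""
    users = re.search(r'^set superusers="([^"]*)"', script_text, re.M)
    entry = re.search(r"^password_pbkdf2\s+(\S+)\s+(\S+)\s*$", script_text, re.M)
    problems = []
    if not users:
        problems.append("superusers is not set")
    if not entry:
        return problems + ["no password_pbkdf2 <user> <hash> line"]
    # GRUB accepts space, comma, semicolon, pipe or ampersand between superusers.
    if users and entry[1] not in re.split(r"[ ,;|&]+", users[1]):
        problems.append(f"user {entry[1]!r} is not listed in superusers")
    try:
        if not verify_password(password, entry[2]):
            problems.append("password does not match the stored hash")
    except ValueError as err:
        problems.append(str(err))
    return problems

def sample_script(password, with_keyword=True):
    """Constructed sample: hash derived here with a fixed salt, not by grub2-mkpasswd-pbkdf2."""
    salt = bytes(range(64))
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 10000, 64)
    hash_text = f"grub.pbkdf2.sha512.10000.{salt.hex().upper()}.{key.hex().upper()}"
    line = ("password_pbkdf2 root " if with_keyword else "") + hash_text
    return f'set superusers="root"\n{line}\nexport superusers\n'

if __name__ == "__main__":
    good = sample_script("constructed-example")
    print(check_script(good, "constructed-example"))   # matching password
    print(check_script(good, "typo"))                   # wrong password
    print(check_script(sample_script("constructed-example", with_keyword=False), "x"))
```

To check a real system, pass the contents of /etc/grub.d/42_password and the intended password to check_script and reboot only when it returns an empty list.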

 

 

Cause

Systems without a GRUB password are vulnerable to unauthorized boot-time modifications. Anyone with physical access to the machine can edit boot entries, reset the root password, or change kernel parameters, potentially compromising system security.

 

Additional Information

This configuration prevents unauthorized modification of GRUB boot entries unless the password is provided. Normal boot proceeds without requiring a password when unrestricted_menu="y".

This is particularly useful in environments where physical access cannot be fully restricted, such as shared data centers or branch offices.

Disk encryption is recommended for environments where protection against physical theft or unauthorized data access is a concern.

Customers should test these changes in a controlled lab environment before applying them to production systems.

If unrestricted_menu="n" is used, GRUB will prompt for the password even for normal boot; ensure the password and PBKDF2 hash are correct to avoid locking the system.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021881
  • Creation Date: 19-Jun-2025
  • Modified Date: 25-Sep-2025
    • SUSE Linux Enterprise Micro
