> > But, be advised that once you do this, all the menu entries in grub will
> be
> > inaccessible until the password is supplied.
> > It would be nice to have a way of requiring a password only if it
> required
> > to boot a non-default entry.
>
> That's what
> menuentry "May be run by any user" --unrestricted {
> is for. The documentation example runs thus:
>
>
Yes, I had read through that. But that would mean editing
/boot/grub/grub.cfg manually and losing the changes every time grub-update
is run. What I could not figure out was to having the --unrestricted be
appended automatically for the default entry (In my case, GRUB_DEFAULT=0
which boots the default kernel) every time grub-update was run.
An alternate and equally acceptable solution for me would be to require a
password only to a access the grub console or to edit the menu entries
interactively during boot. I had such a setup back when grub-legacy was the
default in debian but could not achieve the same results with grub2.
