Skip to content

Add "here document" block to 40_custom #2751

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
enoch85 merged 2 commits into from
Jul 2, 2025
Merged

Add "here document" block to 40_custom #2751

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
546a7fe
Add here document block to 40_
pq2 Jun 9, 2025
c81221f
Merge branch 'main' into patch-3
enoch85 Jul 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion not-supported/tpm2-unlock.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,10 +99,11 @@ GRUB_PASS="$(echo -e "$PASSWORD\n$PASSWORD" | grub-mkpasswd-pbkdf2 | grep -oP 'g
if [ -n "${PASSWORD##grub.pbkdf2.sha512.10000.}" ]
then
cat << GRUB_CONF > /etc/grub.d/40_custom

cat << EOF
# Password-protect GRUB
set superusers="grub"
password_pbkdf2 grub $GRUB_PASS
Copy link
Collaborator

@szaimen szaimen Jun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, thanks for your PR but I wonder if this is really necessary since there is already a surrounding cat command. Why should this make it work? Cannot we fix the surrounding cat command somehow?

Copy link
Contributor Author

@pq2 pq2 Jun 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding those two lines fixed the issue for me. I don't know if it's possible to adjust the surrounding cat. To be honest, this solution was suggested to me by an AI, but the sources given seemed to me to fit the problem and made sense (unfortunately, the main source no longer seems to be available without an account).

Copy link
Collaborator

@szaimen szaimen Jun 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you show me the content of /etc/grub.d/40_custom on your instance after applying the patch?

Copy link
Contributor Author

@pq2 pq2 Jun 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

# Password-protect GRUB
cat << EOF
set superusers="grub"
password_pbkdf2 grub grub.pbkdf2.sha512.10000.XXXXXXX
EOF

Copy link
Collaborator

@szaimen szaimen Jun 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fear this is not doing anything. It just stores the content in the EOF variable IIRC. So the solution does not seem correct to me...

Copy link
Contributor Author

@pq2 pq2 Jun 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All I can say is that before applying this fix, updating my system always failed because apt tried to install a new kernel version, which is why update-grub was run, and this always resulted in “password_pbkdf2: not found” and a three digit return value. After this fix it worked fine.

Copy link
Collaborator

@szaimen szaimen Jun 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it works fine because the config is bascially disabled...

password_pbkdf2: not found

The question is why this binary is not found?

Copy link
Contributor Author

@pq2 pq2 Jun 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it works fine because the config is bascially disabled...

Then, of course, this fix is not a solution

The question is why this binary is not found?

I was wondering the same thing. This problem seems to have come out of nowhere. /boot/grub2/x86_64-efi/password_pbkdf2.mod exists.

Copy link
Contributor Author

@pq2 pq2 Jun 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked in to this again. It doesn't seem like this fix disables the config. After applying the fix and running update-grub, I can still find both commands inside the here document in /boot/grub/grub.cfg.

Microsofts Copilot says the reason for this is the following:

The command update-grub (or rather grub-mkconfig) generates the final grub.cfg file, which is used during boot. This file contains pure GRUB script that is interpreted directly by the GRUB bootloader, not by the Bash shell.

However, the file /etc/grub.d/40_custom is a shell script. That means:

Everything in that file is initially interpreted by Bash.

If you insert password_pbkdf2 directly, Bash doesn't recognize it as a valid command → you get an error message.

That's why you need a workaround: using a here document (cat <<EOF ... EOF) you generate a text block that gets copied into the generated grub.cfg without being executed by Bash. This way, GRUB will later understand commands like password_pbkdf2, while Bash doesn't complain when building the configuration.

In simple terms:

40_custom: interpreted by Bash → needs cat <<EOF.

grub.cfg: interpreted by GRUB → contains real password_pbkdf2.

Assuming that this explanation is correct, I still don't understand why it previously worked without the here document.

Copy link
Collaborator

@szaimen szaimen Jul 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. the explanation makes sense. However you are right that it is weird that it worked formally. Anyway, fine by me to proceed with this 👍

EOF
GRUB_CONF
# Allow to run the default grub options without requiring the grub password
if ! grep -q '^CLASS=.*--unrestricted"' /etc/grub.d/10_linux && grep -q '^CLASS=.*"$' /etc/grub.d/10_linux
Expand Down