author    Devin Teske <dteske@FreeBSD.org>  2012-12-12 17:49:01 +0000
committer Devin Teske <dteske@FreeBSD.org>  2012-12-12 17:49:01 +0000
commit    9d93dba489ccb26b20e99c199ac97e15f05dbcb2 (patch)
tree      fb2ba6766af4ce6aaf371450296a86f9ef5acc5d /sys/boot/forth
parent    78a7880f64bb55d805cc893d03f6cc42ceb0aa3e (diff)
Diffstat (limited to 'sys/boot/forth')
-rw-r--r--  sys/boot/forth/beastie.4th.8          7
-rw-r--r--  sys/boot/forth/check-password.4th    42
-rw-r--r--  sys/boot/forth/check-password.4th.8  52
-rw-r--r--  sys/boot/forth/loader.4th.8           2
-rw-r--r--  sys/boot/forth/loader.conf.5         17
-rw-r--r--  sys/boot/forth/menu.4th.8             7
6 files changed, 87 insertions, 40 deletions
diff --git a/sys/boot/forth/beastie.4th.8 b/sys/boot/forth/beastie.4th.8
index 679a082b12d0..30d29b2cb07a 100644
--- a/sys/boot/forth/beastie.4th.8
+++ b/sys/boot/forth/beastie.4th.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2011 Devin Teske
+.\" Copyright (c) 2011-2012 Devin Teske
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -94,8 +94,9 @@ The
variable can be configured in
.Xr loader.conf 5
to the number of seconds you would like to delay loading the boot menu.
-During the delay the user can press Ctrl-C to fall back to autoboot or ENTER
-to proceed.
+During the delay the user can press Ctrl-C to fall back to
+.Ic autoboot
+or ENTER to proceed.
The default behavior is to not delay.
.El
.Pp
diff --git a/sys/boot/forth/check-password.4th b/sys/boot/forth/check-password.4th
index 4728fc25f9da..26d6b94b78a6 100644
--- a/sys/boot/forth/check-password.4th
+++ b/sys/boot/forth/check-password.4th
@@ -1,4 +1,4 @@
-\ Copyright (c) 2006-2011 Devin Teske <dteske@FreeBSD.org>
+\ Copyright (c) 2006-2012 Devin Teske <dteske@FreeBSD.org>
\ All rights reserved.
\
\ Redistribution and use in source and binary forms, with or without
@@ -74,7 +74,7 @@ variable readlen \ input length
again
;
-: read ( -- String prompt )
+: read ( String prompt -- )
0 25 at-xy \ Move the cursor to the bottom-left
dup 1+ read-start ! \ Store X offset after the prompt
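Review bot: the stack comment correction to `: read ( String prompt -- )` is right and worth keeping: the body consumes the prompt (`dup 1+ read-start !`), so the old `( -- String prompt )` described an output the word never produced, and the call sites changed later in this same commit now annotate each call as `( prompt -- )`, which agrees with it.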
@@ -134,23 +134,37 @@ variable readlen \ input length
: check-password ( -- )
- \ Exit if a password was not set
- s" password" getenv dup -1 = if
- drop exit
+ \ Do not allow the user to proceed beyond this point if a boot-lock
+ \ password has been set (preventing even boot from proceeding)
+ s" bootlock_password" getenv dup -1 <> if
+ begin
+ s" Boot Password: " read ( prompt -- )
+ 2dup readval readlen @ compare 0<>
+ while
+ 3000 ms ." loader: incorrect password" 10 emit
+ repeat
+ 2drop ( c-addr/u )
+ else
+ drop ( -1 ) \ getenv cruft
then
- begin \ Loop as long as it takes to get the right password
+ \ Exit if a password was not set
+ s" password" getenv -1 = if exit else drop then
+
+ \ We should prevent the user from visiting the menu or dropping to the
+ \ interactive loader(8) prompt, but still allow the machine to boot...
- s" Password: " \ Output a prompt for a password
- read \ Read the user's input until Enter
+ 0 autoboot
+ \ Only reached if autoboot fails for any reason (including if/when
+ \ the user aborts/escapes the countdown sequence leading to boot).
+
+ s" password" getenv
+ begin
+ s" Password: " read ( prompt -- )
2dup readval readlen @ compare 0= if
2drop exit \ Correct password
then
-
- \ Bad Password
- 3000 ms
- ." loader: incorrect password" 10 emit
-
- again \ Not the right password; repeat
+ 3000 ms ." loader: incorrect password" 10 emit
+ again
;
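Review bot: the new `bootlock_password` branch only tests `dup -1 <>`, so an empty value (`bootlock_password=""`) counts as set and the prompt loop is satisfied by pressing Enter on an empty line; `s" password" getenv -1 = if exit else drop then` has the same gap. Either skip the check when the length is zero as well (test the length with `dup 0=` before entering the loop) or document that an empty string gives no protection, because the manual page in this commit drops the old "If unset (default) or NULL ... will silently abort" wording and nothing replaces it. Smaller points: `s" password" getenv` is evaluated twice (once for the exit test, once before the prompt loop), and keeping the first result would avoid the second lookup; and the comment "(preventing even boot from proceeding)" reads awkwardly, "so the machine cannot boot until it is entered" says the same thing more plainly.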
diff --git a/sys/boot/forth/check-password.4th.8 b/sys/boot/forth/check-password.4th.8
index b9c7b6636d15..e1f52b7d20d7 100644
--- a/sys/boot/forth/check-password.4th.8
+++ b/sys/boot/forth/check-password.4th.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2011 Devin Teske
+.\" Copyright (c) 2011-2012 Devin Teske
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd May 18, 2011
+.Dd December 10, 2012
.Dt CHECK-PASSWORD.4TH 8
.Os
.Sh NAME
@@ -33,7 +33,8 @@
.Sh DESCRIPTION
The file that goes by the name of
.Nm
-is a set of commands designed to prevent booting without the proper password.
+is a set of commands designed to either prevent booting or prevent modification
+of boot options without an appropriately configured password.
The commands of
.Nm
by themselves are not enough for most uses.
@@ -57,30 +58,36 @@ The commands provided by it are:
.Pp
.Bl -tag -width disable-module_module -compact -offset indent
.It Ic check-password
-Once called, the user cannot continue until the correct password is entered.
-If the user enters the correct password the function returns.
+Dual-purpose function that can either protect the interactive boot menu or
+prevent boot without password (separately).
.Pp
-The password that is required is configured by setting the
-.Ic password
-variable in
-.Xr loader.conf 5 .
+First checks
+.Va bootlock_password
+and if-set, the user cannot continue until the correct password is entered.
.Pp
-Subsequent calls after a successful password
-has been entered will not cause reprompting
-\(em the function will silently return.
+Next checks
+.Va password
+and if-set, tries to
+.Ic autoboot
+and only prompts for password on failure or user-interrupt.
+See
+.Xr loader.conf 5
+for additional information.
.El
.Pp
The environment variables that effect its behavior are:
-.Bl -tag -width bootfile -offset indent
+.Bl -tag -width bootlock_password -offset indent
+.It Va bootlock_password
+Sets the bootlock password (up to 16 characters long) that is required by
+.Ic check-password
+to be entered before the system is allowed to boot.
.It Va password
Sets the password (up to 16 characters long) that is required by
.Ic check-password
-to be entered before the system is allowed to boot. If unset (default) or NULL,
-.Ic check-password
-will silently abort.
+before the user is allowed to visit the boot menu.
.El
.Sh FILES
-.Bl -tag -width /boot/loader.4th -compact
+.Bl -tag -width /boot/check-password.4th -compact
.It Pa /boot/loader
The
.Xr loader 8 .
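Review bot: in the `.It Ic check-password` text, "and if-set" (used twice) should read "and, if set,", and "prevent boot without password (separately)" does not say what is separate; suggest "or prevent booting altogether, depending on which variable is set". The removed sentence about an unset or NULL password causing a silent return is not replaced, so the behaviour for an empty `password` or `bootlock_password` is now undocumented; add one sentence for each variable stating what an empty value does.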
@@ -101,11 +108,20 @@ check-password
.Ed
.Pp
Set a password in
-.Xr loader.conf 5 :
+.Xr loader.conf 5
+to prevent modification of boot options:
.Pp
.Bd -literal -offset indent -compact
password="abc123"
.Ed
+.Pp
+Set a password in
+.Xr loader.conf 5
+to prevent booting without password:
+.Pp
+.Bd -literal -offset indent -compact
+bootlock_password="boot"
+.Ed
.Sh SEE ALSO
.Xr loader.conf 5 ,
.Xr loader 8 ,
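Review bot: "to prevent booting without password" is missing an article: "without a password". Since `abc123` and `boot` appear verbatim, a short remark that these are placeholder values, and that the file holds them in clear text as loader.conf.5 in this commit states, would fit here in EXAMPLES.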
diff --git a/sys/boot/forth/loader.4th.8 b/sys/boot/forth/loader.4th.8
index 568aa847a355..612036455aab 100644
--- a/sys/boot/forth/loader.4th.8
+++ b/sys/boot/forth/loader.4th.8
@@ -99,7 +99,7 @@ This
is the command used in the default
.Pa /boot/loader.rc
file, and it uses the
-.Pa autoboot
+.Ic autoboot
command (see
.Xr loader 8 ) ,
so it can be stopped for further interaction with
diff --git a/sys/boot/forth/loader.conf.5 b/sys/boot/forth/loader.conf.5
index 5f7a0d7078d4..0aa05e70bb85 100644
--- a/sys/boot/forth/loader.conf.5
+++ b/sys/boot/forth/loader.conf.5
@@ -23,7 +23,7 @@
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
-.Dd July 20, 2011
+.Dd December 10, 2012
.Dt LOADER.CONF 5
.Os
.Sh NAME
@@ -113,8 +113,23 @@ that contains a kernel.
.It Ar kernel_options
Flags to be passed to the kernel.
.It Ar password
+Protect boot menu with a password without interrupting
+.Ic autoboot
+process.
+The password should be in clear text format.
+If a password is set, boot menu will not appear until any key is pressed during
+countdown period specified by
+.Va autoboot_delay
+variable or
+.Ic autoboot
+process fails.
+In both cases user should provide specified password to be able to access boot
+menu.
+.It Ar bootlock_password
Provides a password to be required by check-password before execution is
allowed to continue.
+The password should be in clear text format.
+If a password is set, the user must provide specified password to boot.
.It Ar verbose_loading
If set to
.Dq YES ,
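Review bot: the new `password` paragraph needs articles and tense fixes: "Protect the boot menu with a password without interrupting the autoboot process", "the boot menu will not appear unless a key is pressed during the countdown period specified by the autoboot_delay variable or the autoboot process fails", and "In both cases the user must enter the configured password to access the boot menu"; likewise "the user must enter the configured password to boot" for `bootlock_password`. Both entries say the password "should be in clear text format"; add that loader.conf is therefore readable by anyone with access to the file or the boot media, so these variables guard against interactive tampering at the console, not against someone who can read the file. Ordering: `bootlock_password` is inserted after `password`, which breaks the alphabetical order of the surrounding entries visible here (kernel_options, password, verbose_loading); move it earlier in the list.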
diff --git a/sys/boot/forth/menu.4th.8 b/sys/boot/forth/menu.4th.8
index 457952f6c430..044faee6cf24 100644
--- a/sys/boot/forth/menu.4th.8
+++ b/sys/boot/forth/menu.4th.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2011 Devin Teske
+.\" Copyright (c) 2011-2012 Devin Teske
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -108,8 +108,9 @@ will wait for user input and never execute
If set to
.Dq Li -1 ,
.Ic menu-display
-will boot immediately, preventing both interruption of the autoboot process and
-escaping to the loader prompt.
+will boot immediately, preventing both interruption of the
+.Ic autoboot
+process and escaping to the loader prompt.
Default is
.Dq Li 10 .
See