Setting up a new configuration for our students' lab with SLED12 SP1 I
am running in trouble with grub2: following chapter 12.2.6 of the
Administration guide I set up a user and encrypted password in
/etc/grub.d/40_custom. What the manual obviously is missing is that one
has to redefine the variables GRUB_CMDLINE_LINUX_DEFAULT and
GRUB_CMDLINE_LINUX_RECOVERY in /etc/default/grub with the option
"user=root" (or whatever the name of the grub superuser is) in order to
enforce the protection for the Linux entries in the grub.cfg.

Now with these settings for grub2 the system will ask for user and
password at every boot. With grub like in SLED11 I could set up a pass
phrase in the header section of the menu.lst like "password --md5
$1$s...". This just protects the menu.lst and the grub shell from the
non-authorized user but still allows for automatic boot (WOL) or booting
by users who do not have the pass phrase.

Now with grub2 I am under the impression that I am stuck with just these
two options:
1) leave grub2 and thus the OS and hardware completely unprotected from
unwanted user interaction. This is not an option as students will
immediately start to mess up the installations.
2) Defining a user as above and not being able to boot the systems any
more. No WOL in the morning and the students will be asked for an
unknown password when they try to boot.

Is grub2 really that much messed up? Will I have support for a backport
of legacy grub (I did not find in the the repository)? Is there any way
to set up a protected boot loader for SLED12 that allows for automatic
booting the systems remotely and on place?