The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate an encrypted grub2 password
for the grub superusers with the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected.
Using the hash from the output, modify the /etc/grub.d/40_custom
file with the following content:
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.VeryLongString
Once the superuser password has been added, update the
grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg