Requiring Boot Loader Passwords
You can secure the boot process with a secure epassword to prevent someone from bypassing the user authentication step. This can work in conjunction with password protection for the BIOS. Note that while using a bootloader passwrd laone will stop a user from editing the bootloader configuration during the boot process, it will not prevent a user from booting from and alterantive boot media such as optical disks or pen drives. Thus, it should be used with a BIOS password for a full protection.
GRUB 2 version, things became more complicated to set a password. However, can take advantage of more advanced features, such as user-specific passwords.
You never edit grub.cfg directly; instead, modify the configuration files in /etc/grub.d and etc/default/grub and then run update-grub or grub2-mkconfig and same the new configuration file.