Updated comments for password hash and variable

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

defaults/main.yml

@@ -569,15 +569,20 @@ rhel9cis_selinux_enforce: enforcing
 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
 rhel9cis_set_boot_pass: false
 
-# Either set rhel9cis_bootloader_password_hash or rhel9cis_bootloader_password and rhel9cis_bootloader_salt
-# If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring
-rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
-
+# 2 Options for setting the bootloader password
+# 1. Set the bootloader password and salt - Reqiured the passlib python module available to the ansible controller
+# or
+# 2. Set the bootloader password hash
+#
+# Option 1: Set the bootloader password and salt - if salt is set, the password will be hashed using the salt
+# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
+rhel9cis_bootloader_salt: ''
 # This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
 rhel9cis_bootloader_password: 'password'  # pragma: allowlist secret
 
-# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
-rhel9cis_bootloader_salt: ''
+# Option 2: Set the bootloader password hash - if the salt value is empty, the password will be set using below variable
+# If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring
+rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
 
 ## Controls 1.6.x and Controls 5.1.x
 # This variable governs if current Ansible role should manage system-wide crypto policy.