Hi Victor, IMO this is really more of a feature for the Out Of Box Experience (OOBE) rather than coreboot or seabios. If your organization uses the ChromeOS Management Console then you should already be able to assign specific assets to users ( https://www.google.com/intl/en/chrome/business/devices/features-management-c... ).
Regardless, if you want to add a PIN or code for first-time login, I would suggest adding it via the login screen. Something like:

1. Program the PIN/code into the Read-Only Vital Product Data (RO_VPD), which is a read-only region in the firmware ROM.
2. Modify the login manager to check if the machine is booting for the first time since it was last installed.
3. If so, the login manager can read the code from the RO_VPD (using the `vpd` tool in ChromeOS) and prompt the user to enter it. Once the user enters the code, the check is disabled (until the OS is re-installed or power washed).
Supporting firmware changes will be a very large task since there are long-term support implications. It will be much easier for you to support a change to the login screen I think.
The chromium-os-discuss mailing list might also be a good resource to find people who can help with this sort of thing: https://groups.google.com/a/chromium.org/forum/#!forum/chromium-os-discuss
Good luck!
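As an added illustration of the three-step flow suggested in the message above (this is example code, not part of the thread and not anything shipped by ChromeOS or coreboot), the shell below reads the expected code from RO_VPD, checks whether this is the first boot since install or powerwash, compares the entered value, and then disables the check. Everything specific is an assumption: the RO_VPD key name `first_boot_pin`, the sysfs path `/sys/firmware/vpd/ro` where the kernel's vpd driver exposes RO_VPD keys (with `vpd -i RO_VPD -g` as a fallback), and a marker file on the stateful partition, chosen because that partition is wiped by a powerwash or reinstall, which is exactly when the message says the check should re-arm.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical layout:
#   - the PIN is provisioned into RO_VPD under the key "first_boot_pin"
#   - the "already checked" marker lives on the stateful partition, so a
#     powerwash or reinstall removes it and the prompt comes back
# Paths are overridable so the logic can be run against constructed data.
VPD_RO_DIR="${VPD_RO_DIR:-/sys/firmware/vpd/ro}"
FIRST_BOOT_MARKER="${FIRST_BOOT_MARKER:-/mnt/stateful_partition/.first_boot_pin_done}"
PIN_KEY="first_boot_pin"

# Read the expected PIN from RO_VPD. Prefer the sysfs file exported by the
# kernel vpd driver; fall back to the `vpd` tool when it is available.
# Prints the value; returns 1 if the key is not present at all.
read_expected_pin() {
    if [ -r "$VPD_RO_DIR/$PIN_KEY" ]; then
        cat "$VPD_RO_DIR/$PIN_KEY"
        return 0
    fi
    if command -v vpd >/dev/null 2>&1; then
        vpd -i RO_VPD -g "$PIN_KEY" 2>/dev/null && return 0
    fi
    return 1
}

# Step 2: the check is needed only on the first boot since install/powerwash
# (no marker yet) and only if the firmware actually carries a PIN.
first_boot_pin_required() {
    [ ! -e "$FIRST_BOOT_MARKER" ] && read_expected_pin >/dev/null 2>&1
}

# Step 3a: compare the user-entered value with the RO_VPD value.
# Caveat raised later in the thread: RO_VPD is readable by anyone who can
# read the ROM, so this is a first-boot ownership prompt, not a secret the
# device can keep from someone holding the hardware.
verify_pin() {
    entered="$1"
    expected="$(read_expected_pin)" || return 1
    [ -n "$entered" ] && [ "$entered" = "$expected" ]
}

# Step 3b: record success. The marker is on the stateful partition, so a
# powerwash or reinstall re-arms the prompt, as the message describes.
mark_first_boot_done() {
    mkdir -p "$(dirname "$FIRST_BOOT_MARKER")" && : > "$FIRST_BOOT_MARKER"
}

# The gate the login manager would call with whatever the user typed.
# Returns 0 when login may proceed, 1 when the PIN was wrong, 2 when a PIN
# is required but nothing was entered.
first_boot_gate() {
    first_boot_pin_required || return 0
    entered="$1"
    [ -n "$entered" ] || return 2
    if verify_pin "$entered"; then
        mark_first_boot_done
        return 0
    fi
    return 1
}
```

In practice the login manager would loop on a return of 1 or 2 and re-prompt; once `first_boot_gate` has returned 0 the marker exists and every later boot skips straight to the normal login screen.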
On Tue, Aug 1, 2017 at 8:31 AM, ron minnich rminnich@gmail.com wrote:
This doesn't make sense to me. By putting the PIN in memory you expose its value at all steps in the delivery process. Chromebooks have a very good mechanism for keys that can be personalized to an individual; see my talk at last year's linuxconf in Berlin, where I showed how you can make a Chromebook boot only a ChromeOS you have signed personally.
Security is really hard to get right. I think you need to build on what's in the chromebook, not design your own addon, because that's almost certainly going to weaken security.
What are you trying to do here? Is the target software stack chromeos? Why the PIN?
We may want to drop coreboot list off this discussion but there are so many smart people on the coreboot list I wanted to give them a chance to respond too.
-- coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot