Hello everybody!
First I have to admit that while I occasionally followed the progress of LinuxBIOS I don't really know that much about it, so please forgive me if that discussion is already over and done with.
My question is this. I'd like to secure machines against the people that should work with them [1].
In most BIOSes I can set the boot order to "harddisk only" (coreboot too, right?). That doesn't help if someone has access to the machine and can reset the CMOS.
Encrypting the harddisk is another way, but if someone installs a trojan/keylogger or uses
Now my idea was:
- Set the boot order and a BIOS password
- Encrypt the harddisk (print the key and store it somewhere safe), and derive the key from some passphrase (and/or smartcard, etc.) *and* CMOS data.

As soon as I get, say, 128 bits of entropy there, e.g. by the salted MD5 hash of the BIOS password, it's suddenly a great bit harder to get into the machine. If the machine has intrusion detection, all the better; and if the BIOS overwrites the password as soon as a changed harddisk (by serial number and SHA1 of bootsector?) is detected, it is a really good solution.
The only possible way to attack that'd be left is on the order of cutting holes in the case, and using a logic analyser to get the CMOS values of the motherboard's bus and similar ... and that is likely to raise questions.
Ad 1: I know that that's impossible to achieve fully, like DRM. But if there is some easy way to set the bar higher - then why not?
Thank you for all remarks, ideas and answers! Happy weekend!
Phil
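
The key-derivation idea from the message above, as an added Python sketch that is not part of the original post and not coreboot code: the disk key depends on both the passphrase and a 128-bit secret held in CMOS, and that secret is overwritten when the CMOS is reset or the disk no longer matches. Assumptions: the `Cmos` class and its layout are hypothetical, a random secret with PBKDF2 and HMAC-SHA-256 stands in for the salted MD5 of the BIOS password, and all sample values are constructed.

```python
import hashlib
import hmac
import os

def disk_fingerprint(serial: str, bootsector: bytes) -> bytes:
    """Disk identity from the post: serial number plus SHA-1 of the boot sector."""
    return hashlib.sha1(serial.encode() + b"\0" + hashlib.sha1(bootsector).digest()).digest()

class Cmos:
    """Stand-in for firmware-held NVRAM; the layout is hypothetical."""

    def __init__(self, serial: str, bootsector: bytes):
        self.secret = os.urandom(16)  # 128 bits of entropy
        self.fingerprint = disk_fingerprint(serial, bootsector)

    def check_disk(self, serial: str, bootsector: bytes) -> bool:
        """Overwrite the secret when the attached disk does not match enrollment."""
        ok = hmac.compare_digest(self.fingerprint, disk_fingerprint(serial, bootsector))
        if not ok:
            self.secret = bytes(16)
        return ok

    def reset(self) -> None:
        """Effect of clearing CMOS (jumper or battery): the secret is gone too."""
        self.secret = bytes(16)
        self.fingerprint = bytes(20)

def derive_disk_key(passphrase: str, cmos_secret: bytes, salt: bytes,
                    iterations: int = 200_000) -> bytes:
    """Both inputs are required: stretch the passphrase, then key an HMAC with the CMOS secret."""
    stretched = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, 32)
    return hmac.new(cmos_secret, stretched, hashlib.sha256).digest()

def demo() -> dict:
    salt = b"constructed-salt"                 # constructed sample values
    boot = b"\xeb\x3c\x90" + bytes(509)        # constructed 512-byte boot sector
    cmos = Cmos("CONSTRUCTED-SERIAL-0001", boot)
    enrolled = derive_disk_key("correct horse", cmos.secret, salt)
    results = {"normal_boot": cmos.check_disk("CONSTRUCTED-SERIAL-0001", boot)
               and derive_disk_key("correct horse", cmos.secret, salt) == enrolled}
    cmos.reset()                               # CMOS cleared to bypass the boot order
    results["after_cmos_reset"] = derive_disk_key("correct horse", cmos.secret, salt) == enrolled
    return results

if __name__ == "__main__":
    print(demo())
```

After a reset or a disk mismatch the derived key no longer opens the volume, so recovery depends on the printed key stored somewhere safe.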