Dear all,
First, I would like to congratulate you for working on a Free BIOS.
Is there a way to lock down SeaBIOS with a password like a traditional computer? I know most computers have BIOS magic passwords, but ... some don't and a good password will always slow down an attack.
Does SeaBIOS support password protection?
Kind regards, Kellogs
On Wed, Jun 04, 2014 at 04:07:28PM +0200, Jean-Michel Pouré - GOOZE wrote:
> Dear all,
> First, I would like to congratulate you for working on a Free BIOS.
> Is there a way to lock down SeaBIOS with a password like a traditional computer? I know most computers have BIOS magic passwords, but ... some don't and a good password will always slow down an attack.
> Does SeaBIOS support password protection?
No. The SeaBIOS project is focused on providing BIOS compatibility so that one can boot common operating systems. Support for menus, run time configuration, and low level hardware initialization isn't the primary focus. It is expected projects like QEMU and coreboot will handle those tasks.
In a nutshell, there isn't really anything in SeaBIOS to password protect and so no reason for a password.
-Kevin
Dear Kevin,
> It is expected projects like QEMU and coreboot will handle those tasks.
SeaBIOS is also the BIOS of real computers, including the PC Engines APU: http://www.gooze.eu/apu-pc-engines-kit
And probably the 'real' BIOS of many others.
> In a nutshell, there isn't really anything in SeaBIOS to password protect and so no reason for a password.
I am worried that SeaBIOS allows setting the priority of boot devices of the PC Engines APU without restriction. This allows an attacker to boot into any system using a USB stick. Attacks with USB sticks are very common.
I have no idea what would solve this problem. A good password management with password stored in SHA-512 for sure. Encryption of BIOS data would also help. The interest of a password is that it will stop MOST attackers, but I agree not all (you can always compile SeaBIOS and replace it with a modified version).
Also, providing a password for a BIOS system is a requirement, when used in governments and administrations. French authorities recommend setting a BIOS password on any GNU/Linux computer. Even companies might be obliged sooner or later to set a BIOS password, as this is part of their contract with insurance companies.
Are there projects around to protect SeaBIOS with password or encryption?
Kind regards, Kellogs
On Wednesday, 04 June 2014 at 11:40 -0400, Kevin O'Connor wrote:
> In a nutshell, there isn't really anything in SeaBIOS to password protect and so no reason for a password.
OK, I thought about an answer.
Let's suppose that you are in charge of building doors and you say "As door locks can be broken, there is no need for a lock". Not many people would use such doors.
IMHO, a good password management system in SeaBIOS is needed to stop most attacks on BIOS.
Kind regards, Kellogs
On 06/06/2014 17:24, Jean-Michel Pouré - GOOZE wrote:
> On Wednesday, 04 June 2014 at 11:40 -0400, Kevin O'Connor wrote:
>> In a nutshell, there isn't really anything in SeaBIOS to password protect and so no reason for a password.
> OK, I thought about an answer.
> Let's suppose that you are in charge of building doors and you say "As door locks can be broken, there is no need for a lock". Not many people would use such doors.
No, this is more like a construction company saying "you asked us to build an arch, not a door, so there is no need for a lock".
SeaBIOS is just a consumer of the boot order. The BIOS boot order in SeaBIOS should come from coreboot or QEMU or TianoCore (I don't know if coreboot provides it), and that's where the password should be---in coreboot or TianoCore, or for QEMU you will have some kind of an access control list in a virtualization management tool.
Paolo