[coreboot] Fwd: [FWD: Request for Chromebook Authentication Module Development]
David Hendricks
david.hendricks at gmail.com
Wed Aug 2 07:54:35 CEST 2017
Hi Victor,
IMO this is really more of a feature for the Out Of Box Experience (OOBE)
rather than coreboot or seabios. If your organization uses the ChromeOS
Management Console then you should already be able to assign specific
assets to users (
https://www.google.com/intl/en/chrome/business/devices/features-management-console.html
).
Regardless, if you want to add a PIN or code for first-time login, I would
suggest adding it via the login screen. Something like:
1. Program the PIN/code into the Read-Only Vital Product Data (RO_VPD),
which is a read-only region in the firmware ROM.
2. Modify the login manager to check if the machine is booting for the
first time since it was last installed.
3. If so, the login manager can read the code from the RO_VPD (using the
`vpd` tool in ChromeOS) and prompt the user to enter it. Once the user
enters the code, the check is disabled (until the OS is re-installed or
power washed).
Supporting firmware changes will be a very large task since there are
long-term support implications. It will be much easier for you to support a
change to the login screen I think.
The chromium-os-discuss mailing list might also be a good resource to find
people who can help with this sort of thing:
https://groups.google.com/a/chromium.org/forum/#!forum/chromium-os-discuss
Good luck!
On Tue, Aug 1, 2017 at 8:31 AM, ron minnich <rminnich at gmail.com> wrote:
> This doesn't make sense to me. By putting the PIN in memory you expose its
> value at all steps in the delivery process. Chromebooks have a very good
> mechanism for keys that can be personalized to an individual, see my talk
> at last year's linuxconf in berlin where I showed how you can make a
> chromebook boot only a chromeos you have signed personally.
>
> Security is really hard to get right. I think you need to build on what's
> in the chromebook, not design your own addon, because that's almost
> certainly going to weaken security.
>
> What are you trying to do here? Is the target software stack chromeos? Why
> the PIN?
>
> We may want to drop coreboot list off this discussion but there are so
> many smart people on the coreboot list I wanted to give them a chance to
> respond too.
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170801/26c42851/attachment.html>
More information about the coreboot
mailing list