[SeaBIOS] Seabios password protection

Jean-Michel Pouré - GOOZE jmpoure at gooze.eu
Fri Jun 6 08:41:17 CEST 2014

Dear Kevin,

> It is expected projects like QEMU and coreboot
> will handle those tasks.

Seabios is also the BIOS of real computers, including the PC Engines
APU: http://www.gooze.eu/apu-pc-engines-kit

And probably the 'real' BIOS of many others.

> In a nutshell, there isn't really anything in SeaBIOS to password
> protect and so no reason for a password.

I am worried that SeaBIOS allows setting the priority of boot devices of
the PC Engines APU without restriction. This allows an attacker to boot
into any system using a USB sticks. Attacks with USB sticks are very

I have no idea what would solve this problem. A good password management
with password stored in SHA-512 for sure. Encryption of BIOS data would
also help. The interest of a password is that it will stop MOST
attackers, but I agree not all (you can always compile SeaBIOS and
replace it with a modified version).

Also, providing a password for a BIOS system is a requirement, when used
in governments and administrations. French authorities recommend setting
a BIOS password on any GNU/Linux computer. Even companies might be
obliged sooner or later to set a BIOS password, as this is part of their
contract with insurance companies.

Are there projects around to protect Seabios with password or

Kind regards,

More information about the SeaBIOS mailing list