[SeaBIOS] Seabios password protection
Jean-Michel Pouré - GOOZE
jmpoure at gooze.eu
Fri Jun 6 08:41:17 CEST 2014
Dear Kevin,
> It is expected projects like QEMU and coreboot
> will handle those tasks.
Seabios is also the BIOS of real computers, including the PC Engines
APU: http://www.gooze.eu/apu-pc-engines-kit
And probably the 'real' BIOS of many others.
> In a nutshell, there isn't really anything in SeaBIOS to password
> protect and so no reason for a password.
I am worried that SeaBIOS allows setting the priority of boot devices of
the PC Engines APU without restriction. This allows an attacker to boot
into any system using a USB sticks. Attacks with USB sticks are very
common.
I have no idea what would solve this problem. A good password management
with password stored in SHA-512 for sure. Encryption of BIOS data would
also help. The interest of a password is that it will stop MOST
attackers, but I agree not all (you can always compile SeaBIOS and
replace it with a modified version).
Also, providing a password for a BIOS system is a requirement, when used
in governments and administrations. French authorities recommend setting
a BIOS password on any GNU/Linux computer. Even companies might be
obliged sooner or later to set a BIOS password, as this is part of their
contract with insurance companies.
Are there projects around to protect Seabios with password or
encryption?
Kind regards,
Kellogs
More information about the SeaBIOS
mailing list