system76 / firmware-open

System76 Open Firmware

Coreboot/Bios/Tianocore Password #174

Open varac opened 3 years ago

varac commented 3 years ago

Hi there,
I'm happy with my lemp9 - the only thing I wonder about is how to secure the initial boot with coreboot/tianocore(?) with a password. Is this possible? If not, please implement this.
Threat model is rather a random bypasser trying to boot from a USB stick, i.e., than a more sophisticated attack.

Thanks !

JBombNZ commented 1 year ago

Is there an update on this? I bought a brand new Serval servw13 and I am shocked that I can't set a password...

crawfxrd commented 1 year ago

No. While this feature is a valid request, no one is going to work on it.

jacobgkau commented 1 year ago

Just to elaborate, the reason it's not a priority is because BIOS/UEFI boot passwords are easy to bypass by simply moving the storage drive into a different computer or enclosure (or by resetting the firmware/firmware settings.) The files aren't actually protected unless you're using encryption on your storage drive, which Pop!_OS offers by default. And if you're using encryption on the drive, then an attacker who boots from a USB drive won't be able to access your data anyway.

ilikenwf commented 1 year ago

While it is easy to bypass, the current nature of the secureboot implementation does mean that the usefulness of secureboot is negated, since anyone can go and delete your keys... or because of #437 just screw your stuff up by inserting a USB drive. Being able to easily toggle secureboot on/off or clear keys or add them to the TPM without some kind of authorization, even if it CAN be bypassed, is less than ideal.

@JBombNZ same here.

I appreciate how nice the graphical setup is but am starting to wonder if one could just cherry pick the hardware support and build a vanilla coreboot for these devices with the more full control and featureset.

I'm not angry but am a bit disappointed I can spend such a huge chunk of money on this hardware which is supposed to come at a premium because of the open source firmware and hardware support, but then not have basic security features. If I'd have known that this was going to be an issue, I'd have bought a Clevo and flashed it myself.

ilikenwf commented 1 year ago

> Just to elaborate, the reason it's not a priority is because BIOS/UEFI boot passwords are easy to bypass by simply moving the storage drive into a different computer or enclosure (or by resetting the firmware/firmware settings.) The files aren't actually protected unless you're using encryption on your storage drive, which Pop!_OS offers by default. And if you're using encryption on the drive, then an attacker who boots from a USB drive won't be able to access your data anyway.

In addition, these aren't stored on disk, they're stored in the flash itself. If the firmware is set up to automatically unlock when a drive changes, that is stupid.

Even if one has an encrypted /boot, having a password, even if one can bypass it with a chip clip, makes it harder for an evil maid to have your bootloader dump your password somewhere that they can retrieve it.

cmmh commented 1 year ago

Without a BIOS password, the security posture of my organization won't allow use of that machine. This really is a critical feature. Pretty disappointed with @crawfxrd's assertion that no one is going to work on it.