4.12. Firmware Security

Open Firmware includes a security feature that allows you to set a password that is required to access most commands from the firmware prompt and, optionally, even to boot the system. Open Firmware security settings can be changed either from the firmware prompt or through Apple's Open Firmware Password application. The latter is available for newer versions of Mac OS X on the installation media.

4.12.1. Managing Firmware Security

The password command prompts the user twice to type a newline-terminated security password string. The password, which is not echoed on the screen, can contain only ASCII characters. If both user-typed password strings match, Apple's implementation of Open Firmware encodes the password using a simple scheme and stores the encoded version in the security-password variable. The scheme is shown in Table 46.
Note that setting the password alone does not enable password protection; a security mode must also be set through the security-mode variable. The security mode defines the level of access protection. The following levels are supported.
The following is an example of enabling Open Firmware password protection.

    0 > password
    Enter a new password: ********
    Enter password again: ********
    Password will be in place on the next boot!  ok
    0 > setenv security-mode full  ok
    0 >
When the security mode is set to either command or full, the ability to use snag keys is blocked: pressing keys such as c, n, or t will not alter booting behavior. Similarly, pressing Command-V, Command-S, or Command-Option-P-R will not result in a verbose boot, a single-user boot, or a PRAM reset, respectively. The security-#badlogins firmware variable contains a total count of failed access attempts while the security mode was set to command or full. Each time an incorrect password is entered at the Open Firmware prompt, this counter is incremented by one.

The values of the security-related firmware variables can be examined or set from within Mac OS X by using the nvram utility. However, setting security-password through nvram is not recommended, as the encoding scheme shown in Table 46 is not guaranteed to remain unchanged across firmware revisions. Note that superuser access is required to view the contents of security-password.

    $ sudo nvram -p | grep security
    security-#badlogins 1
    security-password   %c4%c5%c4%cf
    security-mode       none

4.12.2. Recovering the Open Firmware Password

Open Firmware security is not foolproof; it is meant to be only a deterrent. It is possible to reset, change, and perhaps even recover the firmware password. The superuser can disable firmware security by using the nvram utility to change the value of security-mode to none. The password may also be reset via physical access to the inside of the computer.[27]
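The following is an added example, not code from the book: a small Python checker that parses `nvram -p` style output (a constructed sample, not captured from a real machine) and reports whether firmware password protection is actually in effect. It covers the two conditions the text describes, a stored password with security-mode left at none (protection not active) and a non-zero security-#badlogins count, and assumes that nvram -p separates each name and value with a tab and escapes non-printable bytes as %xx.

```python
import re

# Constructed sample of `nvram -p` output (hypothetical, not from a real
# machine); the utility prints one variable per line as name<TAB>value.
SAMPLE_NVRAM = (
    "boot-args\t\n"
    "security-#badlogins\t1\n"
    "security-password\t%c4%c5%c4%cf\n"
    "security-mode\tnone\n"
)

VALID_MODES = ("none", "command", "full")

def parse_nvram(text):
    """Map variable names to their raw (still %xx-escaped) values."""
    variables = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("\t")
        variables[name.strip()] = value.strip()
    return variables

def unescape(value):
    """Decode nvram's %xx byte escapes into the raw stored bytes."""
    return re.sub(rb"%([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  value.encode("latin-1"))

def assess(variables):
    """Return (protection_effective, findings) for the security-* variables."""
    findings = []
    mode = variables.get("security-mode", "none")
    stored = unescape(variables.get("security-password", ""))
    try:
        bad_logins = int(variables.get("security-#badlogins", "0") or "0")
    except ValueError:
        bad_logins = 0
    if mode not in VALID_MODES:
        findings.append(f"unexpected security-mode value: {mode!r}")
    # A stored password alone does nothing; the mode must be command or full.
    effective = bool(stored) and mode in ("command", "full")
    if stored and mode == "none":
        findings.append("password is stored but security-mode is none: protection NOT active")
    if not stored and mode != "none":
        findings.append("security-mode is set but no password is stored")
    if bad_logins > 0:
        findings.append(f"{bad_logins} failed password attempt(s) in security-#badlogins")
    return effective, findings
```

Run it against the real output of `sudo nvram -p` to confirm that the mode has not been quietly reset to none, which is exactly the change the text notes a superuser can make.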