Section 4.12. Firmware Security

4.12. Firmware Security

Open Firmware includes a security feature that allows you to set a password that is required to access most commands from the firmware prompt, and optionally, to even boot the system. Open Firmware security settings can be changed either from the firmware prompt or through Apple's Open Firmware Password application. The latter is available for newer versions of Mac OS X on the installation media.

4.12.1. Managing Firmware Security

The password command prompts the usertwiceto type a newline-terminated security password string. The password, which is not echoed on the screen, can contain only ASCII characters. If both user-typed password strings match, Apple's implementation of Open Firmware encodes the password using a simple scheme and stores the encoded version in the security-password variable. The scheme is shown in Table 46.

Note that setting the password alone does not enable password protection; a security mode must also be set through the security-mode variable. The security mode defines the level of access protection. The following levels are supported.

• none This sets no security; even though a password may be set, it will not be required.

• command A password is required for all firmware commands except for booting the system using default settings. The system can automatically boot in this mode after power-on.

• full A password is required for all firmware commands, including for booting the system with default settings. The system will not automatically boot without a password.

• no-password Access to Open Firmware is entirely disabled. The system will simply boot into the operating system regardless of any keys pressed at boot time. Note that this is not a standard Open Firmware mode.

The following is an example of enabling Open Firmware password protection.

0 > password Enter a new password: ******** Enter password again: ******** Password will be in place on the next boot! ok 0 > setenv security-mode full  ok 0 >

When the security mode is set to either command or full, the ability to use snag keys is blocked: pressing keys such as c, n, or t will not alter booting behavior. Similarly, pressing -v, -s, or will not result in a verbose boot, single-user boot, or PRAM-reset, respectively.

The security-#badlogins firmware variable contains a total count of failed access attempts while the security mode was set to command or full. Each time an incorrect password is entered at the Open Firmware prompt, this counter is incremented by one.

The values of the security-related firmware variables can be examined or set from within Mac OS X by using the nvram utility. However, setting security-password tHRough nvram is not recommended, as the encoding scheme shown in Table 46 is not guaranteed to remain unchanged across firmware revisions. Note that superuser access is required to view the contents of security-password.

$ sudo nvram -p | grep security security-#badlogins     1 security-password       %c4%c5%c4%cf security-mode   none

4.12.2. Recovering the Open Firmware Password

Open Firmware security is not foolproofit is meant to be only a deterrent. It is possible to reset, change, and perhaps even recover the firmware password. The superuser can disable firmware security by using the nvram utility to change the value of security-mode to none. The password may also be reset via physical access to the inside of the computer.^[27]

^[27] The password may be reset by altering the memory configuration of the computer and then resetting the PRAM.