Implementing Open Firmware Security


The Open Firmware built into Macintosh computers supports a variety of startup options, many of which allow bypassing Mac OS X:

  • Using FireWire Target Disk Mode: By pressing the T key as the computer starts up, an attacker can turn a computer into the equivalent of a FireWire hard drive. By plugging it into a computer under her control, the attacker can read or modify any file on the hard drive. The computer will display a moving icon (shown below) when it is in FireWire Target Disk Mode.

  • Booting from other disks or partitions: By pressing the Option key at startup, an attacker can use Open Firmware's Startup Manager to select an alternate boot device such as a FireWire drive. If the attacker knows an administrator user name and password for that alternate boot device, she can take control of a computer booted from that device. If Mac OS 9 is installed on a separate partition, then booting from the Mac OS 9 partition allows total access to the Mac OS X partition.

  • Booting from an installer CD: By pressing the C key at startup, an attacker can boot a computer from an installer CD and use its Reset Password option to change the passwords of accounts on any Mac OS X disk or partition.

  • Booting from a NetBoot server: By pressing the N key at startup, an attacker can boot a computer from a NetBoot server. This may not be a problem if you control the NetBoot server, but if the attacker provides his or her own NetBoot server, or if the default NetBoot image is actually a NetInstall or NetRestore image (which automatically log in to the root account), the attacker can gain control of the computer.

  • Using Open Firmware command mode: By pressing Command-Option-O-F at startup, an attacker can enter Open Firmware mode and change boot parameters, enabling, for example, a startup from an alternate device.

  • Booting in single-user mode: By pressing Command-S at startup, the attacker can halt the Mac OS X boot process before starting the minimum pieces of the operating system and gain access to a command-line interface with root access to the computer.

  • Booting off any other device than the internal disk: By pressing Command-Option-Shift-Delete at startup, the attacker can force a bypass of the selected startup disk and boot off of another device.

Using an Open Firmware Password

To prevent attackers from selecting any of these alternate boot modes, you should enable an Open Firmware password. The easiest way to do this is with the Apple Open Firmware Password utility, provided on the Mac OS X version 10.4 (v10.4) installer DVD in the /Applications/Utilities folder.

The Open Firmware password feature is supported only by Open Firmware version 4.1.7 and later. You may need to update some older Macintosh models' firmware to use this feature. To determine which version of Open Firmware is installed on a computer, open the System Profiler located in /Applications/Utilities and click the Hardware option under the Contents pane. The BootROM version, which is also the computer's Open Firmware version, is displayed in the Hardware Overview window.

Note

A list of the latest firmware updates for various models is available at http://docs.info.apple.com/article.html?artnum=86117. For some older Mac models, you may need to perform updates under Mac OS 9.


The following Apple computers can use the Open Firmware Password application:

  • iBook: all models

  • iMac G3: Slot Loading and later models

  • iMac G4: all models

  • iMac G5: all models

  • eMac: all models

  • PowerBook G3: FireWire model only

  • PowerBook G4: all models

  • Power Mac G4: AGP Graphics and later models

  • Power Mac G4 Cube

  • Power Mac G5: all models

When an Open Firmware password is enabled, it blocks the following boot modes by displaying a lock with an entry box for the Open Firmware password:

  • CD-ROM (C key)

  • NetBoot (N key)

  • Target disk (T key)

  • Verbose boot (Command-V)

  • Single-user boot (Command-S)

  • PRAM reset (Command-Option-P-R)

  • Boot from any other device except the selected internal disk (Command-Option-Shift-Delete)

Note

Target Disk Mode, NetBoot, and CD-ROMs may still be selected in the Startup Disk preferences pane; the Open Firmware password prevents them from being selected only at boot time.


Open Firmware mode also restricts the following modes, by requiring that the password be provided to use them:

  • Startup Manager (Option key)

  • Open Firmware (Command-Option-O-F)

Choosing an Open Firmware Password

Open Firmware does not support international or accented characters in passwords, so you must choose a password consisting only of the printing ASCII characters (character values 32 through 126). Also, to avoid a known-password issue, do not use the capital letter U in an Open Firmware password. Following are the allowed characters:

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~


Be aware that Open Firmware stores its password in recoverable form. This means that if an attacker gains root access to a computer by other means, he can find out what the Open Firmware password is. For example, there are certain applications that will routinely collect the Open Firmware password from any computer on which they are installed. If multiple computers share the same Open Firmware password, the attacker can use that password to gain control of other computers with the same password.

Ideally, each computer should be given a unique password to prevent such cross-computer attacks. If completely individual passwords are impractical, at least split your computers into groups to limit the exposure. In particular, low-security computers (such as laptops and lab/general-access computers) should never be assigned the same Open Firmware password as high-security computers. Also, you should not use the Open Firmware password in any other context, such as a login password.
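The rules above (printing ASCII only, no capital U, no sharing between computers and never between low- and high-security groups) can be checked mechanically when passwords are assigned. The following is an added example, not code from the book; the inventory layout, host names, tier labels and passwords are constructed for illustration.

```python
# Added example: policy checks for Open Firmware passwords (not from the book).
from collections import defaultdict

# Printing ASCII (character values 32 through 126) minus capital U.
ALLOWED = {chr(c) for c in range(32, 127)} - {"U"}


def invalid_chars(password):
    """Return, in order, the characters the password rules do not allow."""
    return [ch for ch in password if ch not in ALLOWED]


def audit_fleet(inventory):
    """Check (host, tier, password) records; return (hosts, finding) tuples."""
    findings = []
    by_password = defaultdict(list)
    for host, tier, password in inventory:
        bad = invalid_chars(password)
        if bad:
            findings.append((host, "disallowed characters: " + "".join(bad)))
        by_password[password].append((host, tier))
    for holders in by_password.values():
        if len(holders) < 2:
            continue  # unique password: the ideal case
        hosts = ", ".join(h for h, _ in holders)
        tiers = {t for _, t in holders}
        if len(tiers) > 1:
            # Low- and high-security computers must never share a password.
            findings.append((hosts, "password shared across security tiers"))
        else:
            findings.append((hosts, "password shared within tier " + tiers.pop()))
    return findings


# Constructed sample inventory (hypothetical hosts, tiers and passwords).
SAMPLE = [
    ("lab-imac-01", "low", "k7#Rmq!2vx"),
    ("lab-imac-02", "low", "k7#Rmq!2vx"),
    ("finance-g5", "high", "k7#Rmq!2vx"),
    ("dean-pbook", "high", "Unlock-caf\u00e9"),
    ("server-g5", "high", "p)4Zt&w9Lh"),
]

if __name__ == "__main__":
    for where, what in audit_fleet(SAMPLE):
        print(f"{where}: {what}")
```

On the sample data this reports the capital U and accented character in one password and the single password shared between lab and high-security machines.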

Tip

You can use the command-line utility nvram to control firmware settings. Just type man nvram at the command line to see the arguments. To see a better set of options, type nvram -p.


Disabling an Open Firmware Password

You may find that you need to disable an Open Firmware password, either temporarily or permanently, to perform operations like installing a new version of Mac OS X from DVD. There are a number of ways to accomplish this:

  • Run the Open Firmware Password utility again and deselect the "Require password" checkbox.

    This method requires that you authenticate as an administrator on the computer.

  • Enter Open Firmware command mode (by pressing Command-Option-O-F during the boot process) and enter the following commands:

    setenv security-mode none
    setenv security-password
    reset-all

    This method requires that you know the current Open Firmware password. (You'll be prompted for it after you enter the first command.)

  • Reset the computer's nonvolatile RAM (NVRAM, or PRAM) by changing its physical memory size (by adding or removing a DIMM) and then starting the system while pressing Command-Option-P-R until the system speaker has chimed four times. All PRAM settings (including the Open Firmware password) will be returned to factory defaults.

    This method requires that you have access to the computer's internals to change its RAM configuration.




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
EAN: 2147483647
Year: 2005
Pages: 258
Authors: Schoun Regan
