Dasharo setup password #120

Closed
miczyg1 opened this issue Jun 8, 2022 · 4 comments · Fixed by Dasharo/DasharoModulePkg#5

@miczyg1
Contributor

miczyg1 commented Jun 8, 2022

The problem you're addressing (if any)
Currently the Dasharo setup menu is not password protected.

Describe the solution you'd like
Add a Setup password implementation. There is an SMM-based implementation in edk2-platforms.

Where is the value to a user, and who might that user be?
For users wanting to protect against unauthorized access to the options menu.

Describe alternatives you've considered
None

Additional context
None

@miczyg1 miczyg1 added the enhancement New feature or request label Jun 9, 2022
@mkopec
Member

mkopec commented Jul 28, 2022

+1. We could extend this to add a power-on password, too

@miczyg1
Contributor Author

miczyg1 commented Aug 16, 2022

@mkopec if you use a SATA disk today, you may already benefit from a SATA password during power-on (but not resume)

@macpijan macpijan added this to To Do in Nlnet October 2022 Oct 14, 2022
@mkopec mkopec moved this from To Do to In progress in Nlnet October 2022 Oct 25, 2022
@mkopec
Member

mkopec commented Oct 27, 2022

PR: Dasharo/DasharoModulePkg#5

@mkopec
Member

mkopec commented Oct 28, 2022

Implemented in Dasharo/DasharoModulePkg#5. The user management option appears on the front page of the setup menu:

image

There, you can set an admin password:

image

And now, when entering the setup menu, you'll get a password prompt:

image

Additionally, since the password hash is stored in an EFI variable, it needs to be protected from overwriting from within the OS. So, a new option Enable SMM BIOS write protection was added to the Dasharo Security Options menu, which disables all writes to flash, except for writes from SMM which are necessary for EFI variables to work. It's recommended to enable it for security when a password is set, but it needs to be disabled when updating the BIOS.

image
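
Added example (not part of the issue thread and not Dasharo's code): one way to check from a running Linux system that the flash write protection described in the last comment is in effect. It assumes an Intel PCH where the option corresponds to the BIOS Control register at offset 0xDC of the SPI controller's PCI configuration space (commonly 0000:00:1f.5); the function names and sample dumps are constructed for illustration.

```python
"""Audit the flash write-protection state behind an SMM BIOS write-protection option.

Assumption (not stated in the issue): Intel PCH, BIOS Control register at offset
0xDC of the SPI controller's PCI config space (commonly 0000:00:1f.5), with
bit 0 = BIOSWE (WPD), bit 1 = BLE (LE), bit 5 = SMM_BWP (EISS).
"""
import sys

BIOS_CNTL_OFFSET = 0xDC
BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5


def constructed_config(bc):
    """Build a constructed 256-byte config dump holding `bc` (not real hardware data)."""
    return bytes(BIOS_CNTL_OFFSET) + bytes([bc]) + bytes(0xFF - BIOS_CNTL_OFFSET)


def bios_cntl_from_config(config):
    """Extract BIOS_CNTL from a raw PCI config-space dump."""
    if len(config) <= BIOS_CNTL_OFFSET:
        # sysfs hands unprivileged readers only the first 64 bytes
        raise PermissionError("config space truncated; read it as root")
    value = config[BIOS_CNTL_OFFSET]
    if value == 0xFF:
        raise ValueError("register reads 0xFF; device hidden or absent")
    return value


def assess(bc):
    """Return (protected, findings) for a BIOS_CNTL value."""
    findings = []
    if not bc & SMM_BWP:
        findings.append("SMM_BWP clear: flash writes are not restricted to SMM")
    if not bc & BLE:
        findings.append("BLE clear: setting BIOSWE does not raise an SMI")
    if bc & BIOSWE:
        findings.append("BIOSWE set: BIOS region write enable is on")
    return bool(bc & SMM_BWP and bc & BLE), findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to the controller's sysfs "config" file, read as root
        with open(sys.argv[1], "rb") as f:
            dumps = {sys.argv[1]: f.read()}
    else:  # constructed samples: protection on (0x22) and off with writes enabled (0x01)
        dumps = {"sample 0x%02x" % v: constructed_config(v) for v in (0x22, 0x01)}
    for name, raw in dumps.items():
        protected, findings = assess(bios_cntl_from_config(raw))
        print("%s: protected=%s" % (name, protected))
        for finding in findings:
            print("  - " + finding)
```

A result of `protected=False` is expected while the option is disabled for a BIOS update, and should flip back once it is re-enabled.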
