I asked:

> The syscfg utility provides a mechanism to change the default boot
> order, but I would like (for security reasons) to disable boot from USB
> or CD-ROM (I can turn off PXE boot from the NICs).
Mahaveer_M replied:

> Check the OMSA command
>
> omconfig chassis biossetup attribute=bootorder sequence=<list>
>
> The sequence of boot devices will be enabled in the bios and the devices
> that are not part of the sequence will be disabled.

I didn't have OMSA installed, but this seemed to be equivalent to the
syscfg --bootseq=<list> configuration command, which on a PE 1950 system
just rearranged the order (omitted boot devices were left in the list, and
were not disabled). I actually went and installed OMSA via yum (it was
pretty painless, I have to say) so that I could try this out, to see if I
had different results from syscfg. And it did, so that
omreport chassis biossetup bootorder (thanks for pointing that out,
Chandrasekhar_R) reported the following:

> BIOS Boot Sequence
> Device Name : Hard drive C:
> Alias Name : hdd.emb.0.1
> State : Enabled
>
> Device Name : MBA v2.6.7 Slot 0500
> Alias Name : nic.emb.1.2
> State : Disabled
>
> Device Name : IDE CD-ROM device
> Alias Name : cdrom.emb.0.0
> State : Disabled
>
> BIOS Hard Disk Sequence
> Device Name : PERC 5/i Integrated(bus 02 dev 0E)
> Alias Name : sasraid.emb.1.0

And after rebooting, the BIOS also showed the NIC and CDROM as disabled in
the F2 Setup.

However, while this can prevent default booting from CD/DVD or USB, this
does not prevent a user from pressing F11 to get the boot selection menu
and then selecting any of the devices (including nominally disabled ones)
from the menu. Even after rebooting a second time, I was able to PXE boot
from the NIC via either F12 or the F11 boot menu.

I noted:

> I ... will enable a BIOS setup password to lock in the changes once they are
> set.

After making the omconfig changes above, to disable boot from NIC and
CD-ROM, I went ahead and set the BIOS Setup password.
After doing this, entering F2 asked for a password before taking me to the
Setup screen (if the password was incorrect, the Setup screen was
effectively read-only), and the F11 boot menu also required a password (if
the password was incorrect, it kept prompting and wouldn't enter the boot
menu).

Since I can disable NIC booting with syscfg --embnic1=onnopxe, the F12
loophole can be closed via other means.

This leaves only one possible concern for me, which is the possibility of
booting from a USB device. Since boot menu access is eliminated, it isn't
possible to choose that directly, but I wonder whether a newly detected USB
device (currently I have none) might get added to the default boot sequence
(it is hard to disable something that isn't there) and, by pulling the hard
drive, manage to boot from a USB key.

Adam Nielsen replied:

> Don't forget that anyone with physical access to the machine can do a
> BIOS reset to get rid of your password, so don't consider this as
> anything other than a deterrent!

A BIOS reset to defaults requires getting to the F2 Setup screen, does it
not? While I know that the BIOS system password (and presumably the setup
password as well) on Dell laptops has a unique master password (based on
the service tag, it seems) that can be obtained from Dell support, or one
of the "password removing" services on-line, I was not aware of any other
trivial way to reset the BIOS or its passwords if the chassis is secured
(some PowerEdge models seem to have a jumper that can be used to reset BIOS
passwords).

@alex -- mailto:[email protected]
_______________________________________________
Linux-PowerEdge mailing list
[email protected]
https://lists.us.dell.com/mailman/listinfo/linux-poweredge
Please read the FAQ at http://lists.us.dell.com/faq
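An added audit check that follows on from the omreport listing in the post above; it is example code written for this page, not part of the original message and not Dell's OMSA or syscfg tooling. It parses the "Device Name / Alias Name / State" record layout of `omreport chassis biossetup bootorder` as quoted in the thread and fails whenever a device outside an allowed alias prefix is still Enabled in the BIOS Boot Sequence, which is the state the poster wanted to reach and then verify after each reboot. The embedded sample output is constructed from the listing in the post (real omreport pads the field names with spaces, which the field separator tolerates); the `hdd.` prefix, the function names and the treatment of the "BIOS Hard Disk Sequence" section as not being a boot-device list are assumptions for the example. It checks only what the BIOS reports as the default sequence; the F11/F12 one-time boot menu and the BIOS password discussed in the thread are separate controls.

```shell
#!/bin/sh
# Added example (not from the post, not Dell's tooling): audit the BIOS Boot
# Sequence as reported by OMSA's `omreport chassis biossetup bootorder`.
#
# Constructed sample, modelled on the record layout quoted in the post
# (one "Device Name / Alias Name / State" record per device). Real omreport
# output pads the field names with spaces; the ' *: *' separator below
# tolerates that. Not captured from a real system.
SAMPLE_OUTPUT='BIOS Boot Sequence
Device Name : Hard drive C:
Alias Name : hdd.emb.0.1
State : Enabled

Device Name : MBA v2.6.7 Slot 0500
Alias Name : nic.emb.1.2
State : Disabled

Device Name : IDE CD-ROM device
Alias Name : cdrom.emb.0.0
State : Disabled

BIOS Hard Disk Sequence
Device Name : PERC 5/i Integrated(bus 02 dev 0E)
Alias Name : sasraid.emb.1.0'

# enabled_boot_aliases: read omreport output on stdin and print the alias of
# every device in the "BIOS Boot Sequence" section whose State is Enabled.
# The "BIOS Hard Disk Sequence" section lists disks, not boot devices, and
# is ignored (assumption for this example).
enabled_boot_aliases() {
    awk -F' *: *' '
        { sub(/ +$/, "") }                  # drop trailing padding, re-split
        /^BIOS Boot Sequence/      { in_seq = 1; next }
        /^BIOS Hard Disk Sequence/ { in_seq = 0 }
        !in_seq                    { next }
        $1 == "Alias Name"         { alias = $2 }
        $1 == "State" && $2 == "Enabled" { print alias }
    '
}

# check_boot_policy PREFIX: succeed (exit 0) only when every enabled boot
# device alias starts with PREFIX (e.g. "hdd." for the embedded hard drive
# alias namespace, an assumption for this example). Any other enabled device
# (nic.*, cdrom.*, or anything else) is reported on stdout and fails the check.
check_boot_policy() {
    allowed="$1"
    rc=0
    for alias in $(enabled_boot_aliases); do
        case "$alias" in
            "$allowed"*) ;;
            *) echo "unexpected enabled boot device: $alias"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo against the constructed sample. On a real host, replace the printf
# with: omreport chassis biossetup bootorder | check_boot_policy hdd.
printf '%s\n' "$SAMPLE_OUTPUT" | check_boot_policy hdd. && echo "boot policy OK"
```

Run it after each reboot (or from a cron job) so that a boot device that reappears in the default sequence, for instance a newly detected USB device of the kind the poster was worried about, shows up as an "unexpected enabled boot device" line and a non-zero exit status rather than going unnoticed until someone presses F11.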
