On 12/18/2016 02:27 PM, Nicklaus McClendon wrote:

On 12/18/2016 01:26 PM, Grzesiek Chodzicki wrote:
On Sunday, 18 December 2016 17:15:59 UTC+1, user
'0194358'019438'0194328'01943 wrote:
Hello,

does a BIOS password (against BIOS changes) give higher
system security, or is it more like a security fake that could be
easily bypassed?

Should I switch the IME off?

Kind Regards
Usually, the BIOS password can be reset by using a jumper on the
motherboard, a dedicated button, or by removing the CMOS battery,
so it's trivial to bypass. However, if one day you notice that the
password is gone or that it has changed, that's a good indicator
that somebody accessed your PC.

In Lenovo ThinkPads (mentioning as they tend to be popular for Qubes),
however, the supervisor BIOS password is stored in an EEPROM chip and
cannot be bypassed without digital analysis of the chip itself. So,
more secure against a standard attacker, but by no means secure
against a dedicated one.

-- kulinacs <nickl...@kulinacs.com>

Some laptops, such as Dell Latitudes/Precisions, have a "master recovery password" that is generated from the current serial number of the laptop (so do ThinkPads).

"Cannot be bypassed" - well, you could always clip an EPROM writer onto the chip, correct? I assume then you could force it to spill.

Entering the password on a Latitude/Precision then resets the serial number and you have to re-enter it. You're now thinking that you could simply do this to make a code that no one knows; however, on the pre-boot authentication screen it helpfully provides the current serial number.

BIOS passwords and PBA schemes are simply another layer in security; ideally you would have both a password and a smart card, so somebody can't simply do shoulder-surfing password recovery and then be able to steal your laptop. (Most business laptops have a contact smart-card reader.)


Yes, you should switch off ME, although "Disabled" means something different to Intel than it does to you and me - it isn't really off. If you do that, you will have to blacklist the intel_ips kernel module to prevent log spam of "ME Hung".

There is a project from some coreboot developers that is able to nerf (not remove) ME from most systems (caution - may brick your mobo - do not perform without an external EEPROM flashing device), although of course you're still stuck with the proprietary BIOS and FSP on anything recent.
