Apple's Open Firmware offers BIOS-like Password Protection
24 May 2001
Summary
Apple's latest Open Firmware update introduces support for additional security options that allow the Open Firmware to be password protected. Similar to the typical PC BIOS password protection feature, this feature in Apple's implementation of Open Firmware allows you to password protect your computer's ability to boot.
Credit:
The information has been provided by CodeSamurai of SecureMac.com.
Apple went beyond the Open Firmware 1275 specification and added a progressive delay technique to discourage brute-force guessing of the Open Firmware password. The delay increases in a pattern of 2^x seconds. To see the progressive delay in action, press the return key several times at the password request prompt on a machine with password protection enabled. Also note that zapping the PRAM (through Command + Option + P + R or even TechTool's "complete zap") will not disable or remove the password protection.
The password protection feature works as follows. The Open Firmware command "password" asks you to set a password and, once you confirm what you typed, stores it as the password. You must then enable the security and specify which level of security you wish. The level is stored in the "security-mode" variable, which can be set to one of three modes: "none", "command", or "full".
The "none" mode effectively disables security. The "command" mode restricts the commands that may be executed to "go" and "boot". Additionally, under the "command" mode, the "boot" command may not have any arguments; that is, it will only boot the device specified in the boot device variable. No other command may be entered and no settings may be changed unless the password is supplied. This protection also applies to booting with the option key held down (which allows you to choose from available bootable volumes through a built-in graphical user interface). Finally, in "full" mode, the machine will not even boot without the password being entered first.
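
The mode rules and the 2^x delay described above, as a small Python model. This is an added example, not Apple's firmware code; the function names are hypothetical, and it assumes x counts consecutive failed attempts starting at 0 with no upper cap on the delay, which the advisory does not state.

```python
# Added illustration of the behaviour described in the advisory; not Apple's code.
# Assumptions: x counts consecutive failed attempts from 0, and the delay has no cap.

MODES = ("none", "command", "full")


def command_allowed(mode, line, authenticated=False):
    """True if `line` may run at the Open Firmware prompt in this security-mode."""
    if mode not in MODES:
        raise ValueError(f"unknown security-mode: {mode!r}")
    if mode == "none" or authenticated:
        return True              # security off, or password already supplied
    if mode == "full":
        return False             # nothing runs, not even a boot, without the password
    words = line.split()
    if not words:
        return False
    if words[0] == "go":
        return True              # the text restricts arguments only for "boot"
    # "boot" is allowed only bare, so it can use nothing but the stored boot device.
    return words == ["boot"]


def delay_after_failures(x):
    """Seconds the prompt waits after x consecutive wrong passwords (2^x pattern)."""
    return 2 ** x


def guesses_within(budget_seconds):
    """Number of wrong guesses whose delays fit inside the time budget."""
    elapsed, guesses = 0, 0
    while elapsed + delay_after_failures(guesses) <= budget_seconds:
        elapsed += delay_after_failures(guesses)
        guesses += 1
    return guesses


if __name__ == "__main__":
    for mode in MODES:
        # Constructed sample command lines.
        for line in ("boot", "boot cd", "go", "setenv security-mode none"):
            print(f"{mode:8} {line!r:30} allowed={command_allowed(mode, line)}")
    print("wrong guesses that fit in 24 hours:", guesses_within(24 * 60 * 60))
```

Under these assumptions the delays alone limit someone at the prompt to 16 wrong guesses in a full day, which is why the doubling matters more than the password length for casual guessing.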
Procedure: Enabling Password Protection
1) Boot into the Open Firmware. (Command + Option + O + F)
2) At the command prompt, type "password" (without the quotes, of course). You will be prompted to enter the password you wish to use. Type your password, press the return key, retype your password, and press return to verify that the first password you typed is indeed the password you want. (Note: the password is stored in the "security-mode" variable, but the content of this variable is never shown via the "printenv" command.)
3) Type "setenv security-mode full" OR "setenv security-mode command" OR "setenv security-mode none", depending on which level of security you wish.
4) Then type "reset-all" to restart the computer.
Disabling Password Protection
1) Boot into the Open Firmware. (Command + Option + O + F)
2) Type "setenv security-mode none" and press return.
3) Enter the password at the password request prompt and press return.
4) Then type "reset-all" to restart the computer.