On 15 Nov 2016 20:42 +0100, from sven@xxxxxxxxxxxxxxxxxxxxx (Sven Eschenberg): >> Either way, you need the BIOS administrator password to get to an >> alternative boot device. > > I wonder however how securely that password is stored? Almost certainly not securely at all. It certainly is easy to clear once you have physical access: All you need to do is get access to the motherboard and either remove/disconnect the CMOS battery, or set a jumper to a "CLEAR CMOS" or similarly labeled position. I would expect some modicum of protection such that the password isn't stored in clear text in NVRAM or flash readable to all and sundry, but I wouldn't expect anything much more sophisticated than an XOR with a fixed value, a CRC-32 checksum, or similar. The exact details almost certainly vary with BIOS implementations and there's no guarantee that there aren't implementations out there that actually do the right thing, but BIOS password storage methods is hardly a distinguishing feature among motherboard manufacturers. Don't expect a proper PBKDF. Think of the BIOS passwords (both user and administrator) not really as tamper-proofing measures as much as a tamper-evidence measures. Feel free to mentally s/BIOS/UEFI/g above if that's your open-at-the-top-container of hot-breakfast-beverage-of-choice. -- Michael Kjörling • https://michael.kjorling.se • michael@xxxxxxxxxxx “People who think they know everything really annoy those of us who know we don’t.” (Bjarne Stroustrup) _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
