Subject: Re: why runtime modularity is bad for security sensitive things (was: Where to put firmware?)
To: NetBSD Kernel Technical Discussion List <tech-kern@NetBSD.ORG>
From: Bill Squier <groo@old-ones.com>
List: tech-kern
Date: 08/24/2002 00:47:34

On Fri, Aug 23, 2002 at 06:54:12PM -0400, Greg A. Woods wrote:
> > Does NetBSD's boot loader use
> > password protection etc.?
> 
> No, not the default one shipped with the official code.

True.  But in case anyone is wondering, you can enable it by modifying

	sys/arch/i386/stand/biosboot/Makefile

and uncommenting the CPPFLAGS line which enables BOOTPASSWD.

Then use installboot's -p option to set a password.


Although without other protections (BIOS prevention of removable media boots,
protection in the BIOS from modifying that setting, physically preventing the
case from being opened with tamper-proof screws, etc.) such protection can be
quite weak.  Although, for example, in a well-populated lab where opening a
computer case would be conspicuous, it may be sufficient.

-- 
Bill Squier (groo@old-ones.com)                          http://www.netbsd.org

        I know I don't deserve another chance, but this _is_ America,
        and as an American, aren't I entitled to one?  --Sideshow Bob.