Friday, January 6, 2012

OS X Open Firmware settings: use nvram security-mode to disable FireWire DMA without a firmware password

First some background. OS X uses Open Firmware, which is similar to a PC's BIOS. The nvram utility can be used to manipulate Open Firmware settings stored in NVRAM. Print NVRAM settings with:
nvram -p

For FireWire DMA the important setting is security-mode. Here is an explanation of the different nvram security modes:

The "none" mode effectively disables security. The "command" mode just restricts the commands that may be executed to "go" and "boot". Additionally, under the "command" mode, the "boot" command may not have any arguments--that is, it will only boot the device specified in the boot device variable; no other command may be entered or any settings changed unless the password is supplied. Moreover, this password protection feature also applies to booting up with the option key held down (which allows you to choose from available bootable volumes through a built-in graphical user interface). Finally, in "full" mode, the machine is completely prohibited from booting until the password is entered.

To set a firmware password (puppet recipe):
nvram security-password=mypass
nvram security-mode=command
Note that anyone with root can read the hex-encoded password with nvram security-password.

To remove the password ('none' is the default security mode):
nvram -d security-password
nvram security-mode=none
When a firmware password is set, FireWire DMA is disabled. This can be abused to disable FireWire DMA without setting a password, just by setting security-mode to something other than 'none'. For example, this works (and takes effect after a reboot):
nvram security-mode=NONE
This causes the FireWire controller to put itself into secure mode, because the driver's check is an exact, case-sensitive comparison against "none":
// Look up the security-mode NVRAM property
OSString * securityModeProperty = OSDynamicCast( OSString, options->getProperty("security-mode") );
// Case-sensitive compare against "none" (5 bytes, including the terminating NUL)
if( securityModeProperty != NULL && strncmp( "none", securityModeProperty->getCStringNoCopy(), 5 ) != 0 ) {
  // set security mode to secure/permanent
  mode = kIOFWSecurityModeSecurePermanent;
}
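
To audit a machine for this setting, the shell script below applies the same exact, case-sensitive test as the driver excerpt to the value of security-mode. It is an added example, not code from the original post. The function names and the tab-separated output format of nvram security-mode are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit security-mode against
# the driver check quoted above.

# Apply the driver's test to a security-mode value.
# Call with no argument when the variable is not set at all.
fw_security_state() {
    if [ "$#" -eq 0 ]; then
        echo "unchanged"            # property missing: NULL check fails
    elif [ "$1" = "none" ]; then
        echo "unchanged"            # exact, case-sensitive match on "none"
    else
        echo "secure-permanent"     # "NONE", "command", "full", ...
    fi
}

# Extract the value from one line of `nvram security-mode` output.
# Assumption: the line has the form "security-mode<TAB>value".
nvram_value() {
    printf '%s\n' "$1" | cut -f2-
}

# Report the state of the machine this runs on (needs the nvram utility).
audit_security_mode() {
    if line=$(nvram security-mode 2>/dev/null); then
        value=$(nvram_value "$line")
        printf 'security-mode=%s -> %s\n' "$value" "$(fw_security_state "$value")"
    else
        printf 'security-mode unset -> %s\n' "$(fw_security_state)"
    fi
}

# Constructed sample values, to show how the check classifies each one.
for v in none NONE command full; do
    printf '%-8s -> %s\n' "$v" "$(fw_security_state "$v")"
done

if command -v nvram >/dev/null 2>&1; then
    audit_security_mode
fi
```

"unchanged" means only that the quoted branch is not taken; the excerpt does not show what the driver does in that case.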

1 comment:

JM Ibanez said...

Technically, Intel-based Macs no longer use Open Firmware, but EFI. EFI =/= Open Firmware. However, the nvram settings are still present.