[dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell

Michael Kjörling michael at kjorling.se
Wed Nov 16 00:15:46 CET 2016


On 15 Nov 2016 20:42 +0100, from sven at whgl.uni-frankfurt.de (Sven Eschenberg):
>> Either way, you need the BIOS administrator password to get to an
>> alternative boot device.
> 
> I wonder however how securely that password is stored?

Almost certainly not securely at all. It certainly is easy to clear
once you have physical access: All you need to do is get access to the
motherboard and either remove/disconnect the CMOS battery, or set a
jumper to a "CLEAR CMOS" or similarly labeled position. I would expect
some modicum of protection such that the password isn't stored in
clear text in NVRAM or flash readable to all and sundry, but I
wouldn't expect anything much more sophisticated than an XOR with a
fixed value, a CRC-32 checksum, or similar. The exact details almost
certainly vary with BIOS implementations and there's no guarantee that
there aren't implementations out there that actually do the right
thing, but BIOS password storage methods is hardly a distinguishing
feature among motherboard manufacturers. Don't expect a proper PBKDF.

Think of the BIOS passwords (both user and administrator) not really
as tamper-proofing measures as much as a tamper-evidence measures.

Feel free to mentally s/BIOS/UEFI/g above if that's your
open-at-the-top-container of hot-breakfast-beverage-of-choice.

-- 
Michael Kjörling • https://michael.kjorling.semichael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)


More information about the dm-crypt mailing list