Open Firmware Password

By: James Reynolds - Revised: 2006-07-03 devin

Introduction

Learn what an open firmware password is, how to set one, and how to verify one.


What is an Open Firmware Password?

Open Firmware is located on the computer hardware. It has nothing to do with the hard disk. It retains settings with an internal battery. One of the settings is security, which allows administrators to "lock" which disk the computer will boot to. You can override this at boot time by holding the option key. You will be asked for the Open Firmware password and then you can choose your boot disk. For more information read this Open Firmware document.

Set Open Firmware Password

Before setting the Open Firmware password, make sure your startup disk is set! If it is not set and you turn on Open Firmware security, your computer will not boot.

The easiest way to turn on Open Firmware security and to set the password is to use Apple's Open Firmware Password utility.

If you are imaging a lot of computers, using the GUI utility above takes a lot of time. An alternative is to use the OFPW command line tool.

Note: this tool requires a cleartext password. If you want good security, consider where that cleartext password is going to end up. Do not save a script that contains a cleartext password on a lab computer. Unless you encrypt your password, this tool should only be used for initial setup, where access to the cleartext password is controlled.

On the other hand, if you need to change all of your Open Firmware passwords, this tool can be a great time saver. But you will want to encrypt the file that contains the cleartext password, decode it in the script, and then delete the password file when the script is done. For example:

#!/usr/bin/perl
use strict;
use warnings;

my $password_file = "/path/to/password_file";
if ( -f $password_file ) {
  open (my $fh, "<", $password_file) or die "Cannot open $password_file: $!";
  my @lines = <$fh>;
  close ($fh);
  chomp $lines[0];   # the trailing newline must not become part of the password
  # decode_password_here is yours to supply; the text below explains how openssl can do the decryption
  my $password = decode_password_here($lines[0]);
  # List-form system passes the password as one argument, so the shell never
  # sees it and no metacharacter in the password is interpreted
  system "/usr/local/bin/OFPW", "-pass", $password;
  system "/usr/local/bin/OFPW", "-mode", "1";
  unlink $password_file;
}

You can use openssl to encrypt the password, and the decode_password_here subroutine could easily use openssl to decrypt the password. This isn't perfect, but it is better than throwing around a plain text password (or manually setting the password on 400+ computers).

Verify Open Firmware Password

It is advisable to automatically check to make sure that the Open Firmware password stays set. This Perl script will check and save a message to the system log if the password isn't set.

#!/usr/bin/perl
use strict;
use warnings;

my $logger = "/usr/bin/logger"; # Your logger
my $ofpassword = `/usr/sbin/nvram security-mode`;
chomp $ofpassword;
# nvram prints the variable name, a tab, then its value ("none", "command" or "full")
if ($ofpassword ne "security-mode\tcommand") {
  system $logger, "I do not have an OFPW set.";
}

In order to add a startup item that executes the above code, read this document which discusses how to create a startup item.

Extended Verify Open Firmware Password

Here is an extended version of the above script. It addresses several issues.

The first issue is older hardware. There is no point in getting notifications for hardware that CAN'T have an Open Firmware password. So, on hardware that is too old, place a file saying it is too old. The script checks for the file. If it exists, it will not check.

The second issue is getting notified remotely. This script adds a $remote_logger call. You must set up some remote logger, either a central syslogd server, sendmail (which requires a fair bit of setting up), or you can look at what we use, report_to_master.sh, which uses curl and a FileMaker Pro database.

The third issue is that the above script only checks to make sure the security mode is on. What if it is on, but someone has compromised your box and changed the password? They could bring in their own FireWire drive and boot to it instead of your drive whenever they wanted. You would never know! This script actually checks to make sure that the password doesn't change. To do this, you must first make a checksum of the Open Firmware password. Do that by typing this at the command line:

sudo nvram security-password | openssl dgst -sha1 > /path/to/file

Place the above file on each computer you want to check.

Here is the extended verify script:

#!/usr/bin/perl
use strict;
use warnings;

my $logger = "/usr/bin/logger"; # Your logger
my $remote_logger = "/path/to/remote_logger_script";
my $dontCheckOpenFirmware = "/path/to/dontCheckOpenFirmware";
my $openFirmwareChecksumFile = "/path/to/openFirmwareChecksumFile";

# Hardware that cannot have an Open Firmware password is marked with this file; skip it
if ( ! -e $dontCheckOpenFirmware ) {
  system $logger, "Checking OFPW.";
  my $ofpassword = `/usr/sbin/nvram security-mode`;
  chomp $ofpassword;
  # nvram separates the variable name from its value with a tab
  if ($ofpassword ne "security-mode\tcommand") {
    system $logger, "Found a problem: no openfirmware password.";
    system $remote_logger, "I do not have an OFPW set.";
  } else {
    if ( -e $openFirmwareChecksumFile ) {
      open (my $fh, "<", $openFirmwareChecksumFile)
        or die "Cannot open $openFirmwareChecksumFile: $!";
      my $ofpwCksumFile = <$fh>;
      close ($fh);
      chomp $ofpwCksumFile;
      # Same pipeline that produced the checksum file, so the two digests are comparable
      my $ofpwCksumReal = `/usr/sbin/nvram security-password | openssl dgst -sha1`;
      chomp $ofpwCksumReal;
      if ($ofpwCksumFile ne $ofpwCksumReal) {
        system $logger, "Found a problem: open firmware password is wrong.";
        system $remote_logger, "OFPW", "My OFPW is wrong.";
      }
    }
  }
}
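The decision logic shared by the short verify script and the extended one, written out as an added Python example (it is not part of the original page and not one of James Reynolds' scripts). The parsing and comparison functions take the text that nvram and openssl dgst print, so they run and can be tested on any machine; main() wires them to the real commands on a Mac, using placeholder paths for the "don't check" marker and the checksum file. It goes slightly beyond the page's scripts in that it accepts a space as well as a tab between the nvram variable name and its value, and both the bare-hex and the "(stdin)= hex" forms of openssl dgst output. Because the checksum file holds an unsalted SHA-1 of the password output, keep it readable by root only.

```python
"""Added example (not the page's script): Open Firmware password checker logic."""
import hashlib
import hmac
import os
import subprocess

NVRAM = "/usr/sbin/nvram"
LOGGER = "/usr/bin/logger"
DONT_CHECK_FILE = "/path/to/dontCheckOpenFirmware"     # placeholder path
CHECKSUM_FILE = "/path/to/openFirmwareChecksumFile"    # placeholder path

# Constructed sample outputs in the layout nvram uses: name, tab, value, newline.
SAMPLE_MODE_ON = "security-mode\tcommand\n"
SAMPLE_MODE_OFF = "security-mode\tnone\n"
SAMPLE_PASSWORD_OUTPUT = b"security-password\tlab-secret-example\n"  # constructed


def parse_nvram_line(output):
    """Split one line of `nvram <name>` output into (name, value).

    nvram separates name and value with a tab; output pasted through a web
    page often turns that tab into a space, so a space is accepted too.
    """
    line = output.strip().splitlines()[0] if output.strip() else ""
    name, sep, value = line.partition("\t")
    if not sep:
        name, sep, value = line.partition(" ")
    return name.strip(), value.strip()


def security_mode_ok(output):
    """True when Open Firmware security is in command mode, which the page requires."""
    return parse_nvram_line(output) == ("security-mode", "command")


def make_checksum(security_password_output):
    """Digest the raw `nvram security-password` output: the same bytes that
    `nvram security-password | openssl dgst -sha1 > file` feeds to openssl."""
    return hashlib.sha1(security_password_output).hexdigest() + "\n"


def normalize_digest(text):
    """Reduce `openssl dgst -sha1` output to the bare hex digest.

    Older openssl releases print only the hex; newer ones print
    "(stdin)= <hex>", so the stored file may hold either form.
    """
    tokens = text.strip().split()
    return tokens[-1].lower() if tokens else ""


def password_unchanged(stored_digest_text, security_password_output):
    """Compare the stored digest with the live one in constant time."""
    expected = normalize_digest(stored_digest_text)
    actual = hashlib.sha1(security_password_output).hexdigest()
    return bool(expected) and hmac.compare_digest(expected, actual)


def evaluate(skip_marker_present, security_mode_output,
             stored_digest_text=None, security_password_output=b""):
    """Return the outcome the extended script reports:
    'skipped', 'no-password', 'password-changed' or 'ok'."""
    if skip_marker_present:
        return "skipped"
    if not security_mode_ok(security_mode_output):
        return "no-password"
    if stored_digest_text is not None and not password_unchanged(
            stored_digest_text, security_password_output):
        return "password-changed"
    return "ok"


MESSAGES = {
    "no-password": "Found a problem: no Open Firmware password.",
    "password-changed": "Found a problem: Open Firmware password is wrong.",
}


def main():
    """Run the real commands on a Mac and report any problem through logger(1)."""
    skip = os.path.exists(DONT_CHECK_FILE)
    mode_output = subprocess.run([NVRAM, "security-mode"],
                                 capture_output=True, text=True).stdout
    stored, live = None, b""
    if os.path.exists(CHECKSUM_FILE):
        with open(CHECKSUM_FILE) as handle:
            stored = handle.read()
        live = subprocess.run([NVRAM, "security-password"],
                              capture_output=True).stdout
    status = evaluate(skip, mode_output, stored, live)
    if status in MESSAGES:
        subprocess.run([LOGGER, MESSAGES[status]])
    return status


if __name__ == "__main__":
    print(main())
```

Run it as root from a startup item in place of the Perl script; the remote-logger call from the extended script can be added next to the logger call in main() once that script exists.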