1

This assumes that:

  • Machine is powered off
  • No UEFI backdoors
  • No Reflashing the firmware
  • No clearing the NVRAM (The point is to modify/read a small amount of NVRAM, instead of resetting it)
  • Device requires password to POST (Enforced by BIOS/UEFI)
  • Physical access

And I think this might be an XY problem, so:

I'm trying to use the TPM PCRs 0 and 7 to have disk encryption. Currently, I have to enter a TPM pin (set using systemd-cryptenroll) during Linux boot. I want to set up a POST password instead, so the attack surface is reduced (My device allows to boot from external devices even if UEFI password is set).

If the Secure Boot keys are wiped, then the device should be rendered unusable. But if the attacker can somehow reset just the UEFI password through modifying NVRAM, then he can gain full access. What I'm asking is:

Is there some form of encryption in the NVRAM in place if I add a UEFI password?

Device is Lenovo IdeaPad S340-14IIL

EDIT: Added PCR 1, so now I'm using PCRs 0,1,7. I think this is plenty safe.

A-random-nerd
  • 11
  • 2
  • Pretty difficult if the device is actually powered off. I guess you could try radiation attacks to flip bits in the storage or something. – user Jul 22 '22 at 16:56
  • Oh. I meant that you have the ability to turn it on, just that it won't go past the password screen at post. And you have full physical access, so you can poke at the internals too. And if you have the ability to add a UEFI backdoor, then sure. But it can't be there before you touch the machine. – A-random-nerd Jul 24 '22 at 00:31

0 Answers0