
MacDann

macrumors 6502a
Original poster
I feel stupid asking this, as I'm a longtime Mac person and feel pretty proficient, but the information I'm finding on Apple's Web site is confusing to me. Here's the question:

I want to enable the Open Firmware password on my 15" MBP to protect it from being started up from anything other than the internal HD. Yes, I know you can get around OF; however, it's a decent deterrent to all but the most savvy users.

In the docs Apple posts regarding Open Firmware passwords, they say that Intel-based Macs can have firmware passwords, but they never go into detail regarding firmware passwords using EFI with Intel-based Macs.

So I guess I'm trying to find out how to set up password protection for the EFI-based firmware used on Intel-based Macs.

Thanks in advance for any help you can offer.

MD
 
Hardening Mac OS X says to use the Open Firmware Password app that is in Applications/Utilities on the install DVD that came with your Mac. It's too bad Apple didn't rename the app to make it less confusing, but it's still the one to use, even for an EFI Mac.
 
Hardening Mac OS X says to use the Open Firmware Password app that is in Applications/Utilities on the install DVD that came with your Mac. It's too bad Apple didn't rename the app to make it less confusing, but it's still the one to use, even for an EFI Mac.

My Intel iMac came with 2 install DVDs and I can't seem to find an Applications/Utilities folder on the DVD.

It just pops up with an "Install Mac OS X and Bundled Software" icon and an "Install Bundled Software Only". Am I missing something? How do I browse the DVD's file structure?
 
My Intel iMac came with 2 install DVDs and I can't seem to find an Applications/Utilities folder on the DVD.

It just pops up with an "Install Mac OS X and Bundled Software" icon and an "Install Bundled Software Only". Am I missing something? How do I browse the DVD's file structure?


Never mind. I had to force Finder to browse the DVD.
Sorry. New to this OS X stuff but I'm confused as to why Apple didn't include the updated app on the website instead of forcing you to get out the DVD.
 
Never mind. I had to force Finder to browse the DVD.
Sorry. New to this OS X stuff but I'm confused as to why Apple didn't include the updated app on the website instead of forcing you to get out the DVD.

Wait. You'd rather download an application, rather than have it already on the DVD???

That doesn't make much sense.
 
Can't you just boot into Open Firmware and use the commands to set the password there? At least that's how I thought you did it.
 
Can't you just boot into Open Firmware and use the commands to set the password there? At least that's how I thought you did it.

Open Firmware and EFI are two different things. I don't think EFI offers a shell.

EDIT: Yes, there is no shell being distributed by Apple with the EFI. There are instructions to download a shell, but this is not for the faint of heart. Even I'm not too crazy about doing it.
 
Wait. You'd rather download an application, rather than have it already on the DVD???

That doesn't make much sense.

Why doesn't it make much sense?
It's a 516k file. My internet is 6000 kb/s.
I could have it downloaded and installed before I even get the DVD out of the sleeve.
 
Open Firmware and EFI are two different things. I don't think EFI offers a shell.

EDIT: Yes, there is no shell being distributed by Apple with the EFI. There are instructions to download a shell, but this is not for the faint of heart. Even I'm not too crazy about doing it.

I thought they had EFI set up to basically emulate the old Open Firmware shell. I get it.
 
It is never smart to rely on an exclusive internet-only distribution of a vital system component, when you distribute a DVD with the computer.
 
It is never smart to rely on an exclusive internet-only distribution of a vital system component, when you distribute a DVD with the computer.

I never said internet-only. In addition to.

Why?

It is never smart to rely on an exclusive DVD-only distribution of a vital system component.
 
Ok, so that's why everyone doesn't get restore CDs and driver CDs when they buy a computer, by your logic.
 
Ok, so that's why everyone doesn't get restore CDs and driver CDs when they buy a computer, by your logic.


Um, no. I was replicating your sentence structure to help you see the silliness of relying upon any one distribution system.

I think restore CD/DVDs are a good backup and are just as important as providing online sources. After all, what do we do after installing something? Go online and check for updates. You don't want online sources? Fine, that's your preference. But I travel a lot for work and it's good to have access to stuff if I don't have the CD or DVD with my laptop.

Why are you arguing this with me? I think you're more interested in feeling right than you are in the logic of redundancy.

The question is moot, anyway. I have the app now.
 
Can't you just boot into Open Firmware and use the commands to set the password there? At least that's how I thought you did it.

Well, in all technicality you can do it via /usr/sbin/nvram (on either a PPC-based Macintosh or an Intel-based Macintosh) by applying the variables "security-mode" equal to "command", and "security-password" to a "hex+XOR against string 'AA'" representation of the password.

Code:
sudo nvram security-mode="command" security-password="%fa%cb%d9%d9%dd%c5%d8%ce"

would set the password to be "Password", and set the mode to be on when switching boot devices. Changing security-mode to equal "full" would set the password prompt to be on every time the machine is booted.

There are also some third party compiled batch scripts that will allow you to set the password from command line, and will do the "heavy" work for you. It's mainly used when implementing standardized images to push out to machines. Mike Bombich's NetRestore allows use of the OFPW tool to accomplish this. Anyroad, as you can see there is a tool available for download, but 99% of the time it's just easier to use the tool off the DVD.

EDIT: Apple hasn't changed these variables in quite some time (if ever?) and since the GUI tool is the same as the third-party CLI tool -- a wrapper for nvram variables -- I wouldn't imagine there being an issue with being out of date.

EDIT 2: I do agree, though, that having the GUI app available for download is a good idea. I mean, they used to...
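
The encoding described in the post above, as an added example (not part of the original thread, and not the code of Apple's app or the OFPW tool): each password byte is XORed with 0xAA and written as a %xx escape. The function names and the ASCII-only restriction are assumptions made for this illustration.

```python
import re

XOR_KEY = 0xAA                      # the 'AA' the post refers to
MODES = ("command", "full")         # the two security-mode values named in the post
_ENCODED = re.compile(r"(?:%[0-9a-fA-F]{2})*")


def encode_firmware_password(password: str) -> str:
    """XOR every byte with 0xAA and write it as %xx, the form passed to nvram."""
    raw = password.encode("ascii")  # assumption: plain ASCII passwords only
    return "".join(f"%{b ^ XOR_KEY:02x}" for b in raw)


def decode_firmware_password(encoded: str) -> str:
    """Undo the encoding: the XOR mask is fixed, so this needs no secret."""
    if not _ENCODED.fullmatch(encoded):
        raise ValueError("expected a run of %xx byte escapes")
    raw = bytes(int(h, 16) ^ XOR_KEY for h in encoded.split("%")[1:])
    return raw.decode("ascii")


def nvram_command(password: str, mode: str = "command") -> str:
    """Build the command line shown in the post for a given password and mode."""
    if mode not in MODES:
        raise ValueError(f"security-mode must be one of {MODES}")
    encoded = encode_firmware_password(password)
    return f'sudo nvram security-mode="{mode}" security-password="{encoded}"'


if __name__ == "__main__":
    print(nvram_command("Password"))
    print(decode_firmware_password("%fa%cb%d9%d9%dd%c5%d8%ce"))
```

Because the mask is a fixed constant, the stored value is obfuscated rather than hashed, so an imaging script or nvram dump that contains it should be handled as if it held the password itself.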
 
This is for PPC Macs, which have Open Firmware.

EFI is for Intel Macs and cannot be booted into.
 
SC68Cal said:
EFI is for Intel Macs and cannot be booted into.

If you're referring to me, I never disputed the fact that Apple left out the optional EFI shell. I was referring to setting the relevant variables using the bundled command "nvram" from within Mac OS X itself using Terminal. Apple's implementation of EFI and OF both recognize most of the same firmware variables, and so setting the password works the same way on both machine types.

I was giving a, "Well, you don't technically need to boot into any firmware shell to do this" and not a solution for a standard user to follow under normal circumstances. Moreover it was an elaboration on the response I quoted. I also was saying that while there is a solution available it's almost always better to just use the GUI app from the DVD.
 
Nope, wasn't referring to your comments, just clarifying so that if someone does a search for booting into EFI.
 