Boot priority and firmware password

Due to the fact that I usually use Linux on USB, when I bought a MBP, I set the USB to the primary boot device by entering the startup manager and clicking it while pressing the control key. Even when I detached my USB drive, I was able to boot into OS X. However, due to the nature of my work, I set a firmware password on my Mac. After this, I was unable to boot into OS X unless I manually enter the startup manager and select the disk. Therefore, I was just wondering if I can set a list of bootable devices which will not be affected by the firmware password for the machine to refer to while booting up. Some PCs provide this feature but I am not sure if Mac does. Furthermore, I wonder if the bless command can provide such an option. My USB is MBR so Startup Disk will not work. This will make my work easier and more efficient; any help will be appreciated.

MacBook Pro with Retina display, OS X El Capitan (10.11.1)

Posted on Nov 18, 2015 5:21 PM

18 replies

Nov 18, 2015 11:08 PM in response to Infinite Niubility

Please see Use a firmware password on your Mac - Apple Support for the firmware password functionality.


Once set, it is enforced as follows...

Unlock your Mac using a firmware password


When you start your Mac from your normal startup disk, you see the normal login window where you enter your user account password. If you try to start up from another drive, or from OS X Recovery, your Mac pauses startup and displays a lock icon with a password field instead.

There is no available method to white-list non-password devices.

Nov 18, 2015 6:26 PM in response to Loner T

Well, if I did not try any other solutions and read all the related documents out there, I would not have asked my question here. First of all, the manual was true: it prevents people from booting up from any other disks by prompting them for the password, provided that the user manually tried to press the option key or the menu key on startup; in my case, I did not interfere. Secondly, if you have 2 bootable USB drives with the same label, when you set one of them as the primary disk and plug it off before plugging the other one in, the other one will boot even if there is a firmware password. This suggests that the issue can be solved by changing the label. I tried to use the bless command to rename the USB to Macintosh HD or the HD to the label of my USB drive, which is "windows" by default despite it being a Linux drive. Since OS X cannot read ext, I can't rename the USB, and since there is auto disk permission repair for OS X, renaming the HD will be useless. (Do not give me the "usual" answers which you give to fool the other customers; I had enough of this in the forum.)

Nov 18, 2015 6:53 PM in response to Infinite Niubility

Bless is being deprecated, and El Capitan's SIP has become even stricter.


A USB boot is an inherent security hole. There are issues of cloning and UUID hacks which are very common. If you first booted with a USB and set a firmware password, shut down your Mac, removed the USB, the fallback boot search will provide the internal drive as an option (with firmware password), correct?


If the booting can be bypassed using just plain labels, it should be flagged as a bug, not a feature. Using a label as a white-listing tool may not be very wise. An entire bank branch may have the same USB labels, correct?

Secondly, if you have 2 bootable USB drives with the same label, when you set one of them as the primary disk and plug it off before plugging the other one in, the other one will boot even if there is a firmware password. This suggests that the issue can be solved by changing the label.

a. without a firmware password? and

b. if the machine is already booted, firmware password has already been entered. Pulling out this USB will cause the running OS to crash/hang (even this has problems when ramdisks are used).

c. where are your page and swap located when using USB to boot linux?


My recommendation is to either use a firmware password and physical security or allow USB booting. Doing both may not be very wise. Alternative would be to net-boot for your linux.


Please also see NetBoot, NetInstall, and NetRestore requirements in OS X El Capitan - Apple Support and check if the csrutil netboot can solve trust issues.


Also curious if this will be used with dual boot (OS X/Windows).

Nov 18, 2015 10:46 PM in response to Loner T

I disabled SIP in recovery since the upgrade. Well, what I have tried is to set the first USB as the primary disk and power off before plugging the USB off, after which I plugged the other USB in and it worked. Furthermore, it seems that the disk permission repair does not affect the label, so I changed the label of my HD. What happened was not very nice: it did boot up, but tells me that no bootable disk was found. This should be caused by the different partition tables; both my USBs are MBR and the HD is GPT. Other than that, it seems that what affects the selection also includes the position of the USB (i.e. the USB ports), so using labels as white listing seems to be a decent choice with the same partition schemes. Since MacBooks can have higher RAM and a better processor, I did not allocate any swap. However, I did have an exFAT for data transferring.

If you first booted with a USB and set a firmware password, shut down your Mac, removed the USB, the fallback boot search will provide the internal drive as an option (with firmware password), correct?

The thing is, if you do not interfere, the Macs will just give you the question mark with the flashing folder; it will not bother to prompt you for the password.


I am not sure if this can be used with dual booting; although Windows can be installed onto GPT, the drive has to be unplugged after shutting down in order to force EFI to search for another volume.


I am sorry but I don't feel safe with networks, but I may try to install OS X onto my USB.

Nov 19, 2015 10:11 AM in response to Infinite Niubility

Infinite Niubility wrote:


I disabled SIP in recovery since the upgrade. Well, what I have tried is to set the first USB as the primary disk and power off before plugging the USB off, after which I plugged the other USB in and it worked. Furthermore, it seems that the disk permission repair does not affect the label, so I changed the label of my HD. What happened was not very nice: it did boot up, but tells me that no bootable disk was found. This should be caused by the different partition tables; both my USBs are MBR and the HD is GPT.

1. Did it work without a firmware password prompt?

2. It is also a value stored in NVRAM under boot_args. See the man page for nvram command for details.

3. Bless with --legacy and --legacydrivehint should allow you to boot. El Capitan is a very different animal though.

4. On the GPT it will look for EFI to boot from. If you have more than one disk with EFI boot loaders, it is supposed to use a known rather than an unknown boot loader. I have not tested recent EFI updates and behavior, but EFI updates have additional security due to Rowhammer.


Other than that, it seems that what affects the selection also includes the position of the USB (i.e. the USB ports), so using labels as white listing seems to be a decent choice with the same partition schemes. Since MacBooks can have higher RAM and a better processor, I did not allocate any swap. However, I did have an exFAT for data transferring.

As long as you have physical control of the Mac and USB devices used, it seems a secure solution, at least for now.


If you first booted with a USB and set a firmware password, shut down your Mac, removed the USB, the fallback boot search will provide the internal drive as an option (with firmware password), correct?

The thing is, if you do not interfere, the Macs will just give you the question mark with the flashing folder; it will not bother to prompt you for the password.

The NVRAM settings of the last successful boot are being used, which is not the 10.6-10.9 behavior. El Capitan (and Yosemite) and EFI updates may have changed this.



I am sorry but I don't feel safe with networks, but I may try to install OS X onto my USB.

It is understandable, but OSX Internet Recovery uses Network boot. Let me know how your OSX-USB test goes.

Nov 19, 2015 10:19 AM in response to Infinite Niubility

Infinite Niubility wrote:


How do I rename the EFI folder, by the way? I have this USB drive with an EFI partition; however, the partition is actually a folder named EFI. I tried to bless it and give a label, but it did not work. I used the command "sudo bless --folder "xxx" --label "xxx" "

Do you want to post the directory structure where this file is located?

Nov 19, 2015 5:01 PM in response to Loner T

It worked without the firmware password, but takes a little bit long. Maybe the laptop is expecting something like MBR when it tries to boot the HD, so it gave me the error. I can bless the USB because Mac does not offer RW support for ext. I was successful in installing OS X on a USB; the USB was 2.0 and it was quite slow. Now I am using a 3.0 USB, so it may be faster.
