I think that most of you here are "old hands" with Solaris and Sun
boxes, so this'll probably seem like a kind of stupid question, but...
It's been a while since I've worked with Sun/Solaris machines (I also
have an old Sunblade 100 that I acquired a while ago when I was more
active with Sun/Solaris, but haven't used that in a while), but I
recall that on some machines at work, they had the firmware password
set, and we would occasionally encounter situations where we'd need to
go find someone who knew the firmware password in order to proceed.
The problem that I have is I can't remember what those situations
were :), so I'm wondering: if the firmware password is set, what
kinds of things require entry of the firmware password:
- "Normal" reboot (i.e., typing "reboot" as "root" while in Solaris)?
- Booting into single-user mode?
- Booting from a CD?
- Others?
Sorry, as I said, it's been a while :)!!
Thanks for your patience!
Jim
> recall that on some machines at work, they had the firmware password
> set, and we would occasionally encounter situations where we'd need to
> go find someone who knew the firmware password in order to proceed.
>
> The problem that I have is I can't remember what those situations
> were :), so I'm wondering: if the firmware password is set, what
> kinds of things require entry of the firmware password:
man eeprom:
security-mode
Firmware security level (options: none, command, or
full). If set to command or full, system will prompt for
PROM security password. Defaults to none. This property
has no special meaning or behavior on x86 based systems.
http://www.sun.com/blueprints/0100/security.pdf
OpenBoot PROM Security Modes
There are two security modes available. The command security mode
prevents EEPROM changes and hardware command execution while at the
OpenBoot PROM level. The full security mode provides the features of the
command mode and, in addition, the system will not boot without the
correct OpenBoot PROM password. Full security mode requires operator
interaction to boot the system. It will not boot without a password. Do
not use this feature on servers or other systems that must boot quickly
without outside intervention.
That depends. There are three security levels (two of which use the
password).
'none' (no password needed for access to all OBP functionality)
'command' (no password for minimal access, password for other functions)
'full' (password needed for any interaction with OBP)
> - "Normal" reboot (i.e., typing "reboot" as "root" while in Solaris)?
No. That should always "work". In addition, if you're root, you can
disable/reset the security mode and change the password.
> - Booting into single-user mode?
Yes. To do that you have to modify the boot string. That's not allowed
in either 'command' or 'full'.
> - Booting from a CD?
Yes. Same as above.
> - Others?
'command' basically lets you type 'b' to boot from configured boot
device with configured boot settings. And if you've aborted the os you
can type 'c' to continue. If you're in 'full' mode, you can't do either
one manually.
--
Darren
Oscar and Darren,
As I mentioned on another thread yesterday/last night, I don't have
access to systems yet, so I'm prepping/refreshing my memory about
these things.
There is someone who has access to the system, and, who I understand,
has root access. It looks like if they just log into the system as
root, then type:
eeprom
it should display the configuration, including the setting for
"security-mode". Is that correct?
The reason for the question is that I can ask them to check on this.
Thanks,
Jim
Yes. Or "eeprom security-mode" to display just that setting,
or "eeprom security-mode=none" to disable it.
--
Darren
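An added example, not part of any poster's message: a POSIX shell function that reads `eeprom` output on stdin and reports the security mode in the terms used in the replies and the Sun BluePrint quoted above. The function name `obp_audit`, the exit codes, the sample input and the use of the `security-#badlogins` line (not mentioned in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise OpenBoot PROM security
# settings from `eeprom` output read on stdin.
# Live use on a SPARC Solaris host, as root:  eeprom | obp_audit
# Exit status: 0 = command/full, 1 = none, 2 = security-mode not found.

obp_audit() {
    obp_mode=""
    obp_bad=""
    while IFS= read -r obp_line; do
        case $obp_line in
            security-mode=*)         obp_mode=${obp_line#*=} ;;
            'security-#badlogins='*) obp_bad=${obp_line#*=} ;;
        esac
    done

    case $obp_mode in
        none)
            echo "security-mode=none: no password needed for any OBP function"
            obp_rc=1 ;;
        command)
            echo "security-mode=command: default boot needs no password;" \
                 "other OBP commands and changed boot arguments do"
            obp_rc=0 ;;
        full)
            echo "security-mode=full: system will not boot without the" \
                 "PROM password (operator must be present)"
            obp_rc=0 ;;
        *)
            echo "security-mode not found in input"
            obp_rc=2 ;;
    esac

    # Assumption: security-#badlogins counts failed PROM password attempts.
    case $obp_bad in
        ''|0) ;;
        *) echo "warning: $obp_bad failed PROM password attempt(s) recorded" ;;
    esac
    return "$obp_rc"
}

# Constructed sample input in the format `eeprom` prints.
obp_audit <<'EOF'
auto-boot?=true
security-mode=command
security-password: data not available.
security-#badlogins=2
EOF
```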
>ohaya <oh...@cox.net> wrote:
>> so I'm wondering: if the firmware password is set, what
>> kinds of things require entry of the firmware password:
>That depends. There are three security levels (two of which use the
>password).
>'none' (no password needed for access to all OBP functionality)
>'command' (no password for minimal access, password for other functions)
>'full' (password needed for any interaction with OBP)
>> - "Normal" reboot (i.e., typing "reboot" as "root" while in Solaris)?
>No. That should always "work". In addition, if you're root, you can
>disable/reset the security mode and change the password.
With "full" reboot requires a password also.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.