[OpenPower-Firmware] Implementing Users/Passwords in Petitboot

Jeremy Kerr jk at ozlabs.org
Fri Mar 16 12:07:35 AEDT 2018

Hi Sam,

> In some circles there has been talk of password-protecting Petitboot to
> restrict access to certain configuration options or the ability to modify disk
> contents for example.

OK, we should define what that means first though.

The examples you have there (protecting configuration and storage
contents) can easily be bypassed by just booting through petitboot to an
OS configuration that gives a user direct access to those things. So,
whatever we implement here will also need to protect against arbitrary
boot options too.

That means that whatever protections we implement here should also
include preventing the user from:

 1) adding a new boot option and booting that
     - because an arbitrary booted OS could do anything

 2) changing boot option arguments
     - eg, init=/bin/sh allows the console user to do anything

 3) and possibly: even changing which boot option is selected
     - eg, pre-existing 'rescue mode' boot options may allow the console
       user to do anything

If we go with (3), then petitboot is essentially read-only while in
unauthenticated mode. Would we even allow an authenticated user to
interrupt the boot countdown?

> - If "petitboot,password" isn't present do we set some default password?

I'd say if there is no password set, we just follow existing behaviour.

One consideration (for those reading along) is that there is absolutely
nothing "special" about the environment that petitboot runs in: it's
just a standard Linux environment, with no additional privileges above
the OS that it ends up booting.
