CN117235747A - Method for modifying BIOS startup password under LINUX - Google Patents


Info

Publication number: CN117235747A
Authority: CN (China)
Legal status: Granted; active
Application number: CN202311530004.6A
Other languages: Chinese (zh)
Other versions: CN117235747B (en)
Inventors: 毛赛恩, 朱泽民
Current assignee: Wuxi Hongchuang Shengan Technology Co ltd
Original assignee: Wuxi Hongchuang Shengan Technology Co ltd
Priority date: 2023-11-16
Filing date: 2023-11-16
Publication date: 2023-12-15 (CN117235747A); granted as CN117235747B on 2024-01-23
Application filed by Wuxi Hongchuang Shengan Technology Co ltd

Landscapes

  • Stored Programmes (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method for modifying BIOS startup passwords under Linux, belonging to the field of computer information security. The method re-implements the hash algorithm the BIOS applies to its startup password (the application calls this the encryption algorithm) in a tool that runs in the Linux system, uses the tool to regenerate the password variable area, and writes it over the original BIOS password variable area in a form the BIOS still recognizes. Moving the password change into the Linux stage lets production-line staff with the necessary authority perform it in batch on many machines through the corresponding script files, which removes the dependence of BIOS startup-password changes on specialist technicians; the method also needs no re-flashing of the server's firmware chip with modified code, which greatly simplifies batch modification of BIOS boot passwords.

Description

Method for modifying BIOS startup password under LINUX
Technical Field
The application relates to a method for modifying BIOS startup passwords under LINUX, belonging to the field of computer information security.
Background
With the rapid development of informatization, information technology now reaches every area of daily life, and the security of that information has become correspondingly important. To secure a server, for example, various security policies are built into its key component, the BIOS (Basic Input Output System), and the secure startup of the BIOS protects the server to a large extent.
BIOS secure boot is a security function that validates every boot component used during operating-system startup. It ensures that each component loaded at boot carries a digital signature that can be verified against a trusted key, which blocks malware and unauthorized boot loaders: a component that fails verification is refused, and the system does not boot it.
Setting a BIOS boot password is one of the more common security policies that complement BIOS secure boot. The boot password is normally set uniformly when the server leaves the factory, but some specially customized servers have their own requirements for it, so it must be reset and modified. Resetting it requires entering the SETUP interface, which calls for personnel with some knowledge of the BIOS, and when many machines need the change each one must be configured separately, which is inefficient.
Disclosure of Invention
In order to enable batch operation on the BIOS startup passwords of servers and to reduce the technical dependence on operators, the application provides a method for modifying BIOS startup passwords under Linux that comprises a preparation stage and a modification stage:
the preparation stage comprises the following three pre-operation steps:
pre-installing an OpenSSL cryptographic library together with the Linux kernel code, the library containing the hash algorithm (the application calls it the encryption algorithm) used for the original BIOS startup password;
obtaining that algorithm of the original BIOS startup password in advance;
when the variable file corresponding to the startup password is created in the BIOS operation stage, setting the attribute of the variable to RUNTIME;
the modification stage comprises:
step 1, running the Linux system and accessing the variable file corresponding to the startup password under the Vars path through the open interface of the Linux kernel;
step 2, hashing the entered new BIOS startup password with the algorithm of the original BIOS startup password, and writing the result through the write interface of the Linux kernel into the data area of the variable file corresponding to the startup password.
Optionally, before step 1, the method further includes:
determining the storage path of the variable file in the Linux system; the variable file name has the form Syspwdxx-xxxx-xxxx-xxxx, where the trailing xxxx-xxxx-xxxx-xxxx part is the GUID of the variable corresponding to the startup password.
Optionally, before step 2, the method further includes verifying the original BIOS boot password:
prompting for the original BIOS startup password;
reading the original BIOS startup password from the command line;
hashing the entered original password in the original BIOS manner and comparing the result with the data area of the variable file corresponding to the startup password; if they match, prompting for the new BIOS startup password; if they do not match, verification fails and the current password-change flow exits.
Optionally, step 2 includes:
prompting for a new BIOS startup password;
reading the new BIOS startup password from the command line;
hashing the new password in the manner of the original BIOS startup password;
and writing the resulting data into the data area of the variable file corresponding to the startup password through the write interface of the Linux kernel.
Optionally, the hash algorithm of the original BIOS boot password is one of MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512.
Optionally, when the original BIOS boot password is hashed with SHA-256, step 2 includes:
applying the SHA-256 hash to the new password string entered on the command line to obtain the hashed data;
generating a 4- to 8-byte salt value from random numbers and inserting it into the previously hashed data;
and writing the hashed data with the salt inserted into the data area of the variable file corresponding to the startup password through the write interface of the Linux kernel.
Optionally, the generated salt value is inserted at a predetermined position in the previously hashed data.
Optionally, the predetermined position is the middle of the data.
Optionally, the method further comprises:
(3) generating a Linux automation script from the contents of steps 1 and 2.
The application also provides application of the method for modifying the BIOS startup password under LINUX in the field of information security.
The application has the beneficial effects that:
(1) Because the password change is performed in the Linux stage, production-line staff with the necessary authority can run it in batch on the machines through the corresponding script files, which removes the dependence of BIOS startup-password changes on specialist technicians; in addition, no re-flashing of the server's firmware chip with modified code is needed, which greatly simplifies batch modification of BIOS boot passwords.
(2) By re-implementing the BIOS hash algorithm, a tool running in the Linux system regenerates the password variable area and replaces the original BIOS password variable area with it in a form the BIOS recognizes, which achieves the modification of the BIOS startup password.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for modifying a BIOS boot password under LINUX according to an embodiment of the present application.
Fig. 2 is a flowchart of a method for modifying a BIOS boot password under LINUX according to a second embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
Technical terms:
GUID: globally unique identifier, used in this application to distinguish the individual variable areas.
Variable: a BIOS variable area, generally used to store modifiable setting parameters; it has a fixed location in the flash chip, and if the RUNTIME attribute is set the operating system can also operate on it at run time.
Vars: on a typical Linux system the path /sys/firmware/efi/vars is populated with one entry per variable area generated during BIOS operation (this is the legacy sysfs efivars interface; current kernels expose the same variables through efivarfs at /sys/firmware/efi/efivars).
RUNTIME: the EFI_VARIABLE_RUNTIME_ACCESS attribute; a variable carrying it remains accessible after the firmware hands over to the operating system, so the OS and its applications can read and, subject to the variable's other attributes, write it while the server is running.
Embodiment one:
This embodiment provides a method for modifying a BIOS boot password under Linux; referring to Fig. 1, the method comprises a preparation stage and a modification stage:
the preparation stage comprises the following three pre-operation steps:
pre-installing an OpenSSL cryptographic library together with the Linux kernel code, the library containing the hash algorithm (the application calls it the encryption algorithm) used for the original BIOS startup password;
obtaining the hash algorithm of the original BIOS startup password in advance;
when the variable file corresponding to the startup password is created in the BIOS operation stage, setting the attribute of the variable to RUNTIME so that it can be accessed and operated on while the system is running;
the three pre-operation steps may be performed in any order.
The modification stage comprises:
Step 1, running the Linux system and accessing the variable file corresponding to the startup password under the Vars path through the open interface of the Linux kernel;
the name of the variable file corresponding to the boot password generally has the form "Syspwdxx-xxxx-xxxx-xxxx" (where the xxxx-xxxx-xxxx-xxxx part is the GUID of the variable corresponding to the boot password).
Step 2, on receiving the password-change instruction, checking the original BIOS startup password entered by the user, hashing the entered new BIOS startup password in the manner of the original BIOS startup password, and writing it to the variable file corresponding to the startup password;
the hash algorithms used for the original BIOS startup password include MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 and the like. A technician can determine the algorithm of the original BIOS startup password in advance from the BIOS code.
In the following it is assumed that the original BIOS startup password is hashed with SHA-256.
Checking the original BIOS startup password entered by the user comprises:
Step 2.1, prompting for the original BIOS startup password; after it is entered on the command line, hashing it in the original BIOS manner and comparing the result with the stored original password data. If they match, the entry is the original BIOS startup password, verification succeeds, and the user continues by entering the new password; if they do not match, verification fails, the user is not authorized to change the original password, and the current flow exits.
After the original password has been verified, the user is prompted for the new BIOS startup password. Hashing the entered new BIOS startup password in the manner of the original BIOS startup password and then writing it to the variable file corresponding to the startup password comprises:
Step 2.2, applying the SHA-256 hash to the new password string entered on the command line to obtain the hashed data;
Step 2.3, generating a 4- to 8-byte salt value from random numbers and inserting it into the previously hashed data;
the salt may be added in the middle of this data, or at another fixed position, so that it can be separated again. Such data is stored in the variable area, and even if someone tries different hash algorithms against the variable-area data, the attempt fails because the position and length of the inserted random salt are not known.
Step 2.4, writing the new password data held in the data area into the data of the Syspwdxx-xxxx-xxxx-xxxx vars entry through the write interface of the Linux kernel.
Because the whole process runs in the Linux command-line environment, every machine on the production line can have its password changed in batch by writing an automation script, and the operator does not need to know the BIOS.
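As an added example, not code from the application or the applicant, the following Python module carries out steps 1 to 2.4 of this embodiment end to end: it reads the variable file, checks the original password, hashes the new one, splices a random 4- to 8-byte salt into the middle of the digest and writes the result back. It assumes things the application does not state: the variable is reached through efivarfs (/sys/firmware/efi/efivars, where each file is a 4-byte little-endian attributes word followed by the data; the /sys/firmware/efi/vars path named above is the older sysfs layout that current kernels no longer provide), the variable name Syspwd and its GUID are placeholders, and the firmware uses SHA-256 with the salt at byte 16. It also checks the attributes before writing, because a variable without RUNTIME_ACCESS is not visible to the OS at all and an authenticated variable rejects plain writes. The sample image at the bottom is constructed, not captured from firmware.

```python
"""Added example: a Python version of the procedure in embodiment one. It is not
the application's tool and makes these assumptions, which the application does
not state: the variable is accessed through efivarfs (/sys/firmware/efi/efivars),
where a file is a 4-byte little-endian attributes word followed by the data;
the variable name and GUID are placeholders; the firmware hashes with SHA-256
and splices the salt in at byte 16 of the 32-byte digest."""
import hashlib
import os
import secrets
import struct

# UEFI variable attribute bits (UEFI specification, SetVariable()).
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

EFIVARFS = "/sys/firmware/efi/efivars"
VAR_NAME = "Syspwd"                                  # placeholder (assumption)
VAR_GUID = "00000000-0000-0000-0000-000000000000"    # placeholder (assumption)

HASH_ALGO = "sha256"
DIGEST_LEN = hashlib.new(HASH_ALGO).digest_size      # 32
SALT_POS = DIGEST_LEN // 2                           # the "intermediate position"
SALT_MIN, SALT_MAX = 4, 8                            # salt length in bytes


def parse_efivar(blob: bytes) -> tuple:
    """Split an efivarfs file image into (attributes, data)."""
    if len(blob) < 4:
        raise ValueError("image shorter than the 4-byte attributes word")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def build_efivar(attrs: int, data: bytes) -> bytes:
    return struct.pack("<I", attrs) + data


def encode_password(password: str, salt: bytes) -> bytes:
    """SHA-256 the password, then splice the salt into the middle of the digest.
    The salt is added after hashing, so it is not an input to the hash."""
    if not SALT_MIN <= len(salt) <= SALT_MAX:
        raise ValueError("salt must be 4 to 8 bytes")
    digest = hashlib.new(HASH_ALGO, password.encode()).digest()
    return digest[:SALT_POS] + salt + digest[SALT_POS:]


def split_record(record: bytes) -> tuple:
    """Recover (digest, salt): the salt length is the excess over the digest."""
    salt_len = len(record) - DIGEST_LEN
    if not SALT_MIN <= salt_len <= SALT_MAX:
        raise ValueError("unexpected record length %d" % len(record))
    salt = record[SALT_POS:SALT_POS + salt_len]
    return record[:SALT_POS] + record[SALT_POS + salt_len:], salt


def verify_password(record: bytes, candidate: str) -> bool:
    digest, _ = split_record(record)
    return secrets.compare_digest(
        digest, hashlib.new(HASH_ALGO, candidate.encode()).digest())


def change_password(blob: bytes, old: str, new: str, salt: bytes = b"") -> bytes:
    """Step 2: check the old password and return the image holding the new one.
    Refuses variables the OS could not rewrite anyway."""
    attrs, record = parse_efivar(blob)
    if not attrs & EFI_VARIABLE_RUNTIME_ACCESS:
        raise PermissionError("no RUNTIME_ACCESS: variable invisible to the OS")
    if attrs & (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
                | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS):
        raise PermissionError("authenticated variable: plain write would fail")
    if not verify_password(record, old):
        raise PermissionError("original BIOS boot password does not match")
    if not salt:
        salt = secrets.token_bytes(secrets.choice(range(SALT_MIN, SALT_MAX + 1)))
    return build_efivar(attrs, encode_password(new, salt))


def change_password_file(path: str, old: str, new: str) -> None:
    """Step 1 + step 2.4: read, rewrite and write back the variable file.
    efivarfs marks variables immutable, so run 'chattr -i' on the file first;
    attributes and data must go out in a single write() call."""
    with open(path, "rb") as f:
        new_blob = change_password(f.read(), old, new)
    with open(path, "wb") as f:
        f.write(new_blob)


# Constructed sample image (not from real firmware): NV|BS|RT attributes and
# SHA-256("factory123") with the 4-byte salt b"ab12" spliced in at byte 16.
SAMPLE_BLOB = build_efivar(
    EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
    | EFI_VARIABLE_RUNTIME_ACCESS,
    encode_password("factory123", b"ab12"))

if __name__ == "__main__":
    path = os.path.join(EFIVARFS, VAR_NAME + "-" + VAR_GUID)
    if os.path.exists(path):
        change_password_file(path, "factory123", "line-42-secret")
    else:
        attrs, record = parse_efivar(
            change_password(SAMPLE_BLOB, "factory123", "line-42-secret"))
        print("attrs=0x%x record=%s" % (attrs, record.hex()))
```

Run it as root after chattr -i on the variable file; efivarfs accepts only a single write() that carries attributes and data together. Note that the original-password check lives in this tool, not in the firmware: anyone with root on the Linux side can write the variable directly, so the check guards against operator mistakes on the production line rather than against a privileged attacker.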
Embodiment two:
This embodiment provides a method for modifying a BIOS boot password under Linux; referring to Fig. 2, the method requires that an OpenSSL cryptographic library be installed together with the Linux kernel code in advance, that the attribute of the variable corresponding to the boot password be set to RUNTIME when the variable is created in the BIOS operation stage, and that a technician determine the hash algorithm of the original BIOS boot password in advance from the BIOS code;
the method comprises the following steps:
Step 1, determining the storage path of the variable file in the Linux system;
under the general Linux system directory there is a /sys/firmware/efi/vars path, under which the various variable files of the BIOS variable region exist (for example, Syspwdxxxx-xxxx-xxxx-xxxx). A variable entry contains VariableName, VendorGuid, DataSize, Data and other fields. To modify the BIOS boot password, the variable corresponding to it must be found; its name is generally "Syspwdxx-xxxx-xxxx-xxxx" (where the xxxx-xxxx-xxxx-xxxx part is the GUID of the variable corresponding to the boot password).
Step 2, opening the file under the Syspwdxx-xxxx-xxxx-xxxx vars path through the open interface of the Linux kernel and editing its data file.
When editing the vars file the technician must know in advance, from the BIOS, the hash algorithm and mechanism used for the startup password. Because the hash algorithms commonly used by UEFI firmware are contained in the OpenSSL cryptographic library, the same OpenSSL library is shipped with the kernel code so that the hashing can also be performed inside the system; this is done by installing the cryptographic library directly alongside the kernel.
Step 2.1, on receiving the password-change instruction, prompting the user on the command line for the original password;
Step 2.2, on receiving the password-change instruction, prompting the user on the command line for the new password that replaces the original;
Step 2.3, storing the new password string in the data area of the file under the Syspwdxxxx-xxxx-xxxx-xxxx vars path by the same method as the BIOS hashing; in this step the matching algorithm is selected from the OpenSSL library according to the hash algorithm of the original BIOS startup password that the technician determined in advance from the BIOS code.
When this scheme runs in the Linux system, the user is first prompted, on receiving the password-change instruction, to enter on the command line a new password that replaces the original (for safety a check of the original password can be added here, so that the new password can only be set after the check passes), and the new password string is then stored in the data area by the same method as the BIOS hashing. A common scheme is illustrated as follows:
the new password string entered on the command line is put through the SHA-256 hash, the hashed data is kept aside, a 4- to 8-byte salt value is generated from random numbers, and the salt is inserted into the previously hashed data; the salt may be added in the middle of the data or at another preset position so that it can be separated again. Such data is stored in the variable area, and even if someone tries different hash algorithms against the variable-area data, the attempt fails because the position and length of the inserted random salt are not known.
The "Syspwdxx-xxxx-xxxx-xxxx" vars file located by name and GUID is opened with the open interface of the Linux kernel, and the new password data held in the data area is then written into the data of that vars file with the write interface of the same kernel. Once the write succeeds, the newly set password replaces the old one, which achieves the modification of the password.
Because the whole process runs in the Linux command-line environment, every machine on the production line can have its password changed in batch by writing an automation script.
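The statement above, repeated from embodiment one, that the stored data resists attempts with different hash algorithms because the salt's position and length are unknown, deserves a check. The following is an added example, not code from the application: given only a record read from the variable (efivarfs creates its files with mode 0644, so any local user can read them), the salt length is fixed by the record length minus the digest length of each candidate algorithm, and the salt position can take at most digest length + 1 values, so a dictionary attack pays only a small constant factor for the obscured layout. It assumes the six algorithms the application lists and a 4- to 8-byte salt; the record and the word list are constructed.

```python
"""Added example (not from the application): the work an attacker who can read
the variable needs in order to defeat the 'unknown salt position and length'
argument. Assumptions: the six algorithms the application lists, a 4- to 8-byte
salt, a constructed record and a constructed word list."""
import hashlib

ALGOS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]
SALT_MIN, SALT_MAX = 4, 8


def candidate_layouts(record_len: int) -> list:
    """All (algorithm, salt_pos, salt_len) triples consistent with the record
    length: the salt length is the excess over the digest length, and the salt
    can only sit at one of digest_len + 1 offsets."""
    layouts = []
    for algo in ALGOS:
        dlen = hashlib.new(algo).digest_size
        salt_len = record_len - dlen
        if SALT_MIN <= salt_len <= SALT_MAX:
            layouts += [(algo, pos, salt_len) for pos in range(dlen + 1)]
    return layouts


def strip_salt(record: bytes, pos: int, salt_len: int) -> bytes:
    return record[:pos] + record[pos + salt_len:]


def work_factor(record_len: int, words: int) -> int:
    """Upper bound on digest comparisons: candidate passwords x layouts."""
    return words * len(candidate_layouts(record_len))


def recover_password(record: bytes, wordlist: list):
    """Dictionary attack. Returns (password, algorithm, salt_pos, comparisons)
    or None; the layout is recovered as a by-product of the first hit."""
    layouts = candidate_layouts(len(record))
    digests = {}
    tries = 0
    for word in wordlist:
        for algo, pos, salt_len in layouts:
            key = (word, algo)
            if key not in digests:
                digests[key] = hashlib.new(algo, word.encode()).digest()
            tries += 1
            if strip_salt(record, pos, salt_len) == digests[key]:
                return word, algo, pos, tries
    return None


# Constructed record: SHA-256("factory123") with a 6-byte salt at offset 16,
# i.e. what the procedure above would leave in the variable's data area.
_d = hashlib.sha256(b"factory123").digest()
SAMPLE_RECORD = _d[:16] + bytes.fromhex("112233445566") + _d[16:]
WORDLIST = ["admin", "password", "123456", "factory123", "Server2023"]

if __name__ == "__main__":
    print(recover_password(SAMPLE_RECORD, WORDLIST))
    print("worst case comparisons:", work_factor(len(SAMPLE_RECORD), len(WORDLIST)))
```

For a 38-byte record the only layout family consistent with the listed algorithms is SHA-256 with a 6-byte salt, giving 33 layouts, so the worst case is 33 digest comparisons per guessed password. Inserting the salt after hashing also means it never enters the hash input; a salt that strengthens a stored password hash has to be hashed together with the password.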
Some steps in the embodiments of the present application may be implemented by using software, and the corresponding software program may be stored in a readable storage medium, such as an optical disc or a hard disk.
The foregoing description of the preferred embodiments of the application is not intended to limit the application to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the application are intended to be included within the scope of the application.

Claims (9)

1. A method for modifying a BIOS boot password under LINUX, the method comprising a preparation phase and a modification phase:
the preparation stage comprises the following three steps of pre-operation:
installing an OpenSSL cryptographic library in the linux kernel code in advance, wherein the OpenSSL library comprises an encryption algorithm of an original BIOS startup password;
the encryption algorithm of the original BIOS startup password is obtained in advance;
when a variable file corresponding to a startup password is created in the BIOS operation stage in advance, setting the attribute of the variable file to be RUNTIME attribute;
the modification stage comprises:
step1, a linux system is operated, and a variable file corresponding to a startup password under a Vars path is accessed through an open interface of a linux kernel;
step 2, encrypting the input new BIOS startup password by adopting the encryption algorithm of the original BIOS startup password, and writing the encrypted new BIOS startup password through a write interface of the linux kernel into a data area of the variable file corresponding to the startup password.
2. The method according to claim 1, wherein the step1 is preceded by:
determining a storage path of the variable file in the linux system; the name format of the variable file corresponds to Syspwdxx-xxxx-xxxx-xxxx, wherein the xxxx-xxxx-xxxx-xxxx part is the GUID of the variable corresponding to the startup password.
3. The method according to claim 2, wherein the step2 further comprises verifying an original BIOS boot password:
prompting to input an original BIOS startup password;
acquiring an original BIOS startup password input from a command line;
encrypting the original BIOS startup password input from the command line in the original BIOS encryption mode and comparing the result with the data in the data area of the variable file corresponding to the startup password; if the comparison result is consistent, prompting for a new BIOS startup password; if the comparison result is inconsistent, the verification fails and the current password-change flow is exited.
4. A method according to claim 3, wherein step2 comprises:
prompting to input a new BIOS startup password;
acquiring a new BIOS startup password input from a command line;
encrypting the input new BIOS startup password by adopting an encryption mode of the original BIOS startup password;
and writing the new password data into the data area of the variable file corresponding to the startup password through a write interface of the linux kernel.
5. The method of claim 1, wherein the encryption of the original BIOS boot password comprises MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512.
6. The method of claim 5, wherein when the original BIOS boot password is encrypted by using the SHA-256 hash algorithm, step 2 comprises:
carrying out SHA-256 hash conversion on the new password character string input by the command line to obtain encrypted data;
generating a 4- to 8-byte salt value by using random numbers, and inserting the generated salt value into the previously encrypted data;
and writing the encrypted data after the salt value is inserted into the data area of the variable file corresponding to the startup password by a write interface of the linux kernel.
7. The method of claim 6, wherein inserting the generated salt value into the previously encrypted data is inserting the generated salt value into a predetermined location of the previously encrypted data.
8. The method of claim 7, wherein the predetermined location is an intermediate location of data.
9. Use of the method for modifying BIOS boot passwords under LINUX according to any of claims 1-8 in the field of information security.
Priority Applications (1)

Application Number: CN202311530004.6A
Priority Date: 2023-11-16
Filing Date: 2023-11-16
Title: Method for modifying BIOS startup password under LINUX

Publications (2)

CN117235747A, published 2023-12-15
CN117235747B, published 2024-01-23

Family

ID=89097089
Family Applications (1): CN202311530004.6A (CN117235747B, Active), priority date 2023-11-16, filing date 2023-11-16, Method for modifying BIOS startup password under LINUX

Country Status (1)

CN (1) CN117235747B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103186748A (en) * 2011-12-29 2013-07-03 鸿富锦精密工业(深圳)有限公司 Electronic device and password protection method thereof
CN106203066A (en) * 2016-08-03 2016-12-07 深圳中电长城信息安全系统有限公司 Power on password protection method, terminal and server
CN108256332A (en) * 2018-01-17 2018-07-06 郑州云海信息技术有限公司 Method for setting a BIOS startup password based on IPMI commands
CN109815721A (en) * 2019-01-30 2019-05-28 郑州云海信息技术有限公司 Method, apparatus, terminal and storage medium for modifying a BIOS Setup option password via the BMC
CN110443029A (en) * 2019-08-15 2019-11-12 深圳忆联信息系统有限公司 Method and device for setting a password under automatic BIOS testing
CN113688406A (en) * 2021-07-17 2021-11-23 苏州浪潮智能科技有限公司 Method, system and terminal for switching encryption algorithm based on BIOS

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
失传技术研究所: "Linux BIOS password setting time, how to set a BIOS password", Retrieved from the Internet <URL:https://blog.csdn.net/weixin_33520865/article/details/116609763> *
小O魂: "OpenSSL encryption library", Retrieved from the Internet <URL:https://blog.csdn.net/u012173846/article/details/121591154> *

Also Published As

Publication number Publication date
CN117235747B (en) 2024-01-23

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant