2008-11-08 10:01:20

by Mathias Schnarrenberger

Subject: security: delete BIOS password in keyboard buffer during kernel bootup

Hi,

I'm using a BIOS password in my notebook (nc6120 from HP). Recently I noticed that the HP BIOS doesn't clean the keyboard buffer after the password was correctly entered. I know that this is rather a BIOS thing but I assume that other BIOSes also don't clean the BIOS keyboard ring buffer (at address from 0x0000041E up to 0x0000043D). Since after the kernel boot up the BIOS Keyboard ISR is deactivated no one cares about the data in the keyboard buffer. So, the BIOS password is kept in the buffer.

So, I think it would be good if the kernel clears the keyboard buffer during boot up (at least in x86-based systems) to protect the user's password. I don't know anything about EFI-based systems and other architectures.
Because I'm not sure where to implement the code to delete the keyboard buffer in the kernel, I can't make a proper patch. Possibly one of you can do this ;)


To read the BIOS keyboard buffer this piece of code can be used:

#include <stdio.h>
#include <string.h>

/* Dump the 32-byte BIOS keyboard ring buffer (physical 0x41E..0x43D).
 * Needs root and a kernel that exposes the first page through /dev/mem. */
int main(void) {
    FILE *file;
    int i, c;
    unsigned char keybuffer[32];

    file = fopen("/dev/mem", "rb");
    if (file == NULL) {
        perror("Couldn't open /dev/mem");
        return 1;
    }
    /* set pointer to keyboard buffer */
    if (fseek(file, 0x41E, SEEK_SET) != 0) {
        perror("fseek");
        fclose(file);
        return 1;
    }
    /* get ASCII / scancodes: each keystroke is stored as an ASCII byte followed by its scancode */
    for (i = 0; i < 32; i++) {
        c = fgetc(file);
        if (c == EOF) {
            fprintf(stderr, "short read at offset %i\n", i);
            fclose(file);
            return 1;
        }
        keybuffer[i] = (unsigned char)c;
    }

    fclose(file);

    for (i = 0; i < 32; i++)
        printf("position in buffer: %i \t value %i \t character %c\n", i, keybuffer[i], keybuffer[i]);

    return 0;
}


I hope I didn't waste too much of your time.

Best regards,
Mathias Schnarrenberger


2008-11-08 14:27:11

by Alan

Subject: Re: security: delete BIOS password in keyboard buffer during kernel bootup

> So, I think it would be good if the kernel clears the keyboard buffer during boot up (at least in x86-based systems) to protect the user's password. I don't know anything about EFI-based systems and other architectures.
> Because I'm not sure where to implement the code to delete the keyboard buffer in the kernel, I can't make a proper patch. Possibly one of you can do this ;)

Clear it with a program if it bothers you. You've written 90% of the
needed code with the program below.


Alan
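
A wiping counterpart to the dump program above, in the direction Alan suggests; this is an added example, not code from the thread. It assumes root and a kernel that lets /dev/mem expose the first physical page; scrub_kbd_buffer and KBD_BUF_PHYS are names chosen here.

```c
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define KBD_BUF_PHYS 0x41EUL /* start of BIOS keyboard ring buffer (BDA 0040:001E) */
#define KBD_BUF_LEN  32      /* 0x41E..0x43D inclusive: 16 ASCII/scancode pairs */

/* Overwrites len bytes at buf with zero through a volatile pointer so the
 * compiler cannot drop the stores as dead. Returns how many bytes were
 * non-zero before the wipe, i.e. how much keystroke residue was present. */
size_t scrub_kbd_buffer(unsigned char *buf, size_t len)
{
    volatile unsigned char *p = buf;
    size_t residue = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        if (p[i] != 0)
            residue++;
        p[i] = 0;
    }
    return residue;
}

int main(void)
{
    long page = sysconf(_SC_PAGESIZE);
    int fd = open("/dev/mem", O_RDWR | O_SYNC);
    if (fd < 0) {
        perror("open /dev/mem");
        return 1;
    }
    /* Map the first physical page; the BIOS data area lives inside it. */
    unsigned char *low = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                              MAP_SHARED, fd, 0);
    if (low == MAP_FAILED) {
        perror("mmap");
        close(fd);
        return 1;
    }
    size_t residue = scrub_kbd_buffer(low + KBD_BUF_PHYS, KBD_BUF_LEN);
    printf("wiped %d bytes, %zu were non-zero\n", KBD_BUF_LEN, residue);
    munmap(low, (size_t)page);
    close(fd);
    return 0;
}
```

Run it once from an early init script, after which the dump program above should print only zeros for all 32 positions.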

2008-11-08 14:36:55

by Mathias Schnarrenberger

Subject: Re: security: delete BIOS password in keyboard buffer during kernel bootup

> Clear it with a program if it bothers you. You've written 90% of the
> needed code with the program below.
>
> Alan

Yes, I already wrote the program for my personal usage. But I wanted to share
this information with the open source community. And I think it would be more
secure to implement this into kernel.

Mathias

2008-11-08 16:39:28

by Olaf van der Spek

Subject: Re: security: delete BIOS password in keyboard buffer during kernel bootup

On Sat, Nov 8, 2008 at 11:00 AM, Mathias Schnarrenberger
<[email protected]> wrote:
> Hi,
>
> I'm using a BIOS password in my notebook (nc6120 from HP). Recently I noticed that the HP BIOS doesn't clean the keyboard buffer after the password was correctly entered. I know that this is rather a BIOS thing but I assume that other BIOSes also don't clean the BIOS keyboard ring buffer (at address from 0x0000041E up to 0x0000043D). Since after the kernel boot up the BIOS Keyboard ISR is deactivated no one cares about the data in the keyboard buffer. So, the BIOS password is kept in the buffer.
>
> So, I think it would be good if the kernel clears the keyboard buffer during boot up (at least in x86-based systems) to protect the user's password. I don't know anything about EFI-based systems and other architectures.
> Because I'm not sure where to implement the code to delete the keyboard buffer in the kernel, I can't make a proper patch. Possibly one of you can do this ;)

What if my BIOS stores some critical info at that memory address?
I don't think the kernel is the right place to work around this issue.

2008-11-09 08:41:31

by Mathias Schnarrenberger

Subject: Re: security: delete BIOS password in keyboard buffer during kernel bootup

> What if my BIOS stores some critical info at that memory address?
> I don't think the kernel is the right place to work around this issue.

AFAIK every IBM PC compatible BIOS stores the keyboard buffer in this area.

Mathias

2008-11-09 11:08:19

by Alan

Subject: Re: security: delete BIOS password in keyboard buffer during kernel bootup

On Sun, 9 Nov 2008 09:41:20 +0100
Mathias Schnarrenberger <[email protected]> wrote:

> > What if my BIOS stores some critical info at that memory address?
> > I don't think the kernel is the right place to work around this issue.
>
> AFAIK every IBM PC compatible BIOS stores the keyboard buffer in this area.

Not every system we boot the x86 kernel on is a PC compatible.

2008-11-09 15:35:53

by Arjan van de Ven

Subject: Re: security: delete BIOS password in keyboard buffer during kernel bootup

On Sun, 9 Nov 2008 09:41:20 +0100
Mathias Schnarrenberger <[email protected]> wrote:

> > What if my BIOS stores some critical info at that memory address?
> > I don't think the kernel is the right place to work around this
> > issue.
>
> AFAIK every IBM PC compatible BIOS stores the keyboard buffer in this
> area.
>
that's a very bold statement...

there are MANY variations of BIOS that are not "IBM PC compatible". In
fact, that's the rule nowadays... they are only "Windows compatible"
often, anything that Windows doesn't use is.. untested at best.


--
Arjan van de Ven Intel Open Source Technology Centre
For development, discussion and tips for power savings,
visit http://www.lesswatts.org

2008-11-11 16:18:53

by Pavel Machek

Subject: Re: security: delete BIOS password in keyboard buffer during kernel bootup

On Sun 2008-11-09 11:08:14, Alan Cox wrote:
> On Sun, 9 Nov 2008 09:41:20 +0100
> Mathias Schnarrenberger <[email protected]> wrote:
>
> > > What if my BIOS stores some critical info at that memory address?
> > > I don't think the kernel is the right place to work around this issue.
> >
> > AFAIK every IBM PC compatible BIOS stores the keyboard buffer in this area.
>
> Not every system we boot the x86 kernel on is a PC compatible.

OTOH we don't call BIOS from linux, so we assume that low 64K is
usable memory (unless marked otherwise in memmap, I guess).

Anyway, proper place to do clearing is bootloader; it interacts with
bios already, anyway...

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

2008-11-11 16:54:25

by Alan

Subject: Re: security: delete BIOS password in keyboard buffer during kernel bootup

> OTOH we don't call BIOS from linux, so we assume that low 64K is
> usable memory (unless marked otherwise in memmap, I guess).

We use the BIOS in some cases for PCI routing, PCI services, APM, and
indirectly for SMM traps, ACPI and via user space for other stuff. So we
preserve the bottom 4K for the BIOS 0x40:xx page.
>
> Anyway, proper place to do clearing is bootloader; it interacts with
> bios already, anyway...

Agreed entirely.

2008-11-12 08:50:56

by Gerhard Mack

Subject: Re: security: delete BIOS password in keyboard buffer during kernel bootup

On Tue, 11 Nov 2008, Alan Cox wrote:

> Date: Tue, 11 Nov 2008 16:54:21 +0000
> From: Alan Cox <[email protected]>
> To: Pavel Machek <[email protected]>
> Cc: [email protected], Olaf van der Spek <[email protected]>,
> [email protected]
> Subject: Re: security: delete BIOS password in keyboard buffer during kernel
> bootup
>
> > OTOH we don't call BIOS from linux, so we assume that low 64K is
> > usable memory (unless marked otherwise in memmap, I guess).
>
> We use the BIOS in some cases for PCI routing, PCI services, APM, and
> indirectly for SMM traps, ACPI and via user space for other stuff. So we
> preserve the bottom 4K for the BIOS 0x40:xx page.
> >
> > Anyway, proper place to do clearing is bootloader; it interacts with
> > bios already, anyway...
>
> Agreed entirely.

Best place would be for the OEM to fix it. If it's a security issue it
shouldn't be overly difficult to embarrass them into a fix.

Gerhard

--
Gerhard Mack

[email protected]

<>< As a computer I find your faith in technology amusing.