Hi All,
Sorry I couldn't make JNUC 2013! However, I've been working on something and, while it's very raw AND VERY UNTESTED, I thought I'd share it with you all to hopefully make managing EFI passwords a little easier.
I've a script that can do it all. Hopefully. It'll do an initial password set-up, a change of password or a removal of a password, should you require it. It merely needs to be called with the correct information specified.
There are notes in the script itself, but basically you have to supply the following info in order for this script to work.
Operating Mode in $3
This should be set to initial, change or remove.
New password in $4
Old password in $5
Security mode in $6
This is for the initial set up only. Specify full or command depending on your usage case.
Again, this is HIGHLY UNTESTED. Please use at your OWN RISK. When dealing with EFI passwords, I prefer to err on the side of caution.
#!/bin/bash
# Script to implement an EFI password policy on a Casper Mac running 10.8 or better.
# Author: r.purves@arts.ac.uk
# Version 1.0 : 18-10-2013 - Initial version

# Set up path variables for easy access and change.
# All of these contain spaces, so every expansion of them below is double-quoted.
toolpath="/Volumes/Mac OS X Base System/Applications/Utilities/Firmware Password Utility.app/Contents/Resources"
basesyspath="/Volumes/Recovery HD/com.apple.recovery.boot/BaseSystem.dmg"
basesysmnt="/Volumes/Mac OS X Base System"
recoverypath="Recovery HD"

# Set up working variables from info passed to the script.
# This will determine how the script functions.
# Accepted inputs are as follows:
# initial - This will install the first EFI password on the system. This requires the security mode to be supplied.
# change - This will change the EFI password as long as the correct old password is supplied.
# remove - This will remove the EFI password as long as the correct old password is supplied.
operatingmode="$3"

# Get password details in the next two variables.
# Note: arguments are visible in the process list (ps) while setregproptool runs.
newpassword="$4"
oldpassword="$5"

# Get the security mode. Required for the "initial" operating mode.
# Acceptable inputs are as follows:
# full - This will require password entry on every boot
# command - This only requires password entry if boot picker is invoked with alt key.
securitymode="$6"

# Which OS is this running on?
osvers=$( sw_vers -productVersion | awk -F. '{print $2}' )

# First of all, check the OS to see if this is supported or not. Less than 10.8 is not supported.
if [[ ${osvers} -lt 8 ]]; then
    echo "Unsupported OS version detected. Terminating script operation."
    exit 1
fi

# Gain access to the setregproptool tool in the Recovery partition.
# We're using the tool in that partition because it should be the correct version for the installed OS.
# Bail out if either step fails; there is nothing to run otherwise.
/usr/sbin/diskutil mount "$recoverypath" || exit 1
/usr/bin/hdiutil attach -quiet "$basesyspath" || { /usr/sbin/diskutil unmount "$recoverypath"; exit 1; }

# Result of the requested operation. Errors set this rather than exiting immediately,
# so the BaseSystem image and the Recovery partition are always unmounted again at the end.
status=0

# Now depending on specified mode, sanity check and run the appropriate commands
case "$operatingmode" in
    initial)
        # Check that a new password and a valid security mode have been specified. Skip if not, as the command would fail.
        if [ -z "$newpassword" ]; then
            echo "Error: Missing new password in policy."
            status=1
        elif [ -z "$securitymode" ]; then
            echo "Error: Missing security mode in policy. e.g. full"
            status=1
        elif [ "$securitymode" != "full" ] && [ "$securitymode" != "command" ]; then
            echo "Error: Incorrect security mode specified in policy. e.g. full"
            status=1
        else
            # Enable the EFI password
            "$toolpath/setregproptool" -p "$newpassword" -m "$securitymode"
            status=$?
        fi
        ;;
    change)
        # Check if the new and old passwords have been specified properly.
        if [ -z "$newpassword" ]; then
            echo "Error: Missing new password in policy."
            status=1
        elif [ -z "$oldpassword" ]; then
            echo "Error: Missing old password in policy."
            status=1
        else
            # Change the EFI password
            "$toolpath/setregproptool" -p "$newpassword" -o "$oldpassword"
            status=$?
        fi
        ;;
    remove)
        # Check if the old password has been specified properly.
        if [ -z "$oldpassword" ]; then
            echo "Error: Missing old password in policy."
            status=1
        else
            # Remove the EFI password
            "$toolpath/setregproptool" -d -o "$oldpassword"
            status=$?
        fi
        ;;
    *)
        # This should only activate if the operating mode hasn't been specified properly.
        echo "Error: Incorrect operating mode specified in policy. e.g. initial, change or remove"
        status=1
        ;;
esac

# We're done with setregproptool. Detach the BaseSystem.dmg and unmount the Recovery partition.
/usr/bin/hdiutil detach "$basesysmnt"
/usr/sbin/diskutil unmount "$recoverypath"

# All done! Report the result of the operation back to the policy.
exit $status
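As an added example (this is not the poster's script, and not part of the original post), here is a variant of the same procedure that keeps the post's parameter layout ($3 mode, $4 new password, $5 old password, $6 security mode) but puts the parameter checks in a function that can be exercised without a Mac, guarantees the BaseSystem image and Recovery partition are detached again through an EXIT trap, and verifies the outcome with setregproptool -c, which exits 0 when a firmware password is set and 1 when none is. The volume and tool paths are taken from the post and are assumptions here; the name the BaseSystem image mounts under differs between OS releases, so check them against the release you actually deploy to.

```bash
#!/bin/bash
# Added example, not the original poster's script. Same policy parameters
# ($3 mode, $4 new password, $5 old password, $6 security mode), but with
# validation in a testable function, cleanup guaranteed by a trap, and the
# result verified with "setregproptool -c" (exit 0 = password set, 1 = not set).
# Paths below are assumed from the post; verify them for your OS release.

recovery_vol="Recovery HD"
basesys_dmg="/Volumes/Recovery HD/com.apple.recovery.boot/BaseSystem.dmg"
basesys_mnt="/Volumes/Mac OS X Base System"
tool="$basesys_mnt/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool"

# Validate a mode and its parameters. Prints the setregproptool arguments,
# one per line, or prints an error to stderr and returns 1.
efi_args() {
    mode="$1"; new="$2"; old="$3"; secmode="$4"
    case "$mode" in
        initial)
            [ -n "$new" ] || { echo "initial: new password missing" >&2; return 1; }
            case "$secmode" in
                full|command) ;;
                *) echo "initial: security mode must be full or command" >&2; return 1 ;;
            esac
            printf '%s\n' -p "$new" -m "$secmode" ;;
        change)
            { [ -n "$new" ] && [ -n "$old" ]; } ||
                { echo "change: new and old password required" >&2; return 1; }
            printf '%s\n' -p "$new" -o "$old" ;;
        remove)
            [ -n "$old" ] || { echo "remove: old password missing" >&2; return 1; }
            printf '%s\n' -d -o "$old" ;;
        *)
            echo "unknown mode '$mode' (initial, change or remove)" >&2; return 1 ;;
    esac
}

# Exit status "setregproptool -c" should report once the mode has succeeded.
efi_expected_check() {
    case "$1" in
        initial|change) echo 0 ;;
        remove) echo 1 ;;
        *) return 1 ;;
    esac
}

# Runs on every exit path once the Recovery partition has been mounted.
cleanup() {
    /usr/bin/hdiutil detach -quiet "$basesys_mnt" 2>/dev/null
    /usr/sbin/diskutil unmount "$recovery_vol" >/dev/null 2>&1
}

run_efi_policy() {
    mode="$1"; new="$2"; old="$3"; secmode="$4"
    args=$(efi_args "$mode" "$new" "$old" "$secmode") || return 1
    want=$(efi_expected_check "$mode")

    /usr/sbin/diskutil mount "$recovery_vol" >/dev/null || return 1
    trap cleanup EXIT
    /usr/bin/hdiutil attach -quiet "$basesys_dmg" || return 1
    [ -x "$tool" ] || { echo "setregproptool not found at $tool" >&2; return 1; }

    # Rebuild the argument list from efi_args output without word-splitting
    # the passwords (they may contain spaces or glob characters).
    set --
    while IFS= read -r a; do set -- "$@" "$a"; done <<EOF
$args
EOF
    "$tool" "$@" || { echo "setregproptool failed" >&2; return 1; }

    # Confirm the firmware password state matches what the mode promised.
    "$tool" -c; got=$?
    [ "$got" -eq "$want" ] ||
        { echo "verification failed: -c returned $got, expected $want" >&2; return 1; }
    echo "EFI password policy '$mode' applied and verified"
}

# Policy parameters arrive in $3..$6, as in the post above.
# With no parameters the script only defines the functions and does nothing.
if [ -n "${3:-}" ]; then
    run_efi_policy "$3" "$4" "$5" "$6"
    exit $?
fi
```

Because setregproptool takes the passwords as command-line arguments, they are visible in the process list to any local user for the duration of that call; that is inherent to the tool's interface and the trap and verification above do not change it.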