EFI Password via script

franton
Valued Contributor III

Hi All,

Sorry I couldn't make JNUC 2013! However i've been working on something and while it's very raw AND VERY UNTESTED, I thought i'd share with you all to hopefully make managing EFI passwords a little easier.

I've a script that can do it all. Hopefully. It'll do an initial password set up, a change of password or a removal of a password should you require it. It merely needs to be called with the correct information specified.

There are notes in the script itself but basically you have to supply the following info in order for this script to work.

Operating Mode in $3
This should be set to initial, change or remove.

New password in $4
Old password in $5

Security mode in $6
This is for the initial set up only. Specify full or command depending on your usage case.

Again this is HIGHLY UNTESTED. Please use at OWN RISK. When dealing with EFI passwords I prefer to err on the side of caution.

#!/bin/bash

# Script to implement an EFI password policy on a Casper Mac running 10.8 or better.

# Author: r.purves@arts.ac.uk
# Version 1.0 : 18-10-2013 - Initial version

# Set up path variables for easy access and change

toolpath="/Volumes/Mac OS X Base System/Applications/Utilities/Firmware Password Utility.app/Contents/Resources/"
basesyspath="/Volumes/Recovery HD/com.apple.recovery.boot/BaseSystem.dmg"
basesysmnt="/Volumes/Mac OS X Base System/"
recoverypath="Recovery HD"

# Set up working variables from info passed to the script

# This will determine how the script functions.
# Accepted inputs are as follows:
# initial   - This will install the first EFI password on the system. This requires the security mode to be supplied.
# change    - This will change the EFI password as long as the correct old password is supplied.
# remove    - This will remove the EFI password as long as the correct old password is supplied.
operatingmode=$3

# Get password details in the next two variables
newpassword=$4
oldpassword=$5

# Get the security mode. Required for the "initial" operating mode.
# Acceptable inputs are as follows:
# full      - This will require password entry on every boot
# command   - This only requires password entry if boot picker is invoked with alt key.
securitymode=$6

# Which OS is this running on?
osvers=$( sw_vers -productVersion | awk -F. '{print $2}' )

# First of all, check the OS to see if this is supported or not. Less than 10.8 is not supported.

if [[ ${osvers} -lt 8 ]];
then
    echo "Unsupported OS version detected. Terminating script operation."
    exit 1
fi

# Gain access to the setregproptool tool in the Recovery partition.
# We're using the tool in that partition because it should be the correct version for the installed OS.

/usr/sbin/diskutil mount $recoverypath
/usr/bin/hdiutil attach -quiet $basesyspath

# Now depending on specified mode, sanity check and run the appropriate commands

case "$operatingmode" in

    initial)
        # Check to see if the security mode has been specified properly. Exit if not as command will fail.

        if [ "$securitymode" == "" ]; then
            echo "Error: Missing security mode in policy. e.g. full"
            exit 1
        fi      

        if [ "$securitymode" != "full" || "$securitymode" != "command" ]; then
            echo "Error: Incorrect security mode specified in policy. e.g. full"
            exit 1
        fi              

        # Enable the EFI password

        $toolpath/setregproptool -p $newpassword -m $securitymode   
    ;;

    change)
        # Check if new password has been specified properly.

        if [ "$newpassword" == "" ]; then
            echo "Error: Missing new password in policy."
            exit 1
        fi          

        # Check if old password has been specified properly.

        if [ "$oldpassword" == "" ]; then
            echo "Error: Missing old password in policy."
            exit 1
        fi          

        # Change the EFI password

        $toolpath/setregproptool –p $newpassword -o oldpassword
    ;;

    remove)
        # Check if old password has been specified properly.

        if [ "$oldpassword" == "" ]; then
            echo "Error: Missing old password in policy."
            exit 1
        fi              

        # Remove the EFI password

        $toolpath/setregproptool –d –o oldpassword  
    ;;

    *)
        # This should only activate if the operating mode hasn't been specified properly.
        echo "Error: Incorrect operating mode specified in policy. e.g. initial, change or remove"
    ;;
esac

# We're done with setregproptool. Detach the BaseSystem.dmg and unmount the Recovery partition.

/usr/bin/hdiutil detach $basesysmnt
/usr/sbin/diskutil unmount $recoverypath

# All done!

exit 0
13 REPLIES 13

denmoff
Contributor III

Very nice script. I've been banging my head trying to get EFI passwords set for my users. So, why is this for 10.8 and above if you are grabbing the setregproptool from the recovery partition. If you grab the Lion setregproptool, wouldn't it work on Lion?

denmoff
Contributor III

@franton A couple of things i've noticed running this on Mavericks and JSS 9.2. First with JSS 9.2, the optional script parameters start at $4, where $1, $2, and $3 are already used. So, $operatingmode gets set to $3, which is set to $username.
For Mavericks, the hdutil attach command sets it to /Volumes/OS X Base System instead of /Volumes/Mac OS X Base System.

franton
Valued Contributor III

I should have updated the post sooner. The latest version can be found here: https://github.com/franton/Set-EFI-Password

franton
Valued Contributor III

It's for mountain lion or better because we don't support anything less than 10.8 at my work.

denmoff
Contributor III

@franton][/url Very cool. I did notice one typo. In the closerecovery function, you have MLmntpath instead of MVmntpath for the Mavericks detach if statement.

franton
Valued Contributor III

Nice catch. It's now fixed and credit given.

Backas
New Contributor

Good job!
Can we use it -without- Casper?

Best regards

Kostas

mscottblake
Valued Contributor

I don't see any JAMF specific functionality in the script, so I figure it would work anywhere.

franton
Valued Contributor III

@Backas @msblake very true, it's not meant to be Casper only. As long as you can pass the required parameters to it, it should just work.

mm2270
Legendary Contributor III

Its using parameters $4 and $5 for newpassword and oldpassword respectively, so yes its designed for Casper. But that could be easily modified. I don't necessarily think its a great idea to hardcode passwords into a script, but, you can do it if security isn't a major concern.

fabian_ulmrich
Contributor
Contributor

@franton Just figured out I cannot use the old setregproptool - You made my day!!! THANKS :)

franton
Valued Contributor III

You're very welcome!

uurazzle
Contributor II

Hello:

You might want to take a look at our firmware_password_manager script which allows management of firmware password.

Its available in our github repo here:

https://github.com/univ-of-utah-marriott-library-apple/firmware_password_manager

If you have any questions or problems, please let us know.