disabling boot devices on poweredge servers?

Alexander Dupuy alex.dupuy at mac.com
Wed May 5 16:07:06 CDT 2010


I asked:
> The syscfg utility provides a mechanism to change the default boot 
> order, but I would like (for security reasons) to disable boot from USB 
> or CD-ROM (I can turn off PXE boot from the NICs).

Mahaveer_M replied:
> Check the OMSA command 
> omconfig chassis biossetup attribute=bootorder sequence=<list>
>
> The sequence of boot devices will be enabled in the bios and the devices
> that are not part of the sequence will be disabled.
>   

I didn't have OMSA installed, but this seemed to be equivalent to the 
syscfg --bootseq=<list> configuration command, which on a PE 1950 system 
just rearranged the order (omitted boot devices were left in the list, 
and were not disabled).

I actually went and installed OMSA via yum (it was pretty painless, I 
have to say) so that I could try this out, to see if I had different 
results from syscfg.  And it did, so that omreport chassis biossetup 
bootorder (thanks for pointing that out, Chandrasekhar_R) reported the 
following

> BIOS Boot Sequence
> Device Name : Hard drive C:
> Alias Name  : hdd.emb.0.1
> State       : Enabled
>
> Device Name : MBA v2.6.7  Slot 0500
> Alias Name  : nic.emb.1.2
> State       : Disabled
>
> Device Name : IDE CD-ROM device
> Alias Name  : cdrom.emb.0.0
> State       : Disabled
>
> BIOS Hard Disk Sequence
> Device Name : PERC 5/i Integrated(bus 02 dev 0E)
> Alias Name  : sasraid.emb.1.0

And after rebooting, the BIOS also showed the NIC and CDROM as disabled 
in the F2 Setup.  However, while this can prevent default booting from 
CD/DVD or USB, this does not prevent a user from pressing F11 to get the 
boot selection menu and then selecting any of the devices (including 
nominally disabled ones) from the menu.  Even after rebooting a second 
time, I was able to PXE boot from the NIC via either F12 or the F11 boot 
menu.
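The following is an added example, not part of the original post or of Dell's OMSA tooling: a small checker that parses the `omreport chassis biossetup bootorder` listing quoted above (embedded here as a constructed sample string) and reports any device in the BIOS Boot Sequence that is still Enabled but is not on an allowlist of alias prefixes. The allowlist (`hdd.` only) is an assumed policy, and the checker deliberately ignores the "BIOS Hard Disk Sequence" section, whose entries carry no State line. As the post notes, this only audits the default sequence; without a Setup password, the F11/F12 menus can still select a device the sequence marks Disabled.

```python
"""Audit a Dell OMSA boot-order listing against an allowlist of boot devices.

Added example; the sample below is the omreport output quoted in the post,
embedded as a constructed string so the script runs offline.
"""

import re
from dataclasses import dataclass

# Constructed sample: the listing quoted in the post.
SAMPLE_REPORT = """\
BIOS Boot Sequence
Device Name : Hard drive C:
Alias Name  : hdd.emb.0.1
State       : Enabled

Device Name : MBA v2.6.7  Slot 0500
Alias Name  : nic.emb.1.2
State       : Disabled

Device Name : IDE CD-ROM device
Alias Name  : cdrom.emb.0.0
State       : Disabled

BIOS Hard Disk Sequence
Device Name : PERC 5/i Integrated(bus 02 dev 0E)
Alias Name  : sasraid.emb.1.0
"""

# Assumed policy: only internal hard drives may remain enabled boot devices.
ALLOWED_PREFIXES = ("hdd.",)

FIELD_MAP = {"Device Name": "name", "Alias Name": "alias", "State": "state"}
FIELD_RE = re.compile(r"(Device Name|Alias Name|State)\s*:\s*(.*)$")


@dataclass
class BootDevice:
    name: str
    alias: str
    state: str  # "Enabled" or "Disabled" in the Boot Sequence section


def parse_boot_sequence(text):
    """Return BootDevice records from the 'BIOS Boot Sequence' section only.

    Devices are separated by blank lines; any other 'BIOS ... Sequence' header
    (e.g. the hard disk sequence) ends the section and is not parsed.
    """
    devices = []
    section = None
    current = {}

    def flush():
        if current.get("alias"):
            devices.append(BootDevice(current.get("name", ""),
                                      current["alias"],
                                      current.get("state", "")))
        current.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BIOS ") and line.endswith("Sequence"):
            flush()
            section = line
            continue
        if not line:
            flush()
            continue
        if section != "BIOS Boot Sequence":
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            current[FIELD_MAP[key]] = value.strip()
    flush()
    return devices


def enabled_outside_allowlist(devices, allowed=ALLOWED_PREFIXES):
    """Aliases that are Enabled in the boot sequence but not allowlisted."""
    return [d.alias for d in devices
            if d.state == "Enabled" and not d.alias.startswith(allowed)]


if __name__ == "__main__":
    devs = parse_boot_sequence(SAMPLE_REPORT)
    for d in devs:
        print(f"{d.alias:16} {d.state:9} {d.name}")
    bad = enabled_outside_allowlist(devs)
    print("violations:", bad if bad else "none")
```

Run it against a saved copy of the real listing by replacing `SAMPLE_REPORT` with the file contents; a non-empty violation list means a removable or network device is still in the enabled default sequence.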

I noted:
> I ... will enable a BIOS setup password to lock in the changes once they are set.

After making the omconfig changes above, to disable boot from NIC and 
CD-ROM, I went ahead and set the BIOS Setup password.  After doing this, 
entering F2 asked for a password before taking me to the Setup screen 
(if the password was incorrect, the Setup screen was effectively 
read-only), and the F11 boot menu also required a password (if the 
password was incorrect, it kept prompting and wouldn't enter the boot menu).

Since I can disable NIC booting with syscfg --embnic1=onnopxe, the F12 
loophole can be closed via other means.  This leaves only one possible 
concern for me, which is the possibility of booting from a USB device.  
Since boot menu access is eliminated, it isn't possible to choose that 
directly, but I wonder whether a newly detected USB device (currently I 
have none) might get added to the default boot sequence (it is hard to 
disable something that isn't there) and by pulling the hard drive, 
manage to boot from a USB key.

Adam Nielsen replied:
> Don't forget that anyone with physical access to the machine can do a 
> BIOS reset to get rid of your password, so don't consider this as 
> anything other than a deterrent!

A BIOS reset to defaults requires getting to the F2 Setup screen, does 
it not?  While I know that the BIOS system password (and presumably the 
setup password as well) on Dell laptops has a unique master password 
(based on the service tag, it seems) that can be obtained from Dell 
support, or one of the "password removing" services on-line, I was not 
aware of any other trivial way to reset the BIOS or its passwords if the 
chassis is secured (some PowerEdge models seem to have a jumper that can 
be used to reset BIOS passwords).

@alex

-- 
mailto:alex.dupuy at mac.com
