I'm looking for a little guidance on the new firmware password binary. Even Google can't provide much more than the man page:
Usage: firmwarepasswd [OPTION] ? Show usage -h Show usage -setpasswd Set a firmware password. You will be promted for passwords as needed. NOTE: if this is the first password set, and no mode is in place, the mode will automatically be set to "command" -setmode [mode] Set mode to: "command" - password required to change boot disk "full" - password required on all startups NOTE: cannot set a mode without having set a password -mode Prints out the current mode setting -check Prints out whether there is / isn't a firmware password is set -delete Delete current firmware password and mode setting -verify Verify current firmware password -unlockseed Generates a firmware password recovery key NOTE: Machine must be stable for this command to generate a valid seed. No pending changes that need a restart. NOTE: Seed is only valid until the next time a firmware password command occurs.
My assumption is that the returned value when I run
is intended to allow the removal of an unknown EFI password, but I can't figure out how to use this value to modify the firmware password. Using it in lieu of the actual password in
returns an incorrect password error.
We are in the process of switching EFI passwords as the old password was lengthy (>30 characters) and was an obstacle for helpdesk techs when they needed to EFI boot a device. I have written a script using firmwarepasswd that checks the actual password against a few supplied options, and sets some dummy receipts so that I can capture the EFI password in an EA. This has unearthed a handful of devices that have EFI enabled, but the password is set to a value that is not on my list.
Previously the EFI password was set via policy, but never verified. It appears that the policy failed on some devices and the students took it upon themselves to set the passwords. Hence the EA going forward.
Thanks in advance.