[Semibug] OpenBSD - Authenticate boot into single user mode

Josh Grosse josh at jggimi.net
Wed Jun 2 07:02:09 EDT 2021

On Wed, Jun 02, 2021 at 04:03:23AM -0600, Jonathan Drews wrote:
> Hi People:
>   I have an OpenBSD laptop. I was disturbed to find this:
> I Forgot My Root Password
> https://www.openbsd.org/faq/faq8.html
> You boot into single user mode;
> boot> boot -s
> and now have root privileges and can change the root password!
> My question is how do I prevent this? I thought of using a BIOS
> level password. That would suspend the boot process until you
> entered a password. However the thief could remove the CMOS battery
> and the BIOS would reset.
> How can I require authentication on single user mode boot in OpenBSD?
> Kind regards,
> Jonathan

A password-protected boot alone does not prevent a wide variety of Evil
Maid attacks, such as adding key loggers, or replicating data from disk
drives. Physical security is outside the scope of software.

With that understanding, OpenBSD offers Full Disk Encryption ("FDE")
through the softraid(4) driver's CRYPTO discipline, where the bootloader
will require either a key disk or prompt for a passphrase in order to boot
an encrypted drive.  This FDE solution is available for the amd64, i386,
and sparc64 architectures.  This does not eliminate all Evil Maid attacks,
but it does protect data-at-rest by encrypting all data but the bootloader,
physical disklabel(5), and MBR or GPT.

On all architectures non-boot disk encryption is available at the filesystem
level either through softraid(4) or via vnconfig(8).
