-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fingerprint unlock for boot/bios #26
Comments
It's an interesting idea but I'm not sure it's worth the effort. Would auto-unlocking LUKS with Linux fingerprint login cover your use-case? I think that would give you even better security properties than the proposed approach of fingerprint in UEFI with unencrypted disk. |
Thanks for the reply @JohnAZoidberg
Well anecdotally, literally 100% of my users I've switched from lenovo to frameworks have expressed disappointment in the missing feature.
And no I don't really think that would cover our use-case. Certainly a LUKS/LUKS2/bitlocker integration would be nice if added as part of a UEFI fingerprint unlock but it does not replace it. Some of our users already use LUK2 with passkey(yubikeys) auth, but they still prefer having UEFI fingerprint unlock in addition to that. The whole point is to conveniently restrict access to the computer/bios itself, not the OS. It should still function even when there is no disk/OS installed or even after a fresh OS install when nothing(ignoring initial fingerprint registration) has being configured. |
Ok I think I understand your request and it is very specific. We can consider this as a future improvement, but there are lots of pieces missing to make that work.
What's the threat model where this is needed on top of restricting access to the disk/OS? Evil maid attack that swaps out the SSD and returns the system? Or somebody steal the system and re-use it with a new SSD? Maybe we can figure out an alternative easier solution to address the concerns of your threat model. |
Thanks again for the quick response @JohnAZoidberg
I feel like ability to restrict access to the bios/secure boot/boot selection should speak for itself. Also combined with default boot order settings in the bios it can also be used to completely restrict the ability to boot to an "unexpected" disk/usb without biometric auth first. Which is a huge win in my book. The threat model is a pretty wide range:
Obviously the simpler solution would be a password to do all the same things. Especially since a password prompt is used as a backup for the biomentic auth, so it's a prerequisite anyways. But in my experience, end users will simply not use a password solution for a bios/boot auth, it's seen as far too much of an inconvenience. Even if forced, users will typically set a comically low complexity password or simply lie and disable the bios/boot password all together. Fingerprint for bios/boot auth on the other hand, users seem to love. End users especially enjoy the "seemless" OS login feature. And since it lowers the perceived inconvenience so much, it means I can easily convince users to set an extremely complex password for not only the bios/boot password but also their windows login password. End users might only need to enter in these passwords a handful of times in the entire lifetime of their device. Which is a hell of a lot lower than, "every time I boot". Anecdotally, my users just like the act of needing to enter in their fingerprint to boot in general. It seems to provide them with a level of comfort. |
Thanks for the thorough explanations! It sounds like setting a BIOS password, using passwordless disk encryption, and using fingerprint for OS login would get you 90% of the way to where you want.
|
Device Information:
BIOS VERSION:
03.05
/03.03
Standalone Operation:
Description:
It would be a really nice feature to have, especially for businesses, for the ability to require a fingerprint on boot and/or access bios/admin/secure boot/boot selection menus. Lenovos implementation of this has been very good.
Expected behavior:
Bonus Points:
Operating System:
The text was updated successfully, but these errors were encountered: