Coreboot/Bios/Tianocore Password NitroPC

Hi there,

I’m happy with my NitroPC, the only thing I wonder about is how to secure the initial boot with coreboot/tianocore(?) with a password. Is this possible ? If not, please implement it.
Thread model is rather a random bypasser trying to boot from usbstick i.e., than a more sophisticate attack.

cheers, varac

Hey varac,

We are aware of this drawback and it is due to the feature not being supported (properly) inside Tianocore.
Concerning the threat model, booting from a stick should not be a problem as your entire hard-disk is encrypted, means even if someone boots into a live-system there still will be no access possible to your data.

Still as you mentioned the evil-maid scenario can happen, but is more sophisticated as you say.

Best

Hi daringer,

who are “we” in this case ? Nitrokey ?
Is there any motion to add this ? I’m a complete noob to tianocore but it looks like there’s basic support for that (https://bugzilla.tianocore.org/show_bug.cgi?id=1545), so I wonder what’s the blocker of using this ? Are there are any plans to add this basic security feature to the nitroPC firmware ?
Or can you link any issue that Nitrokey came across implementing this ?

To be clear: I’m super happy about having a modern NUC supporting coreboot/tianocore, it’s just that I just asked myself how much security I gained and how much I lost from not beeing able to prevent the evil-maid attack in comparism to a common vendor UEFI.

Cheers, Varac

yep, Nitrokey in this case

It is for sure on the list, I can’t promise when it will be available, at this point.
But I’ll add a +1 due to your message :slight_smile:

best

Thanks, good to hear it’s on your list.
Another, unrelated issue: I miss the ability to auto-power-on the NitroPC after power failure.
Reason is I use it as a small server in a basement rack, and it should resume unattended after power failure. Where’s the best place to reuest such features ?