Physically securing FreeBSD workstations & /boot/boot2

Roland Smith rsmith at
Thu Aug 6 20:21:07 UTC 2009

On Thu, Aug 06, 2009 at 01:35:55PM -0600, Tim Judd wrote:
> On 8/6/09, Nerius Landys <nlandys at> wrote:
> > Hi.  I am attempting to secure some workstations in such a way that a
> > user would not be able to gain full control of the computer (only user
> > access). However, they are able to see and touch the physical
> > workstation.  Things I'm trying to avoid, to list a couple of
> > examples:
> >
> > 1. Go to BIOS settings and configure it to boot from CD first, then
> > stick in a CD.  To prevent this I've put BIOS to only boot from hard
> > drive and I've password-locked the BIOS.
> You can't beat physical security.  If you have access to the hardware,
> you can TAKE the box, saw it open, unmount the hard drive, slave it
> into another system, mount it as a data drive and steal the info.
> geli encrypting the drive can secure the data on the disk, but they
> have your disk.  It's as good as stolen data, even if they are unable
> to decrypt it.
> After sawing open the case, move the jumper to reset CMOS data, power
> up, change boot order, and boot off CD.
> After BIOS is back to normal, stick in a USB drive, boot off the HDD,
> which is self-decrypting the geli encryption, copy the data off, and
> scrub the HDD and install Windows on it.  The hacker's OS  (Just
> Kidding, all.  Little humor is all I'm doing).

You can (and should) set geli up to require a passphrase, instead of or
next to a key-file. Using only a key-file is like sticking a tin-opener
to the tin.

> > 2. Go to loader menu and load (boot kernel) with some custom
> > parameters or something.  I've secured the loader menu by
> > password-protecting it (/boot/loader.conf has password) and
> > /boot/loader.conf is not world-readable.
> If you can do the above, even booting from alternate medium, no other
> means of security will apply.
> > And I'm sure there are other things, I just forgot them.
> >
> > So my question is: Is this [securing of the workstation] worthwhile,
> > or should I just forget about this kind of security?  I want to make
> > it so that the only way to gain full control of the computer is by
> > physically opening up the box.
> >
> > I noticed that boot2 brings up a menu like this one when I press space
> > during the initial boot blocks:
> >
> > >> FreeBSD/i386 BOOT
> > Default: 0:ad(0,a)/boot/loader
> > boot:
> >
> > I guess it would be possible to stick in a floppy disk or something
> > and boot from there?  So my question is, is this a threat to my plan,
> > and if so, how can I disable this prompt?

Disconnect or remove the floppy. And disable booting from USB devices.

[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
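
The thread describes a /boot/loader.conf that carries the loader password and is not world-readable. The following is an added example, not part of the original messages, of a small sh check for those two properties; the function name `audit_loader_conf` and its return codes are assumptions made for illustration, and the write-permission check goes slightly beyond what the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a loader.conf for the two
# properties the original poster describes. audit_loader_conf is a
# hypothetical helper name.
# Returns 0 if all checks pass, 1 if any check fails, 2 if the file is missing.
audit_loader_conf() {
    conf=$1
    rc=0
    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf"
        return 2
    fi
    # Require an uncommented password= line with a non-empty value.
    # Anchoring at line start ignores commented-out lines and other
    # variables whose names merely end in "password".
    if grep -Eq '^[[:space:]]*password[[:space:]]*=[[:space:]]*"?[^"[:space:]#]' "$conf"; then
        echo "OK:   loader password is set"
    else
        echo "FAIL: no loader password set in $conf"
        rc=1
    fi
    # The file holds the password, so ordinary users must not be able to read it.
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "FAIL: $conf is world-readable"
        rc=1
    else
        echo "OK:   $conf is not world-readable"
    fi
    # Extra check beyond the thread: a group- or world-writable file would
    # let a non-root user remove or replace the password.
    if [ -n "$(find "$conf" \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $conf is writable by group or others"
        rc=1
    else
        echo "OK:   $conf is not group/world-writable"
    fi
    return $rc
}

# Stand-alone use: sh audit.sh /boot/loader.conf
if [ $# -gt 0 ]; then
    audit_loader_conf "$1"
fi
```
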