<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I may be able to answer some of the questions here:<o:p></o:p></span></a></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Does UEFI support HDD password?
<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Yes and No. UEFI is extensible, such that new drivers can be added to the firmware image. Theoretically, one such driver could transfer a password from
Firmware to the HDD directly (if technically possible – I do not know how the HDD receives its password, so if the mechanism is strict or proprietary it may not be technically possible to perform the operation). So, to do this will require the driver writer
to understand the mechanism which stores the password in the system as well as the mechanism to transfer that password to the HDD. This assumes a lot of specifics which may or may not be true. I do not believe such a driver has been written already, so
it will be a new development.<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Example: The password could be stored in a non-volatile UEFI variable (possibly even as an authenticated variable). But that storage is NOT protected,
and someone with the right knowledge and tools, who can get to the shell on your platform could possibly retrieve that data. Per your question about TPM, a greater answer awaits that question, but for this part of this question, it should be possible to store
a password (like a key) in the fTPM, but fTPM is implemented such that the key storage is a one way trip. You can put data into the storage, but you cannot retrieve the data, but rather you can ask the fTPM to confirm the key/hash you have against the data
in the store (but that data is never exposed). This is not useful to your needs.
<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">As for passing the password to the HDD, that is a question of how the HDD receives its password. If the mechanism is documented so you can bypass the
keyboard entry implementation, and put your own driver in place to send the password directly to the drive, then it should be possible. However, that is a function of the HDD and the software interface around that HDD device (and not a function of the UEFI
firmware). It may even be that the HDD does not allow input of the password, except by keyboard, as that would ensure that the person on the system at boot actually has authorization to the data.<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Your requested implementation is not a standard feature of any system I am aware of, so the hardware may not be compatible with this kind of solution.
Most people who have HDD protection, are not as interested in making it platform specific as they are in protecting the data from access by anyone not authorized. Many security people would consider this kind of implementation a security fault, as the data
is open to anyone as long as the drive stays with the platform. <o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">(several questions) Is it possible to modify UEFI firmware to bypass entering the password by hard-coding it in the UEFI firmware?<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">As stated before the UEFI firmware is provided in an open source format, and the build can be modified. If such drivers (as described above) are technically
possible (per the HDD interface and other requirements), then the firmware can be modified to run the driver and perform the operation. And as stated above, it will probably take an application to get the password into storage to begin with. So you would
have to design the entire implementation, including recovery options should the firmware be re-programmed, and other real world possibilities.<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Is TPM supported by MinnowBoard Turbot?<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The MinnowBoard MAX and Turbot do not have TPM onboard. There is some support for adding a TPM, through the I2S bus, but I do not have the details. The
MinnowBoards do have a form of TPM through the processor; this feature is referred to as fTPM (firmware TPM). This means that there is no discrete TPM part on either MinnowBoard product, but rather the processor has a TPM emulation built into it.
<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Originally, the MinnowBoard MAX was to be a non-secure system, and a discrete TPM was considered an unnecessary additional cost on the board. However
the fTPM feature was a low cost mechanism to provide UEFI secure boot, when that became a feature requirement by some customers. The fTPM feature support was added to the MinnowBoard in the 0.80 firmware release (May 2015). The firmware release notes (from
0.80 on) include a discussion of how to enable the fTPM feature. However, I doubt this will meet your needs (per discussion in question #1).
<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Is there no way to protect the firmware from reading and flashing?<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The firmware SPI part itself is not protected. There is a connector on the board itself that allows the user to update the SPI directly via a programmer,
or SPI writing utility. Beyond this, the MinnowBoard MAX/Turbot was not designed to be a ‘hardened system’; in fact, quite the opposite, as the platform was designed with experimenters in mind, allowing them access to as much of the hardware as possible. There
are no protections in the software for the SPI write access. And considering that the SPI contains the pre-boot execution code, there are even fewer protections against reading the part. <o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">So putting a password in the SPI flash would be placing it on storage that is not necessarily secure, or even safe (if someone re-flashes the firmware,
the password could be lost).<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="margin-left:0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Bottom line: The UEFI standard allows for a lot of customization of firmware, and it may be possible to implement your new feature
(in some form). However, it is not something that you will likely find “on the shelf” and will require research, solution planning/designing, and custom firmware development. It may also require some additional hardware to be added to the board to safely
and securely store and retrieve the password. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Sincerely,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:18.0pt;font-family:"French Script MT";color:#1F497D">Michael Krau</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> <o:p></o:p></span></p>
<p class="MsoNormal"><i><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">While I am an Intel employee, I do not represent Intel and am not authorized to speak for Intel. </span></i><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
</div>
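<p class="MsoNormal">Added example, not part of the original e-mail and not MinnowBoard firmware code: the reply above notes that a password kept in a non-volatile (even authenticated) UEFI variable is not protected from being read. The sketch below parses the Linux efivarfs layout (4-byte little-endian attribute mask, then data) and reports who can read a variable; the function names and the three sample entries are constructed for illustration.</p>

```python
# Added example: assess a UEFI variable as a place to keep a secret, based on
# its attribute mask. The sample entries are constructed, not firmware data.

# Attribute bits defined by the UEFI specification for GetVariable/SetVariable.
ATTRIBUTES = {
    0x01: "NON_VOLATILE",
    0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS",
    0x08: "HARDWARE_ERROR_RECORD",
    0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
    0x40: "APPEND_WRITE",
}
WRITE_AUTH = {"AUTHENTICATED_WRITE_ACCESS", "TIME_BASED_AUTHENTICATED_WRITE_ACCESS"}


def parse_efivarfs_entry(blob):
    """Split an efivarfs file image into (attribute names, payload bytes).

    Linux efivarfs exposes each variable as a file whose first four bytes are
    the little-endian attribute mask, followed by the variable data.
    """
    header, payload = blob[:4], blob[4:]
    if len(header) != 4:
        raise ValueError("entry is shorter than the 4-byte attribute header")
    mask = int.from_bytes(header, "little")
    names = {name for bit, name in ATTRIBUTES.items() if mask & bit}
    return names, payload


def secret_storage_findings(blob):
    """List the reasons this variable does not keep its payload confidential."""
    names, _payload = parse_efivarfs_entry(blob)
    findings = []
    if "BOOTSERVICE_ACCESS" in names:
        findings.append("any pre-boot code (UEFI shell, drivers) can read it")
    if "RUNTIME_ACCESS" in names:
        findings.append("the running OS can read it")
    if names & WRITE_AUTH:
        # The authenticated attributes gate SetVariable only; GetVariable
        # returns the data to any caller that can reach the variable.
        findings.append("authentication covers writes only, not reads")
    return findings


def make_entry(mask, payload):
    """Build a constructed efivarfs image for the demonstration."""
    return mask.to_bytes(4, "little") + payload


# Constructed samples: plain NV+BS+RT, time-based authenticated, boot-only.
PLAIN = make_entry(0x07, b"PLACEHOLDER")
AUTHENTICATED = make_entry(0x27, b"PLACEHOLDER")
BOOT_ONLY = make_entry(0x03, b"PLACEHOLDER")

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("authenticated", AUTHENTICATED),
                        ("boot-only", BOOT_ONLY)):
        names, payload = parse_efivarfs_entry(blob)
        print(label, sorted(names), len(payload), "bytes")
        for finding in secret_storage_findings(blob):
            print("  -", finding)
```

<p class="MsoNormal">None of the three attribute combinations yields an empty findings list, which is why a store that can only verify a secret (the fTPM behaviour described above) or separate hardware is the usual choice for confidentiality.</p>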
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><a name="_____replyseparator"></a><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> elinux-MinnowBoard [mailto:elinux-minnowboard-bounces@lists.elinux.org]
<b>On Behalf Of </b>Abdelghani Ouchabane<br>
<b>Sent:</b> Monday, April 04, 2016 6:45 AM<br>
<b>To:</b> MinnowBoard Development and Community Discussion <elinux-minnowboard@lists.elinux.org>; Hawley, John <john.hawley@intel.com><br>
<b>Subject:</b> Re: [MinnowBoard] MinnowBoard Turbot & mSATA self encrypted SSD & UEFI<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 01/04/16 19:39, John Hawley wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Inline -JH<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>On 4/1/2016 8:40 AM, Abdelghani Ouchabane wrote:<o:p></o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Hello all,<o:p></o:p></pre>
<pre> I am planning to plug in a mSATA self encrypted SSD to the board but I<o:p></o:p></pre>
<pre>have some concerns:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>1. As I understood a self encrypted SSD works without any setup and<o:p></o:p></pre>
<pre>configuration but the user needs to protect the drive's access with a<o:p></o:p></pre>
<pre>HDD password, so my question is: does UEFI support HDD password?<o:p></o:p></pre>
</blockquote>
<pre><o:p> </o:p></pre>
<pre>To be honest, I'm not sure how most hard drives handle this, there's a<o:p></o:p></pre>
<pre>couple of possible ways, but I don't believe it's the responsibility of<o:p></o:p></pre>
<pre>the firmware to directly include this kind of support. I.E. the<o:p></o:p></pre>
<pre>solution should be firmware agnostic, or the support burden for these<o:p></o:p></pre>
<pre>drives may never reach other machines. It's possible someone from the<o:p></o:p></pre>
<pre>firmware team, who's on the list, knows something I don't and will<o:p></o:p></pre>
<pre>contradict me here, but I'm pretty sure the unlocking probably happens,<o:p></o:p></pre>
<pre>effectively, as a first stage boot loader on the drive - so it's<o:p></o:p></pre>
<pre>possible it's completely outside the firmware's hands even, as it may<o:p></o:p></pre>
<pre>(effectively) be passed off to the real boot loader already.<o:p></o:p></pre>
</blockquote>
<p class="MsoNormal">Thanks John.<br>
<br>
Well, as I understood it, the data encryption and decryption is done automatically on the hard drive (it works regardless of the motherboard), but SEDs also allow you to set what is called an Authentication Key (AK), which acts as a password that locks the drive until
the key is entered. And the board has to have the ability to enter the Authentication Key, and this should be implemented in the UEFI.<br>
<br>
Please correct me if I am wrong.<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>2. If yes, I want to have non-interactive boot, I mean the user will not<o:p></o:p></pre>
<pre>have to enter the password on every boot, is it possible to modify UEFI<o:p></o:p></pre>
<pre>firmware to bypass entering the password by hard-coding it in the UEFI<o:p></o:p></pre>
<pre>firmware?<o:p></o:p></pre>
</blockquote>
<pre><o:p> </o:p></pre>
<pre>It's going to be hard to have any reasonable discussion on this point<o:p></o:p></pre>
<pre>without understanding the threat model you are worrying about here. At<o:p></o:p></pre>
</blockquote>
<p class="MsoNormal">Sure, I want to protect the content of the SSD, so the user will not be able to look into its data and only my system can boot and read the content of the SSD.<br>
<br>
So, if the drive is plugged into a different computer the drive will still require the AK to be entered in order for the drive to unlock.<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre><o:p> </o:p></pre>
<pre>a quick glance, what you are proposing only really protects you against<o:p></o:p></pre>
<pre>a drive being separated from the board permanently, and it being forever<o:p></o:p></pre>
</blockquote>
<p class="MsoNormal">Right<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre><o:p> </o:p></pre>
<pre>"locked". I suppose something similar could be accomplished by<o:p></o:p></pre>
<pre>encrypting the drive based on a key from the TPM, but that's a level of<o:p></o:p></pre>
</blockquote>
<p class="MsoNormal">Is TPM supported by MinnowBoard Turbot?<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre><o:p> </o:p></pre>
<pre>interaction I don't believe I've seen in production, and I don't believe<o:p></o:p></pre>
<pre>a SED would work well in that case, as I don't believe SATA has a good<o:p></o:p></pre>
<pre>communications channel to the TPM.<o:p></o:p></pre>
</blockquote>
<p class="MsoNormal">Do you mean filesystem/disk encryption?<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Either way I'm not sure, with a SED, you can hard-code the password into<o:p></o:p></pre>
<pre>the firmware without a fair amount of work to accomplish this, and you'd<o:p></o:p></pre>
<pre>be stuck on the hook to support your custom firmware going forward.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>I've seen some suggestions / thoughts on software encrypted drives, such<o:p></o:p></pre>
<pre>as luks volumes under Linux, being modified to read key data from usb<o:p></o:p></pre>
<pre>keys that are plugged into the system, but that's a purely software<o:p></o:p></pre>
<pre>encryption solution (though that has the advantage of being slightly<o:p></o:p></pre>
<pre>more flexible in the general sense), but again doesn't have any direct<o:p></o:p></pre>
<pre>correlation to the firmware.<o:p></o:p></pre>
</blockquote>
<p class="MsoNormal">I see<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>3. Is it possible to lock the UEFI firmware's flashing in the<o:p></o:p></pre>
<pre>MinnowBoard Turbot, so no one can flash UEFI firmware without a password?<o:p></o:p></pre>
</blockquote>
<pre><o:p> </o:p></pre>
<pre>Considering that the Turbot has a physical header where the entire<o:p></o:p></pre>
<pre>firmware flash can be read/written to, I'm not sure there's really a way<o:p></o:p></pre>
<pre>to lock the firmware the way you are intending, but this might be a moot<o:p></o:p></pre>
<pre>point based on questions #1 and #2<o:p></o:p></pre>
</blockquote>
<p class="MsoNormal">So, there is no way to protect the firmware from reading and flashing.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre><o:p> </o:p></pre>
<pre>Many thanks in advance<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>My best regards<o:p></o:p></pre>
<pre>Ghani<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>This email has been scanned by Barracuda Networks.<o:p></o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>elinux-MinnowBoard mailing list<o:p></o:p></pre>
<pre><a href="mailto:elinux-MinnowBoard@lists.elinux.org">elinux-MinnowBoard@lists.elinux.org</a><o:p></o:p></pre>
<pre><a href="http://lists.elinux.org/mailman/listinfo/elinux-minnowboard">http://lists.elinux.org/mailman/listinfo/elinux-minnowboard</a><o:p></o:p></pre>
</blockquote>
</blockquote>
</div>
</body>
</html>