Hacker News
by nhaehnle 4544 days ago
I would second this. We know for a fact that the NSA uses BIOS malware. I don't believe we know for a fact that such malware is routinely installed by border guards, but it's not a very far-fetched worry at this point.

The technical expertise required to do so is very limited as long as you don't password-protect the BIOS: Basically, they only need to be able to plug in a USB stick and reconfigure the BIOS to boot from it.

In other words: If you leave your laptop outside of your physical control for even a few minutes, you may have to assume that it is totally compromised as long as you don't have a BIOS password.

If the laptop is outside of your control for a longer period of time, you probably have to assume that it has passed through the hands of somebody with sufficient technological know-how to work around the BIOS password as well.

2 comments

Aren't BIOS passwords useless?

For non-soldered but socketed BIOSes I think one can just take the chip out and put it into your wallet, possibly covering some pins with some dissolvable insulating substance. For soldered SPI EEPROM chips with known pinout, I think one can reflash the chip afterwards.

BIOS passwords are not always useless, depending on model.

I had a Thinkpad T42 on which I managed to set a password for editing BIOS settings that I did not remember.

I sent the laptop in to IBM for repairs to the monitor, and as part of their repairs they needed to get into the BIOS settings (I believe to run a diagnostic). Their solution was to replace the entire motherboard.

Well, I guess it was hardware types who performed the repairs, or they just didn't have the necessary equipment (an AVR board like Arduino or a PC with an old parallel "LPT" port will suffice, hardware-wise) at hand, so it was easier for them to solve it that way. :)

I was 99% positive the same could be achieved by messing with EEPROM. And, indeed, less than 10 minutes of searching yielded this unsurprising result: http://arduino.ada-language.com/recovering-ibm-thinkpad-t42-...

tl;dr: Nope, the T42's BIOS password is not secure if you allow anyone with the necessary hardware to touch the motherboard for a minute. TPM may (depending on the laptop model and firmware revision) prevent password recovery but will likely not prevent anyone from resetting them - at least this seems to be the case with Thinkpads. Next time I clean dust from my X300, maybe I'll remember this thread and check its EEPROM too. :)

So, do not rely on BIOS passwords as a strong security measure.

Do MacBooks have the option to password protect the BIOS?

Yes, you can set an EFI password on MacBooks: https://support.apple.com/kb/HT1352

Thanks. But it looks like the "Firmware Password Utility" is not available by default in OSX 10.9, and those instructions only describe how to get it for OSX 10.5 and below. Thoughts?

You have to boot into your recovery partition (Cmd+R on boot), then there's a menu option to set the firmware password, which will be active on the next reboot.