1. Technical Field
The present invention generally relates to data processing system access control and in particular to password controlled access during power up initialization. Still more particularly, the present invention relates to preserving security of a password employed during power up initialization while allowing the password to be employed by the operating system.
2. Description of the Related Art
Many personal computer systems employ various password schemes to control system behavior before the operating system is started. For example, where a system is used by more than one user, the password may be employed to set “preferences,” or user-specific attributes for the operating system behavior.
A potential security problem arises as a result of how the passwords are stored in the system. Particularly on low cost systems, such passwords are commonly stored in a CMOS memory and can be easily read by a program which is run after the operating system is started. Various storage techniques may be employed in storing the passwords to make them less accessible than plain ASCII text strings, such as storing strings of keyboard scan codes or storing a hash of the ASCII text string or keyboard scan code string.
The most secure technique for password storage is to keep the passwords in a nonvolatile storage device which can be locked down “hard” (i.e., requiring a reset to unlock) before the operating system is started. On some systems, several other types of information which is considered sensitive, such as the order of boot device list, is also saved in this lockable storage device.
Because this technique prevents access to the passwords after the operating system is started, use of the passwords in any other environment other than the “pre-boot” environment is precluded. In some situations, however, use of the passwords to verify the user's identity during operation after the operating system is started may be useful.
It would be desirable, therefore, to provide a mechanism for maintaining the security of “pre-boot” passwords while allowing use of such passwords after the operating system is started.