#!/bin/bash
# Script to implement an EFI password policy on a Casper Mac running 10.8 or better.
# Author: [email protected]
# Version 1.0 : 18-10-2013 - Initial version
# Version 1.1 : 29-10-2013 - Moved Recovery HD mount/dismount into their own functions for easy access
# Version 1.2 : 29-10-2013 - OS Version checking because Recovery path changes
# ---------------------------------------------------------------------------
# Recovery environment locations. Kept together so they are easy to adjust.
# ---------------------------------------------------------------------------
# Where the attached Base System image appears; the script uses the first
# path when osvers is 8 and the second when osvers is 9.
MLmntpath="/Volumes/Mac OS X Base System"
MVmntpath="/Volumes/OS X Base System"
# setregproptool, relative to whichever Base System mount point applies.
toolpath="Applications/Utilities/Firmware Password Utility.app/Contents/Resources/setregproptool"
# Disk image that holds the Base System, inside the Recovery HD volume.
basesyspath="/Volumes/Recovery HD/com.apple.recovery.boot/BaseSystem.dmg"
# Volume name handed to diskutil mount/unmount.
recoverypath='Recovery HD'

# ---------------------------------------------------------------------------
# Policy parameters (positional arguments 4 to 7).
# ---------------------------------------------------------------------------
# $4 - operating mode, one of:
#   initial - install the first EFI password; needs the security mode.
#   change  - replace the EFI password; needs the correct old password.
#   remove  - clear the EFI password; needs the correct old password.
operatingmode="${4}"

# $5 / $6 - new and old firmware passwords.
# NOTE(review): both secrets arrive as plain positional arguments and are
# later passed to setregproptool on its command line, so they can show up in
# process listings and in any shell tracing (set -x) while the script runs.
# Limit who can read the policy definition and its logs accordingly.
newpassword="${5}"
oldpassword="${6}"

# $7 - security mode, required by "initial":
#   full    - password is requested on every boot.
#   command - password is requested only when the boot picker is invoked
#             with the alt key.
securitymode="${7}"

# Second dot-separated field of the product version (the "8" in 10.8.x).
# Every OS check further down compares against this number.
osvers="$(sw_vers -productVersion | awk -F '.' '{ print $2 }')"
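#######################################
# Mount the Recovery HD volume and attach the Base System image inside it,
# which is where setregproptool lives.
# Globals:   osvers, recoverypath, basesyspath (read)
# Outputs:   error text on stdout, matching the rest of the script
# Returns:   0 when both steps succeed. Exits the whole script with status 1
#            on an unrecognised OS version or when either step fails, so the
#            caller never goes on to run the tool from a path that is not
#            mounted.
#######################################
function openrecovery {
  # 10.8 and 10.9 need exactly the same mount sequence; only the resulting
  # Base System mount point differs, and that is the caller's concern.
  if [[ ${osvers} -ne 8 && ${osvers} -ne 9 ]]; then
    echo "Error: Mount Recovery Partition: I've no idea what this OS version is! ${osvers}"
    exit 1
  fi

  if ! /usr/sbin/diskutil mount "$recoverypath"; then
    echo "Error: Mount Recovery Partition: could not mount ${recoverypath}."
    exit 1
  fi

  if ! /usr/bin/hdiutil attach -quiet -nobrowse "$basesyspath"; then
    echo "Error: Mount Recovery Partition: could not attach ${basesyspath}."
    # Best effort: do not leave the Recovery HD mounted after a failed run.
    /usr/sbin/diskutil unmount "$recoverypath"
    exit 1
  fi
}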
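#######################################
# Detach the Base System image and unmount the Recovery HD volume again.
# Globals:   osvers, MLmntpath, MVmntpath, recoverypath (read)
# Outputs:   error and warning text on stdout
# Returns:   0 when both steps succeed, 1 when either fails. Exits the whole
#            script with status 1 on an unrecognised OS version.
#######################################
function closerecovery {
  local basemount
  local status=0

  # The image must be detached from the mount point it was used at. The rest
  # of the script runs the tool from MVmntpath when osvers is 9, so detaching
  # MLmntpath there would leave the Base System image attached.
  if [[ ${osvers} -eq 8 ]]; then
    basemount="$MLmntpath"
  elif [[ ${osvers} -eq 9 ]]; then
    basemount="$MVmntpath"
  else
    echo "Error: Mount Recovery Partition: I've no idea what this OS version is! ${osvers}"
    exit 1
  fi

  # Attempt both steps even if the first fails, so as much as possible is
  # cleaned up, and report what was left behind.
  if ! /usr/bin/hdiutil detach "$basemount"; then
    echo "Warning: could not detach ${basemount}."
    status=1
  fi
  if ! /usr/sbin/diskutil unmount "$recoverypath"; then
    echo "Warning: could not unmount ${recoverypath}."
    status=1
  fi

  return "$status"
}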
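# Main flow: check the OS, validate the policy parameters for the requested
# mode, mount the recovery environment, run setregproptool once, unmount, and
# report the outcome through the exit status.

# Anything older than 10.8 is not supported.
if [[ ${osvers} -lt 8 ]]; then
  echo "Unsupported OS version detected. Terminating script operation."
  exit 1
fi

# Validate the inputs for the requested mode and build the tool's argument
# list. All validation happens before anything is mounted.
#
# The arguments are kept in an array and expanded quoted. Unquoted, a
# password containing whitespace or a glob character would be split or
# expanded by the shell, and the firmware password actually set would differ
# from the one recorded in the policy.
toolargs=()
case "$operatingmode" in
  initial)
    # An empty new password would leave -p without its value, so refuse it.
    if [[ -z "$newpassword" ]]; then
      echo "Error: Missing new password in policy."
      exit 1
    fi
    # The tool call fails without a valid security mode.
    if [[ -z "$securitymode" ]]; then
      echo "Error: Missing security mode in policy. e.g. full"
      exit 1
    fi
    if [[ "$securitymode" != "full" && "$securitymode" != "command" ]]; then
      echo "Error: Incorrect security mode specified in policy. e.g. full"
      exit 1
    fi
    toolargs=(-p "$newpassword" -m "$securitymode")
    ;;
  change)
    if [[ -z "$newpassword" ]]; then
      echo "Error: Missing new password in policy."
      exit 1
    fi
    if [[ -z "$oldpassword" ]]; then
      echo "Error: Missing old password in policy."
      exit 1
    fi
    if [[ -z "$securitymode" ]]; then
      echo "Error: Missing security mode in policy. e.g. full"
      exit 1
    fi
    if [[ "$securitymode" != "full" && "$securitymode" != "command" ]]; then
      echo "Error: Incorrect security mode specified in policy. e.g. full"
      exit 1
    fi
    toolargs=(-m "$securitymode" -p "$newpassword" -o "$oldpassword")
    ;;
  remove)
    if [[ -z "$oldpassword" ]]; then
      echo "Error: Missing old password in policy."
      exit 1
    fi
    toolargs=(-d -o "$oldpassword")
    ;;
  *)
    # Unknown mode: fail the policy instead of reporting success.
    echo "Error: Incorrect operating mode specified in policy. e.g. initial, change or remove"
    exit 1
    ;;
esac

# Mount the Recovery partition
openrecovery

# The Base System mount point differs between 10.8 and 10.9.
if [[ ${osvers} -eq 8 ]]; then
  toolbin="$MLmntpath/$toolpath"
elif [[ ${osvers} -eq 9 ]]; then
  toolbin="$MVmntpath/$toolpath"
else
  echo "Error: setregproptool: I've no idea what this OS version is! ${osvers}"
  exit 1
fi

# Run the tool and keep its status, so that a rejected old password or any
# other failure is not reported as a successful policy run.
# NOTE(review): assumes setregproptool exits non-zero on failure - confirm.
# The passwords are on the tool's command line while it runs; do not enable
# shell tracing (set -x) around this call.
toolstatus=0
"$toolbin" "${toolargs[@]}" || toolstatus=$?

# Unmount the Recovery partition, whether or not the tool succeeded.
closerecovery

if (( toolstatus != 0 )); then
  echo "Error: setregproptool exited with status ${toolstatus}."
  exit 1
fi

# All done!
exit 0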