Hi!
I’m totally new to this and what I’m after is to create a secure computer. The F12 menu is a security hole since a user could mount the EFI partition and create a new boot entry. That’s why I’m thinking if it’s possible to mod the BIOS to simply remove the F12 menu or to disable the part of the BIOS that searches for new EFI boot entries?
I have a Gibabyte z170x Gaming 7 mobo.
Cheers,
Olof
@spacelime :
Welcome at Win-RAID Forum!
You probably have to modify one of the system BIOS modules, but I don’t know which one and how to do it.
Regards
Dieter (alias Fernando)
Ok, it sounds like it might be doable at least then =)
I wonder if it would be possible to simply search through the bios image with a hex editor and find the hex code representing an F12 keypress?
EDIT by Fernando: Unneeded parts of the fully quoted text removed (to save space and to improve the readbility)
I do not recommend to modify any system BIOS module, unless you know exactly what and how to do it. The risk of a bricked mainboard is very high and generally not worth the demanded modding effect.
Gigabyte board isn’t a good base for “secure” PC, because of the following reasons:
1. They use a special descriptor layout that effectively disables any security provided by flash descriptor.
2. They don’t have any BIOS reflash protection but AMI BIOS Lock, which is setup-controlled and may even be disabled by default.
3. They don’t validate their BIOS updates, so everything can be flashed with ease.
4. They use legacy password storage mechanism, and your BIOS password can be decrypted in a second, if BIOS image is obtained.
5. Disabling of BBS popup menu doesn’t prevent anyone from booting anything, because with Windows 8.1 and 10 you can select next bootable device from Restart menu, Linux have GRUB shell that is capable of doing the same, and any legacy system that uses MBR (like Windows 7) can be bypassed by writing bottloader code to the MBR directly.
What you need to do instead of disabling F12 menu is to study, enable, and use SecureBoot. It will prevent loading unsigned bootloaders at all, and if you generate keys for yourself and remove preinstalled Microsoft ones, no one can load anything on your system, except you. Start with this guides to know more: 1, 2, 3.
Thank you, I will take that into concideration. I sure don’t want to risk bricking my board. However i says in my bios that it is a "dual bios". As I understand it this simply means that there is a backup that could be used to restore it to the original state in case I would flash it into oblivion. Or is there a risk of breaking this backup as well if not careful?
EDIT by Fernando: Quote codes corrected
Thank you very much for your suggestions. Though I should explain that actually the only person I’m trying to secure the computer against is myself. =)
I just don’t want to spend too much time on the computer and it’s nice not having to resist and instead let the computer handle the restriciton. I used to have my computer set up so that it only let me use it a certain amount of time a day, and I couldn’t cheat even if I wanted to. This worked with the legacy bios because the bootloader whas in the MBR and since I used a non-admin account for everday use I didn’t have rights to modify the MBR. However since upgrading to UEFI I can simply go into disk utility (I’m using OSX primarily), create a new EFI partition and boot up whatever (Yes amazingly OSX let’s you go wild with partitions without even using sudo!). To get around this I need a way to make sure that the computer is always booting into clover (the osx bootloader). That’s why I’m looking into disabling F12.
EDIT by Fernando: Quote codes corrected