> I'd say at the moment bootloader passwords are unsupported as IIRC, there are issues with keyboard not working correctly in a bunch of places.
Yeah, I think this isn't meant as a true security _control_ (certainly any matter of physical access yields many ways). But it is a defense-in-depth type measure that at least slows down someone with physical access. Definitely agree things like Bluetooth keyboards will probably never work.
Another way of looking at it is a permission separation model where, e.g., a legitimate employee might not have access to change bootloader on their own machine (think: corporate managed device) whereas someone in IT might.
To clarify further, we also recommend the use of --unrestricted, whereby password is only required for modifying configuration and not booting at all.
The CIS community also generally feels that other parameters in there might be relevant to protect, hence the suggestion to chmod 400 all the time, rather than conditionally based on password.
From that context, in my mind, I think that this still justifies the permission changes by default and not chmod back to 444 without a password being present.
A few things to add to this discussion:
> I'd say at the moment bootloader passwords are unsupported as IIRC, there are issues with keyboard not working correctly in a bunch of places.
Yeah, I think this isn't meant as a true security _control_ (certainly any matter of physical access yields many ways). But it is a defense-in-depth type measure that at least slows down someone with physical access. Definitely agree things like Bluetooth keyboards will probably never work.
Another way of looking at it is a permission separation model where, e.g., a legitimate employee might not have access to change bootloader on their own machine (think: corporate managed device) whereas someone in IT might.
To clarify further, we also recommend the use of --unrestricted, whereby password is only required for modifying configuration and not booting at all.
The CIS community also generally feels that other parameters in there might be relevant to protect, hence the suggestion to chmod 400 all the time, rather than conditionally based on password.
From that context, in my mind, I think that this still justifies the permission changes by default and not chmod back to 444 without a password being present.