Access to the hardware settings, the boot sequence, and settings related to certain hardware/software functionality of a computer is protected by an access password for the Basic Input/Output Services (BIOS). While a simple and memorable password can help mitigate the risk of password loss, it provides weaker security, especially if the password is reused across multiple machines of a large fleet. This disclosure describes techniques for automated, decentralized management of machine-specific BIOS passwords using a centrally managed policy file that each machine fetches to determine whether its current BIOS password is to be rekeyed. If a BIOS password change is required, a new BIOS password for the machine is generated and stored locally, and then stored in a central repository. The password change operation on each machine is organized into sub-processes arranged in a strict sequence such that any sub-process can begin only after the previous one has completed and cannot be executed again until the entire chain has finished. A syncer function is executed at the end of each sub-process to update the execution state on the local disk before the next sub-process is initiated. The decentralized operation is interruptible at any stage and provides operational flexibility and scale without the risk of password loss.
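The chain of sub-processes with a syncer checkpoint after each stage, as an added illustration of the scheme the abstract describes; this is not code from the disclosure. The policy source, the central repository (a dict) and the function that sets the BIOS password are hypothetical stand-ins, and the policy content and host name are constructed. The point shown is that an interruption in one stage leaves the state file on disk, so the next run resumes at that stage and never regenerates or re-stores a password that was already recorded.

```python
import json
import os
import secrets
import string
import tempfile
import time

# Strict order of sub-processes: a stage may run only after the previous one is
# recorded as complete, and no stage repeats until the whole chain has finished.
STAGES = ["fetch_policy", "decide", "generate", "store_central", "apply"]


def generate_password(length=20):
    """Per-machine random password from a conservative alphabet (letters and digits)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def sync_state(path, state):
    """Syncer: atomically write the execution state to local disk (temp file, fsync,
    rename) so a crash between stages never leaves a half-written or lost record."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
        fh.flush()
        os.fsync(fh.fileno())
    os.chmod(tmp, 0o600)          # the local record holds the password: owner-only (assumption)
    os.replace(tmp, path)


class RekeyChain:
    def __init__(self, state_path, machine_id, policy_source, central_store, apply_fn, now=time.time):
        self.state_path = state_path
        self.policy_source = policy_source   # hypothetical: returns the fetched policy dict
        self.central_store = central_store   # dict standing in for the central repository
        self.apply_fn = apply_fn             # hypothetical: sets the BIOS password on this host
        self.now = now
        if os.path.exists(state_path):
            with open(state_path) as fh:
                self.state = json.load(fh)   # resume from the last synced stage
        else:
            self.state = {"machine_id": machine_id, "completed": [], "rekeyed_at": 0, "password": None}

    def _fetch_policy(self):
        self.state["policy"] = self.policy_source()

    def _decide(self):
        max_age = self.state["policy"]["max_age_days"] * 86400
        self.state["rekey_required"] = self.now() - self.state["rekeyed_at"] > max_age

    def _generate(self):
        # The syncer persists this field to the state file, which is the local copy.
        self.state["pending_password"] = generate_password()

    def _store_central(self):
        self.central_store[self.state["machine_id"]] = self.state["pending_password"]

    def _apply(self):
        self.apply_fn(self.state["machine_id"], self.state["pending_password"])
        self.state["password"] = self.state.pop("pending_password")
        self.state["rekeyed_at"] = self.now()

    def run(self):
        """Execute the remaining stages in order; returns the stages run by this call."""
        ran = []
        for idx, stage in enumerate(STAGES):
            if stage in self.state["completed"]:
                continue                     # done earlier in this chain: never re-run
            assert all(s in self.state["completed"] for s in STAGES[:idx])
            getattr(self, "_" + stage)()
            ran.append(stage)
            self.state["completed"].append(stage)
            sync_state(self.state_path, self.state)   # syncer runs after every stage
            if stage == "decide" and not self.state["rekey_required"]:
                break                        # policy says no rekey: chain ends early
        # Chain finished: clear progress so the next policy check may start a new chain.
        self.state["completed"] = []
        for key in ("policy", "rekey_required"):
            self.state.pop(key, None)
        sync_state(self.state_path, self.state)
        return ran


def demo():
    """Constructed scenario: the apply stage is interrupted once, then the chain resumes."""
    state_path = os.path.join(tempfile.mkdtemp(), "bios_rekey_state.json")
    central, calls = {}, {"apply": 0}        # constructed central repository and call counter

    def flaky_apply(machine_id, password):
        calls["apply"] += 1
        if calls["apply"] == 1:
            raise RuntimeError("simulated interruption during apply")

    def policy_source():                     # constructed policy file content
        return {"max_age_days": 30}

    try:
        RekeyChain(state_path, "host-0001", policy_source, central, flaky_apply).run()
    except RuntimeError:
        pass                                 # state file records everything up to store_central
    resumed = RekeyChain(state_path, "host-0001", policy_source, central, flaky_apply)
    resumed_stages = resumed.run()           # only "apply" runs; the password is unchanged
    again = RekeyChain(state_path, "host-0001", policy_source, central, flaky_apply).run()
    return {"resumed_stages": resumed_stages,
            "password_consistent": central["host-0001"] == resumed.state["password"],
            "apply_calls": calls["apply"],   # one failed attempt plus one success
            "next_run_stages": again}        # fresh key, so the new chain stops after "decide"
```

Running `demo()` exercises the interruption path: the first chain fails inside `apply`, the second run executes only `apply` (the generated password was already synced to disk and to the central store, so it is neither regenerated nor re-stored), and a third run stops after `decide` because the policy's age limit has not been reached. The local state file carries the password in clear text, which is why the syncer restricts its permissions; in a real deployment that file, and the central repository, need the same protection as any other credential store.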
This work is licensed under a Creative Commons Attribution 4.0 License.
Shukla, Parth, "Interruptible Decentralized Automated Management of BIOS Passwords at Scale", Technical Disclosure Commons, (August 03, 2021)