Skip to content

Commit

Permalink
Create admin-restriction.md
Browse files Browse the repository at this point in the history
  • Loading branch information
electrikjesus authored Mar 1, 2024
1 parent 1971778 commit afac834
Showing 1 changed file with 37 additions and 0 deletions.
37 changes: 37 additions & 0 deletions knowledgebase/bliss-bass/features/admin-restriction.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# Admin Restriction

Some Bass Lockdown builds come with a password restricted Admin mode. We use a grub flag to pass the password through to the system, which then creates a sha256 hash of that string and compares it against the hash saved within the system. \
In order to enter Admin mode, you must manually boot into Grub by tapping the ‘shift’ key while booting, and select the Admin mode menu option, then tap ‘e’ to edit. From there, you will add:


```
'BLISSBOOTMODE_PASSWORD=your_companies_complex_password_schema1234'
```


Where ‘your_companies_complex_password_schema1234’ is replaced with the password set in the source. Failure to enter the correct password here will result in the device rebooting into Lockdown mode.

In order to meet the strict security needs, changes in the bootloader are made to always default to Lockdown mode. So in the event of a failed password attempt, the device will reboot and boot back into the default Lockdown mode unless the user prompts the grub menu to show and enters the correct bootmode password in order to boot into Admin mode or Debugging Admin mode.


### Creating a New Admin Password

To create a new Admin mode password, you will need to generate a new hash and update the source file located at vendor/branding/security/blissmode_password. The supported characters for the password are (24 characters [a-z][A-Z][0-9][@#$%&]). To generate a new hash, we use the simple script:


```
$ echo -n "your_companies_complex_password_schema1234" | sha256sum > blissmode_password
```


In order to confirm that a set password is working, you can run a check on the hashed sum values from Linux: \



```
$ BLISSMODE_PASSWORD="your_companies_complex_password_schema1234"; if [ "$(echo -n "$BLISSBOOTMODE_PASSWORD" | sha256sum)" != "$(cat blissmode_password)" ]; then echo "its a match"; else echo "password does not match"; fi
its a match
```


We also leave feedback of a password check success or failure in the debugging shell at boot. To access that, please select the **Debugging Admin** boot option from Grub.

0 comments on commit afac834

Please sign in to comment.