>> To have a keystroke essentially disable the NVRAM security seems a
>> bit contradictory to me... but I can't argue with the facts.

> No, it's reasonable.  You can't do this on a serial console, so if
> you're making these keystrokes, you've got physical access to the
> machine.  At that point, it's compromised no matter what you do.  You
> can always just open it up and pop in a new NVRAM chip, or steal or
> replace the drive, or whatever.

Physical access to the keyboard does not equal physical access to the
inside of the CPU case.

Demanding the ability to power-cycle the machine as well helps even it
out, some.  It still seems dangerous to me, as for example in a public
lab where the machine has a lock through the case lock point but is
otherwise unrestricted - in particular, the keyboard and power switch
are accessible.  I'd lay long odds lots of universities have labs set
up like that.

Now, if this also depended on a jumper on the main board, I'd have no
problem at all with it.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B