Security hole in firmware password by installing another boot loader?
I set up a firmware password on my MacBook. One thing I don't understand is how I can install a tool such as rEFIt, and effectively bypass the entire firmware password (i.e. installing it never asked for my original Firmware password).
It says on their website:
[...] since “refit.efi” is configured as the legitimate boot loader, it effectively circumvents the firmware password protection.
Isn't that a huge security hole in setting up a firmware password? Doesn't that mean that securing a computer by setting up a firmware password is only as strong as an admin account's password (i.e. someone who has privileges to install a tool such as rEFIt)?
Yes, but this is not particularly a problem with rEFIt; it's intrinsic to the way the firmware password and admin access relate to each other -- if you have either one, you can take control of the other. For instance, if you have admin access, you can disable or change the firmware password with the nvram command. You can also change the boot volume with System Preferences, effectively bypassing the firmware password protection.
Basically, the firmware password is there to protect the integrity of the computer until the OS starts and can start enforcing its idea of access controls, at which point admin passwords are the relevant control. Don't think of the firmware password as a higher-level control; it's more of a supplement.
Yes, that is correct, sadly. Although you do need admin access to install an EFI loader to circumvent this, most accounts don't have root access, and as such you can have an admin account with one password but a different root password altogether. Or you can simply deny your account root access and make another root password.
To add on to this, firmware passwords are not very strong to begin with. If I had physical access to your laptop I could simply reset the PRAM and your password would be null and void. It's not supposed to be very strong (to be honest I see no point in it).
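Since the answers above establish that anyone with admin access can turn the firmware password off, the useful defender-side habit is to verify periodically that it is still enabled. The script below is an added example for that check; it is not from the original thread. It assumes macOS ships `/usr/sbin/firmwarepasswd` (present since 10.10), that `firmwarepasswd -check` prints a line of the form `Password Enabled: Yes` or `Password Enabled: No`, and that `firmwarepasswd -mode` prints `Mode: command` or `Mode: full`; the parsing functions take that text as an argument so they can be exercised on constructed samples when the tool is not present.

```shell
#!/bin/sh
# Added example (not from the original thread): audit whether a Mac's firmware
# password is still enabled, the way an administrator would check the control.
# Assumptions: /usr/sbin/firmwarepasswd exists (macOS 10.10+), "-check" output
# contains "Password Enabled: Yes|No" and "-mode" output contains "Mode: <word>".

# Parse "-check" output passed as $1; succeed (0) if the password is enabled.
fw_password_enabled() {
    printf '%s\n' "$1" | grep -qi '^Password Enabled: *Yes'
}

# Parse "-mode" output passed as $1; print the mode word ("command" or "full").
fw_password_mode() {
    printf '%s\n' "$1" | sed -n 's/^Mode: *//p' | head -n 1
}

# Collect real output when the tool is available and we are root; otherwise use
# constructed sample text so the script still runs for demonstration elsewhere.
audit_firmware_password() {
    if command -v firmwarepasswd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        check_out=$(firmwarepasswd -check 2>/dev/null)
        mode_out=$(firmwarepasswd -mode 2>/dev/null)
    else
        check_out="Password Enabled: No"   # constructed sample
        mode_out="Mode: command"            # constructed sample
    fi

    if fw_password_enabled "$check_out"; then
        echo "firmware password: ENABLED (mode: $(fw_password_mode "$mode_out"))"
        return 0
    fi
    echo "firmware password: DISABLED - the startup disk can be changed freely"
    return 1
}

audit_firmware_password || echo "audit result: firmware password needs attention"
```

Run it as root on the machine you administer; a non-zero return from `audit_firmware_password` is the signal to investigate who changed the setting, since, as the answers note, that takes admin rights (or physical access followed by a PRAM reset).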