I have a mandatory BIOS password on my work computer. Some Catbert character thought of it as a good security feature. Now, whenever I need to reboot my computer, I need to sit next to it.
I used to grab a cup of coffee while it was rebooting, and all I needed to do was log into Windows once that was done. Now I need to sit next to it through the whole shutdown process waiting for the BIOS password, and only then can I get a coffee. If there is some update in progress, that waiting period usually puts me in an “I will kill this guy” state. I really hate waiting…
During that useless time my mind often wanders to my first Pentium-class computer. There you could set a “stealth” BIOS password (I forgot the official name of that feature). If such a password was set, the system would boot up without asking for anything. Everything seemed normal until you tried to use the keyboard or mouse – they were locked. Only once you entered your password would the BIOS release control of the PS/2 ports and Windows would take over. Since Windows worked normally even without the password, you could rely on this feature even across reboots.
I have a pretty good idea why that feature is gone – USB. The BIOS can intercept and handle PS/2 keyboards quite easily even once Windows is up and running. Since Windows talks with the keyboard over the BIOS, it can choose whether to pass characters or not. With USB things get complicated.
Once Windows takes over USB control (and that is fairly early in the boot process), there is no simple way the BIOS can restrict it. The only approach that would work in that case would be some hardware virtualization. The BIOS would have control over the physical USB and Windows would get a virtualized version controlled by the BIOS.
I am quite sure that someone would do it if there weren’t three big problems – compatibility, performance and cost. Compatibility would be the easiest to solve. Performance (latency) could be lowered by employing ASICs. However, the cost to do that would be high. And all that because of a feature that is not that necessary to begin with.
Sometimes I long for simpler times… :)