Is it possible to add some "bios like" password on the N900?
I already have a password once you boot up the N900, but the problem is that if you use the USB cable while the phone is off, you can still access to your files.

Maybe this idea can be implemented with the dualboot option?
So that it will ask a password before entering the boot menu.

Hooking into /sbin/preinit for input and matching a string is the only option for now.

How can we do this?

Are you sure about this?
I can not access the files.

Hmm that's weird... Somehow it worked for me before (or was it really before I installed the dualboot menu )

Anyway, it's still more safe to have a bios like password so people can't bootup some other OS that is installed (like NITDroid or Ubuntu/MER)

Oh, as low level as that, for the clever-er h4xx0rs.
Inject code somewhere in NOLO that loads some simple password verification screen, jmps to some address in memory, then if the password is OK, jmps back to NOLO?

The real solution for file protection is encryption, every other "if password == "whatever"" method is simply broken. Against some random theft it might be enough, but I always assume that not only idiots can/will eventually steal my phone and this is what you must do if you want real security.

Password input in /sbin/preinit is sufficient for your little sister, some non IT interested "friend", the thief in the metro. But this concept would be based on assumptions about your attacker. And if you want to do it right, you shouldn't underestimate the evil guys. Either way, the lock code is enough for the random, stupid thief who should be more interested in the device than in your files.

And yes HtheB is basically right. It's possible to boot another OS through an USB connection with the flasher and mount the EMMC partitions (if they are not encrypted). The question is always if a thief is smart enough to do that.

Modifing NOLO, while technically interesting(and hard), is definitly overkill.

Activate the lock code, timer 5 minutes. Encrypt the MyDocs partition(for example, with truecrypt) and swap. This will eventually destroy mass-storage mode for it if you don't patch some scripts.
There is some stuff on the home partition as well, but encrypting it requires to modify bootscripts and other stuff. For the beginning, mydocs and lock code should be enough.

If you are new to encryption, there is a learning curve. If you want to do this, read. google. read and google.

closing words:
If you want real security, you must sacrifice some usability.

That behaviour was removed in one of the PR updates (1.1 or 1.2 I think), but of course your general point still stands.

If you want, you can take a look at my /sbin/preinit press-any-key-to-get-shell mod.

Uhhh, I believe it was in the Recovery Shell thread by Pali, a few pages in. I can link to it if people can't find it and say so.

But I THINK you could modify that general concept to give you a terminal-like prompt on the N900 for a password before proceeding. Since /sbin/preinit is effectively the first thing that runs, any time the device turns on, including when it detects being plugged in for charging or USB storage while off, you should be able to at least 'block' a person at that level (though I've noticed the "shutdown" command doesn't work within that shell as I have it installed, so you can't force a device 'off'). What you can also do is modify /sbin/preinit to simply make it ignore the booting 'fork' that it takes for USB storage mode. Instead, where /sbin/preinit has the "case" syntax where it compares the bootstate and then does different things from there, you can just alter the section for bootstate being the charging/usb storage to be identical to the normal boot - that should prevent if from exposing the internal storage to USB until the device has booted up properly, including lock code and/or SIM code.

I've never tried either or these methods, but my educated guess from memory (haven't opened /sbin/preinit in a month or two, was reverse engineering an open source version but collegiate education has left me with no time for that currently).