Re: [tor-talk] [OT] Secure laptop advice

[Alexander Færøy <ahf@xxxxxxxxxxxxxx>]

Hello,

On Wed, Mar 20, 2019 at 10:47:41PM -0700, muc4dollol@xxxxxxxxxxx wrote:
> What do other people think? What are other manufacturers I can
> consider?

I'm personally a big fan of Lenovo's x230 Thinkpad. Here in Denmark, you
can buy them refurbished, for cash, from many different physical shops
for around 150-300 USD. If you get the i7 model, they come with a
reasonably fast CPU that you can run Qubes OS on without problems. I use
this for my daily work with Tor and it's good enough for "Tor
the-network-daemon" development, but I think it would be too slow if I
had to compile Tor Browser on it often. They are easily upgradable, so
I'd advice you to get 16 GB of RAM and a fast SSD disk for it. The
hardware upgrades can be applied over time if you don't want to spend
too much cash upfront as you normally have to do with the newer laptops
that are less "upgradable".

For the Intel Management Engine situation, I flashed the laptop with
Coreboot and used the https://github.com/corna/me_cleaner code to
disable large parts of the management engine itself. I used a "Coreboot
distribution" (I don't think this is the right term here, sorry) called
Heads. Flashing Coreboot can feel a bit scary the first time, so if you
have a friend nearby who have done it before it might be a good idea to
have them next to you :-) Do remember to backup your current firmware
before you flash the new one onto the mainboard.

The Heads firmware bundles Coreboot, the Linux kernel, and some
user-land utilities to allow you to boot "directly" into a Linux shell
and then use the kexec system-call to load Xen and the Linux kernel to
boot into Qubes (or whatever other distribution you may use). This might
sound scary, but it comes with some shell scripts that makes all of this
easy and it feels more like a "normal" boot loading experience.

Heads have some neat features that I think are Good For Security:

1) Your /boot partition remains unencrypted, but your initramfs, Xen
   hypervisor (if you use Qubes), and Linux kernel image are all signed
   with your GnuPG key. The GnuPG key is put into your Heads firmware
   image before you flash it.

   This means that every time you upgrade Xen or the Linux kernel you
   need to sign your new kernel(s) with your GnuPG key. I can live with
   that.

   When Heads boots it will validate the signatures of your kernel(s) on
   the (unencrypted & unauthenticated) disk to make sure the signatures
   are OK.

   But before it does that, it will do the following:

2) When Heads boots it "measures" the boot steps, firmware loading, etc.
   from the CPU and validates it against a "known good value" stored in
   the TPM. This allows you to use a device, that you normally use for
   2nd factor authentication, such as a phone, to validate whether the
   boot process executed "what you would expect". That should allow you
   to detect certain attacks against your machines' firmware at a small
   price of convenience during boot.

3) Your disk is encrypted using a key that is "sealed", encrypted using
   a "disk unlock passphrase", and then stored in the TPM. You do have a
   backup passphrase that you should use in the case that you need to
   take the disk out of the machine and mount it on another device (in
   case the laptop no longer works for example) or if you need to
   reinitialize your Heads firmware.

I can really advice anyone who is interested in this kind of stuff to
check out the Heads website at http://osresearch.net/ for more
information. The main author, Trammell Hudson, did an excellent
presentation at 33c3 about Heads called "Boot strapping slightly more
secure systems". You can read more about the presentation and watch the
recording by going to https://trmm.net/Heads_33c3

Joanna Rutkowska published the paper called "Intel x86 considered
harmful" that is worth a read. You can find it at
https://blog.invisiblethings.org/2015/10/27/x86_harmful.html Joanna also
did a presentation at 32c3 called "Towards (reasonably) trustworthy x86
laptops" that is worth a watch. It can be seen at
https://media.ccc.de/v/32c3-7352-towards_reasonably_trustworthy_x86_laptops

On a non-security related note for the x230, if you are more brave than
I am: A Russian hacker that goes by the nickname nitrocaster makes some
cool Full HD mod chips for the x220/x230. You can read more about them
at https://forum.thinkpads.com/viewtopic.php?t=122640 -- I have yet to
try this out on a device. You can also "upgrade" (or "downgrade"
depending on who you are) the "island keyboard" that comes with the x230
to the "classic Thinkpad keyboard" from an x220 with some minor hardware
modifications. You can read about that at
https://www.thinkwiki.org/wiki/Install_Classic_Keyboard_on_xx30_Series_ThinkPads

I sadly haven't been following the recent developments around measured
boots on UEFI based systems, but Trammell Hudson seems involved with
this project as well: https://www.linuxboot.org/ -- I might be
interesting to check out.

If you are on a small budget than what would allow you to mess around
and possibly brick an x230 I can recommend an x200, which is less
expensive, and can be flashed with Libreboot (another "Coreboot
distribution") where the focus is on having a firmware with 100%
free/libre software. This includes not having any blobs in the firmware
itself :-) You can read more about the libreboot project at
https://libreboot.org/

Happy hacking,
Alex.

-- 
Alexander Færøy
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk