Re: [tor-talk] hardware recommendations

Some mainboards also contain drivers in their firmware. One MSI board I
had injected 32- and 64-bit drivers into a running Windows, they were
Intel chipset drivers. Many mainboards and notebooks do that. Some of
them use documented UEFI features where Windows searches for those
blocks in memory, verifies the signature and loads them. Others patch the
Windows kernel on the fly via interrupt vector hooks like a bootkit.
ARM CPUs are more fragmented, everyone can rent their blueprints and
print their own CPUs, backdoors are less likely than from a single

Use an x86/64 mainboard without EFI or an ARM embedded board. Also don't
forget to epoxy your PCI slots, it's possible to execute unverified code
at boot and at runtime by sticking something in your PCI.

Another piece of advice: Add some notification to your setup for hardware changes
of any kind. In /etc/udev/rules.d/ you can define what to do if certain
hardware is inserted or detached, it even works for kernel modules and
ethernet. You can define a rule for all changes and make it email you a
PGP encrypted kernel log. If someone inserts a new USB device you get
notified. If someone replugs the ethernet cable at the server you get
notified. If malware somehow loads a kernel module you get notified.
Spies hate that!

Jacob Appelbaum wrote:
> On 8/29/15, blaatenator <blaatenator@xxxxxxxxxxxxxxx> wrote:
>> Hi all,
>> The talk of Jacob at DebConf (especially the Citizen Four Q&A) got me
>> thinking about hardware. I know that hardware rng's are suspect, and
>> probably AES cpu extensions as well. And if Lenovo openly puts stuff in
>> the BIOS, who knows what else might be in there. Also someone there
>> mentioned ARM cpu's might be a better bet regarding backdoors (but what
>> is that opinion based on?).
> Intel has AMT and opaque microcode updates, other CPU vendors have
> similar fun hardware features.
> Further reading regarding AMT from the FSF:
>   https://www.fsf.org/blogs/community/active-management-technology
>> There was a mention of a 'sort of' open source smart card product and a
>> certain type of laptop brand (but I didn't catch the names unfortunately).
>> Are there more recommendations regarding this sort of stuff? Like a
>> 'best buy' guide for secure hardware, or ways to work around insecure
>> hardware.
> This is the hardware and software that I mentioned regarding GnuPG:
>   http://www.seeedstudio.com/wiki/FST-01
>   http://www.fsij.org/category/gnuk.html
> This is the base of a reasonable Debian ARM system that requires no
> non-free software:
>   http://www.kosagi.com/w/index.php?title=Novena_Main_Page
> All the best,
> Jacob
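
One way to implement the udev notification described in the message above, as an added example that is not code from the original post or the quoted replies. The rule file name, script path, recipient address and key id are assumptions or placeholders.

```shell
#!/bin/sh
# hw-notify.sh: run by udev through RUN+= (script path is an assumption).
# Rule file, e.g. /etc/udev/rules.d/99-hw-notify.rules (file name assumed):
#   ACTION=="add|remove", SUBSYSTEM=="usb",    RUN+="/usr/local/sbin/hw-notify.sh --udev"
#   ACTION=="add|remove", SUBSYSTEM=="net",    RUN+="/usr/local/sbin/hw-notify.sh --udev"
#   ACTION=="add|remove", SUBSYSTEM=="module", RUN+="/usr/local/sbin/hw-notify.sh --udev"
# Apply with: udevadm control --reload

ADMIN_ADDR="admin@example.org"   # placeholder recipient
ADMIN_KEY="0xPLACEHOLDERKEYID"   # placeholder key id, must be in root's keyring

# Build the plaintext report from the variables udev exports for the event.
# ID_* properties only exist for some devices; missing ones are shown as "-".
build_report() {
    printf 'host=%s\n' "$(hostname 2>/dev/null || echo unknown)"
    printf 'action=%s subsystem=%s\n' "${ACTION:--}" "${SUBSYSTEM:--}"
    printf 'devpath=%s\n' "${DEVPATH:--}"
    printf 'vendor=%s model=%s serial=%s\n' \
        "${ID_VENDOR_ID:--}" "${ID_MODEL_ID:--}" "${ID_SERIAL_SHORT:--}"
    printf -- '--- kernel log tail ---\n'
    dmesg 2>/dev/null | tail -n 40
    return 0
}

# The subject line travels unencrypted, so device details stay in the body.
subject_line() {
    printf '[hw-change] %s %s' "${ACTION:--}" "${SUBSYSTEM:--}"
}

# Encrypt to the admin key and hand the result to the local mailer.
# The plaintext report is only ever piped, never written to disk.
# --trust-model always: batch mode cannot answer a key-trust prompt.
send_report() {
    build_report |
        gpg --batch --armor --trust-model always \
            --encrypt --recipient "$ADMIN_KEY" |
        mail -s "$(subject_line)" "$ADMIN_ADDR"
}

# udev only allows short-running foreground tasks in RUN+=, so this relies
# on mail(1) queueing to a local MTA instead of doing SMTP delivery itself.
if [ "${1:-}" = "--udev" ]; then
    send_report
fi
```

Test a rule without plugging anything in by running `udevadm test` on a device path and checking that the RUN entry appears in its output.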