Hello,

On Wed, Mar 20, 2019 at 10:47:41PM -0700, muc4dol...@secmail.pro wrote:
> What do other people think? What are other manufacturers I can
> consider?

I'm personally a big fan of Lenovo's x230 Thinkpad. Here in Denmark, you can buy them refurbished, for cash, from many different physical shops for around 150-300 USD. If you get the i7 model, they come with a reasonably fast CPU that you can run Qubes OS on without problems. I use this for my daily work with Tor and it's good enough for "Tor the-network-daemon" development, but I think it would be too slow if I had to compile Tor Browser on it often.

They are easily upgradable, so I'd advise you to get 16 GB of RAM and a fast SSD disk for it. The hardware upgrades can be applied over time if you don't want to spend too much cash upfront, as you normally have to do with the newer laptops that are less "upgradable".

For the Intel Management Engine situation, I flashed the laptop with Coreboot and used the https://github.com/corna/me_cleaner code to disable large parts of the management engine itself. I used a "Coreboot distribution" (I don't think this is the right term here, sorry) called Heads. Flashing Coreboot can feel a bit scary the first time, so if you have a friend nearby who has done it before it might be a good idea to have them next to you :-) Do remember to back up your current firmware before you flash the new one onto the mainboard.

The Heads firmware bundles Coreboot, the Linux kernel, and some user-land utilities to allow you to boot "directly" into a Linux shell and then use the kexec system call to load Xen and the Linux kernel to boot into Qubes (or whatever other distribution you may use). This might sound scary, but it comes with some shell scripts that make all of this easy and it feels more like a "normal" boot loading experience.

Heads has some neat features that I think are Good For Security:

1) Your /boot partition remains unencrypted, but your initramfs, Xen hypervisor (if you use Qubes), and Linux kernel image are all signed with your GnuPG key. The GnuPG key is put into your Heads firmware image before you flash it. This means that every time you upgrade Xen or the Linux kernel you need to sign your new kernel(s) with your GnuPG key. I can live with that. When Heads boots it will validate the signatures of your kernel(s) on the (unencrypted & unauthenticated) disk to make sure the signatures are OK. But before it does that, it will do the following:

2) When Heads boots it "measures" the boot steps, firmware loading, etc. from the CPU and validates it against a "known good value" stored in the TPM. This allows you to use a device that you normally use for 2nd factor authentication, such as a phone, to validate whether the boot process executed "what you would expect". That should allow you to detect certain attacks against your machine's firmware at a small price of convenience during boot.

3) Your disk is encrypted using a key that is "sealed", encrypted using a "disk unlock passphrase", and then stored in the TPM. You do have a backup passphrase that you should use in the case that you need to take the disk out of the machine and mount it on another device (in case the laptop no longer works, for example) or if you need to reinitialize your Heads firmware.

I can really advise anyone who is interested in this kind of stuff to check out the Heads website at http://osresearch.net/ for more information.

The main author, Trammell Hudson, did an excellent presentation at 33c3 about Heads called "Boot strapping slightly more secure systems". You can read more about the presentation and watch the recording by going to https://trmm.net/Heads_33c3

Joanna Rutkowska published the paper called "Intel x86 considered harmful" that is worth a read. You can find it at https://blog.invisiblethings.org/2015/10/27/x86_harmful.html

Joanna also did a presentation at 32c3 called "Towards (reasonably) trustworthy x86 laptops" that is worth a watch. It can be seen at https://media.ccc.de/v/32c3-7352-towards_reasonably_trustworthy_x86_laptops

On a non-security related note for the x230, if you are braver than I am: a Russian hacker who goes by the nickname nitrocaster makes some cool Full HD mod chips for the x220/x230. You can read more about them at https://forum.thinkpads.com/viewtopic.php?t=122640 -- I have yet to try this out on a device.

You can also "upgrade" (or "downgrade", depending on who you are) the "island keyboard" that comes with the x230 to the "classic Thinkpad keyboard" from an x220 with some minor hardware modifications. You can read about that at https://www.thinkwiki.org/wiki/Install_Classic_Keyboard_on_xx30_Series_ThinkPads

I sadly haven't been following the recent developments around measured boots on UEFI based systems, but Trammell Hudson seems involved with this project as well: https://www.linuxboot.org/ -- it might be interesting to check out.

If you are on a smaller budget than what would allow you to mess around and possibly brick an x230, I can recommend an x200, which is less expensive and can be flashed with Libreboot (another "Coreboot distribution") where the focus is on having a firmware with 100% free/libre software. This includes not having any blobs in the firmware itself :-) You can read more about the libreboot project at https://libreboot.org/

Happy hacking,
Alex.

-- 
Alexander Færøy

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
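The two TPM-based features described in points 2) and 3) of the email above (measuring the boot chain into the TPM, checking it with a second-factor code on a phone, and sealing the disk key to that measurement plus a passphrase) are easier to reason about with a small simulation. The following Python is an added illustration written for this page; it is not code from Heads or from the email's author. The PCR extend rule (new = H(old || H(image))) is how real TPM PCRs work, but the "TPM" here is a software stand-in: sealing is simulated with an HMAC-derived key and tag instead of a hardware chip, the boot-stage images are constructed placeholder bytes, the TOTP secret is the RFC 6238 test secret, and the exact way Heads chooses which PCRs to seal against is simplified.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins for the stages a Heads-style firmware measures on boot:
# (stage name, bytes of the image). These are placeholders, not real firmware.
KNOWN_GOOD_BOOT = [
    ("coreboot-romstage", b"romstage image v1"),
    ("heads-payload", b"heads linux payload v1"),
    ("xen.gz", b"xen hypervisor image"),
    ("vmlinuz", b"linux kernel image"),
    ("initramfs", b"initramfs image"),
]

# The same chain with one firmware stage replaced (simulated tampering).
TAMPERED_BOOT = [
    (name, b"modified payload") if name == "heads-payload" else (name, img)
    for name, img in KNOWN_GOOD_BOOT
]

PCR_INITIAL = bytes(32)  # a freshly reset PCR register is all zeros


def pcr_extend(pcr: bytes, image: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(image)). The order of stages
    matters and a value can never be set directly, only extended, which is what
    makes the final PCR a tamper-evident summary of the whole chain."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_boot(stages) -> bytes:
    """Simulated measured boot: extend one PCR with every stage, in order."""
    pcr = PCR_INITIAL
    for _name, image in stages:
        pcr = pcr_extend(pcr, image)
    return pcr


def seal(secret: bytes, pcr: bytes, passphrase: bytes) -> dict:
    """Simulated TPM seal: the secret is recoverable only with the same PCR
    value and passphrase. A real TPM keeps this inside the chip; here the
    binding is an HMAC-derived key, a one-block keystream and an auth tag."""
    assert len(secret) <= 32, "toy keystream is a single SHA-256 output"
    key = hmac.new(passphrase, pcr, hashlib.sha256).digest()
    keystream = hashlib.sha256(b"keystream" + key).digest()
    ciphertext = bytes(s ^ k for s, k in zip(secret, keystream))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return {"ciphertext": ciphertext, "tag": tag}


def unseal(blob: dict, pcr: bytes, passphrase: bytes):
    """Return the secret, or None when the PCR or passphrase differ from the
    values at sealing time (the tag check fails, so nothing is released)."""
    key = hmac.new(passphrase, pcr, hashlib.sha256).digest()
    expected_tag = hmac.new(key, blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    keystream = hashlib.sha256(b"keystream" + key).digest()
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], keystream))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. TOTP (RFC 6238) is HOTP with counter = unix_time // 30,
    so the phone and the firmware compute the same code from the same secret."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def boot_and_unseal(stages, blob: dict, passphrase: bytes):
    """Measure the given boot chain, then try to unseal against the result.
    This is the disk-key path from point 3): PCRs and passphrase both needed."""
    return unseal(blob, measure_boot(stages), passphrase)


def attestation_code(stages, totp_blob: dict, timestep: int):
    """The code the firmware would show after boot (point 2)): the TOTP secret
    is sealed to the known-good PCRs with an empty passphrase, so it only
    unseals, and only matches the phone, when the measured chain is unchanged."""
    secret = boot_and_unseal(stages, totp_blob, b"")
    return None if secret is None else hotp(secret, timestep)


if __name__ == "__main__":
    good_pcr = measure_boot(KNOWN_GOOD_BOOT)
    totp_secret = b"12345678901234567890"  # RFC 6238 test secret (constructed)
    totp_blob = seal(totp_secret, good_pcr, b"")
    disk_blob = seal(b"constructed-disk-key", good_pcr, b"disk unlock passphrase")
    print("phone shows   :", hotp(totp_secret, 1))
    print("clean boot    :", attestation_code(KNOWN_GOOD_BOOT, totp_blob, 1))
    print("tampered boot :", attestation_code(TAMPERED_BOOT, totp_blob, 1))
    print("disk key (ok) :", boot_and_unseal(KNOWN_GOOD_BOOT, disk_blob, b"disk unlock passphrase"))
    print("disk key (bad):", boot_and_unseal(TAMPERED_BOOT, disk_blob, b"disk unlock passphrase"))
```

Run as a script, the clean chain unseals the TOTP secret and prints the same six digits the phone shows, while the tampered chain yields a different PCR, fails the tag check and shows no code at all; the disk key likewise unseals only for the unmodified chain with the right passphrase. That is the detection the email describes: the attacker who replaces a firmware stage cannot make the TPM release anything sealed to the old measurement, and the mismatch is visible to the owner before the disk is ever unlocked.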