. Security enhancements for Libreboot X200/T400/X200T/T500/W500/R400/X60/T60etc

100.00

Category:

Description

We at Minifree and I, Leah Rowe, believe that you have the right to privacy and security. You have the right to your own private time where you are alone to your own thoughts, where nobody can spy on you or censor your activities. In spirit of this and in defiance to the current global trend of increased governmental authoritarianism, we provide this as a public service. This is available to everyone, in all nations (we ship internationally). We believe that your business is nobody elses business!

The point of this service, thus, is to provide you with a system that is extremely secure to the point of paranoia. These mods are made under the assumption that you are currently the target of surveillance (e.g. Tailored Access Operation – look it up). However, at the same time we also make every step to ensure that the system is still as easy to use as possible. This service is available for all libreboot-supported laptops

Specifically, what this service provides is a laptop where all radio devices and ports with DMA capability are removed (to reduce the possibility of encryption keys and so on being leaked using DMA based attacks or side channel attacks). We also provide things like hardware-based write protection of the flash chip, in addition to full disk encryption and a host of other things. This is an all in one service, but if there’s anything mentioned below which you don’t want then please tell us when you order. Also: if there’s something not listed here that you would like, tell us!

Send us your Libreboot compatible system and we will tweak it for you. Alternatively, you may purchase a laptop from us and add this service to your cart, and we will do it on the laptop that you ordered. We recommend that if you are sending in your existing laptop, you should apply your own tamper seals and send us encrypted photos before sending. You can apply nail varnish and let it dry. Randomize the pattern of it on each screen. Then we can verify whether it has been opened during transit to Minifree.

Desktops and workstations are also possible, though you should note that none of the currently supported libreboot desktops have built-in radio devices or externel ports that are DMA capable. So on these systems, all we’d really need to do is e.g. write protect and full disk encryption (plus tamper seals). (desktops have PCI/PCIe slots, but these are internal and entirely optional to use)

The default configuration without this service, when you order a laptop from us, is still very secure. This service merely provides enhanced security. More specific technical information is contained below. If you really want a laptop that is as secure as it could possibly be, then this service is for you. The way we do it, you won’t even notice it in everyday usage. The laptop will work normally just like any other laptop, and all of the same software etc that you use will still work perfectly.

NOTE: If all you want is full disk encryption and you are ordering a laptop from our stock instead of sending it in, we will do the encryption for free.

NOTE: This service is per laptop. So if for example you were ordering 5 laptops, you should order 5x quantity for this service

In addition to this service, you could also consider using Tor Browser as your main web browser. Tor protects your privacy online by obscuring your identity. See: torproject.org. We also recommend routing your internet traffic (including Tor) through a VPN. Here is a list of trustworthy VPN providers: https://torrentfreak.com/vpn-services-keep-anonymous-2018/you should also disable JavaScript in your browser at all times. JavaScript (or any other untrusted code) could be used to leak things like encryption keys using the spectre/meltdown attack. – VPN and Tor when combined can be very effective at protecting your online privacy, though this really depends on exactly how you use the internet.

Some of these mods involve soldering. For info on the setup we use:

Leah’s lab

If the mod is being done by me, I use the following:

  • Standard no-clean flux for mainboard contacts (e.g. USB mods)
  • Standard flux paste for tinning wires
  • (usually) 60/40 lead/tin solder, otherwise lead-free. I always use decent solder, not the cheap solder. You get what you pay for in this world.
  • AOYUE 2703A+ soldering station (which is also ESD safe). It has a very decent soldering iron, de-solder gun and hot-air gun on it.
  • De-solder wick (copper braiding) for removing smaller solder joints where the de-solder gun is less effective
  • Component being modded is placed on an anti-static pad connected to ground (mains)
  • My wrist is grounded to the pad, which then goes to mains ground
  • Wire used: stranded copper or similar, usually 30awg or so, unless thicker/thinner is needed. The wire used will always be strong enough that it won’t break (so, no cheap kynar wires).
  • All steps are taken to ensure strong solder connections: this means glass/shiny appearance on the finished joints, without spikes/horns or murky/dirty/misty colours, and we give them a little tug to make sure they won’t come off.

The mod may alternatively be done by my employee, who is unnamed here for his privacy (see: data protection laws. He has not yet provided consent to be named on minifree.org), at his base of operations. Regular shipments are handled by him. Unnamed helps me with orders. He uses a similar setup, and he is extremely competent. He handles most laptop orders.

For the above price, Minifree can do all of the following:

Tamper-resistant screws

The screws for disassembling the laptop will have randomized patterns of hard varnish laced over them. This pattern is nearly impossible to reproduce exactly, when properly random.

Securely send us your GPG pubkey so that we can send signed, encrypted photos of the system back to you. When booting up, you can verify whether the system has been disassembled during transit or at some point in the future.

We recommend keeping the pictures stored *offline*, on a machine that is encrypted and which never has any network connection. Ideally, this machine should be airgapped. So don’t store the pics on your phone please 😛

Please please please remember to also keep several backups at ideally at least two separate locations. If you can, a printed copy of the pictures can also come in handy. The very first thing you should do when receiving these pictures is make as many backups as is feasible for you.

If you *are* storing the pictures on a networked computer (including a mobile phone), then make sure that the device is isolated inside a faraday cage to ensure that no data can be transmitted out into the world, and make sure to remove all physical network connections like ethernet. Regular tinfoil should do the job. The room you’re in or the device itself can be isolated this way, whichever seems most practical to you. However, you should never store such sensitive documents on a device like this in the first place. It’s very important that these pictures are never lost and (more importantly) that they are never tampered with in any way.

Write protection of the flash chip (where libreboot is installed to)

This prevents malicious agents from easily re-flashing malware to your flash chip. This is predominantly for those with physical access to your system, but can also benefit you if, hypothetically, your distro’s package repositories were compromised and an attacker got malware into your system when you updated your distro packages. Details on this are as follows:

  • Write protect the flash chip. This involves soldering the WP pin on the flash chip (write protect pin) to ground (also on the flash chip). On some mainboards it is also possibly to use software-based methods, but we prefer hardware based write protect.
  • NOTE: This won’t be a hard-solder connection. Instead, we will solder jumper wires to the relevant pins on the flash chip, and one wire will be female and the other male on the other end. This way, you can easily detach the bridge if you ever did want to re-flash (e.g. to update libreboot) but then you would re-connect the bridge again after the fact.
  • NOTE2: For T400, we will route the jumper cables so that the bridge connection is *above* the metal cage around the mainboard. This way, you only need to disconnect the bridge by removing the keyboard, where the bridge is easily accessible). The jumper wires used are standard male+female 1mm, the kind that you would use on e.g. a bread board

Remove all networking devices, speakers and microphones from the system (NOTE: some of this is irreversable)

In other words, this will create a completely airgapped machine. This can be useful if, for example, you wish to use the laptop as an offline system for signing files with a private GPG key and you don’t want to risk that key ever leaking out onto a network.

  • The microphone is behind the front bezel of the LCD assembly, on the inverter board. This will be de-soldered and removed.
  • The bluetooth module is present on some systems, near the LCD inverter board. This will be removed
  • Wifi card will be removed (NOTE: WWAN removed on all systems, regardless. This is an extreme privacy risk which is why we remove it)
  • Speaker removed: electrical noise on the board could potentially be leaking data. These speakers could be used by a malicious entity to send data covertly in a high-frequency sound wave. It’s theoretically possible, so we remove that possibility.
  • Radio switch set to permanent off position via hard-solder. The switch itself will be removed internally.

We do not touch the ethernet socket. This is safe to use and it’s not a radio device, so there’s no risk leaving it on there. Just don’t use it if you don’t want it. If you want to destroy it, this is very easy: grab a pair of pliers and just rip out the pins on the jack. This can be done without taking the machine apart.

If you wish to have a more secure ethernet setup, USB is of course what we recommend. ThinkPenguin sells a USB ethernet card which will work very nicely and it is guaranteed to be compatible with Trisquel and other libre setups because it is FSF endorsed. We at Minifree will not supply the USB ethernet cards ourselves

NOTE: As with any complex electronics, there is always the possibility of electrical “noise” regardless, but it’s extremely unlikely that this could be exploited to hurt you in any way.

NOTE2: There’s always the possibility of a USB ethernet device being tampered/bugged during transit. To mitigate this possibility, since USB devices have no DMA and therefore can’t read what’s in memory, we recommend running an encrypted VPN link to the internet. This prevents malicious firmware on the external card (if such firmware is present) from eavesdropping on data.

NOTE3: That thinkpenguin card in particular is recommended because it’s using a relatively recent chipset which means that any malicious firmware (if installed by an agent) is much less likely to have drivers written for it. This of course refers to any device that came installed in your computer at the time it was manufactured. This is only a working theory.

All DMA-capable slots removed

DMA (direct memory access) is when a device has its own access to main memory so that it can operate independently of the CPU. This is a performance decision made in modern computers, to mitigate the slow performance that was seen on older computers where all hardware communication had to be coordinated (including I/O itself) through the CPU.
DMA is *very good* for most things, but for external hotswappable devices it is a security risk because an attacker could easily insert a malicious device into your system while it’s running which can be used to very quickly extract anything in RAM, which could include your encryption keys.

We will do the following:

  • Remove the cardbus/expresscard slot
  • Remove firewire slot (USB ports left intact, since USB devices don’t have DMA)
  • Docking port connector *disabled* (but not removed, because doing so is extremely invasive physically to the mainboard)
  • SATA ports removed* (we will include a SATA to USB adapter and you will boot GNU+Linux from the HDD/SSD via USB)

*For info, see:
https://libreboot.org/faq.html#hddssd-firmware

You can use a standard SATA->USB adapter (they are easy to find online and we already include one with your order) for booting your GNU+Linux system. GNU GRUB, the bootloader used on x86-based libreboot systems, supports booting a Linux kernel from USB.

The most secure way to boot GNU+Linux is on an encrypted USB HDD. We say HDD specifically, since these are easier to securely erase (with a magnet) versus SSDs which use wear leveling and therefore may retain wiped data later on.

NOTE: SSDs are still quite fast even on USB2. The bandwidth is a lot less, but this just refers to serial transmission of data. Random-access will still be instantaneous versus HDD seek time. Most of the perceivable SSD performance improvements is due to eliminated seek time latency and not overall throughput bandwidth, since most people are not going to saturate the latter. USB is capable of a couple hundred Mbps (around 30 MB/s) throughput, theoretically up to 480Mbps but in practice it’s just over half of that.

NOTE: For no extra cost, we can solder a little USB connector where the SATA slot used to be. The palmrest fingerprint reader is USB, so we will re-use the flex cable for that to route a standard USB connection for your USB HDD connection. For T400 you can use the connector for the left-right buttons on the bottom of the palmrest, just remove the connector inside and do the same thing (the touchpad will remain functional, and there is left/right mouse buttons on the keyboard – of course, we can disconnect the touch pad if you want. Not everyone likes touch pads).

Full disk encryption

This includes the /boot/ directory, since GRUB is already present.

For no extra cost, we can also GPG-check your kernel at boot, password protect the GRUB and (if you have more than one storage device) set up RAID.

For info about these changes, see:
https://libreboot.org/docs/gnulinux/grub_hardening.html

Reviews

There are no reviews yet.

Be the first to review “. Security enhancements for Libreboot X200/T400/X200T/T500/W500/R400/X60/T60etc”

Your email address will not be published. Required fields are marked *