summaryrefslogtreecommitdiffstats
path: root/docs/howtos/x60_security.html
diff options
context:
space:
mode:
authorFrancis Rowe <info@gluglug.org.uk>2014-08-11 09:00:00 (EDT)
committer Michał Masłowski <mtjm@mtjm.eu>2014-08-22 14:29:49 (EDT)
commit8df313c4d6607181576471e08d7e909c9c0f33e9 (patch)
tree249f6003e3293fd4049ad57c267fa7ec1c4269e4 /docs/howtos/x60_security.html
parent7eca665d684a734d55b0bb26c4f1831d399c5330 (diff)
downloadlibreboot-8df313c4d6607181576471e08d7e909c9c0f33e9.zip
libreboot-8df313c4d6607181576471e08d7e909c9c0f33e9.tar.gz
libreboot-8df313c4d6607181576471e08d7e909c9c0f33e9.tar.bz2
Libreboot release 6 beta 5.r20140811
- build: added 'luks', 'lvm', 'cmosdump' and 'cmostest' to the list of modules for grub.elf - Documentation: added pics showing T60 unbricking (still need to write a tutorial) - build: include cmos.layout (coreboot/src/mainboard/manufacturer/model/cmos.layout) files in libreboot_bin - Documentation: added ../docs/howtos/x60tablet_unbrick.html - Documentation: added ../docs/howtos/t60_unbrick.html - Documentation: added ../docs/howtos/t60_lcd_15.html - Documentation: added ../docs/howtos/t60_security.html - Documentation: added ../docs/howtos/t60_heatsink.html - Documentation: Renamed RELEASE.html to release.html - Documentation: removed pcmcia reference in x60_security.html (it's cardbus) - Documentation: added preliminary information about randomized seal (for physical intrusion detection) in x60_security.html and t60_security.html - Documentation: added preliminary information about preventing/mitigating cold-boot attack in x60_security.html and t60_security.html - Documentation: added info to ../docs/index.html#macbook21 warning about issues with macbook21 - Documentation: X60/T60: added information about checking custom ROM's using dd to see whether or not the top 64K region is duplicated below top or not. Advise caution about this in the tutorial that deals with flashing on top of Lenovo BIOS, citing the correct dd commands necessary if it is confirmed that the ROM has not been applied with dd yet. (in the case that the user compiled their own ROM's from libreboot, without using the build scripts, or if they forgot to use dd, etc). - Split resources/libreboot/patch/gitdiff into separate patch files (getcb script updated to accomodate this change). - Re-added .git files to bucts - Fixed the oversight where macbook21_firstflash wasn't included in binary archives
Diffstat (limited to 'docs/howtos/x60_security.html')
-rw-r--r--docs/howtos/x60_security.html24
1 files changed, 20 insertions, 4 deletions
diff --git a/docs/howtos/x60_security.html b/docs/howtos/x60_security.html
index fc631bf..6abda98 100644
--- a/docs/howtos/x60_security.html
+++ b/docs/howtos/x60_security.html
@@ -42,6 +42,7 @@
<h1 id="software_requirements">Software requirements</h1>
<ul>
<li>none (at least in the scope of the article as-is)</li>
+ <li>You probably want to encrypt your GNU/Linux install using LUKS</li>
</ul>
<h1>
@@ -171,12 +172,12 @@
Not covered yet:
</h2>
<ul>
- <li>Disable cardbus/pcmcia (has fast/direct memory access)</li>
+ <li>Disable cardbus (has fast/direct memory access)</li>
<li>Disable firewire (has fast/direct memory access)</li>
<li>Disable flashing the ethernet firmware</li>
<li>Disable SPI flash writes (can be re-enabled by unsoldering two parts)</li>
<li>Disable use of xrandr/edid on external monitor (cut 2 pins on VGA)</li>
- <li>Disable docking station</li>
+ <li>Disable docking station (might be possible to do it in software, in coreboot upstream as a Kconfig option)</li>
</ul>
<p>
Go to <a href="http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html">http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html</a>
@@ -191,13 +192,25 @@
</h2>
<ul>
<li>
- Intrusion detection: randomized seal on screws (need to research)
+ Intrusion detection: randomized seal on screws<br/>
+ Just put nail polish with lot of glider on the important screws, take
+ some good pictures. Keep the pictueres and make sure of their integrity.
+ Compare the nail polish with the pictures before powering on the laptop.
</li>
<li>
Tips about preventing/mitigating risk of cold boot attack.
+ <ul>
+ <li>soldered RAM?</li>
+ <li>seal RAM door shut (possibly modified lower chassis) so that system has to be disassembled (which has to go through the nail polish)</li>
+ <li>wipe all RAM at boot/power-off/power-on? (patch in coreboot upstream?)</li>
+ <li>ask gnutoo about fallback patches (counts number of boots)</li>
+ </ul>
</li>
<li>
Software-based security hardening (GRUB trust/cryptomount, kernel LUKS/ecryptfs, etc).
+ <ul>
+ <li>modify grub to delay password attemps by a few seconds, and fail after a set time (and record all attemps in a counter, writing that to nvram)</li>
+ </ul>
</li>
<li>
General tips/advice and web links showing how to detect physical intrusions.
@@ -205,6 +218,9 @@
<li>
For example: <a href="http://cs.tau.ac.il/~tromer/acoustic/">http://cs.tau.ac.il/~tromer/acoustic/</a>
</li>
+ <li>
+ https://gitorious.org/gnutoo-for-coreboot/grub-assemble/source/a61f636797777a742f65f4c9c58032aa6a9b23c3:
+ </li>
</ul>
<h1>
@@ -226,7 +242,7 @@
Risk level
</h2>
<ul>
- <li>Modem: highest</li>
+ <li>Modem (3g/wwan): highest</li>
<li>Intel wifi: Near highest</li>
<li>Atheros PCI wifi: unknown, but lower than intel wifi.</li>
<li>Microphone: only problematic if the computer gets compromised.</li>