field | value | date |
---|---|---|
author | Francis Rowe <info@gluglug.org.uk> | 2014-08-11 09:00:00 (EDT) |
committer | Michał Masłowski <mtjm@mtjm.eu> | 2014-08-22 14:29:49 (EDT) |
commit | 8df313c4d6607181576471e08d7e909c9c0f33e9 (patch) | |
tree | 249f6003e3293fd4049ad57c267fa7ec1c4269e4 /docs/howtos/x60_security.html | |
parent | 7eca665d684a734d55b0bb26c4f1831d399c5330 (diff) | |
Libreboot release 6 beta 5.r20140811
- build: added 'luks', 'lvm', 'cmosdump' and 'cmostest' to the list of
modules for grub.elf
- Documentation: added pics showing T60 unbricking (still need to
write a tutorial)
- build: include cmos.layout
(coreboot/src/mainboard/manufacturer/model/cmos.layout) files in
libreboot_bin
- Documentation: added ../docs/howtos/x60tablet_unbrick.html
- Documentation: added ../docs/howtos/t60_unbrick.html
- Documentation: added ../docs/howtos/t60_lcd_15.html
- Documentation: added ../docs/howtos/t60_security.html
- Documentation: added ../docs/howtos/t60_heatsink.html
- Documentation: Renamed RELEASE.html to release.html
- Documentation: removed pcmcia reference in x60_security.html (it's
cardbus)
- Documentation: added preliminary information about randomized seal
(for physical intrusion detection) in x60_security.html and
t60_security.html
- Documentation: added preliminary information about
preventing/mitigating cold-boot attack in x60_security.html and
t60_security.html
- Documentation: added info to ../docs/index.html#macbook21 warning
about issues with macbook21
- Documentation: X60/T60: added information about checking custom
ROM's using dd to see whether or not the top 64K region is
duplicated below top or not. Advise caution about this in the
tutorial that deals with flashing on top of Lenovo BIOS, citing the
correct dd commands necessary if it is confirmed that the ROM has
not been applied with dd yet. (in the case that the user compiled
their own ROM's from libreboot, without using the build scripts, or
if they forgot to use dd, etc).
- Split resources/libreboot/patch/gitdiff into separate patch files
(getcb script updated to accommodate this change).
- Re-added .git files to bucts
- Fixed the oversight where macbook21_firstflash wasn't included in
binary archives
Diffstat (limited to 'docs/howtos/x60_security.html')
-rw-r--r-- | docs/howtos/x60_security.html | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/docs/howtos/x60_security.html b/docs/howtos/x60_security.html index fc631bf..6abda98 100644 --- a/docs/howtos/x60_security.html +++ b/docs/howtos/x60_security.html @@ -42,6 +42,7 @@ <h1 id="software_requirements">Software requirements</h1> <ul> <li>none (at least in the scope of the article as-is)</li> + <li>You probably want to encrypt your GNU/Linux install using LUKS</li> </ul> <h1> @@ -171,12 +172,12 @@ Not covered yet: </h2> <ul> - <li>Disable cardbus/pcmcia (has fast/direct memory access)</li> + <li>Disable cardbus (has fast/direct memory access)</li> <li>Disable firewire (has fast/direct memory access)</li> <li>Disable flashing the ethernet firmware</li> <li>Disable SPI flash writes (can be re-enabled by unsoldering two parts)</li> <li>Disable use of xrandr/edid on external monitor (cut 2 pins on VGA)</li> - <li>Disable docking station</li> + <li>Disable docking station (might be possible to do it in software, in coreboot upstream as a Kconfig option)</li> </ul> <p> Go to <a href="http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html">http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html</a> 
@@ -191,13 +192,25 @@ </h2> <ul> <li> - Intrusion detection: randomized seal on screws (need to research) + Intrusion detection: randomized seal on screws<br/> + Just put nail polish with lot of glider on the important screws, take + some good pictures. Keep the pictueres and make sure of their integrity. + Compare the nail polish with the pictures before powering on the laptop. </li> <li> Tips about preventing/mitigating risk of cold boot attack. + <ul> + <li>soldered RAM?</li> + <li>seal RAM door shut (possibly modified lower chassis) so that system has to be disassembled (which has to go through the nail polish)</li> + <li>wipe all RAM at boot/power-off/power-on? (patch in coreboot upstream?)</li> + <li>ask gnutoo about fallback patches (counts number of boots)</li> + </ul> </li> <li> Software-based security hardening (GRUB trust/cryptomount, kernel LUKS/ecryptfs, etc). + <ul> + <li>modify grub to delay password attemps by a few seconds, and fail after a set time (and record all attemps in a counter, writing that to nvram)</li> + </ul> </li> <li> General tips/advice and web links showing how to detect physical intrusions. @@ -205,6 +218,9 @@ <li> For example: <a href="http://cs.tau.ac.il/~tromer/acoustic/">http://cs.tau.ac.il/~tromer/acoustic/</a> </li> + <li> + https://gitorious.org/gnutoo-for-coreboot/grub-assemble/source/a61f636797777a742f65f4c9c58032aa6a9b23c3: + </li> </ul> <h1> @@ -226,7 +242,7 @@ Risk level </h2> <ul> - <li>Modem: highest</li> + <li>Modem (3g/wwan): highest</li> <li>Intel wifi: Near highest</li> <li>Atheros PCI wifi: unknown, but lower than intel wifi.</li> <li>Microphone: only problematic if the computer gets compromised.</li> |
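Review bot: in the "Software requirements" list (hunk @@ -42,6 +42,7 @@), the new LUKS item is added beneath the existing "none (at least in the scope of the article as-is)" item, so the list now says both that there are no requirements and that there is one. Suggest dropping the "none" item or rewording the new one as an explicit recommendation, and pointing it at the "Software-based security hardening" item further down, which already mentions LUKS.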
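Review bot: in the "Not covered yet" list (hunk @@ -171,12 +172,12 @@), the new docking station text "might be possible to do it in software, in coreboot upstream as a Kconfig option" does not tell the reader whether such an option exists upstream today or would have to be written. Suggest stating which it is, or marking it clearly as an idea still to be investigated. The cardbus rename on the first changed line matches the commit message.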
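Review bot: the text added in hunk @@ -191,13 +192,25 @@ has typos that will ship in the published HTML: "glider" (presumably "glitter") and "pictueres" in the intrusion-detection item, and "attemps" twice in the GRUB item. Two content points in the same hunk: "ask gnutoo about fallback patches (counts number of boots)" reads as a note to the author and gives the reader nothing to act on, so it should either explain what the fallback patches do or move to a TODO outside the page; and "Keep the pictures and make sure of their integrity" does not say how, so a short hint (for example, where to keep them and how to check they are unchanged) would make the seal check usable. Several sub-items end in a question mark ("soldered RAM?", "wipe all RAM at boot/power-off/power-on?"), which is fine for preliminary notes but should be labelled as open questions.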
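Review bot: the list item added in hunk @@ -205,6 +218,9 @@ is a bare gitorious URL with a trailing colon and no description, and it is not wrapped in an anchor, while the neighbouring item uses <a href="http://cs.tau.ac.il/~tromer/acoustic/">. Suggest making it a link in the same style, removing the colon, and adding a few words on what grub-assemble is and why it belongs under tips for detecting physical intrusions.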