Diffstat (limited to 'docs/howtos/x60_security.html')
-rw-r--r-- | docs/howtos/x60_security.html | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/docs/howtos/x60_security.html b/docs/howtos/x60_security.html index fc631bf..6abda98 100644 --- a/docs/howtos/x60_security.html +++ b/docs/howtos/x60_security.html @@ -42,6 +42,7 @@ <h1 id="software_requirements">Software requirements</h1> <ul> <li>none (at least in the scope of the article as-is)</li> + <li>You probably want to encrypt your GNU/Linux install using LUKS</li> </ul> <h1> @@ -171,12 +172,12 @@ Not covered yet: </h2> <ul> - <li>Disable cardbus/pcmcia (has fast/direct memory access)</li> + <li>Disable cardbus (has fast/direct memory access)</li> <li>Disable firewire (has fast/direct memory access)</li> <li>Disable flashing the ethernet firmware</li> <li>Disable SPI flash writes (can be re-enabled by unsoldering two parts)</li> <li>Disable use of xrandr/edid on external monitor (cut 2 pins on VGA)</li> - <li>Disable docking station</li> + <li>Disable docking station (might be possible to do it in software, in coreboot upstream as a Kconfig option)</li> </ul> <p> Go to <a href="http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html">http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html</a> 
@@ -191,13 +192,25 @@ </h2> <ul> <li> - Intrusion detection: randomized seal on screws (need to research) + Intrusion detection: randomized seal on screws<br/> + Just put nail polish with lot of glider on the important screws, take + some good pictures. Keep the pictueres and make sure of their integrity. + Compare the nail polish with the pictures before powering on the laptop. </li> <li> Tips about preventing/mitigating risk of cold boot attack. + <ul> + <li>soldered RAM?</li> + <li>seal RAM door shut (possibly modified lower chassis) so that system has to be disassembled (which has to go through the nail polish)</li> + <li>wipe all RAM at boot/power-off/power-on? (patch in coreboot upstream?)</li> + <li>ask gnutoo about fallback patches (counts number of boots)</li> + </ul> </li> <li> Software-based security hardening (GRUB trust/cryptomount, kernel LUKS/ecryptfs, etc). + <ul> + <li>modify grub to delay password attemps by a few seconds, and fail after a set time (and record all attemps in a counter, writing that to nvram)</li> + </ul> </li> <li> General tips/advice and web links showing how to detect physical intrusions. @@ -205,6 +218,9 @@ <li> For example: <a href="http://cs.tau.ac.il/~tromer/acoustic/">http://cs.tau.ac.il/~tromer/acoustic/</a> </li> + <li> + https://gitorious.org/gnutoo-for-coreboot/grub-assemble/source/a61f636797777a742f65f4c9c58032aa6a9b23c3: + </li> </ul> <h1> @@ -226,7 +242,7 @@ Risk level </h2> <ul> - <li>Modem: highest</li> + <li>Modem (3g/wwan): highest</li> <li>Intel wifi: Near highest</li> <li>Atheros PCI wifi: unknown, but lower than intel wifi.</li> <li>Microphone: only problematic if the computer gets compromised.</li> |
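Review bot: In the "Software requirements" hunk (@@ -42,6 +42,7 @@), the new LUKS item sits directly under the unchanged item "none (at least in the scope of the article as-is)", so the list now says there are no requirements and then names one. Either reword the first item or move the LUKS recommendation into a separate "recommended" list so the two do not contradict each other.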
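Review bot: In the "Not covered yet" hunk (@@ -171,12 +172,12 @@), the parenthetical added to "Disable docking station" is ambiguous: "might be possible to do it in software, in coreboot upstream as a Kconfig option" can be read as either "upstream already has such an option" or "such an option could be added upstream". Please state which is meant, and name the option if it already exists.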
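Review bot: In the intrusion-detection hunk (@@ -191,13 +192,25 @@), the added lines have several spelling errors that should be fixed before merging: "glider" (presumably "glitter"), "pictueres", and "attemps" (twice, in the GRUB item). In the same hunk, "ask gnutoo about fallback patches (counts number of boots)" reads as a note to self rather than guidance for the reader, so it would be better as a link or a short description of what those patches do. The sentence "Keep the pictueres and make sure of their integrity" also does not say how, so a brief hint would help, for example keeping the photos somewhere other than the laptop being protected.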
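Review bot: In the links hunk (@@ -205,6 +218,9 @@), the new gitorious URL is added as bare text with a trailing colon, while the neighbouring item wraps its URL in an <a href> element. Please make it a proper link, drop the dangling ":" (or add the text it was meant to introduce), and say in a few words what the grub-assemble source is there to illustrate.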