Linux Foundation' Linux workstation security checklist

Blibbet blibbet at gmail.com
Thu Sep 17 16:02:31 PDT 2015


On 09/17/2015 12:00 PM, grarpamp wrote:
> On Wed, Sep 16, 2015 at 10:48 AM, Blibbet <blibbet at gmail.com> wrote:
>> Quoting a tweet from Joanna if Invisible Things Lab, on the topic of
>> older hardware (than Purism's current choice):
>>
>> https://twitter.com/rootkovska/status/643414071514148864
>>
>> "and old systems do not have IOMMU (VT-d) which makes them even less
>> secure, trustworthy."
>
> Question this in regards to number of gates available / needed
> for secret malefactor vs gatecount timeline vs time at which govt
> agencies and corp might desire and begin to cooperate or
> independantly perform same.
> ie: Are your your 486 or p55c and chipsets likely to contain malware?
> What about your Skylake?
> Given how ATT / Verizon / Sprint and others totally rolled over for
> Bush/911 what makes you think Intel or AMD or Microsoft are
> any different?
> WTF is up with windows 10? As if 7 vista and xp and Ubuntu
> Linux weren't enough.
>
> search: AnandTech, Intel has now stopped quoting gatecount with Skylake.
> https://en.wikipedia.org/wiki/NSAKEY

Not trying to dis old refurbished x86s. Just pointing out a specific
area to investigate w/r/t older x86 hardware. Joanna's tweet was one
specfic case to look into. Pre-CHIPSEC, it is less clear to me.  I wish
I had a complete list of issues (i.e., the set of things to write for a
CHIPSEC test profile for that hardware).

Old Thinkpads are great, but a LIMITED resource, we can't just rely on
old hardware forever.

I wonder if Cyrix/Via/Transmeta/etc clones are also viable to be
refurbished by Ministry of Freedom, and have any chance of being secure?
I also wonder about MIPS and SunSPARC chips, they have some old boxes to
refurbish, as well as some new MIPS boxes (a recent Chinese one not only
runs MIPS but also x86 and ARM instructions!).

If I were to hold out hope for an ISA that might be trustworthy, it
would be the RISC-V. But that'll take a year or longer. The Raven3 board
just came out, shown at HotChips. I hope that's the chip that Purism
uses for their next laptop, along with the recent Open Hardware GPU,
also announced at HotChips. Until then, I can update my own firmware on
my ARM dev boards, and -- sans FSP blobs -- on Intel dev boards. And I
have an ancient -- i.e., unknown security profile --- x86 with
Libreboot. Wish Libreboot used coreboot's Verifed Boot, for a bit more
protection, but that can be patched.

Not sure about Win10. I've heard they have a freeware version, which is
ad-sponsored, which must be be fun. Ubuntu, or as a friend of mine calls
them, "Spybuntu", has been abusing privacy for years. I wouldn't ever
trust an OS which is run by a single company. Debian isn't run by a
single company. It isn't perfect, but has fewer than most. Does anyone
have any opinion of Mempo, compared to QubesOS? I haven't used it yet,
but it looks interesting. Qubes is great for Intel systems, but what
about non-Intel, eg, ARM, does their isolation tech scale to non-Intel
ISAs? If not, what OS should ARM users use? (Purism recently tweeted
that they're going to get their PureOS to use parts of QubesOS.

I don't presume to have a trustworthy or secure firmware, on any Intel
box, perhaps AMD box, maybe ARM boxes. (The latter two seem to have less
security research than Intel x86/x64 systems, if anyone has good
pointers to ARM/AMD and other modern non-Intel HW, please speak up.)
Eg: http://timeglider.com/timeline/5ca2daa6078caaf4
Or see last slide of most CHIPSEC or LebaCore talks, they have a good
bibilography.

Thanks.



More information about the cypherpunks mailing list