
Bootstrapping a slightly more secure laptop [video] - ianopolous
https://media.ccc.de/v/33c3-8314-bootstraping_a_slightly_more_secure_laptop
======
wonko1
In summary: Coreboot+Linux as a bootloader

I think I've seen this before in an HPC context. But they've built a firmware
distribution called Heads. It boots using coreboot then fires up a Linux
kernel from flash.

The kernel is then used as a second stage bootloader. It takes about 2 seconds
to get Linux booted from flash.

They can then boot the system OS, optionally using kexec to smoothly
transition to the system kernel.

Very neat! Along the way they've also done other important work, like put
together a minimal firmware for the Management engine (a second CPU in Intel
systems with its own OS, and many many issues).

The biggest problem here is the same issue that coreboot has. Coreboot support is
really limited. I think it now supports Lenovo X220s, but last time I looked
not much modern hardware.

~~~
mmastrac
> put together a minimal firmware for the Management engine

I thought that management engine CPU was still a black box, and the best
anyone has done is neuter the firmware running there by judiciously zeroing
bits out.

------
shade23
Slides -> [https://lab.dsst.io/slides/33c3/8314.html](https://lab.dsst.io/slides/33c3/8314.html)
Slides (pdf) -> [https://lab.dsst.io/slides/33c3/slides/8314.pdf](https://lab.dsst.io/slides/33c3/slides/8314.pdf)

------
nickik
What would be really interesting is to use this with a UAF/U2F. The TPM
produces a value, this value could be used the same way the domain name gets
used in 'normal' UAF/U2F (as the AppID). The UAF/U2F authenticator would only
sign the challenge if the TPM is correct, saving you from the Evil Maid
attack. This is the same mechanism that protects from phishing in the web.

Then you can validate the signed token, and if everything is correct you can
use the TPM value to decrypt the harddisk.

Right now I am using my remembered password plus static password mode of my
Yubikey to have a fake 2FA decryption requirement on boot but UAF/U2F would be
way cooler.

Is there something wrong with this idea?

~~~
watersb
Essentially no, you are not wrong.

I am working on setting up a system with a YubiKey 4 in this way. Apple FDE
can accept a certificate for verification. Or simply the password.

I haven't set up LUKS like this in a long, long time. But I will get there
soon..
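
A toy simulation of the binding nickik proposes above, added here as an example and not code from the thread, the talk or Heads: a PCR-style measurement of the boot chain takes the place of the U2F AppID, and the token refuses to sign when the measurement changes. Assumptions: HMAC stands in for U2F's ECDSA signature so the block runs on the standard library alone, and `measure`, `app_param`, `Authenticator`, `unlock_allowed` and the sample boot chains are hypothetical names and constructed values.

```python
import hashlib, hmac, os

# Constructed sample boot chains (placeholders, not real firmware images).
GOOD_CHAIN = [b"coreboot", b"linux-payload", b"initrd"]
TAMPERED_CHAIN = [b"coreboot", b"linux-payload-modified", b"initrd"]

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def measure(boot_chain):
    """TPM-style extend per component: pcr = SHA-256(pcr || SHA-256(component))."""
    pcr = bytes(32)  # PCR is zeroed at reset
    for component in boot_chain:
        pcr = hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()
    return pcr

def app_param(pcr):
    # U2F hashes the AppID to a 32-byte application parameter; the PCR
    # value takes the place of the web origin here (the comment's idea).
    return hashlib.sha256(pcr).digest()

class Authenticator:
    """Toy token. Real U2F signs with ECDSA P-256; HMAC stands in here."""
    def __init__(self):
        self._secret = os.urandom(32)

    def register(self, param):
        nonce = os.urandom(16)
        key = mac(self._secret, param + nonce)
        # Key handle = nonce + tag bound to param; key stands in for the public key.
        return nonce + mac(key, b"handle"), key

    def sign(self, param, handle, challenge):
        nonce, tag = handle[:16], handle[16:]
        key = mac(self._secret, param + nonce)
        if not hmac.compare_digest(tag, mac(key, b"handle")):
            return None  # handle was issued for a different measurement
        return mac(key, param + challenge)

def unlock_allowed(token, handle, verify_key, boot_chain):
    """Boot-time check: have the token sign a fresh challenge for the measured state."""
    challenge = os.urandom(32)
    param = app_param(measure(boot_chain))
    sig = token.sign(param, handle, challenge)
    return sig is not None and hmac.compare_digest(sig, mac(verify_key, param + challenge))
```

The binding only helps when the measurement reaching the token comes from the TPM itself; a value that software can record and present again gives no such assurance.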

------
wonko1
An unrelated but interesting point he noted was that Apple are one of the only
vendors that provide long term firmware updates (he mentioned 8 years). It's a
shame nobody else really does this.

------
delinka
Secure _what_? Please add "laptop" to the title as it is on the original.

~~~
sctb
Sorry about that, added.

------
mrkgnao
pinging 'dang and co, typo in title

~~~
sandebert
Does that even work? Have they got some code on the back end that alerts as
soon as an admin name is mentioned? Or do you just assume they read
everything? (Do they!?)

~~~
taspeotis
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

    
    
        Please don't post on HN to ask or tell us something (e.g. to ask us
        questions about Y Combinator, or to ask or complain about moderation).
        If you want to say something to us, please send it to hn@ycombinator.com.
    

But the title of the talk is actually "Bootstraping [sic] a slightly more
secure laptop." Look at the first slide.

~~~
chrismorgan
… and now we’ve lost the word “laptop”.

