
ORWL – The first open source, physically secure computer - kungfudoi
https://www.crowdsupply.com/design-shift/orwl
======
JoachimSchipper
Having some physical security in an OSS-hacker-compliant form factor is really
quite nice. This is not going to replace a proper HSM, and almost certainly is
a less secure place to store your data than an iPhone; but it's a good start
for those unwilling to give up on (the performance of) PCs.

It's worth noting that QubesOS, which is supported by this system, protects
against e.g. USB-based attacks by running a virtualized Linux for just the USB
port (simplified.) This has its limitations, but should be pretty decent.

If at all possible, try to ensure that this device is powered down when an
attacker gets it. Several attacks are easier if that's not the case (e.g. USB-
based attacks, but also cold boot attacks on the encrypted disk - the security
monitoring should trigger when one opens the case, but if an attacker can
still extract your disk password from RAM before the RAM fades you're in
trouble...)

~~~
talltower
ORWL will go in stand-by if the user is further than 10 meters away from the
device; if moved when away, it will shut down. If the hardware is tampered
with, or chilled, the SSD encryption key is deleted within milliseconds.
The iPhone or any other consumer product at this point has less or no physical
protection. The physical level of protection is taken from the payment
industry standard and applied to the consumer device. The scanning of RAM
content and possibilities of EM scanning, side channel attacks are all covered
in the secure section of ORWL by the Maxim Secure controller. Nothing is
impossible, but we tried to make it really really hard to get hold of the SSD
encryption key and what we refer to as the Root of Trust. Qubes is really
helpful with many other attack vectors.

~~~
a3n
If you guys succeed, you should think about making phones.

~~~
talltower
We are actually talking about this. Thanks for your interest.

~~~
staticelf
If you made such a phone I would buy it. I hope you guys have a great success
because it seems like an awesome product.

~~~
dandelion_lover
Alternatively, you could consider [http://neo900.org/](http://neo900.org/).

------
nickpsecurity
In a rare event, I actually like what I see here. They've clearly studied
prior designs in high-security space, likely HSM and smartcard mitigations.
The mesh enclosure strategy was adopted by older HSMs. There were potential
bypasses that led to even more features, esp membranes and radiation sensors.
The best ever made, per Ross Anderson's team of talented IC breakers, was
IBM's 4758 whose protections and potential attacks are described here:

[https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c16.pdf](https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c16.pdf)

Best route is just to clone that thing somehow. IBM themselves already
deprecated it in favor of a new product. Might still try to patent sue you or
pull some other crap but worst case should be Chinese clones becoming
available after new design is published. :) Designers of ORWL should try to
copy more of the IBM thing's techniques to close gap between the two.

Far as design itself, I like that it's relatively simple, leverages a secure
IC, easy to disassemble, will allow low-level modifications like firmware, and
can run standard software. The next step will be a model that replaces the
Intel chip with OpenSPARC, OpenPOWER, or RISC-V multicore with added
components for trusted boot or I/O protections. Some are available with some
coming online. Next step is using crypto to protect confidentiality &
integrity of anything leaving SOC boundary so RAM is untrusted. There will be
a lot of money involved for initial development and prototyping of even the
first, open chip. So, I understand if they're taking it one step at a time.
That's cool as long as they keep the advertising honest about risks they're
keeping in for compatibility, etc.

------
brian_herman
How do they deal with the Intel Management Engine in all Intel chips?
[https://libreboot.org/faq/](https://libreboot.org/faq/)

~~~
teaearlgraycold
Didn't know about this. They should have gone with AMD.

~~~
DashRattlesnake
If you want to get away from that kind of thing, right now I think your
options are POWER8:
[https://www.raptorengineering.com/TALOS/prerelease.php](https://www.raptorengineering.com/TALOS/prerelease.php)

AMD has something similar to the Intel Management Engine:
[https://libreboot.org/faq/#amd](https://libreboot.org/faq/#amd)

~~~
na85
If only I had ~8000 dollars to spend on a desktop I'd be waist-deep in porting
Linux packages.

~~~
lallysingh
AFAIK IBM's spent a good amount of engineering effort on making Linux stuff
run on POWER.

~~~
apaprocki
Yes, in practice the only things that really need "porting" to POWER are low-
level compilers, languages, runtimes, tooling, etc. that may have arch-
specific code. Sometimes IBM does this (e.g. Google v8 + Node.js), sometimes
not... yet? (e.g. rust).

------
alainv
Any plans to offer a 16GB RAM version? The commentary from Qubes users in the
3.2 release thread [1] seems to indicate 8GB would be borderline for Qubes.

[1]
[https://news.ycombinator.com/item?id=12604417](https://news.ycombinator.com/item?id=12604417)

~~~
talltower
The current Intel chipset we selected only supports RAM up to a max of
8GB. We heard the Qubes users loud and clear and the request for 16GB RAM. We
will only be able to offer this in a next revision though.

------
startling
Since the monitor is external, I wonder if they've considered monitors as
attack surface:
[https://github.com/RedBalloonShenanigans/MonitorDarkly](https://github.com/RedBalloonShenanigans/MonitorDarkly)

~~~
talltower
Correction. The temperature monitor is INSIDE the secure shell.

~~~
dogma1138
He's talking about display monitors AKA the screens which can be exploited via
the i2c bus over the graphical interface (e.g. HDMI).

The GP is 100% correct, if you can't trust your keyboard, mouse, and the
monitor the "secure computer" concept in this case is problematic, while it
does reduce the attack surface somewhat it just focuses the attention of the
adversary onto a different vector.

If we take their "cleaning man/evil maid" scenario then while implanting the
computer might not be possible, implanting the keyboard, mouse or screen would
be very possible, and in fact somewhat easier than implanting a regular
computer with decent security measures such as an encrypted drive.

Add a USB storage device with a micro-controller to the keyboard and you own
the computer once it's connected, a monitor today comes with a CPU powerful
enough to run custom code which can be used to exfiltrate data as well.

Additionally both the keyboard and the monitor could potentially be used to
exploit software flaws on the software running on the ORWL unit also.

The concept is interesting; however, this is mostly "security theater": any
adversary which would be sophisticated enough to require taking these measures
would likely be able to circumvent them, and for the rest these measures don't
really do anything; if you use this for day to day operations or on-net
activity you'll get pwned via the network; if you keep secrets on this thing
worthy of sending someone into your home to implant your PC then they'll
implant something else which is connected to it.

Oddly enough the only "high tier" adversary that this might thwart would be
law enforcement since their computer forensic SOP would pretty much melt down
when encountering something which is tamper resistant.

But hey, you gotta start somewhere.

~~~
thisrod
I'm a bit surprised that, in 2016, there is no standard way for a computer to
authenticate its keyboard and monitor. Has anyone even thought about how that
could be done?

~~~
wtallis
HDCP is arguably the standard for authenticating the monitor, but it's not
quite intended for this purpose. I'm not aware of a standard for
authenticating input devices, but disabling USB HID and relying solely on
tamper-evident PS/2 input devices goes a long way.

------
verandaguy
It's an interesting concept, for sure – but could someone more knowledgeable
than me explain whether this leaves the system vulnerable to the potential,
alleged backdoors present in Intel's chips via the Intel Management Engine?

~~~
talltower
Our long term plan is to limit ME capabilities using the BIOS configuration.
We just released the SOW of the 1st BIOS with Eltan on the wiki:
[https://www.orwl.org/wiki/index.php?title=File%3ASowDESIGN-SHIFTORWLPUBLIC20160902.pdf](https://www.orwl.org/wiki/index.php?title=File%3ASowDESIGN-SHIFTORWLPUBLIC20160902.pdf)
We are planning to investigate how to further limit ME capabilities with Eltan
and we will update the SOW as we make progress. We also believe that the
current secure micro controller implementation severely limits the ME
capability through power management and the SSD key management.

------
joewee
The proximity based lockdown is interesting but won't prevent the likely
scenario of being grabbed while you are using the computer. Silk Road is a
famous incident, but I think it's the only option in any scenario where the
attacker knows you are using an encrypted disk.

I'm curious about your supply chain risk mitigation. Given that the project is
open source, can you publish a list of all of your suppliers and the country
of production?

Great work overall, looks like a nice design.

~~~
Archi1
Thank you for the feedback! This is still a desktop so if the device is
grabbed the power won't stay long. You need NFC to restart and then enter your
password. We are still working on opening as much as we can of the design.
Bill of Material and drawings will be detailed on www.orwl.org/wiki

~~~
brbsix
If your device is grabbed by the FBI from the Glen Park library, I don't think
they'll be turning it off. Wouldn't they use some sort of device[0] to
maintain the power supply? I assume they would also be aware a key fob was in
use, at least if you were using reasonably well-known hardware like the ORWL.

I noticed the campaign details indicated the power supply voltage is
monitored. Will this protect against a hot-plug?

[0]: [http://www.cru-inc.com/products/wiebetech/hotplug_field_kit_product/](http://www.cru-inc.com/products/wiebetech/hotplug_field_kit_product/)

~~~
Fragment
If anyone's wondering, here's the important bit:
[https://youtu.be/erq4TO_a3z8?t=259](https://youtu.be/erq4TO_a3z8?t=259)

I suppose this technique could be modified for most UK plugs too, but I've no
idea how you'd manage it for a recessed EU-type socket.

------
calebm
I was very recently looking into physically secure computing solutions, and
the "industry standard" seems to be the SafeNet Network HSM, formerly Luna SA
Network-Attached HSM (for example, it's what Amazon uses for their CloudHSM
service:
[https://aws.amazon.com/cloudhsm/](https://aws.amazon.com/cloudhsm/)), which
costs like $30,000. With that number in mind, the ORWL price of $700 is quite
enticing!

~~~
talltower
Yes, HSMs are very expensive and after talking to a few people in this
industry we got the impression that some of the ORWL features are not present
in HSMs. Like the ability to Geo-lock the device using the key (mounted in the
ceiling). Walking away with the device will render it useless as the keyFOB is
missing.

------
saynsedit
Appreciate the fully secure boot process, even if the Intel situation isn't
fully secure. Wish I had an external uC with burned-in firmware on my machine
that I trusted to verify my BIOS firmware and orchestrate the boot process.

~~~
talltower
Thanks. We agree with your statement fully. We are raising the threshold of
entry to your personal data substantially, but we are still far from
perfection. We did a number of steps up in the security ladder. We are also
taking steps to minimize ME abilities in ORWL. Our long term plan is to limit
ME capabilities using the BIOS configuration. We just released the SOW of the
1st BIOS with Eltan on the wiki:
[https://www.orwl.org/wiki/index.php?title=File%3ASowDESIGN-SHIFTORWLPUBLIC20160902.pdf](https://www.orwl.org/wiki/index.php?title=File%3ASowDESIGN-SHIFTORWLPUBLIC20160902.pdf)
We are planning to investigate how to further limit ME capabilities with Eltan
and we will update the SOW as we make progress. We also believe that the
current secure micro controller implementation severely limits the ME
capability through power management and the SSD key management.

------
Cieplak
Enjoy spending the next 10k years auditing the security of the chipset with
your scanning tunneling microscope.

~~~
murbard2
Even if it doesn't protect you against some transistor level NSA
backdoor, that doesn't mean it can't thwart other attackers who would usually
take advantage of physical access.

------
BinaryIdiot
Now this is really cool! Though as with all things wireless I'd worry about
working and somehow the key fob getting interfered with and boom, computer
locks up; or if a sensor thinks I'm moving the computer when it's really just
an earthquake or maybe even my cat jumping on the table and then the
encryption key is deleted.

So I love the idea but not sure of the practicality. Those sensors have to
essentially work perfectly at all times and I'm not convinced until it's
released and reviewed.

~~~
talltower
The SSD encryption key will only be deleted in case of a tamper event, NOT
when the unit is moved. Tamper events are:

* freezing the unit
* drilling the secure enclosure or otherwise breaking the traces on it
* prying the enclosure off the PCB

So I don't think you have to be too worried about a false trigger of a key
erasing.

~~~
yellowapple
Is there a specific temperature about which I should be concerned? I live in a
cold climate and would hate to lose data (even if it is backed up) in the
event that I lose heating.

------
nornagon
> The battery itself is projected to last about six months without being
> connected to power.

It seems like a lot of the security of the device depends on active scanning
(e.g. the LDS clamshell mesh, the IMU, the temp sensor, etc.), which stops
working after 6 months. Is the vector of a malicious actor taking the device
and waiting 6 months before breaking in considered not worth protecting
against?

~~~
wiml
The webpage says it zeroes the key material when the battery runs low. So
it'll fail "secure" in that case, presumably.

~~~
nornagon
Ah, I missed that bit! Thanks :)
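The rules traded in this part of the thread (stand-by past 10 meters, shutdown when moved while the user is away, key erasure on freezing, drilling or prying, zeroisation when the backup battery runs low, and plain motion never counting as tamper) fit naturally into a small state machine. The model below is an added illustration written for this page; it is not ORWL's firmware or any design-shift code, and the event names, the freeze and battery thresholds, and the exact response to each event are assumptions chosen to match the comments above.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional
import secrets


class Response(Enum):
    """What the modelled secure controller does in reply to one sensor reading."""
    NONE = auto()        # nothing: ordinary use, or motion with the user present
    STANDBY = auto()     # keyfob out of range: suspend the x86 side, cut USB power
    SHUTDOWN = auto()    # moved while the user is away: power the x86 side off
    ERASE_KEY = auto()   # tamper or low battery: zeroise the SSD key for good


@dataclass
class SensorEvent:
    kind: str            # 'proximity', 'motion', 'temperature', 'mesh' or 'battery'
    value: float = 0.0   # metres, g, degrees C, mesh continuity (1 ok / 0 broken), percent


@dataclass
class SecureController:
    """Constructed policy model; thresholds other than the 10 m radius are assumptions."""
    proximity_limit_m: float = 10.0     # stated in the thread
    freeze_threshold_c: float = -10.0   # assumption: what counts as "chilled"
    battery_floor_pct: float = 5.0      # assumption: what counts as "battery runs low"
    ssd_key: Optional[bytes] = field(default_factory=lambda: secrets.token_bytes(32))
    user_in_range: bool = True
    x86_powered: bool = True
    usb_powered: bool = True
    log: List[str] = field(default_factory=list)

    def _erase(self, reason: str) -> Response:
        # Irreversible: the key reference is dropped and nothing in the model restores it.
        self.ssd_key = None
        self.x86_powered = False
        self.usb_powered = False
        self.log.append(f"ERASE_KEY: {reason}")
        return Response.ERASE_KEY

    def handle(self, ev: SensorEvent) -> Response:
        if ev.kind == "proximity":
            if ev.value > self.proximity_limit_m:
                self.user_in_range = False
                self.usb_powered = False        # USB interface off while the fob is away
                self.log.append(f"STANDBY: fob at {ev.value} m")
                return Response.STANDBY
            self.user_in_range = True
            self.usb_powered = self.x86_powered  # a powered-off unit needs its NFC restart
            return Response.NONE
        if ev.kind == "motion":
            # Motion is never a tamper event: with the user present it is ignored
            # (the cat, the earthquake); with the user away the unit powers down.
            if self.user_in_range:
                return Response.NONE
            self.x86_powered = False
            self.log.append("SHUTDOWN: moved while user away")
            return Response.SHUTDOWN
        if ev.kind == "temperature" and ev.value < self.freeze_threshold_c:
            return self._erase(f"chilled to {ev.value} C")
        if ev.kind == "mesh" and ev.value < 1.0:
            return self._erase("enclosure mesh trace broken or enclosure pried off")
        if ev.kind == "battery" and ev.value < self.battery_floor_pct:
            return self._erase(f"backup battery at {ev.value}%: fail secure")
        return Response.NONE

    def run(self, events: List[SensorEvent]) -> List[Response]:
        return [self.handle(ev) for ev in events]


# Constructed sequence: a false-alarm bump, the user walking off, the unit being
# carried away, a chilling attempt, and drilling after the key is already gone.
DEMO_EVENTS = [
    SensorEvent("motion", 1.2),          # user present: cat on the desk, ignored
    SensorEvent("proximity", 14.0),      # user walks out of range: stand-by
    SensorEvent("motion", 0.8),          # unit moved while away: power off
    SensorEvent("temperature", -40.0),   # freeze attempt: key erased
    SensorEvent("mesh", 0.0),            # later drilling: key already gone, stays gone
]


def demo_sequence() -> List[Response]:
    return SecureController().run(DEMO_EVENTS)


if __name__ == "__main__":
    for ev, resp in zip(DEMO_EVENTS, demo_sequence()):
        print(f"{ev.kind:12s} {ev.value:7.1f} -> {resp.name}")
```

The point the model makes explicit is the asymmetry talltower describes: motion only ever degrades availability (stand-by or shutdown), while the key-destroying branch is reserved for the physical tamper signals and for the low-battery case that wiml points out, where the device fails secure rather than waiting for its sensors to go dark.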

------
Dzugaru
> If someone has physical access to your computer with secure documents
> present, it’s game over!

Err, why? Is AES encryption not sufficient? And the key is secure in my head -
not something someone could steal.

So, why is this even a thing?

~~~
ge0rg
Unless you also want to perform the AES operations in your head, you have to
rely on the hardware and software of your computer to perform them. An
attacker could then replace the AES routine you use with one that stores a
shadow copy of your key, or exfiltrates it over some covert channel.

~~~
gravypod
What if the crypto side of things is remove-able and carry-able on your
person? Or what if it could be subdermally implanted so you know no one can
pickpocket you and replace it?

Just a thought.

~~~
JoshTriplett
> What if the crypto side of things is remove-able and carry-able on your
> person?

You might as well have the entire computer removable and portable.

~~~
howardbeware
And that's pretty much what ORWL is.

------
jpalomaki
In the past I've heard about a couple of cases where people had some startup
idea that involved some clever application/algorithm that would have had to be
deployed to customers' premises but kept secret.

With slight modifications (*) this sounds like a low cost, but easy to deploy
solution to the problem. Some of the security would be lost, but you would
still get a reasonably tamper proof computer that is capable of running a
standard software stack for <$1K.

With the same kind of changes you could also build a low cost HSM solution
based on this.

(*) Instead of controlling booting, the keyfob could be used to
enable/disable console access and the device should be able to recover from
short power losses.

------
0xdeadbeefbabe
By the way, making other people secure is big business. For that reason I can
see a pointy haired decision maker buying loads of these for the functionaries
to use. I wouldn't really want one of these for myself though.

------
lightedman
This doesn't seem all that secure. Against an Evil Maid attack, your best
mitigation is to be able to keep everything, OS and all, on a portable drive
which is self-encrypting; essentially an encrypted PE.

~~~
saynsedit
Why not? Seems secure against evil maid to me (barring hardware backdoors like
Intel).

~~~
howardbeware
They explicitly address several attacks here:
[https://www.crowdsupply.com/design-shift/orwl#specific-attacks-and-mitigations](https://www.crowdsupply.com/design-shift/orwl#specific-attacks-and-mitigations)

~~~
saynsedit
None of those are evil maid attacks.

~~~
talltower
Let me state a section of our product description here, detailing the way we
are approaching the "Evil Maids": USB volume boot blocked at BIOS, BIOS access
controlled by security key + PIN, Intel TPM is enabled, and we do not enter a
passphrase to unlock encryption (unlike software based full disk encryption).
In addition, attacks that don't rely on booting to a USB device are protected
by powering off the USB interface when the user keyfob is out of range. More
details here:
[https://www.orwl.org/wiki/index.php?title=Resources#Resources](https://www.orwl.org/wiki/index.php?title=Resources#Resources)

------
uxcn
_ORWL was designed specifically to prevent undetected tampering with any of
its electrical components, including the entire motherboard and storage drive.
When tampering is detected, ORWL immediately and irrevocably erases all your
data, even if it is unplugged at the time._

and...

_Upon any tampering, the secure microcontroller instantly erases the
encryption key, causing all data on the SSD to be irrevocably lost._

If only the key is deleted, wouldn't that leave the drive susceptible to brute
force?

~~~
pstrateman
Uhh.. yes but enjoy brute forcing a 256 bit key.

See you in a few trillion years.

~~~
libeclipse
Quite a lot more than a few trillion.

~~~
dmichulke
You have to account for Moore's Law within the few trillions GP mentioned.

~~~
grandsham
Bruce Schneier and others[1] have done the math on brute forcing 256 bit keys:
even with a perfectly efficient computer using the least amount of energy
possible, you would have to deplete the entire energy content of the Sun to
just iterate over a 225 bit keyspace once, let alone do anything meaningful
with those keys.

Moore's Law doesn't really factor into it.

[1][http://security.stackexchange.com/a/6149](http://security.stackexchange.com/a/6149)

~~~
uxcn
It's estimated there are 10^80 atoms [1] in the visible universe, so 2^256 is
definitely a huge number. I didn't realize 256 bit brute force was nigh
feasible with only a solar system.

I'm a bit surprised the quantum algorithm only gives a polynomial speedup.

[1]
[https://en.wikipedia.org/wiki/Observable_universe#Matter_con...](https://en.wikipedia.org/wiki/Observable_universe#Matter_content)

~~~
learningbot
10^80 = (10^3)^80/3 = 1000^80/3 = 1000^26.67

2^256 = (2^10)^25.6 = 1024^25.6

These numbers seem very close.
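A worked version of the estimates traded in this sub-thread (grandsham's Landauer-limit argument, uxcn's 10^80 atoms comparison and learningbot's 1000^26.67 versus 1024^25.6), added here as an illustration rather than taken from the linked answer or from anyone in the thread. The physical values are ones I supply: Boltzmann's constant, the roughly 2.7 K cosmic background temperature as the coldest free heat sink, the Sun's nominal luminosity and mass, and E = mc^2 to turn the Sun's mass into "entire energy content". It charges one Landauer-minimum bit flip per key tried, which is a lower bound on the cost of merely counting through the keyspace, not the cost of actually testing a key.

```python
import math

# Standard physical values, supplied here as the example's inputs.
K_B = 1.380649e-23             # Boltzmann constant, J/K
T_CMB_K = 2.725                # cosmic microwave background temperature, K
SUN_LUMINOSITY_W = 3.828e26    # IAU nominal solar luminosity, W
SUN_MASS_KG = 1.989e30         # solar mass, kg
C_M_PER_S = 299_792_458        # speed of light, m/s
SECONDS_PER_YEAR = 365.25 * 86_400


def landauer_joules_per_bit(temp_k: float = T_CMB_K) -> float:
    """Landauer limit: the least energy any machine can spend to set or clear
    one bit at temperature temp_k is k_B * T * ln 2."""
    return K_B * temp_k * math.log(2)


def sun_annual_output_j() -> float:
    """Energy the Sun radiates in one year."""
    return SUN_LUMINOSITY_W * SECONDS_PER_YEAR


def sun_mass_energy_j() -> float:
    """Every joule the Sun could ever yield if its whole mass were converted (E = m c^2)."""
    return SUN_MASS_KG * C_M_PER_S ** 2


def max_enumerable_bits(energy_j: float, temp_k: float = T_CMB_K,
                        flips_per_key: int = 1) -> float:
    """log2 of how many keys an ideal, Landauer-limited machine could count
    through with energy_j, charging flips_per_key bit changes per key.
    This bounds energy, not time: a faster machine (Moore's Law) spends the
    same joules sooner, it does not get more keys out of them."""
    return math.log2(energy_j / (flips_per_key * landauer_joules_per_bit(temp_k)))


def years_of_sunlight_for_keyspace(bits: int, temp_k: float = T_CMB_K) -> float:
    """Years of the Sun's entire output needed just to count to 2**bits."""
    return (2.0 ** bits) * landauer_joules_per_bit(temp_k) / sun_annual_output_j()


def log2_atoms_over_keys(bits: int = 256, atoms_in_universe: float = 1e80) -> float:
    """log2(atoms / 2**bits): how many doublings separate the two numbers
    learningbot compares. Positive means more atoms than keys."""
    return math.log2(atoms_in_universe) - bits


def summary() -> dict:
    """The figures the thread argues about, computed rather than quoted."""
    return {
        "bits_with_sun_annual_output": max_enumerable_bits(sun_annual_output_j()),
        "bits_with_sun_mass_energy": max_enumerable_bits(sun_mass_energy_j()),
        "bits_with_sun_mass_energy_100_flips": max_enumerable_bits(sun_mass_energy_j(),
                                                                   flips_per_key=100),
        "sun_years_to_count_2_pow_256": years_of_sunlight_for_keyspace(256),
        "log2_atoms_over_2_pow_256": log2_atoms_over_keys(),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:40s} {value:.4g}")
```

Run as written, the Sun's full mass-energy buys about 2^232 single bit flips, and at a still-generous 100 flips per key that drops to roughly 2^225, which is where the figure grandsham quotes lands. Counting to 2^256 one flip at a time would take on the order of 10^20 years of the Sun's whole output, so pstrateman's "few trillion years" is short by eight orders of magnitude, and learningbot's two numbers differ by a factor of about 2^9.75, under a thousand, which is indeed close on this scale.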

------
DenisM
I wonder how realistic it is to get the simplest ARM design and make "your
own" chip? I mean there should be blueprints somewhere, if you could ask
someone to make a small batch of these chips? It would be too small to be
worth it for someone to inject a backdoor into it. Or you could make that into
an FPGA... Am I talking nonsense?

~~~
monocasa
If you're going to go through the process of taping out your own chips, RISC-V
is probably your best bet at the moment.

------
Animats
This appears to be a good solution to the wrong problem. Maybe if they team
with someone working on secure computer software...

~~~
eeZah7Ux
Kudos to the open source design but they should not encourage users to run
Windows on it.

~~~
mastazi
The promotional video shows someone using Linux. Do they mention Windows
somewhere else on their site?

~~~
yellowapple
They mention Windows compatibility as an explicit and mandatory goal of the
project in the Crowdsupply project page.

~~~
mastazi
Thanks, I missed that bit.

------
SRSposter
It's great that the hardware privacy front is progressing.

------
partycoder
"open source and secure", powered by a potentially backdoored Intel processor
(i.e: through the Intel Management Engine).

------
j2kun
Where does the name come from? When pronouncing it I can't help but notice
it's very close to "Orwell".

~~~
wastedhours
In their post on the Ubuntu blog [0] they say it is pronounced "or-well".
Assumedly ironically.

[0] [https://insights.ubuntu.com/2016/09/29/meet-orwl-the-first-open-source-physically-secure-computer/](https://insights.ubuntu.com/2016/09/29/meet-orwl-the-first-open-source-physically-secure-computer/)

------
betolink
Great project! but unless the computer is used to do only offline tasks then
having a physical key is as useful as locking a door and leaving the keys on
(hardware level backdoors, zero-day attacks, lack of end to end cryptography
etc.)

------
ausjke
Made a product like this before that passed FIPS 140-3; same idea, i.e. a
battery-backed MCU + mainboard.

------
ingenter
Did you think about manufacturing or designing your own ARM CPUs and releasing
HDL for the CPU?

~~~
talltower
We thought long and hard about the type of platform we want to use for this
project. While the x86 platform has many shortcomings, it also provides a big
ecosystem of OS and SW, as well as support. The fact that we have two
subsystems, secure micro controller being in charge of supplying (and denying)
power from the x86 gives us a lot of leverage and protection.

------
Prad
I'd be very interested to see this applied to phones.

------
qplex
Remember to put glue into the USB ports.

------
zitterbewegung
Not sure why the ubuntu.com is linked instead of the crowd supply link which
has all the information including the ability to purchase one. See
[https://www.crowdsupply.com/design-shift/orwl](https://www.crowdsupply.com/design-shift/orwl)

~~~
sctb
Thanks, we updated the link from
[https://insights.ubuntu.com/2016/09/29/meet-orwl-the-first-open-source-physically-secure-computer/](https://insights.ubuntu.com/2016/09/29/meet-orwl-the-first-open-source-physically-secure-computer/).

------
JohnStrange
"When tampering is detected, ORWL immediately and irrevocably erases all your
data"

IMHO that is beyond stupid, it's criminally irresponsible.

Well, to be fair, perhaps there are _some_ use cases, just not many. I'd
rather go with tamper-proof seals instead.

~~~
masukomi
How is it "criminally" irresponsible on a personal computer? I should be able
to delete my own data whenever I want to, unless ordered by a court not to.
Also OpenBSD has had the ability to wipe the system on failed password
attempts for many years now.

~~~
JohnStrange
It's criminally irresponsible to sell such a computer, because it will easily
result in data loss and not all users are educated enough to understand the
consequences of such a flawed "security" design. Of course, you can claim that
it's ultimately the customer's fault in this case, and I agree, but they should
nevertheless expect some lawsuits.

There is always a tradeoff between security and data integrity, something
which the people who downvoted my post apparently don't understand. When even
your mom can mount a 100% successful denial of service attack with a
screwdriver, then you're screwed.

If you disagree, I challenge you to show me a reasonable use case that
couldn't also be solved by _actual_ physical security or by locking down
booting and the BIOS and using tamper-evident seals.

~~~
howardbeware
The same argument could be applied to nearly any product. Knowing how to use
the product is the user's responsibility and helping educate users is the
manufacturer's responsibility. If you don't have data backups, regardless of
the type of computer, then you're setting yourself up for disappointment.

~~~
JohnStrange
True, maybe I overreacted. What worries me is that it is apparently supposed
to be sold as a general computing device. Tamper-resistant hardware may be
used in the military to protect implementations and keys stored in hardware
that will eventually get stolen. For other types of data stored? Probably not
so much. As I said, reasonable uses for this kind of device are limited.

For ordinary users, deleting everything immediately when someone tampers with
it is a recipe for disaster. Sure, they can backup everything in encrypted
form, but then the data is not really deleted when somebody tampers with the
machine, is it?

Regarding the security, well, apart from software-based attacks, how about
installing a tiny USB keylogger inside a USB cable that is already used by the
user? Or in the keyboard itself? Or a camera that records your keystrokes?

That's what the <insert agency or special interest group of your choice> would
be doing in such a case.

------
na85
I scowled when I read about the Intel chip, and I stopped reading when they
mentioned USB. Assuming for a moment that there's no hidden backdoor in the
Intel chip (which seems exceedingly unlikely from all that I've read regarding
IME, not to mention the un-auditable microcode), all this fancy hackery is
still going to get pwned by BadUSB.

Secure computing cannot and will not move forward until we have a way to
mitigate against this.

~~~
wiml
They address this a bit. Their CPU supports device virtualization and the
default OS install dedicates a VM to just the USB ports, and the USB data
lines are electrically disconnected from the HCIs when the machine is in
locked mode.

I'd be more concerned about the wifi and bluetooth chips' firmware.

------
jimmytidey
Isn't the phrase Evil Maid a bit off-key? I'm sure this must have been
discussed at great length elsewhere.

We could express the same idea without the power and gender relations implied.

~~~
nickpsecurity
It's the common name of the attack that people get. So it's useful whether PC
types, who are a tiny minority of many audiences, like it or not. I'm not sure
how "Evil Maid" label was derived. I do know from espionage reading that the
most common form of the attack came from maids in hotels of business or
government people passing through. Janitors and maintenance types, too, but
they were in a trusted, protected building instead of a third party's. French
intelligence is particularly notorious for using maids or other hotel
employees. Calling it a (adjective-here) Maid attack given all the maids
involved makes sense for historical and current significance of that attack
vector. As in, the label is also a reminder to watch your ass and never leave
gear unattended in hotels. ;)

~~~
jimmytidey
DSK conspiracy theories are a fun example of French intelligence services in
hotels. Certainly, the phrase has a titillating James Bond aspect to it.

If you haven't heard the phrase before it sounds weird, I do understand it's
not intended maliciously.

I don't think I'd use the term without quotes in my own writing.

~~~
nickpsecurity
I Googled it. I don't know if it's true or not but it was entertaining. :) My
memory is fuzzy here but I think one of my sources on it was the leaked MOD
Security Manual of UK that talked about what various countries pull the most
on their agents or diplomats. I know it was in a few places way before that
DSK story. The one on Russia was worse, though. It said they not only would
bug your hotel when they knew you were coming but might create a way to ensure
you landed in a bugged one even if you switched at last minute. Very
determined professionals over there haha.

