The laptops that we sell are already highly secure, but they can be modified to be even more secure. You can purchase this as a standalone service, and send in your laptop for servicing, or purchase this along with a laptop you wish to buy. If you want us to skip any of the steps below, please tell us!
The purpose of this service is to make physical attempts at compromising the hardware very difficult (but not impossible. just difficult), to the point where you’d have to use a drill and break the laptop open. By the time the attacker is done, your laptop would no longer be useful, and thus would defeat the purpose. Most attackers will want to compromise your hardware, but still have you continue using the machine.
An attacker *could* simply replace your entire machine, and perform the same modifications as below, but this would be very expensive and time consuming for them. Therefore, they are unlikely to bother. This service also mitigates against that possibility (read below).
These security mods are NOT fool proof. They can greatly increase your security, but whether you need them depends upon your threat model. Read for yourself the service we provide (details below) and decide whether you want it.
For all laptops, we will flash a ROM that is configured to enable flash protection. This is done by flashing a ROM that sets all regions in the flash chip read-only. This is done via the Intel Flash Descriptor, using a modified version of ich9gen from Libreboot. It creates a modified Intel Flash Descriptor that, when flashed, sets the entire flash chip read-only. This prevents malicious software running as root from re-flashing the chip, and means that you later need an external SPI programmer if intending to re-flash a new Libreboot ROM. This modified version can be found here: https://notabug.org/libreboot/libreboot/src/ich9util-improvements/resources/utilities/ich9utils. I, Leah Rowe, am the author of ich9utils and I understand the Intel Flash Descriptor very well. I also wrote that custom patch for ich9gen, linked here on this page, specifically for the purpose of providing this security mod.
NOTE: nowadays, all Trisquel installs are encrypted by default (at no extra cost), on laptops that we sell.
OPTIONAL: Send us an encrypted email, with a password that you would like us to use. This password will be set on the boot menu. Without this password, an attacker could boot a USB based GNU+Linux distro on your machine. With this password, use of your computer is restricted only to those who know this passphrase.
This password will also be used for the default encryption passphrase in Trisquel, and the user password. By default, we ship with a standard password for everything, with instructions for how to change it. By sending us an encrypted email with this password, we can encrypt your Trisquel install using this, and an attacker (especially during shipping) cannot gain access to your partition.
You can always change the encryption passphrase again after your laptop arrives at your location, with the modifications performed.
By doing this, an agent (during shipping) cannot replace your HDD/SSD with another one with the same password, because they don’t know that password. Only you and RetroFreedom knows it, but then you change it after the laptop arrives and only you know it.
If you send us this encrypted email, we will also respond (using encryption) with photos of the epoxy on all the external screws of your laptop; with these photos, you can compare when your laptop arrives, to know whether the laptop you receive is the same one and has not been tampered with.
For each laptop, we also put a “mark” on the laptop; it’s different each time, for each customer. We recommend communicating with GPG encrypted email, and this mark will be explained to you, for your specific machine. That, plus the epoxy photos, can let you know if the machine has been replaced, or tampered with.
For this service, we will:
- Remove the speaker (the speaker could potentially leak data over high frequency)
- Remove microphone (could be abused to take external commands), bluetooth (generally it is a security risk), wifi (potential for side channel attacks makes wifi risky if security is important)
- Remove the expresscard slot (or put epoxy inside the connector) – expresscard provides for DMA, which an attacker could exploit by plugging in a device that reads the contents of RAM very quickly, and therefore potentially extract encryption keys from memory)
- Epoxy the RAM to obstruct removal of it, and the 2-screw door to access the RAM (to slow down an attacker that attempts cold-boot attack)
- Epoxy the SATA slots (SATA can potentially be used to initiate a DMA attack). We will supply a USD SATA adapter, and the HDD/SSD inside it. Your laptop will be configured to boot from the USB SSD/HDD; with full disk encryption and use of USB which has no DMA, you can be highly secure. The reason why is here: https://libreboot.org/faq.html#hddssd-firmware
- If present, remove the webcam (or apply tape over it)
- Epoxy all of the screws, to slow down disassembly of the laptop
- Same as X200/X200T/X200S but also: remove firewire slot (firewire is very useful for DMA attacks)
- cardbus/expresscard slot always removed, not epoxied (easier to remove than on X200)
Epoxy is a liquid substance that, when mixed properly, hardens on any surface it is applied to. It’s very difficult to remove (not impossible to remove if you have a hot air jet or some other way to blast hot air onto it, but even then it’s difficult to remove).
Information about some of this (especially pertaining to DMA) is on the Libreboot FAQ: