Intrigeri,

First, we should identify the problem. Tails does not replace all of the software on one's computer. There is additional storage on the SPI flash chip, which carries the BIOS and ME, and there is the USB stick, which has its own firmware. As shown by LegbaCore, this software outside of Tails can be easily infected: “Since almost no organizations in the world provide BIOS patch management, it is almost guaranteed that any given system has at least one exploitable BIOS vulnerability that has previously been publicly disclosed. Also, the high amount of code reuse across UEFI BIOSes means that BIOS infection is automatable and reliable.” Once the firmware is infected, the malware is more privileged than all applications and operating systems. Basically, Tails is completely useless on insecure hardware.
Your question about the audience is a bit of a leading question. All Tails users should be the audience. Currently, Tails only has documentation warning about firmware vulnerabilities. However, readers have no course of action to take against this serious problem. Anyone who cares about their privacy/security/freedom enough to run Tails should purchase or configure secure hardware.

One solution to the vulnerable SPI flash chip that we can document is Libreboot. Unlike Coreboot, Libreboot is completely open-source without the Intel FSP and provides easy-to-understand documentation. There are two options to get a Libreboot X200.

First, one can buy a refurbished Lenovo ThinkPad X200 from an electronics store like Newegg in the United States. (I assume that there is a European equivalent.) Then, he or she can follow the relatively easy-to-understand instructions on the Libreboot website for installing the BIOS
https://libreboot.org/docs/hcl/x200.html
and removing the ME
https://libreboot.org/docs/hcl/gm45_remove_me.html

Second, one can buy a laptop with Libreboot pre-installed. The Free Software Foundation has a list of hardware that respects your freedom, which currently includes two companies that sell Libreboot laptops:
https://www.fsf.org/resources/hw/endorsement/respects-your-freedom
I personally recommend Minifree, which is run by the same person who founded Libreboot. When buying a laptop with Libreboot pre-installed, one does not have to worry about making a mistake in the installation process, financially supports Libreboot, and gets a longer warranty in the case of Minifree, which offers a whole two-year warranty. I do not recommend that we specifically promote one company on the Tails website, but we should link to the Respects Your Freedom page as an option instead of the manual install.

Another small note about the X200 is that it has a wireless kill switch to prevent the leaking of sensitive information over the network without the user noticing.
I am unsure what to do about the vulnerable firmware on the USB stick that runs Tails. As far as I know, there are no open-source USB drives or USB firmware. However, USB drive malware could be almost as damaging as the BIOS/ME malware because it can perform MITM attacks between the OS and the flash memory. Here are a couple of videos which explain USB stick/SD card firmware vulnerabilities:
https://www.youtube.com/watch?v=nuruzFqMgIw
https://www.youtube.com/watch?v=CPEzLNh5YIo
Please let me know if there is a solution to vulnerable USB stick firmware and if some USB sticks are more secure than others.

Cheers,
Michael English
