Sorry, I just noticed that the link to installing Libreboot on the X200 is incorrect. Here is the correct link: https://libreboot.org/docs/install/x200_external.html .
Michael English:
> Intrigeri,
>
> First, we should identify the problem. Tails does not replace all of the
> software on one's computer. There is additional storage on the SPI flash
> chip which carries the BIOS and ME, and there is the USB stick which has
> its own firmware. As shown by LegbaCore, this software outside of Tails
> can be easily infected. “Since almost no organizations in the world
> provide BIOS patch management, it is almost guaranteed that any given
> system has at least one exploitable BIOS vulnerability that has
> previously been publicly disclosed. Also, the high amount of code reuse
> across UEFI BIOSes means that BIOS infection is automatable and
> reliable.” Once the firmware is infected, the malware is more privileged
> than all applications and operating systems. Basically, Tails is
> completely useless on insecure hardware.
>
> Your question about the audience is a bit of a leading question. All
> Tails users should be the audience. Currently, Tails only has
> documentation about warnings of firmware vulnerabilities. However,
> readers have no course of action to take against this serious problem.
> Anyone who cares about their privacy/security/freedom enough to run
> Tails should purchase or configure secure hardware.
>
> One solution to the vulnerable SPI flash chip that we can document is
> Libreboot. Unlike Coreboot, Libreboot is completely open-source without
> the Intel FSP and provides easy-to-understand documentation. There are
> two options to get a Libreboot X200. First, one can buy a refurbished
> Lenovo ThinkPad X200 from an electronics store like Newegg in the United
> States. (I assume that there is a European equivalent.) Then, he or she
> can follow the relatively easy-to-understand instructions on the
> Libreboot website for installing the BIOS
> https://libreboot.org/docs/hcl/x200.html and removing the ME
> https://libreboot.org/docs/hcl/gm45_remove_me.html . Second, one can buy
> a laptop with Libreboot pre-installed. The Free Software Foundation has
> a list of hardware that respects your freedom and currently includes two
> companies that sell Libreboot laptops:
> https://www.fsf.org/resources/hw/endorsement/respects-your-freedom . I
> personally recommend Minifree, which is run by the same person who
> founded Libreboot. When buying a laptop with Libreboot pre-installed,
> one does not have to worry about making a mistake in the installation
> process, financially supports Libreboot, and gets a longer warranty in
> the case of Minifree, which offers a whole two-year warranty. I do not
> recommend that we specifically promote one company on the Tails website,
> but we should link to the Respects Your Freedom page as an option
> instead of the manual install.
>
> Another small note about the X200 is that it has a wireless kill switch
> to prevent the leaking of sensitive information over the network without
> the user noticing.
>
> I am unsure what to do about the vulnerable firmware on the USB stick
> that runs Tails. As far as I know, there are no open-source USB
> drives/firmware. Though, USB drive malware could be almost as damaging
> as the BIOS/ME because it can perform MITM attacks between the OS and
> flash memory. Here are a couple of videos which explain USB stick/SD card
> firmware vulnerabilities: https://www.youtube.com/watch?v=nuruzFqMgIw
> https://www.youtube.com/watch?v=CPEzLNh5YIo . Please let me know if
> there is a solution to vulnerable USB stick firmware and if some USB
> sticks are more secure than others.
>
> Cheers,
> Michael English
>

_______________________________________________
Tails-dev mailing list
https://mailman.boum.org/listinfo/tails-dev
