mirror of
https://github.com/PrivSec-dev/privsec.dev.git
synced 2025-05-02 14:26:25 -04:00
Change format
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
fe2794e76a
commit
772ed6c82f
8 changed files with 15 additions and 5 deletions
content/posts/knowledge/Laptop Hardware Security
dell.pngindex.mdintel-amt-misinfo.pngintel-me-misinfo-1.pngintel-me-misinfo-2.pnglibrem14.pnguefi-secure-boot-misinfo.png
static/images
BIN
content/posts/knowledge/Laptop Hardware Security/dell.png
Normal file
BIN
content/posts/knowledge/Laptop Hardware Security/dell.png
Normal file
Binary file not shown.
After ![]() (image error) Size: 1.7 MiB |
|
@ -9,7 +9,7 @@ While browsing privacy forums, I often see a lot discussions regarding laptop ha
|
||||||
|
|
||||||
In this post, I will walk you through a quick overview of how hardware security is generally implemented for laptops, what to look for, and what to avoid. We will not discuss MacBooks or Chromebooks, as they are vastly different from normal x86 Windows/Linux hardware.
|
In this post, I will walk you through a quick overview of how hardware security is generally implemented for laptops, what to look for, and what to avoid. We will not discuss MacBooks or Chromebooks, as they are vastly different from normal x86 Windows/Linux hardware.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
## The Benchmark
|
## The Benchmark
|
||||||
|
|
||||||
|
@ -84,7 +84,7 @@ This excercise also achieves nothing to protect against a hypothetical scenario
|
||||||
|
|
||||||
Another misinformation regarding CSME is that it is provides some kind of [shady "remote management" system](https://www.fsf.org/blogs/community/active-management-technology) for your computer. In reality, this is the AMT component which only exists on Intel vPro CPUs. It is meant for IT teams to manage systems with technologies like Serial over LAN, Solarwind, etc.
|
Another misinformation regarding CSME is that it is provides some kind of [shady "remote management" system](https://www.fsf.org/blogs/community/active-management-technology) for your computer. In reality, this is the AMT component which only exists on Intel vPro CPUs. It is meant for IT teams to manage systems with technologies like Serial over LAN, Solarwind, etc.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
Here are some facts about it:
|
Here are some facts about it:
|
||||||
- You can disable it firmware settings.
|
- You can disable it firmware settings.
|
||||||
|
@ -102,7 +102,7 @@ Some people recommend buying AMD instead of Intel to avoid the possibility of ha
|
||||||
|
|
||||||
Another false claim regarding Secure Boot by the Free Software Foundation is that UEFI Secure Boot is somehow Microsoft's evil attempt to lock users out of their computer by [only allowing it to run Microsoft approved software](https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/whitepaper-web):
|
Another false claim regarding Secure Boot by the Free Software Foundation is that UEFI Secure Boot is somehow Microsoft's evil attempt to lock users out of their computer by [only allowing it to run Microsoft approved software](https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/whitepaper-web):
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
In reality, most if not all laptops with UEFI Secure Boot allows you to disable it - you can run whichever operating system you want. While it is true that certain lines of laptops like Razer do not allow custom key enrollment, proper business laptops like Dell Latitude/Precision and Lenovo Thinkpad do. You can enroll your own Secure Boot key and tell your laptop to boot only the system you trust.
|
In reality, most if not all laptops with UEFI Secure Boot allows you to disable it - you can run whichever operating system you want. While it is true that certain lines of laptops like Razer do not allow custom key enrollment, proper business laptops like Dell Latitude/Precision and Lenovo Thinkpad do. You can enroll your own Secure Boot key and tell your laptop to boot only the system you trust.
|
||||||
|
|
||||||
|
@ -133,12 +133,22 @@ The problem with this design is that everything hinges on the boot block doing i
|
||||||
|
|
||||||
#### PureBoot & Purism
|
#### PureBoot & Purism
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
Purism sells their laptops with PureBoot, a fork of Heads. It works in pretty much the same way, with a few extra features.
|
Purism sells their laptops with PureBoot, a fork of Heads. It works in pretty much the same way, with a few extra features.
|
||||||
|
|
||||||
Here is what Purism claims in their marketing material:
|
Here is a quick sample of Purism's marketing material:
|
||||||
|
|
||||||
|
They claim that:
|
||||||
|
- It can protect against firmware tampering
|
||||||
|
- PureBoot is somehow better than other laptops which have real protection
|
||||||
|
- The Intel ME is a backdoor
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
blah
|
||||||
|
|
||||||
|
As we have discussed above, this does not work, cannot work, has never worked, and will never work.
|
||||||
|
|
||||||
|
|
||||||
### RYF and the Illusion of Freedom
|
### RYF and the Illusion of Freedom
|
Before ![]() (image error) Size: 609 KiB After ![]() (image error) Size: 609 KiB ![]() ![]() |
Before ![]() (image error) Size: 166 KiB After ![]() (image error) Size: 166 KiB ![]() ![]() |
Before ![]() (image error) Size: 137 KiB After ![]() (image error) Size: 137 KiB ![]() ![]() |
Before ![]() (image error) Size: 358 KiB After ![]() (image error) Size: 358 KiB ![]() ![]() |
Before ![]() (image error) Size: 679 KiB After ![]() (image error) Size: 679 KiB ![]() ![]() |
Binary file not shown.
Before ![]() (image error) Size: 292 KiB |
Loading…
Add table
Add a link
Reference in a new issue