Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Laptop Hardware Security #244

Draft
wants to merge 60 commits into
base: main
Choose a base branch
from
Draft

Laptop Hardware Security #244

wants to merge 60 commits into from

Conversation

TommyTran732
Copy link
Member

No description provided.

@TommyTran732
Laptop Hardware Security
c4fefac 
Signed-off-by: Tommy <contact@tommytran.io>
@cloudflare-workers-and-pages Cloudflare Workers and Pages
Copy link

cloudflare-workers-and-pages bot commented Jun 10, 2024
edited
Loading

Deploying privsec-dev with  Cloudflare Pages  Cloudflare Pages

Latest commit: 6ff18d4
Status: ✅  Deploy successful!
Preview URL: https://4fa2b80c.privsec-dev-2oz.pages.dev
Branch Preview URL: https://laptop-hardware-security.privsec-dev-2oz.pages.dev

View logs

@TommyTran732 TommyTran732 marked this pull request as draft June 10, 2024 09:47
@netlify Netlify
Copy link

netlify bot commented Jun 10, 2024
edited
Loading

Deploy Preview for privsec-dev ready!

Name Link
🔨 Latest commit 6ff18d4
🔍 Latest deploy log https://app.netlify.com/sites/privsec-dev/deploys/666774f691f5d000086394b4
😎 Deploy Preview https://deploy-preview-244--privsec-dev.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@TommyTran732
Finish the sentence
846bec0 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Update layout
ad00063 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Update layout
62bbf51 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
RYF
4f27657 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Typo fix
ad183cc 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Typo fix
87ccf0f 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Reword
009b9ab 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Typo fix
141fe62 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Update text
f98c309 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Update text
e81a6cd 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Update text
3a9069e 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Finish up the AMT and DASH section
e90a7c3 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Add fsf nonsense
e279057 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Seucre boot
ea4e667 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Grammar fix
5ee78d5 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Typo fix
6bb69fe 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Minor fixes
5eddf19 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
More fixes
c58426d 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Clarify intel locker is vpro enterprise
0929372 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Explanation for heads
907f919 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Reword
6e6834b 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Purism icon
792cd99 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Typo fix
fe2794e 
Signed-off-by: Tommy <contact@tommytran.io>
wj25czxj47bu6q
wj25czxj47bu6q requested changes Jun 10, 2024
View reviewed changes
Copy link
Member

@wj25czxj47bu6q wj25czxj47bu6q left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Post images should not be placed in the /static directory. Follow the correct format as in https://github.com/PrivSec-dev/privsec.dev/tree/main/content/posts/knowledge/ChromeOS%20Questionable%20Encryption.

@TommyTran732
Copy link
Member Author

Are we gonna start moving other posts later too? Because there are a lot of them in /static

@TommyTran732
Add periods
319e671 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Elaborate on Purism
625db93 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Change formatting
c5a21e4 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Better formatting
c1dffec 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Move to the FSF section
66b1e52 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Add link
5e8aa62 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Update
82b0c9c 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Change formatting
9ee9792 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Clean up
a1d9506 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Clean up more
8293961 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Typo fixes
f38445b 
Signed-off-by: Tommy <contact@tommytran.io>
@friendly-rabbit-35 friendly-rabbit-35 mentioned this pull request Jun 10, 2024
Open
@TommyTran732
Add Lenovo section
4b33134 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Reword
038cdf4 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Add Dell section
82655e0 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Add thinkpad picture
5b88ffc 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Laptops without firmware protection
e09b1b5 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Add Framework
69b20b0 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Stallman and his thinkpad
3d93d8a 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
New purism picture
0f1cffa 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Clean up
51684a2 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Clean up
573c527 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Clean up
1f2c330 
Signed-off-by: Tommy <contact@tommytran.io>
@TommyTran732
Typo fix
6ff18d4 
Signed-off-by: Tommy <contact@tommytran.io>
oppressor1761
oppressor1761 reviewed Jun 20, 2024
View reviewed changes
content/posts/knowledge/Laptop Hardware Security/index.md

Intel CSME provides critical security features, including but not limited to:
- Boot Guard (The basis of SRTM, as discussed above)
- Firmware TPM (Generally better than dedicated TPMs by being not being vulnerable to bus sniffing)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

firmware tpm is less secure than hardware tpm

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and ptt is hardware tpm while psp is not

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What? PTT is firmware TPM

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I donot really understand PTT and AMD fTPM well. But I think firmware solution is less secure than hardware solution. Perhaps SoC TPM like Pluton is the best.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

like this fTPM exploit

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But I think firmware solution is less secure than hardware solution. Perhaps SoC TPM like Pluton is the best.
Not how it works.

I am well aware of faultpm. It doesn't change the fact that fTPM are not vulnerable to stuff like bus sniffing like dTPM.

oppressor1761
oppressor1761 reviewed Jun 24, 2024
View reviewed changes
content/posts/knowledge/Laptop Hardware Security/index.md
To start off, the best laptops I have found are modern the Dell Latitude/Precision laptops with an Intel vPro Enterprise CPU. The second best group of laptops I have found are modern Lenovo Thinkpads with Intel vPro Enterprise or AMD Ryzen Pro CPUs. These are relatively easy to acquire and share these common security properties:

- Have Intel Boot Guard or AMD Platform Secure Boot to protect the firmware
- Have regular firmware updates ([monthly updates for Dell](https://www.dell.com/support/kbdoc/en-us/000197092/dell-drivers-and-downloads-update-release-schedule), and [bi-monthly updates for Thinkpads](https://support.lenovo.com/us/en/solutions/ht515365-thinkpad-driver-and-firmware-update-release-schedule))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems it's not strictly one update per month. Sometimes there's several months without updates.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also Dell and Lenovo never promised how long they would support their PCs

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems it's not strictly one update per month. Sometimes there's several months without updates.

Yes, its a general rule. It doesn't always hold.

Also Dell and Lenovo never promised how long they would support their PCs

They typically support them for years and years. Even 8th gen Dell and Lenovo are still getting updates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oppressor1761 oppressor1761 oppressor1761 left review comments

@wj25czxj47bu6q wj25czxj47bu6q wj25czxj47bu6q requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@TommyTran732 @wj25czxj47bu6q @oppressor1761