diff options
author | Alyssa Rosenzweig <alyssa@rosenzweig.io> | 2017-04-04 08:56:58 -0700 |
---|---|---|
committer | Leah Rowe <info@minifree.org> | 2017-04-04 23:48:23 +0100 |
commit | 337183ebbd1114346d2261b6eaebc0381b6515ae (patch) | |
tree | 7c8ce5cd005f42042b4e50e1ce8bcad91c333469 | |
parent | 8791c95748efa02fd8c998706883a0d23ff0e85e (diff) | |
download | librebootfr-337183ebbd1114346d2261b6eaebc0381b6515ae.tar.gz librebootfr-337183ebbd1114346d2261b6eaebc0381b6515ae.zip |
Remove hardware modification information; it's out of scope and does not apply to the new models supported
-rw-r--r-- | docs/hardware/dock.md | 119 | ||||
-rw-r--r-- | docs/hardware/index.md | 17 | ||||
-rw-r--r-- | docs/hardware/t60_heatsink.md | 80 | ||||
-rw-r--r-- | docs/hardware/t60_lcd_15.md | 48 | ||||
-rw-r--r-- | docs/hardware/t60_security.md | 330 | ||||
-rw-r--r-- | docs/hardware/x60_heatsink.md | 101 | ||||
-rw-r--r-- | docs/hardware/x60_keyboard.md | 22 | ||||
-rw-r--r-- | docs/hardware/x60_lcd_change.md | 16 | ||||
-rw-r--r-- | docs/hardware/x60_security.md | 241 | ||||
-rw-r--r-- | docs/index.md | 97 |
10 files changed, 38 insertions, 1033 deletions
diff --git a/docs/hardware/dock.md b/docs/hardware/dock.md deleted file mode 100644 index c65afe11..00000000 --- a/docs/hardware/dock.md +++ /dev/null @@ -1,119 +0,0 @@ -% Notes about DMA and the docking station (X60/T60) - - Use case: - --------- - Usually when people do full disk encryption, it's not really full disk, - instead they still have a /boot in clear. - - So an evil maid attack can still be done, in two passes: - 1) Clone the hdd, Infect the initramfs or the kernel. - 2) Wait for the user to enter its password, recover the password, - luksOpen the hdd image. - - I wanted a real full-disk encryption so I've put grub in flash and I - have the following: The HDD has a LUKS rootfs(containing /boot) on an - lvm partition, so no partition is in clear. - - So when the computer boots it executes coreboot, then grub as a payload. - Grub then opens the LUKS partition and loads the kernel and initramfs - from there. - - To prevent hardware level tempering(like reflashing), I used nail - polish with a lot of gilder, that acts like a seal. Then a high - resolution picture of it is taken, to be able to tell the difference. - - The problem: - ------------ - But then comes the docking port issue: Some LPC pins are exported - there, such as the CLKRUN and LDRQ#. - - LDRQ# is "Encoded DMA/Bus Master Request": "Only needed by - peripherals that need DMA or bus mastering. Requires an - individual signal per peripheral. Peripherals may not share - an LDRQ# signal." - - So now DMA access is possible trough the dock connector. - So I want to be able to turn that off. - - If I got it right, the X60 has 2 superio, one is in the dock, and the - other one is in the laptop, so we have: - ________________ - _________________ | | - | | | Dock connector:| - |Dock: NSC pc87982|<--LPC--->D_LPC_DREQ0 | - |_________________| |_______^________| - | - | - | - | - ___________________|____ - | v | - | SuperIO: DLDRQ# | - | NSC pc87382 LDRQ# | - |___________________^____| - | - | - | - | - ___________________|___ - | v | - | Southbridge: LDRQ0 | - | ICH7 | - |_______________________| - - The code: - --------- - Now if I look at the existing code, there is some superio drivers, like - pc87382 in src/superio/nsc, the code is very small. - The only interesting part is the pnp_info pnp_dev_info struct. - - Now if I look inside src/mainboard/lenovo/x60 there is some more - complete dock driver: - - Inside dock.c I see some dock_connect and dock_disconnect functions. - - Such functions are called during the initialisation (romstage.c) and - from the X60 SMI handler (smihandler.c). - - Questions: - ---------- - 1) Would the following be sufficent to prevent DMA access from the - outside: - > int dock_connect(void) - > { - > int timeout = 1000; - > + int val; - > + - > + if (get_option(&val, "dock") != CB_SUCCESS) - > + val = 1; - > + if (val == 0) - > + return 0; - > [...] - > } - > - > void dock_disconnect(void) { - > + if (dock_present()) - > + return; - > [...] - > } - 2) Would an nvram option be ok for that? Should a Kconfig option be - added too? - - > config DOCK_AUTODETECT - > bool "Autodetect" - > help - > The dock is autodetected. If unsure select this option. - > - > config DOCK_DISABLED - > bool "Disabled" - > help - > The dock is always disabled. - > - > config DOCK_NVRAM_ENABLE - > bool "Nvram" - > help - > The dock autodetection is tried only if it is also enabled - > trough nvram. - -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ -This page is available under the [CC BY SA 4.0](../cc-by-sa-4.0.txt) diff --git a/docs/hardware/index.md b/docs/hardware/index.md deleted file mode 100644 index 5672ef25..00000000 --- a/docs/hardware/index.md +++ /dev/null @@ -1,17 +0,0 @@ -% Hardware modifications - -This section relates to hardware maintenance on supported targets. - -- [ThinkPad X60/X60s/X60T: Change keyboard](x60_keyboard.html) (the - procedure on X200/X200S/X200T is almost identical) - -- [ThinkPad X60/X60S: change the fan/heatsink](x60_heatsink.html) -- [ThinkPad X60/X60s: How to change the LCD - panel](x60_lcd_change.html) (incomplete. pics only for now) -- [ThinkPad T60 15.1" changing LCD panel](t60_lcd_15.html) -- [ThinkPad T60: change the fan/heatsink](t60_heatsink.html) -- [ThinkPad X60/X60S: hardware security](x60_security.html) -- [ThinkPad T60: hardware security](t60_security.html) - -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ -This page is available under the [CC BY SA 4.0](../cc-by-sa-4.0.txt) diff --git a/docs/hardware/t60_heatsink.md b/docs/hardware/t60_heatsink.md deleted file mode 100644 index dc7ec39a..00000000 --- a/docs/hardware/t60_heatsink.md +++ /dev/null @@ -1,80 +0,0 @@ -% Changing heatsink (or CPU) on the ThinkPad T60 - -Using this guide you can also change/upgrade the CPU. - -[Back to previous index](./) - -Hardware requirements {#hardware_requirements} -===================== - -- rubbing alcohol or isopropyl alcohol, and thermal compound for - changing CPU heatsink (procedure involves removing heatsink) - -- thermal compound/paste (Arctic MX-4 is good. Others are also good.) - -Software requirements {#software_requirements} -===================== - -- xsensors -- stress - -Disassembly {#recovery} -=========== - -Remove those screws and remove the HDD:\ -![](../images/t60_dev/0001.JPG) ![](../images/t60_dev/0002.JPG) - -Lift off the palm rest:\ -![](../images/t60_dev/0003.JPG) - -Lift up the keyboard, pull it back a bit, flip it over like that and -then disconnect it from the board:\ -![](../images/t60_dev/0004.JPG) ![](../images/t60_dev/0005.JPG) -![](../images/t60_dev/0006.JPG) - -Gently wedge both sides loose:\ -![](../images/t60_dev/0007.JPG) ![](../images/t60_dev/0008.JPG) - -Remove that cable from the position:\ -![](../images/t60_dev/0009.JPG) ![](../images/t60_dev/0010.JPG) - -Remove the bezel (sorry forgot to take pics). - -On the CPU (and there is another chip south-east to it, sorry forgot to -take pic) clean off the old thermal paste (with the alcohol) and apply -new (Artic Silver 5 is good, others are good too) you should also clean -the heatsink the same way\ -![](../images/t60_dev/0051.JPG) - -This is also an opportunity to change the CPU to another one. For -example if you had a Core Duo T2400, you can upgrade it to a better -processor (higher speed, 64-bit support). A Core 2 Duo T7600 was -installed here. - -Attach the heatsink and install the screws (also, make sure to install -the AC jack as highlighted):\ -![](../images/t60_dev/0052.JPG) - -Reinstall that upper bezel:\ -![](../images/t60_dev/0053.JPG) - -Do that:\ -![](../images/t60_dev/0054.JPG) ![](../images/t60_dev/0055.JPG) - -Attach keyboard:\ -![](../images/t60_dev/0056.JPG) - -Place keyboard and (sorry, forgot to take pics) reinstall the palmrest -and insert screws on the underside:\ -![](../images/t60_dev/0058.JPG) - -It lives!\ -![](../images/t60_dev/0071.JPG) ![](../images/t60_dev/0072.JPG) -![](../images/t60_dev/0073.JPG) - -Always stress test ('stress -c 2' and xsensors. below 90C is ok) when -replacing cpu paste/heatsink:\ -![](../images/t60_dev/0074.JPG) - -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ -This page is available under the [CC BY SA 4.0](../cc-by-sa-4.0.txt) diff --git a/docs/hardware/t60_lcd_15.md b/docs/hardware/t60_lcd_15.md deleted file mode 100644 index 552d067f..00000000 --- a/docs/hardware/t60_lcd_15.md +++ /dev/null @@ -1,48 +0,0 @@ -% Changing the LCD panel on a 15.1" T60 - -This is for the 15.1" T60. If you have another size then the procedure -will differ; for example, on 14.1" you have to remove the hinges and -the procedure is a bit more involved than on 15.1". - -[Back to previous index](./) - -Disassembly {#recovery} -=========== - -Remove those covers and unscrew:\ -![](../images/t60_dev/0059.JPG) ![](../images/t60_dev/0060.JPG) -![](../images/t60_dev/0061.JPG) - -Gently pry off the front bezel. - -Remove inverter board:\ -![](../images/t60_dev/0064.JPG) - -Disconnect LCD cable:\ -![](../images/t60_dev/0065.JPG) - -Remove the panel:\ -![](../images/t60_dev/0066.JPG) - -Move the rails (left and right side) from the old panel to the new one -and then attach LCD cable:\ -![](../images/t60_dev/0068.JPG) - -Insert panel (this one is an LG-Philips LP150E05-A2K1, and there are -others. See -[../hcl/\#supported\_t60\_list](../hcl/#supported_t60_list)):\ -![](../images/t60_dev/0069.JPG) - -Insert new inverter board (see -[../hcl/\#supported\_t60\_list](../hcl/#supported_t60_list) for what is -recommended on your LCD panel):\ -![](../images/t60_dev/0070.JPG) - -Now re-attach the front bezel and put all the screws in. - -It lives!\ -![](../images/t60_dev/0071.JPG) ![](../images/t60_dev/0072.JPG) -![](../images/t60_dev/0073.JPG) - -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ -This page is available under the [CC BY SA 4.0](../cc-by-sa-4.0.txt) diff --git a/docs/hardware/t60_security.md b/docs/hardware/t60_security.md deleted file mode 100644 index 96ee379f..00000000 --- a/docs/hardware/t60_security.md +++ /dev/null @@ -1,330 +0,0 @@ -% Security on the ThinkPad T60 - -Hardware modifications to enhance security on the ThinkPad T60. This -tutorial is **incomplete** at the time of writing. - -[Back to previous index](./) - -Table of Contents -================= - -- [Hardware Requirements](#hardware_requirements) -- [Software Requirements](#software_requirements) -- [The procedure](#procedure) - -Hardware requirements {#hardware_requirements} -===================== - -- A T60 -- screwdriver -- Rubbing or isopropyl alcohol, and thermal compound. -- (in a later version of this tutorial: soldering iron and scalpel) - -Software requirements {#software_requirements} -===================== - -- none (at least in the scope of the article as-is) -- You probably want to encrypt your GNU+Linux install using LUKS - -Rationale -========= - -Most people think of security on the software side: the hardware is -important aswell. - -This tutorial deals with reducing the number of devices that have direct -memory access that could communicate with inputs/outputs that could be -used to remotely command the system (or leak data). All of this is -purely theoretical for the time being. - -Disassembly {#procedure} -=========== - -Remove those screws and remove the HDD:\ -![](../images/t60_dev/0001.JPG) ![](../images/t60_dev/0002.JPG) - -Lift off the palm rest:\ -![](../images/t60_dev/0003.JPG) - -Lift up the keyboard, pull it back a bit, flip it over like that and -then disconnect it from the board:\ -![](../images/t60_dev/0004.JPG) ![](../images/t60_dev/0005.JPG) -![](../images/t60_dev/0006.JPG) - -Gently wedge both sides loose:\ -![](../images/t60_dev/0007.JPG) ![](../images/t60_dev/0008.JPG) - -Remove that cable from the position:\ -![](../images/t60_dev/0009.JPG) ![](../images/t60_dev/0010.JPG) - -Now remove that bezel. Remove wifi, nvram battery and speaker connector -(also remove 56k modem, on the left of wifi):\ -![](../images/t60_dev/0011.JPG)\ -Reason: has direct (and very fast) memory access, and could -(theoretically) leak data over a side-channel.\ -**Wifi:** The ath5k/ath9k cards might not have firmware at all. They -might safe but could have access to the computer's RAM trough DMA. If -people have an intel card(most T60 laptops come with Intel wifi by -default, until you change it),then that card runs a non-free firwamre -and has access to the computer's RAM trough DMA! So the risk-level is -very high. - -Remove those screws:\ -![](../images/t60_dev/0012.JPG) - -Disconnect the power jack:\ -![](../images/t60_dev/0013.JPG) - -Remove nvram battery (we will put it back later):\ -![](../images/t60_dev/0014.JPG) - -Disconnect cable (for 56k modem) and disconnect the other cable:\ -![](../images/t60_dev/0015.JPG) ![](../images/t60_dev/0016.JPG) - -Disconnect speaker cable:\ -![](../images/t60_dev/0017.JPG) - -Disconnect the other end of the 56k modem cable:\ -![](../images/t60_dev/0018.JPG) - -Make sure you removed it:\ -![](../images/t60_dev/0019.JPG) - -Unscrew those:\ -![](../images/t60_dev/0020.JPG) - -Make sure you removed those:\ -![](../images/t60_dev/0021.JPG) - -Disconnect LCD cable from board:\ -![](../images/t60_dev/0022.JPG) - -Remove those screws then remove the LCD assembly:\ -![](../images/t60_dev/0023.JPG) ![](../images/t60_dev/0024.JPG) -![](../images/t60_dev/0025.JPG) - -Once again, make sure you removed those:\ -![](../images/t60_dev/0026.JPG) - -Remove the shielding containing the motherboard, then flip it over. -Remove these screws, placing them on a steady surface in the same layout -as they were in before you removed them. Also, you should mark each -screw hole after removing the screw (a permanent marker pen will do), -this is so that you have a point of reference when re-assembling the -system:\ -![](../images/t60_dev/0027.JPG) ![](../images/t60_dev/0028.JPG) -![](../images/t60_dev/0029.JPG) ![](../images/t60_dev/0031.JPG) -![](../images/t60_dev/0032.JPG) ![](../images/t60_dev/0033.JPG) - -Remove microphone (soldering iron not needed. Just wedge it out -gently):\ -![](../images/t60_dev/0039.JPG)\ -**Rationale:**\ -Another reason to remove the microphone: If your computer -gets[\[1\]](#ref1) compromised, it can record what you say, and use it -to receive data from nearby devices if they're compromised too. Also, -we do not know what the built-in microcode (in the CPU) is doing; it -could theoretically be programmed to accept remote commands from some -speaker somewhere (remote security hole). **In other words, the system -could already be compromised from the factory.** - -Remove infrared:\ -![](../images/t60_dev/0040.JPG) ![](../images/t60_dev/0042.JPG) - -Remove cardbus (it's in a socket, no need to disable. Just remove the -port itself):\ -![](../images/t60_dev/0041.JPG)\ -**Rationale:**\ -It has direct memory access and can be used to extract sensitive details -(such as LUKS keys). See 'GoodBIOS' video linked at the end (speaker -is Peter Stuge, a coreboot hacker). The video covers X60 but the same -topics apply to T60. - -Before re-installing the upper chassis, remove the speaker:\ -![](../images/t60_dev/0043.JPG) ![](../images/t60_dev/0044.JPG)\ -Reason: combined with the microphone issue, this could be used to leak -data.\ -If your computer gets[\[1\]](#ref1) compromised, it can be used to -transmit data to nearby compromised devices. It's unknown if it can be -turned into a microphone[\[2\]](#ref2).\ -Replacement: headphones/speakers (line-out) or external DAC (USB). - -Remove the wwan:\ -![](../images/t60_dev/0045.JPG)\ -**Wwan (3g modem):** They run proprietary software! It's like AMT but -over the GSM network which is probably even worse.\ -Replacement: external USB wifi dongle. (or USB wwan/3g dongle; note, -this has all the same privacy issues as mobile phones. wwan not -recommended). - -This is where the simcard connector is soldered. See notes above about -wwan. Remove simcard by removing battery and then it's accessible (so, -remember to do this when you re-assemble. or you could do it now?)\ -![](../images/t60_dev/0046.JPG) - -Put those screws back:\ -![](../images/t60_dev/0047.JPG) - -Put it back into lower chassis:\ -![](../images/t60_dev/0048.JPG) - -Attach LCD and insert screws (also, attach the lcd cable to the board):\ -![](../images/t60_dev/0049.JPG) - -Insert those screws:\ -![](../images/t60_dev/0050.JPG) - -On the CPU (and there is another chip south-east to it, sorry forgot to -take pic) clean off the old thermal paste (with the alcohol) and apply -new (Artic Silver 5 is good, others are good too) you should also clean -the heatsink the same way\ -![](../images/t60_dev/0051.JPG) - -Attach the heatsink and install the screws (also, make sure to install -the AC jack as highlighted):\ -![](../images/t60_dev/0052.JPG) - -Reinstall that upper bezel:\ -![](../images/t60_dev/0053.JPG) - -Do that:\ -![](../images/t60_dev/0054.JPG) ![](../images/t60_dev/0055.JPG) - -Attach keyboard and install nvram battery:\ -![](../images/t60_dev/0056.JPG) ![](../images/t60_dev/0057.JPG) - -Place keyboard and (sorry, forgot to take pics) reinstall the palmrest -and insert screws on the underside:\ -![](../images/t60_dev/0058.JPG) - -Remove those covers and unscrew:\ -![](../images/t60_dev/0059.JPG) ![](../images/t60_dev/0060.JPG) -![](../images/t60_dev/0061.JPG) - -Gently pry off the front bezel (sorry, forgot to take pics). - -Remove bluetooth module:\ -![](../images/t60_dev/0062.JPG) ![](../images/t60_dev/0063.JPG) - -Re-attach the front bezel and re-insert the screws (sorry, forgot to -take pics). - -It lives!\ -![](../images/t60_dev/0071.JPG) ![](../images/t60_dev/0072.JPG) -![](../images/t60_dev/0073.JPG) - -Always stress test ('stress -c 2' and xsensors. below 90C is ok) when -replacing cpu paste/heatsink:\ -![](../images/t60_dev/0074.JPG) - -Not covered yet: ----------------- - -- Disable flashing the ethernet firmware -- Disable SPI flash writes (can be re-enabled by unsoldering two - parts) - -- Disable use of xrandr/edid on external monitor (cut 2 pins on VGA) -- Disable docking station (might be possible to do it in software, in - coreboot upstream as a Kconfig option) - -Go to -<http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html> -or directly to the video: -<http://mirror.netcologne.de/CCC/congress/2013/webm/30c3-5529-en-Hardening_hardware_and_choosing_a_goodBIOS_webm.webm>. - -A lot of this tutorial is based on that video. Look towards the second -half of the video to see how to do the above. - -Also not covered yet: ---------------------- - -- Intrusion detection: randomized seal on screws - - Just put nail polish with lot of glider on the important screws, - take some good pictures. Keep the pictueres and make sure of their - integrity. Compare the nail polish with the pictures before powering - on the laptop. -- Tips about preventing/mitigating risk of cold boot attack. - - soldered RAM? - - wipe all RAM at boot/power-off/power-on? (patch in coreboot - upstream?) - - ask gnutoo about fallback patches (counts number of boots) -- General tips/advice and web links showing how to detect physical - intrusions. -- For example: <http://cs.tau.ac.il/~tromer/acoustic/> or - <http://cyber.bgu.ac.il/content/how-leak-sensitive-data-isolated-computer-air-gap-near-mobile-phone-airhopper>. -- <https://en.wikipedia.org/wiki/Tempest_%28codename%29> -- https://gitorious.org/gnutoo-for-coreboot/grub-assemble/source/a61f636797777a742f65f4c9c58032aa6a9b23c3: - -Extra notes -=========== - -EC: Cannot be removed but can be mitigated: it contains non-free -non-loadable code, but it has no access to the computer's RAM. It has -access to the on-switch of the wifi, bluetooth, modem and some other -power management features. The issue is that it has access to the -keyboard, however if the software security howto **(not yet written)** -is followed correctly, it won't be able to leak data to a local -attacker. It has no network access but it may still be able to leak data -remotely, but that requires someone to be nearby to recover the data -with the help of an SDR and some directional antennas[\[3\]](#ref3). - -[Intel 82573 Ethernet -controller](http://www.coreboot.org/Intel_82573_Ethernet_controller) on -the X60 seems safe, according to Denis. - -Risk level ----------- - -- Modem (3g/wwan): highest -- Intel wifi: Near highest -- Atheros PCI wifi: unknown, but lower than intel wifi. -- Microphone: only problematic if the computer gets compromised. -- Speakers: only problematic if the computer gets compromised. -- EC: can be mitigated if following the guide on software security. - -Further reading material (software security) -============================================ - -- [Installing Debian or Devuan GNU+Linux with full disk encryption - (including /boot)](../gnulinux/encrypted_debian.html) -- [Installing Parabola GNU+Linux with full disk encryption (including - /boot)](../gnulinux/encrypted_parabola.html) -- [Notes about DMA access and the docking station](dock.html) - -References -========== - -\[1\] physical access {#ref1} ---------------------- - -Explain that black hats, TAO, and so on might use a 0day to get in, and -explain that in this case it mitigates what the attacker can do. Also -the TAO do some evaluation before launching an attack: they take the -probability of beeing caught into account, along with the kind of -target. A 0day costs a lot of money, I heard that it was from 100000\$ -to 400000\$, some other websites had prices 10 times lower but that but -it was probably a typo. So if people increase their security it makes it -more risky and more costly to attack people. - -\[2\] microphone {#ref2} ----------------- - -It's possible to turn headphones into a microphone, you could try -yourself, however they don't record loud at all. Also intel cards have -the capability to change a connector's function, for instance the -microphone jack can now become a headphone plug, that's called -retasking. There is some support for it in GNU+Linux but it's not very -well known. - -\[3\] Video (CCC) {#ref3} ------------------ - -30c3-5356-en-Firmware\_Fat\_Camp\_webm.webm from the 30th CCC. While -their demo is experimental(their hardware also got damaged during the -transport), the spies probably already have that since a long time. -<http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5356-en-Firmware_Fat_Camp_webm.webm> - -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ -This page is available under the [CC BY SA 4.0](../cc-by-sa-4.0.txt) diff --git a/docs/hardware/x60_heatsink.md b/docs/hardware/x60_heatsink.md deleted file mode 100644 index 099774a6..00000000 --- a/docs/hardware/x60_heatsink.md +++ /dev/null @@ -1,101 +0,0 @@ -% Changing the fan/heatsink on the ThinkPad X60 - -This guide will teach you how to replace the fan and heatsink on your -ThinkPad X60. - -Table of Contents -================= - -- [Hardware Requirements](#hardware_requirements) -- [Software Requirements](#software_requirements) -- [Disassembly](#procedure) - -Hardware requirements {#hardware_requirements} -===================== - -- isopropyl alcohol (sometimes called rubbing alcohol) -- your new fan and/or heatsink -- CPU thermal compound (some say Arctic MX-4 is good, others are also - 'ok') - -- Something to spread the paste with - -Software requirements (for CPU stress testing) {#software_requirements} -============================================== - -- xsensors utility -- stress utility - -Disassembly {#procedure} -=========== - -Remove those screws:\ -![](../images/x60_heatsink/0000.jpg) - -Push the keyboard forward (carefully):\ -![](../images/x60_heatsink/0001.jpg) - -Lift the keyboard up and disconnect it from the board:\ -![](../images/x60_heatsink/0002.jpg) - -Grab the right-hand side of the chassis and force it off (gently) and -pry up the rest of the chassis:\ -![](../images/x60_heatsink/0003.jpg) - -You should now have this:\ -![](../images/x60_heatsink/0004.jpg) - -Disconnect the wifi antenna cables, the modem cable and the speaker:\ -![](../images/x60_heatsink/0005.jpg) - -Unroute the cables along their path, carefully lifting the tape that -holds them in place. Then, disconnect the modem cable (other end) and -power connection and unroute all the cables so that they dangle by the -monitor hinge on the right-hand side:\ -![](../images/x60_heatsink/0006.jpg) - -Disconnect the monitor from the motherboard, and unroute the grey -antenna cable, carefully lifting the tape that holds it into place:\ -![](../images/x60_heatsink/0008.jpg) - -Carefully lift the remaining tape and unroute the left antenna cable so -that it is loose:\ -![](../images/x60_heatsink/0009.jpg) - -Remove those screws:\ -![](../images/x60_heatsink/0011.jpg) - -Remove those screws:\ -![](../images/x60_heatsink/0012.jpg) - -Carefully remove the plate, like so:\ -![](../images/x60_heatsink/0013.jpg) - -Remove the SATA connector:\ -![](../images/x60_heatsink/0014.jpg) - -Now remove the motherboard (gently) and cast the lcd/chassis aside:\ -![](../images/x60_heatsink/0015.jpg) - -Look at that black tape above the heatsink, remove it:\ -![](../images/x60_heatsink/0016.jpg) - -Now you have removed it:\ -![](../images/x60_heatsink/0017.jpg) - -Disconnect the fan and remove all the screws, heatsink will easily come -off:\ -![](../images/x60_heatsink/0018.jpg) - -Remove the old paste with a cloth (from the CPU and heatsink) and then -clean both of them with the alcohol (to remove remaining residue of the -paste). Apply a pea-sized amount of paste to the both chipsets that the -heatsink covered and spread it evenly (uniformally). Finally reinstall -the heatsink, reversing previous steps. - -**stress -c 2** command can be used to push the CPU to 100%, and -**xsensors** (or **watch sensors** command) can be used to monitor heat. -Below 90C is ok. - -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ -This page is available under the [CC BY SA 4.0](../cc-by-sa-4.0.txt) diff --git a/docs/hardware/x60_keyboard.md b/docs/hardware/x60_keyboard.md deleted file mode 100644 index eae3ec1d..00000000 --- a/docs/hardware/x60_keyboard.md +++ /dev/null @@ -1,22 +0,0 @@ -% Thinkpad X60/X60s/X60t: Change keyboard - -Use this guide to replace the keyboard on your ThinkPad X60. Also works -for X60s and X60 Tablet. - -Although slightly different, this guide can also be followed for the -ThinkPad X200, X200S and X200 Tablet. The screws are in more or less the -same place, and it's the same procedure. - -[Back to previous index](./) - -Just follow these steps, and then reverse {#recovery} -========================================= - -![](../images/x60_keyboard/1.JPG)\ -![](../images/x60_keyboard/2.JPG)\ -![](../images/x60_keyboard/3.JPG)\ -![](../images/x60_keyboard/4.JPG)\ -![](../images/x60_keyboard/5.JPG) - -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ -This page is available under the [CC BY SA 4.0](../cc-by-sa-4.0.txt) diff --git a/docs/hardware/x60_lcd_change.md b/docs/hardware/x60_lcd_change.md deleted file mode 100644 index c8c158b2..00000000 --- a/docs/hardware/x60_lcd_change.md +++ /dev/null @@ -1,16 +0,0 @@ -% Changing the LCD panel on X60 - -This tutorial is incomplete, and only pictures for now. - -[Back to previous index](./) - -![](../images/x60_lcd_change/0001.JPG) -![](../images/x60_lcd_change/0002.JPG) -![](../images/x60_lcd_change/0003.JPG) -![](../images/x60_lcd_change/0004.JPG) -![](../images/x60_lcd_change/0005.JPG) -![](../images/x60_lcd_change/0006.JPG) -![](../images/x60_lcd_change/0007.JPG) - -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ -This page is available under the [CC BY SA 4.0](../cc-by-sa-4.0.txt) diff --git a/docs/hardware/x60_security.md b/docs/hardware/x60_security.md deleted file mode 100644 index fc880548..00000000 --- a/docs/hardware/x60_security.md +++ /dev/null @@ -1,241 +0,0 @@ -% Security on the ThinkPad X60 - -Hardware modifications to enhance security on the ThinkPad X60. This -tutorial is **incomplete** at the time of writing. - -[Back to previous index](./) - -Table of Contents -================= - -- [Hardware Requirements](#hardware_requirements) -- [Software Requirements](#software_requirements) -- [The procedure](#procedure) - -Hardware requirements {#hardware_requirements} -===================== - -- An X60 -- screwdriver -- (in a later version of this tutorial: soldering iron and scalpel) - -Software requirements {#software_requirements} -===================== - -- none (at least in the scope of the article as-is) -- You probably want to encrypt your GNU+Linux install using LUKS - -Rationale -========= - -Most people think of security on the software side: the hardware is -important aswell. - -This tutorial deals with reducing the number of devices that have direct -memory access that could communicate with inputs/outputs that could be -used to remotely command the system (or leak data). All of this is -purely theoretical for the time being. - -Disassembly {#procedure} -=========== - -Firstly remove the bluetooth (if your X60 has this):\ -The marked screws are underneath those stickers (marked in those 3 -locations at the bottom of the LCD assembly):\ -![](../images/x60_security/0000_bluetooth0.jpg)\ -Now gently pry off the bottom part of the front bezel, and the bluetooth -module is on the left (easily removable):\ -![](../images/x60_security/0000_bluetooth.jpg)\ - -If your model was WWAN, remove the simcard (check anyway):\ -Uncover those 2 screws at the bottom:\ -![](../images/x60_security/0000_simcard0.jpg)\ -SIM card (not present in the picture) is in the marked location:\ -![](../images/x60_security/0000_simcard1.jpg)\ -Replacement: USB dongle. - -Now get into the motherboard. - -Remove those screws:\ -![](../images/x60_security/0000.jpg) - -Push the keyboard forward (carefully):\ -![](../images/x60_security/0001.jpg) - -Lift the keyboard up and disconnect it from the board:\ -![](../images/x60_security/0002.jpg) - -Grab the right-hand side of the chassis and force it off (gently) and -pry up the rest of the chassis:\ -![](../images/x60_security/0003.jpg) - -You should now have this:\ -![](../images/x60_security/0004.jpg) - -The following is a summary of what you will remove (already done to this -system):\ -![](../images/x60_security/0001_overview.jpg)\ -Note: the blue lines represent antenna cables and modem cables. You -don't need to remove these, but you can if you want (to make it tidier -after removing other parts). I removed the antenna wires, the modem -jack, the modem cable and also (on another model) a device inside the -part where the wwan antenna goes (wasn't sure what it was, but I knew -it wasn't needed). **This is optional** - -Remove the microphone (can desolder it, but you can also easily pull it -off with you hands). Already removed here:\ -![](../images/x60_security/0001_microphone.jpg)\ -**Rationale:**\ -Another reason to remove the microphone: If your computer -gets[\[1\]](#ref1) compromised, it can record what you say, and use it -to receive data from nearby devices if they're compromised too. Also, -we do not know what the built-in microcode (in the CPU) is doing; it -could theoretically be programmed to accept remote commands from some -speaker somewhere (remote security hole). **In other words, the system -could already be compromised from the factory.** - -Remove the modem:\ -![](../images/x60_security/0001_modem.jpg)\ -(useless, obsolete device) - -Remove the speaker:\ -![](../images/x60_security/0001_speaker.jpg)\ -Reason: combined with the microphone issue, this could be used to leak -data.\ -If your computer gets[\[1\]](#ref1) compromised, it can be used to -transmit data to nearby compromised devices. It's unknown if it can be -turned into a microphone[\[2\]](#ref2).\ -Replacement: headphones/speakers (line-out) or external DAC (USB). - -Remove the wlan (also remove wwan if you have it):\ -![](../images/x60_security/0001_wlan_wwan.jpg)\ -Reason: has direct (and very fast) memory access, and could -(theoretically) leak data over a side-channel.\ -**Wifi:** The ath5k/ath9k cards might not have firmware at all. They -might safe but could have access to the computer's RAM trough DMA. If -people have an intel card(most X60s come with Intel wifi by default, -until you change it),then that card runs a non-free firwamre and has -access to the computer's RAM trough DMA! So the risk-level is very -high.\ -**Wwan (3g modem):** They run proprietary software! It's like AMT but -over the GSM network which is probably even worse.\ -Replacement: external USB wifi dongle. (or USB wwan/3g dongle; note, -this has all the same privacy issues as mobile phones. wwan not -recommended). - -Not covered yet: ----------------- - -- Disable cardbus (has fast/direct memory access) -- Disable firewire (has fast/direct memory access) -- Disable flashing the ethernet firmware -- Disable SPI flash writes (can be re-enabled by unsoldering two - parts) - -- Disable use of xrandr/edid on external monitor (cut 2 pins on VGA) -- Disable docking station (might be possible to do it in software, in - coreboot upstream as a Kconfig option) - -Go to -<http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html> -or directly to the video: -<http://mirror.netcologne.de/CCC/congress/2013/webm/30c3-5529-en-Hardening_hardware_and_choosing_a_goodBIOS_webm.webm>. - -A lot of this tutorial is based on that video. Look towards the second -half of the video to see how to do the above. - -Also not covered yet: ---------------------- - -- Intrusion detection: randomized seal on screws - - Just put nail polish with lot of glider on the important screws, - take some good pictures. Keep the pictueres and make sure of their - integrity. Compare the nail polish with the pictures before powering - on the laptop. -- Tips about preventing/mitigating risk of cold boot attack. - - soldered RAM? - - seal RAM door shut (possibly modified lower chassis) so that - system has to be disassembled (which has to go through the nail - polish) - - wipe all RAM at boot/power-off/power-on? (patch in coreboot - upstream?) - - ask gnutoo about fallback patches (counts number of boots) -- General tips/advice and web links showing how to detect physical - intrusions. -- For example: <http://cs.tau.ac.il/~tromer/acoustic/> or - <http://cyber.bgu.ac.il/content/how-leak-sensitive-data-isolated-computer-air-gap-near-mobile-phone-airhopper>. -- <https://en.wikipedia.org/wiki/Tempest_%28codename%29> -- https://gitorious.org/gnutoo-for-coreboot/grub-assemble/source/a61f636797777a742f65f4c9c58032aa6a9b23c3: - -Extra notes -=========== - -EC: Cannot be removed but can be mitigated: it contains non-free -non-loadable code, but it has no access to the computer's RAM. It has -access to the on-switch of the wifi, bluetooth, modem and some other -power management features. The issue is that it has access to the -keyboard, however if the software security howto **(not yet written)** -is followed correctly, it won't be able to leak data to a local -attacker. It has no network access but it may still be able to leak data -remotely, but that requires someone to be nearby to recover the data -with the help of an SDR and some directional antennas[\[3\]](#ref3). - -[Intel 82573 Ethernet -controller](http://www.coreboot.org/Intel_82573_Ethernet_controller) on -the X60 seems safe, according to Denis. - -Risk level ----------- - -- Modem (3g/wwan): highest -- Intel wifi: Near highest -- Atheros PCI wifi: unknown, but lower than intel wifi. -- Microphone: only problematic if the computer gets compromised. -- Speakers: only problematic if the computer gets compromised. -- EC: can be mitigated if following the guide on software security. - -Further reading material (software security) -============================================ - -- [Installing Debian or Devuan GNU+Linux with full disk encryption - (including /boot)](../gnulinux/encrypted_debian.html) -- [Installing Parabola GNU+Linux with full disk encryption (including - /boot)](../gnulinux/encrypted_parabola.html) -- [Notes about DMA access and the docking station](dock.html) - -References -========== - -\[1\] physical access {#ref1} ---------------------- - -Explain that black hats, TAO, and so on might use a 0day to get in, and -explain that in this case it mitigates what the attacker can do. Also -the TAO do some evaluation before launching an attack: they take the -probability of beeing caught into account, along with the kind of -target. A 0day costs a lot of money, I heard that it was from 100000\$ -to 400000\$, some other websites had prices 10 times lower but that but -it was probably a typo. So if people increase their security it makes it -more risky and more costly to attack people. - -\[2\] microphone {#ref2} ----------------- - -It's possible to turn headphones into a microphone, you could try -yourself, however they don't record loud at all. Also intel cards have -the capability to change a connector's function, for instance the -microphone jack can now become a headphone plug, that's called -retasking. There is some support for it in GNU+Linux but it's not very -well known. - -\[3\] Video (CCC) {#ref3} ------------------ - -30c3-5356-en-Firmware\_Fat\_Camp\_webm.webm from the 30th CCC. While -their demo is experimental(their hardware also got damaged during the -transport), the spies probably already have that since a long time. -<http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5356-en-Firmware_Fat_Camp_webm.webm> - -Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\ -This page is available under the [CC BY SA 4.0](../cc-by-sa-4.0.txt) diff --git a/docs/index.md b/docs/index.md index f3c1ca18..afd6ffd4 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,23 +1,20 @@ % Libreboot documentation -Information about this release can be found at -[release.html](release.html). Always check -[libreboot.org](http://libreboot.org) for updates. +Information about this release can be found at [release.html](release.html). +Always check [libreboot.org](/) for updates. -[What is libreboot?](#why) - -[Answers to frequently asked questions about -Libreboot](https://libreboot.org/faq/) +Answers to [frequently asked questions about +Libreboot](https://libreboot.org/faq/). Libreboot is compatible with GNU+Linux and several BSD systems. -For GNU+Linux, have a look at our [list of GNU+Linux distributions that -we recommend](distros/). +For GNU+Linux, have a look at our [list of GNU+Linux distributions that we +recommend](distros/). -For BSD, refer to [the libreboot FAQ](https://libreboot.org/faq/#bsd). -We wish to merge instructions into the official libreboot documentation, -if someone will provide it. We do have some instructions now for NetBSD, -FreeBSD and OpenBSD, but they are still incomplete. See [bsd/](bsd/). +For BSD, refer to [the libreboot FAQ](https://libreboot.org/faq/#bsd). We wish +to merge instructions into the official libreboot documentation, if someone +will provide it. We do have some instructions now for NetBSD, FreeBSD and +OpenBSD, but they are still incomplete. See [bsd/](bsd/). Installing libreboot ==================== @@ -44,28 +41,15 @@ Information for developers Other information ================= -- [Hardware modifications](hardware/) - [Miscellaneous](misc/) About the libreboot project =========================== -Libreboot is a free BIOS or UEFI replacement ([free as in -freedom](https://en.wikipedia.org/wiki/Free_software)); libre *boot -firmware* that initializes the hardware and starts a bootloader for your -operating system. It's also an open source BIOS, but open source fails -to promote freedom; *please call libreboot **[free -software](https://en.wikipedia.org/wiki/Free_software)***. - -Libreboot originally began during December 2013, as a commercial effort -by the [Ministry of Freedom](https://minifree.org) to achieve RYF -endorsement for a modified ThinkPad X60 (the first system to ever be -added to libreboot), which it did then achieve. - -Back then, the name *libreboot* didn't exist; the project was nameless, -referring to itself as a *deblobbed version of coreboot*. The project -named itself libreboot at some point during early 2014, and has since -rapidly expanded to support more hardware and become more user-friendly. +Libreboot is a [free](https://en.wikipedia.org/wiki/Free_software) and Open +Source BIOS or UEFI replacement, initialising the hardware and booting your +operating system. We are a member of the [Peers Community](https://peers.community/) +project, an organisation that supports Free Software. Libreboot is a [coreboot](http://coreboot.org/) distribution (distro) with proprietary software removed, intended to be a @@ -100,28 +84,21 @@ The libreboot project has three main goals: and support. Most people will simply give up before attempting to install coreboot. - - - Libreboot attempts to bridge this divide, making sure that - everything from building to installing coreboot is automated, as - much as is feasibly possible. Secondly, the project produces - documentation aimed at non-technical users. Thirdly, the project - attempts to provide excellent user support via mailing lists and - IRC. +Libreboot attempts to bridge this divide, making sure that everything from +building to installing coreboot is automated, as much as is feasibly possible. +Secondly, the project produces documentation aimed at non-technical users. +Thirdly, the project attempts to provide excellent user support via mailing +lists and IRC. - +Libreboot already comes with a payload (GRUB), flashrom and other +needed parts. Everything is fully integrated, in a way where most of +the complicated steps that are otherwise required, are instead done +for the user in advance. - Libreboot already comes with a payload (GRUB), flashrom and other - needed parts. Everything is fully integrated, in a way where most of - the complicated steps that are otherwise required, are instead done - for the user in advance. - - - - You can download ROM images for your libreboot system and install - them, without having to build anything from source. The build system - is also fully automated, so building from source is easy if you - wanted to do that (for whatever reason). +You can download ROM images for your libreboot system and install +them, without having to build anything from source. The build system +is also fully automated, so building from source is easy if you +wanted to do that (for whatever reason). Libreboot is a coreboot distribution, not a coreboot fork --------------------------------------------------------- @@ -145,16 +122,16 @@ Libreboot is a 'stable' version of coreboot --------------------------------------------- - Coreboot uses the [rolling - release](https://en.wikipedia.org/wiki/Rolling_release) model, which - means that it is not guaranteed to be stable, or to even work at all - on a given day. Coreboot does have a strict code review process, but - being such a large project with so many contributors, regressions - are always possible. +release](https://en.wikipedia.org/wiki/Rolling_release) model, which +means that it is not guaranteed to be stable, or to even work at all +on a given day. Coreboot does have a strict code review process, but +being such a large project with so many contributors, regressions +are always possible. - Libreboot freezes on a particular revision of coreboot, making sure - that everything works properly, making fixes on top of that and - repeating this during each subsequent update to a later version of - coreboot. By doing this, it provides a stronger guarantee to the - user that the firmware will be reliable, and not break their system. +that everything works properly, making fixes on top of that and +repeating this during each subsequent update to a later version of +coreboot. By doing this, it provides a stronger guarantee to the +user that the firmware will be reliable, and not break their system. How do I know what version I'm running? ======================================== @@ -174,7 +151,9 @@ If it exists, you can also extract this *lbversion* file by using the *cbfstool* utility which libreboot includes, from a ROM image that you either dumped or haven't flashed yet. In your distribution, run cbfstool on your ROM image (*libreboot.rom*, in this example): + $ ./cbfstool libreboot.rom extract -n lbversion -f lbversion + You will now have a file, named *lbversion*, which you can read in whatever program it is that you use for reading/writing text files. |