Intrigeri,
First, we should identify the problem. Tails does not replace all of the
software on one's computer. There is additional storage on the SPI flash
chip which carries the BIOS and ME, and there is the USB stick which has
its own firmware. As shown by LegbaCore, this software outside of Tails
can be easily infected. “Since almost no organizations in the world
provide BIOS patch management, it is almost guaranteed that any given
system has at least one exploitable BIOS vulnerability that has
previously been publicly disclosed. Also, the high amount of code reuse
across UEFI BIOSes means that BIOS infection is automatable and
reliable.” Once the firmware is infected, the malware is more privileged
than all applications and operating systems. Basically, Tails is
completely useless on insecure hardware.
Your question about the audience is a bit of a leading question. All
Tails users should be the audience. Currently, Tails only has
documentation about warnings of firmware vulnerabilities. However,
readers have no course of action to take against this serious problem.
Anyone who cares about their privacy/security/freedom enough to run
Tails should purchase or configure secure hardware.
One solution to the vulnerable SPI flash chip that we can document is
Libreboot. Unlike Coreboot, Libreboot is completely open-source without
the Intel FSP and provides easy to understand documentation. There are
two options to get a Libreboot X200. First, one can buy a refurbished
Lenovo ThinkPad X200 from a electronics store like Newegg in the United
States. (I assume that there is a European equivalent.) Then, he or she
can follow the relatively easy-to-understand instructions on the
Libreboot website for installing the BIOS
https://libreboot.org/docs/hcl/x200.html and removing the ME
https://libreboot.org/docs/hcl/gm45_remove_me.html . Second, one can buy
a laptop with Libreboot pre-installed. The Free Software Foundation has
a list of hardware that respects your freedom and currently includes two
companies that sell Libreboot laptops:
https://www.fsf.org/resources/hw/endorsement/respects-your-freedom . I
personally recommend Minifree which is run by the same person who
founded Libreboot. When buying a laptop with Libreboot pre-installed,
one does not have to worry about making a mistake in the installation
process, financially supports Libreboot, and gets a longer warranty in
the case of Minifree which offers a whole two year warranty. I do not
recommend that we specifically promote one company on the Tails website,
but we should link to the Respects Your Freedom page as an option
instead of the manual install.
Another small note about the X200 is that it has a wireless kill switch
to prevent the leaking of sensitive information over the network without
the user noticing.
I am unsure what to do about the vulnerable firmware on the USB stick
that runs Tails. As far as I know, there is no open-source USB
drives/firmware. Though, USB drive malware could be almost as damaging
as the BIOS/ME because it can perform MITM attacks between the OS and
flash memory. Here are a couple videos which explain USB stick/SD card
firmware vulnerabilities:
https://www.youtube.com/watch?v=nuruzFqMgIw
https://www.youtube.com/watch?v=CPEzLNh5YIo . Please let me know if
there is a solution to vulnerable USB stick firmware and if some USB
sticks more secure than others.
Cheers,
Michael English
