Re: [Tails-dev] Tails Hardware

Supprimer ce message

Répondre à ce message
Auteur: intrigeri
Date:  
À: The Tails public development discussion list
Anciens-sujets: [Tails-dev] Tails Hardware
Sujet: Re: [Tails-dev] Tails Hardware
Hi,

(the "starting a new thread on each follow-up" problem was addressed
off-list; thank you, Michael! :)

I'm glad I've asked the question of the target audience, since as
we'll see below, it's a little bit tricky.

Michael English wrote (16 Mar 2016 00:22:11 GMT) :
> First, we should identify the problem. Tails does not replace all of the
> software on one's computer. There is additional storage on the SPI flash
> chip which carries the BIOS and ME, and there is the USB stick which has
> its own firmware. As shown by LegbaCore, this software outside of Tails
> can be easily infected. “Since almost no organizations in the world
> provide BIOS patch management, it is almost guaranteed that any given
> system has at least one exploitable BIOS vulnerability that has
> previously been publicly disclosed. Also, the high amount of code reuse
> across UEFI BIOSes means that BIOS infection is automatable and
> reliable.” Once the firmware is infected, the malware is more privileged
> than all applications and operating systems. Basically, Tails is
> completely useless on insecure hardware.


This last sentence is only true in face of a very small class of
adversaries, given Tails threat model. Against a much bigger class of
adversaries, Tails is still very useful, even when run on
insecure hardware.

> Your question about the audience is a bit of a leading question. All
> Tails users should be the audience. Currently, Tails only has
> documentation about warnings of firmware vulnerabilities. However,
> readers have no course of action to take against this serious problem.
> Anyone who cares about their privacy/security/freedom enough to run
> Tails should purchase or configure secure hardware.


It seems to be that you're assuming that 1. all current Tails users
face very powerful adversaries, and that 2. we should optimize our
work towards this use case. I don't think the former is correct
currently, and I beg to disagree with the latter. I think that Tails
is useful against a wide range of adversaries, including some who
won't exploit hardware/firmware security issues, and I would like it
to stay this way. I would not be happy to see Tails disregard a big
part of its current (and presumably, future) audience, because the
"don't care enough" to "purchase or configure secure hardware".

In particular, I want us to go on being as inclusive as we reasonably
can wrt. those who cannot (economically) afford purchasing secure
hardware, or who cannot (technically) configure secure hardware.

> One solution to the vulnerable SPI flash chip that we can document is
> Libreboot. Unlike Coreboot, Libreboot is completely open-source without
> the Intel FSP and provides easy to understand documentation.


Yes, I would totally agree to link to documentation explaining how to
do that, from the place in our own doc that states that firmware can
be part of what your adversary controls. Now, we need to be extra
clear regarding what are the pre-requisites in terms of time and
skills, because sending people to a place where they won't understand
a thing is not exactly helpful for them :)

> There are
> two options to get a Libreboot X200. First, one can buy a refurbished
> Lenovo ThinkPad X200 from a electronics store like Newegg in the United
> States. (I assume that there is a European equivalent.) Then, he or she
> can follow the relatively easy-to-understand instructions on the
> Libreboot website for installing the BIOS
> https://libreboot.org/docs/hcl/x200.html and removing the ME
> https://libreboot.org/docs/hcl/gm45_remove_me.html .


I've tried to follow these instructions and they lead me to
https://libreboot.org/docs/install/x200_external.html, that IMO is
arguably waaaay too hard technically, and requires waaaay too much
time, for the huge majority of our target user base.

> Second, one can buy
> a laptop with Libreboot pre-installed. The Free Software Foundation has
> a list of hardware that respects your freedom and currently includes two
> companies that sell Libreboot laptops:
> https://www.fsf.org/resources/hw/endorsement/respects-your-freedom . I
> personally recommend Minifree which is run by the same person who
> founded Libreboot. When buying a laptop with Libreboot pre-installed,
> one does not have to worry about making a mistake in the installation
> process, financially supports Libreboot, and gets a longer warranty in
> the case of Minifree which offers a whole two year warranty. I do not
> recommend that we specifically promote one company on the Tails website,
> but we should link to the Respects Your Freedom page as an option
> instead of the manual install.


OK, that's an option indeed.

Now, this all boils down to a couple question users need to ask
themselves, i.e. "can I trust Minifree more than Lenovo/Intel to not
backdoor the firmware they install on my computer?", and "can I trust
Minifree's supply chain not to be tampered with by the very same
powerful adversaries that Libreboot aims at resisting against?".

> Another small note about the X200 is that it has a wireless kill switch
> to prevent the leaking of sensitive information over the network without
> the user noticing.


Any reference showing that it's a _hardware_ kill switch, i.e.
one that really disconnects power, instead of merely indicating to the
firmware/OS that the user wishes to turn the Wi-Fi off?

Cheers,
--
intrigeri