-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Laptop Hardware Security #244
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Tommy <[email protected]>
Deploying privsec-dev with Cloudflare Pages
|
✅ Deploy Preview for privsec-dev ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Post images should not be placed in the /static
directory. Follow the correct format as in https://github.com/PrivSec-dev/privsec.dev/tree/main/content/posts/knowledge/ChromeOS%20Questionable%20Encryption.
Are we gonna start moving other posts later too? Because there are a lot of them in /static |
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
|
||
Intel CSME provides critical security features, including but not limited to: | ||
- Boot Guard (The basis of SRTM, as discussed above) | ||
- Firmware TPM (Generally better than dedicated TPMs by being not being vulnerable to bus sniffing) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
firmware tpm is less secure than hardware tpm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and ptt is hardware tpm while psp is not
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What? PTT is firmware TPM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I donot really understand PTT and AMD fTPM well. But I think firmware solution is less secure than hardware solution. Perhaps SoC TPM like Pluton is the best.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
like this fTPM exploit
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But I think firmware solution is less secure than hardware solution. Perhaps SoC TPM like Pluton is the best.
Not how it works.
I am well aware of faultpm. It doesn't change the fact that fTPM are not vulnerable to stuff like bus sniffing like dTPM.
To start off, the best laptops I have found are modern the Dell Latitude/Precision laptops with an Intel vPro Enterprise CPU. The second best group of laptops I have found are modern Lenovo Thinkpads with Intel vPro Enterprise or AMD Ryzen Pro CPUs. These are relatively easy to acquire and share these common security properties: | ||
|
||
- Have Intel Boot Guard or AMD Platform Secure Boot to protect the firmware | ||
- Have regular firmware updates ([monthly updates for Dell](https://www.dell.com/support/kbdoc/en-us/000197092/dell-drivers-and-downloads-update-release-schedule), and [bi-monthly updates for Thinkpads](https://support.lenovo.com/us/en/solutions/ht515365-thinkpad-driver-and-firmware-update-release-schedule)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems it's not strictly one update per month. Sometimes there's several months without updates.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also Dell and Lenovo never promised how long they would support their PCs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems it's not strictly one update per month. Sometimes there's several months without updates.
Yes, its a general rule. It doesn't always hold.
Also Dell and Lenovo never promised how long they would support their PCs
They typically support them for years and years. Even 8th gen Dell and Lenovo are still getting updates.
520b835
to
c508504
Compare
Have the Microsoft Surface line of laptops been considered? Not the ARM ones (not sure if they they have memory encryption) but the Surface Laptop 6 for example. I'm pretty sure they meet all the requirements and the only downside would be Linux support but this is an article about general Laptop Hardware Security. Thoughts? |
No description provided.