Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Laptop Hardware Security #244

Draft
wants to merge 60 commits into
base: main
Choose a base branch
from
Draft

Laptop Hardware Security #244

wants to merge 60 commits into from

Conversation

TommyTran732
Copy link
Member

No description provided.

Copy link

cloudflare-workers-and-pages bot commented Jun 10, 2024

Deploying privsec-dev with  Cloudflare Pages  Cloudflare Pages

Latest commit: 6ff18d4
Status: ✅  Deploy successful!
Preview URL: https://4fa2b80c.privsec-dev-2oz.pages.dev
Branch Preview URL: https://laptop-hardware-security.privsec-dev-2oz.pages.dev

View logs

@TommyTran732 TommyTran732 marked this pull request as draft June 10, 2024 09:47
Copy link

netlify bot commented Jun 10, 2024

Deploy Preview for privsec-dev ready!

Name Link
🔨 Latest commit 6ff18d4
🔍 Latest deploy log https://app.netlify.com/sites/privsec-dev/deploys/666774f691f5d000086394b4
😎 Deploy Preview https://deploy-preview-244--privsec-dev.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Copy link
Member

@wj25czxj47bu6q wj25czxj47bu6q left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Post images should not be placed in the /static directory. Follow the correct format as in https://github.com/PrivSec-dev/privsec.dev/tree/main/content/posts/knowledge/ChromeOS%20Questionable%20Encryption.

@TommyTran732
Copy link
Member Author

Are we gonna start moving other posts later too? Because there are a lot of them in /static

Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>
Signed-off-by: Tommy <[email protected]>

Intel CSME provides critical security features, including but not limited to:
- Boot Guard (The basis of SRTM, as discussed above)
- Firmware TPM (Generally better than dedicated TPMs by being not being vulnerable to bus sniffing)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

firmware tpm is less secure than hardware tpm

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and ptt is hardware tpm while psp is not

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What? PTT is firmware TPM

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I donot really understand PTT and AMD fTPM well. But I think firmware solution is less secure than hardware solution. Perhaps SoC TPM like Pluton is the best.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

like this fTPM exploit

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But I think firmware solution is less secure than hardware solution. Perhaps SoC TPM like Pluton is the best.
Not how it works.

I am well aware of faultpm. It doesn't change the fact that fTPM are not vulnerable to stuff like bus sniffing like dTPM.

To start off, the best laptops I have found are modern the Dell Latitude/Precision laptops with an Intel vPro Enterprise CPU. The second best group of laptops I have found are modern Lenovo Thinkpads with Intel vPro Enterprise or AMD Ryzen Pro CPUs. These are relatively easy to acquire and share these common security properties:

- Have Intel Boot Guard or AMD Platform Secure Boot to protect the firmware
- Have regular firmware updates ([monthly updates for Dell](https://www.dell.com/support/kbdoc/en-us/000197092/dell-drivers-and-downloads-update-release-schedule), and [bi-monthly updates for Thinkpads](https://support.lenovo.com/us/en/solutions/ht515365-thinkpad-driver-and-firmware-update-release-schedule))

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems it's not strictly one update per month. Sometimes there's several months without updates.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also Dell and Lenovo never promised how long they would support their PCs

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems it's not strictly one update per month. Sometimes there's several months without updates.

Yes, its a general rule. It doesn't always hold.

Also Dell and Lenovo never promised how long they would support their PCs

They typically support them for years and years. Even 8th gen Dell and Lenovo are still getting updates.

@duck09
Copy link

duck09 commented Oct 11, 2024

Have the Microsoft Surface line of laptops been considered? Not the ARM ones (not sure if they they have memory encryption) but the Surface Laptop 6 for example. I'm pretty sure they meet all the requirements and the only downside would be Linux support but this is an article about general Laptop Hardware Security. Thoughts?

@wj25czxj47bu6q wj25czxj47bu6q added the [c] new content Pull requests that add an entirely new article label Oct 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
[c] new content Pull requests that add an entirely new article
Development

Successfully merging this pull request may close these issues.

4 participants