User:GNUtoo/laptop

From ParabolaWiki

1 Description

1.1 Goals

This profile is for laptops; its goals are:

  • Maximize battery time, minimize power consumption and heat
  • Enhance security

1.2 Targeted laptops

  • Lenovo X60
  • Lenovo X60 tablet
  • Lenovo T60

They all run coreboot with the native GPU initialization.

1.3 Coreboot payload

All the previously mentioned laptops use grub as the coreboot payload, which improves physical security: the goal is to ensure that the laptop has not been tampered with since the user last inspected it (by disassembly).

We will assume that:

  • The physical HDD and its firmware cannot be trusted.
  • The user will be able to physically disassemble and check his hardware at some point.
  • The laptop will have to be able to run 100% free software and will have to be trusted after physical disassembly.
  • An attacker can access the "BIOS" flash chip, but cannot do so without being noticed, thanks to the seals.

To do that:

  • First the user checks the hardware by disassembling it.
  • Then the user installs coreboot with grub as a payload and a custom grub.cfg:
    • The grub.cfg will set a grub password
    • The rootfs will be on a LUKS partition, including its /boot; this is possible because grub is in flash.
    • grub.cfg will instruct grub to open the LUKS partition; the user will have to type one more password.
    • Optionally the user can put a key inside the initramfs that can decrypt the LUKS partition, so that the same password does not have to be typed a second time (grub has already opened the LUKS partition).
  • Then the user seals it with nail polish, which produces a good random pattern when applied on screws. The goal is to seal the most important screws, more specifically the ones that have to be removed to access the important parts, like the RAM, the BIOS flash chip, the CPU etc.

Limits: that setup can only verify that the hardware wasn't tampered with while being unattended.

  • The software won't magically get safer.
  • It won't guarantee that the packages of your distribution match their source code. That is instead the goal of "reproducible builds", which this setup doesn't address.

2 Coreboot Setup

Example etc/grub.cfg, stored inside the flash chip along with coreboot and grub:

#Serial (in case you have the dock)
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input --append  serial
terminal_output --append serial

# Keyboard configuration, very important.
terminal_input --append at_keyboard #add keyboard support.
terminal_output --append cbmemc

# GRUB module directory on the encrypted rootfs
# (cryptomount names its devices crypto0, crypto1, ...)
set prefix=(crypto0)/home/gnutoo/local/lib/grub

# Encrypted rootfs (also contains /boot)
set keyargs="cryptkey=rootfs:/etc/keys/parabola_x60.key"
set luks_rootfs="lvm/500G_7200_x60-rootfs"

set common_args="root=/dev/mapper/root cryptdevice=/dev/mapper/500G_7200_x60-rootfs:root"

set superusers="root"
# Example password for 'parabola':
password_pbkdf2 root grub.pbkdf2.sha512.10000.F4AA5C22C4159B8F077906C045E5738E038BDA1080C78E9B99F13533D6A7FD9719F5BC1F9FE58228C27A16553A3E1B1FF33278DFD1B8189EFA063B3F3EF58EE2.676257A6E7FF43A7A60EA657DA17A3CBAB9F047E051EAEA873A89F5EA024E9E81329C4D4A50EF9E9A391F4A27DAD01D8F73D955D2CF47470EB070F62CF90D893

set timeout=1
set default=0

# Don't mark the entry --unrestricted, otherwise any partition
# that has the same LVM name can be used to boot

menuentry 'Parabola GNU/Linux-libre [quiet tty0]' {
	cryptomount ${luks_rootfs}
	set root='crypto0'
	echo    'Loading Linux libre kernel ...'
	linux   /boot/vmlinuz-linux-libre-lts ${common_args} ${keyargs} video=efifb:off console=tty0 quiet
	echo    'Loading initial ramdisk ...'
	initrd  /boot/initramfs-linux-libre-lts.img
}
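An added check, my own example and not part of the original page: the grub.cfg above embeds a grub.pbkdf2.sha512 hash, and a typo in it is only discovered after flashing. This script parses that format (iterations, salt and SHA-512 PBKDF2 output as uppercase hex, the layout grub-mkpasswd-pbkdf2 emits), regenerates a hash the same way, and verifies a candidate password against one; PAGE_HASH is copied from the config above, which the page says was generated from 'parabola'.

```python
import hashlib
import hmac
import os

# Hash copied from the grub.cfg above; the page says it was generated from 'parabola'.
PAGE_HASH = ("grub.pbkdf2.sha512.10000."
             "F4AA5C22C4159B8F077906C045E5738E038BDA1080C78E9B99F13533D6A7FD97"
             "19F5BC1F9FE58228C27A16553A3E1B1FF33278DFD1B8189EFA063B3F3EF58EE2."
             "676257A6E7FF43A7A60EA657DA17A3CBAB9F047E051EAEA873A89F5EA024E9E8"
             "1329C4D4A50EF9E9A391F4A27DAD01D8F73D955D2CF47470EB070F62CF90D893")


def parse_grub_pbkdf2(hash_string):
    """Split 'grub.pbkdf2.sha512.<iter>.<salt hex>.<digest hex>' into its fields."""
    parts = hash_string.split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    iterations = int(parts[3])
    salt = bytes.fromhex(parts[4])
    digest = bytes.fromhex(parts[5])
    if iterations <= 0 or not salt or not digest:
        raise ValueError("malformed grub.pbkdf2.sha512 hash")
    return iterations, salt, digest


def verify_grub_pbkdf2(password, hash_string):
    """True if password reproduces the digest (constant-time comparison)."""
    iterations, salt, digest = parse_grub_pbkdf2(hash_string)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    salt, iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def make_grub_pbkdf2(password, iterations=10000, salt=None):
    """Produce a hash in the grub-mkpasswd-pbkdf2 format (64-byte random salt by default)."""
    if salt is None:
        salt = os.urandom(64)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, iterations, dklen=64)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (
        iterations, salt.hex().upper(), digest.hex().upper())


if __name__ == "__main__":
    # Run this against the hash you are about to put into the flash chip.
    print("PAGE_HASH matches 'parabola':", verify_grub_pbkdf2("parabola", PAGE_HASH))
    print(make_grub_pbkdf2("parabola"))
```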

3 Parabola Setup

3.1 Networking

/etc/udev/rules.d/10-network.rules

# Howto:
# ------
# ls /sys/class/net/
# udevadm info -a -p /class/net/enp0s29f0u1
# Then write the rule:
# SUBSYSTEM=="net", ACTION=="add", ...
# udevadm control --reload-rules
# replug the device

# Some interfaces naming, for instance:
# SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:01:02:03:04:05", NAME="pe0"

# Embedded devices(GTA02, GTA04 etc...)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="cdc_ether", NAME="usb0", RUN+="/usr/bin/netctl start $name"

####################
# General Settings #
####################

# Random MAC address
SUBSYSTEM=="net", ACTION=="add", RUN+="/etc/udev/scripts/mac.sh $name"

This script is called by udev; it generates a random MAC address for the interface and logs it. Since I use cryptsetup and LUKS, storing the log is not an issue.

/etc/udev/scripts/mac.sh

#!/bin/sh
# Called by udev (see 10-network.rules) with the interface name as $1.
iface="$1"
logfile="/var/log/mac_addrs.log"
date="$(date)"
echo "-- ${date} --" >> "${logfile}"
echo "${iface}" >> "${logfile}"
# Randomize the device part of the MAC (-e keeps the vendor bytes) and log
# both stdout and stderr: '2>&1' must come after '>>' or stderr goes to udev.
/usr/bin/macchanger -e "${iface}" >> "${logfile}" 2>&1
echo "--END ${date} --" >> "${logfile}"

3.2 Modules

/etc/modprobe.d/blacklist.conf

# Annoyances
blacklist pcspkr  # beeps all the time

# iwl3945 confuses NetworkManager
# when the laptop is used with an external wifi card
blacklist iwl3945

# Security issues (DMA)
blacklist firewire_ohci
blacklist firewire_core
blacklist pcmcia
blacklist pcmcia_core
blacklist pcmcia_rsrc
blacklist yenta_socket

3.2.1 /etc/modprobe.d/thinkpad.conf

# Make intel_backlight the only backlight
# so it gets chosen by KDE (thinkpad_backlight
# has no effect)
options thinkpad_acpi brightness_enable=0

3.3 Power saving

3.3.1 Introduction

3.3.2 /etc/sysctl.d/01-pm.conf:

# NMI seems to be used only for debugging by the kernel
# See https://en.wikipedia.org/wiki/Non-maskable_interrupt for more details
kernel.nmi_watchdog = 0

# Reduces disk power consumption
vm.dirty_writeback_centisecs = 1500

# Laptop mode (5 seconds)
vm.laptop_mode = 5

3.3.3 /etc/udev/rules.d/01-pm.rules:

# Wifi power saving (Reduce heat, increase battery life)
ACTION=="add", SUBSYSTEM=="net", KERNEL=="wlan*", RUN+="/usr/bin/iw dev %k set power_save on"

##############
# Runtime PM #
##############

# PCI
ACTION=="add", SUBSYSTEM=="pci", ATTR{power/control}="auto"

# SATA
ACTION=="add", SUBSYSTEM=="scsi_host", KERNEL=="host*", ATTR{link_power_management_policy}="min_power"

# hdparm
ACTION=="add", KERNEL=="[hs]d[a-z]", ATTR{queue/rotational}=="1", RUN+="/usr/bin/hdparm -B 1 -M 128 /dev/%k"

# Disable unused "wake on lan"
ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth*", RUN+="/usr/bin/ethtool -s %k wol d"

# Various subsystems runtime power management
ACTION=="add", SUBSYSTEMS=="*", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="add", SUBSYSTEMS=="*", TEST=="parameters/power_save", ATTR{parameters/power_save}="1" 

3.3.4 /etc/modprobe.d/ options file (sound card power saving)

# Also look at that module parameter:
# power_save_controller:Reset controller in power save mode. (bool)
options snd_hda_intel power_save=1

3.4 Anti runtime password brute-forcing

3.4.1 /etc/pam.d/passwd-backoff

This will be explained in more detail later on. PAM include file for increasing the delay after every 3 failed password attempts:

#%PAM-1.0
# First 3 attempts without any delay
auth  sufficient  pam_unix.so       nodelay try_first_pass nullok

#Then increase the delay progressively from 10 seconds to way more
auth  sufficient  pam_faildelay.so  delay=10000000
auth  sufficient  pam_unix.so       nullok

auth  sufficient  pam_faildelay.so  delay=60000000
auth  sufficient  pam_unix.so       nullok

auth  sufficient  pam_faildelay.so  delay=3600000000
auth  sufficient  pam_unix.so       nullok

3.4.2 /etc/pam.d/system-auth

--- system-auth	2013-09-28 23:23:48.000000000 +0200
+++ system-auth	2014-08-09 11:36:37.477867975 +0200
@@ -1,4 +1,5 @@
 #%PAM-1.0
+auth      include   passwd-backoff
 
 auth      required  pam_unix.so     try_first_pass nullok
 auth      optional  pam_permit.so
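Review bot: the include is inserted ahead of `auth required pam_unix.so try_first_pass nullok`, so the `sufficient` pam_unix lines in passwd-backoff authenticate first and, on success, end the stack before the required line runs; on failure, the required pam_unix.so prompts yet again after the include has exhausted its attempts, which looks unintended. Note also that pam_fail_delay(3) keeps only the longest delay requested during the call and applies it once, when pam_authenticate() returns failure, so the 10 s, 60 s and 3600 s pam_faildelay lines in passwd-backoff do not ramp per prompt; a comment next to the include stating the intended behaviour would help.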

4 General

/etc/systemd/system/scripts/pm.sh:

#!/bin/sh
#  this file is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# Same values as /etc/sysctl.d/01-pm.conf, re-applied here in case
# the sysctl file was not loaded.
echo '1500' > /proc/sys/vm/dirty_writeback_centisecs
echo '0' > /proc/sys/kernel/nmi_watchdog

# Sound runtime PM (only if the module is loaded)
if [ -e /sys/module/snd_hda_intel/parameters/power_save ] ; then
  echo '1' > /sys/module/snd_hda_intel/parameters/power_save
fi

# SATA link power management
for host in /sys/class/scsi_host/host*/link_power_management_policy ; do
  [ -e "${host}" ] && echo 'min_power' > "${host}"
done

# PCI runtime PM
for pci_control in /sys/bus/pci/devices/*/power/control ; do
  [ -e "${pci_control}" ] && echo 'auto' > "${pci_control}"
done

# USB runtime PM
for usbdev in /sys/bus/usb/devices/*/power/control ; do
  [ -e "${usbdev}" ] && echo 'auto' > "${usbdev}"
done

# Disable unused "wake on lan" on every interface except loopback
for iface_path in /sys/class/net/* ; do
  iface="$(basename "${iface_path}")"
  [ "${iface}" = "lo" ] && continue
  ethtool -s "${iface}" wol d
done

# Wifi power saving (pw0: the wireless interface name used on this laptop)
iw dev pw0 set power_save on
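An added audit script, my own example and not from the original page: it reads back the knobs set by 01-pm.conf, 01-pm.rules and pm.sh above and reports any that do not hold their expected value, so a udev rule or sysctl that silently failed to apply can be found. `make_sample_tree` builds a constructed fake procfs/sysfs tree so the audit can be exercised without root or real hardware; on a real system call `audit_pm("/")`.

```python
import glob
import os
import tempfile

# Expected values taken from 01-pm.conf, 01-pm.rules and pm.sh above.
# Keys are glob patterns relative to the filesystem root ("/" on a real system).
EXPECTED = {
    "proc/sys/kernel/nmi_watchdog": "0",
    "proc/sys/vm/dirty_writeback_centisecs": "1500",
    "proc/sys/vm/laptop_mode": "5",
    "sys/module/snd_hda_intel/parameters/power_save": "1",
    "sys/class/scsi_host/host*/link_power_management_policy": "min_power",
    "sys/bus/pci/devices/*/power/control": "auto",
    "sys/bus/usb/devices/*/power/control": "auto",
}


def audit_pm(root="/"):
    """Return sorted (relative path, actual, expected) triples for every mismatch."""
    mismatches = []
    for pattern, want in EXPECTED.items():
        for path in glob.glob(os.path.join(root, pattern)):
            rel = os.path.relpath(path, root)
            try:
                with open(path) as f:
                    got = f.read().strip()
            except OSError as exc:
                got = "unreadable (%s)" % exc.strerror
            if got != want:
                mismatches.append((rel, got, want))
    return sorted(mismatches)


def make_sample_tree():
    """Constructed fake tree: one PCI device left at 'on' and one sysctl not applied."""
    root = tempfile.mkdtemp(prefix="pm-audit-")
    files = {
        "proc/sys/kernel/nmi_watchdog": "0\n",
        "proc/sys/vm/dirty_writeback_centisecs": "500\n",          # sysctl not applied
        "sys/bus/pci/devices/0000:00:02.0/power/control": "auto\n",
        "sys/bus/pci/devices/0000:00:1f.2/power/control": "on\n",  # rule did not take effect
        "sys/class/scsi_host/host0/link_power_management_policy": "min_power\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, got, want in audit_pm(make_sample_tree()):
        print("%s: is %r, expected %r" % (rel, got, want))
```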

/etc/systemd/system/powertop.service:

#  This file is not part of systemd.
#
#  this file is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Consume less power and produce less heat
DefaultDependencies=no
#Wants=display-manager.service
#After=display-manager.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/systemd/system/scripts/pm.sh

[Install]
WantedBy=multi-user.target