User:GNUtoo/laptop
1 Description
1.1 Goals
This profile is for laptops. Its goals are:
- Maximize battery life, minimize power consumption and heat
- Enhance security
1.2 Targeted laptops
- Lenovo X60
- Lenovo X60 tablet
- Lenovo T60
They all run coreboot with the native GPU initialization.
1.3 Coreboot payload
All the laptops mentioned above have GRUB as coreboot payload, which makes it possible to improve physical security: the goal is to ensure that the laptop has not been tampered with since the user last inspected it (by disassembling it).
We will assume that:
- The physical HDD and its firmware cannot be trusted.
- The user will be able to physically disassemble and check the hardware at some point.
- The laptop has to be able to run 100% free software, and it is considered trusted after the physical disassembly and inspection.
- An attacker can access the "BIOS" flash chip, but cannot do so without being noticed, thanks to the seals.
To do that:
- First the user checks the hardware by disassembling it.
- Then the user installs coreboot with GRUB as payload and a custom grub.cfg:
  - The grub.cfg sets a GRUB password.
  - The rootfs, including its /boot, is on a LUKS partition; this is possible because GRUB is in flash.
  - grub.cfg instructs GRUB to open the LUKS partition, so the user has to type one more password.
  - Optionally the user can put a key inside the initramfs that decrypts the LUKS partition, to avoid typing the same password a second time (GRUB has already opened the LUKS partition).
- Then the user seals it with nail polish, which produces a good random pattern when applied on screws. The goal is to seal the most important screws, more specifically the ones that have to be removed to access the important parts, like the RAM, the BIOS flash chip, the CPU, etc.
Limits: that setup can only verify that the hardware wasn't tampered with while it was unattended.
- The software won't magically get safer.
- It won't guarantee that the packages of your distribution match their source code. That is the goal of "reproducible builds", which isn't addressed by this setup.
2 Coreboot Setup
Example etc/grub.cfg, stored in the flash chip along with coreboot and GRUB:
# Serial (in case you have the dock)
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input --append serial
terminal_output --append serial

# Keyboard configuration, very important.
terminal_input --append at_keyboard # add keyboard support.
terminal_output --append cbmemc

# The device opened by cryptomount below is named crypto0 by GRUB.
set prefix=(crypto0)/home/gnutoo/local/lib/grub

# Encrypted rootfs (also contains /boot)
set keyargs="cryptkey=rootfs:/etc/keys/parabola_x60.key"
set luks_rootfs="lvm/500G_7200_x60-rootfs"
set common_args="root=/dev/mapper/root cryptdevice=/dev/mapper/500G_7200_x60-rootfs:root"

set superusers="root"
# Example password for 'parabola':
password_pbkdf2 root grub.pbkdf2.sha512.10000.F4AA5C22C4159B8F077906C045E5738E038BDA1080C78E9B99F13533D6A7FD9719F5BC1F9FE58228C27A16553A3E1B1FF33278DFD1B8189EFA063B3F3EF58EE2.676257A6E7FF43A7A60EA657DA17A3CBAB9F047E051EAEA873A89F5EA024E9E81329C4D4A50EF9E9A391F4A27DAD01D8F73D955D2CF47470EB070F62CF90D893

set timeout=1
set default=0

# Don't set to --unrestricted else any partition that
# has the same lvm name can be used
menuentry 'Parabola GNU/Linux-libre [quiet tty0]' {
    cryptomount ${luks_rootfs}
    set root='crypto0'
    echo 'Loading Linux libre kernel ...'
    linux /boot/vmlinuz-linux-libre-lts ${common_args} ${keyargs} video=efifb:off console=tty0 quiet
    echo 'Loading initial ramdisk ...'
    initrd /boot/initramfs-linux-libre-lts.img
}
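The password_pbkdf2 line above carries a string of the form grub.pbkdf2.sha512.<iterations>.<salt>.<key>, which is what grub-mkpasswd-pbkdf2 emits. The Python below is an added example (it is not part of this page nor of GRUB) showing how such an entry is built and how GRUB checks a typed password against it, so an entry can be verified offline before it is flashed; the function names are my own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Layout of a GRUB password_pbkdf2 entry, as emitted by grub-mkpasswd-pbkdf2:
#   grub.pbkdf2.sha512.<iterations>.<salt hex>.<derived key hex>
PREFIX = "grub.pbkdf2.sha512."


def make_grub_pbkdf2(password: str, salt: Optional[bytes] = None,
                     iterations: int = 10000, keylen: int = 64) -> str:
    """Build an entry the way grub-mkpasswd-pbkdf2 does (PBKDF2-HMAC-SHA512).

    The defaults (10000 iterations, 64-byte salt, 64-byte key) are the tool's defaults.
    """
    if salt is None:
        salt = os.urandom(64)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=keylen)
    return f"{PREFIX}{iterations}.{salt.hex().upper()}.{key.hex().upper()}"


def parse_grub_pbkdf2(entry: str) -> Tuple[int, bytes, bytes]:
    """Split an entry into (iterations, salt, stored key); raise ValueError if malformed."""
    if not entry.startswith(PREFIX):
        raise ValueError("not a grub.pbkdf2.sha512 entry")
    fields = entry[len(PREFIX):].split(".")
    if len(fields) != 3:
        raise ValueError("expected <iterations>.<salt>.<key>")
    iterations = int(fields[0])          # ValueError on non-numeric
    salt = bytes.fromhex(fields[1])      # ValueError on bad hex
    stored = bytes.fromhex(fields[2])
    if iterations <= 0 or not salt or not stored:
        raise ValueError("bad iteration count, empty salt or empty key")
    return iterations, salt, stored


def verify_grub_pbkdf2(entry: str, password: str) -> bool:
    """Check a candidate password the way GRUB does: derive a key as long as the
    stored one, with the stored salt and iteration count, then compare in constant time."""
    try:
        iterations, salt, stored = parse_grub_pbkdf2(entry)
    except ValueError:
        return False
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations,
                              dklen=len(stored))
    return hmac.compare_digest(key, stored)


if __name__ == "__main__":
    # Constructed demo: make an entry for a throwaway password and verify it.
    entry = make_grub_pbkdf2("parabola")
    print(entry)
    print("correct password accepted:", verify_grub_pbkdf2(entry, "parabola"))
    print("wrong password accepted:  ", verify_grub_pbkdf2(entry, "Parabola"))
```

Because the iteration count and salt are stored in clear in the entry, the protection of the GRUB password rests on the cost of 10000 PBKDF2 iterations per guess and on the password itself; verify_grub_pbkdf2 returns False for a malformed entry rather than raising, so a typo in the flashed grub.cfg shows up as a rejected password rather than a crash.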
3 Parabola Setup
3.1 Networking
/etc/udev/rules.d/10-network.rules
# Howto:
# ------
# ls /sys/class/net/
# udevadm info -a -p /class/net/enp0s29f0u1
# Then write the rule:
# SUBSYSTEM=="net", ACTION=="add", ...
# udevadm control --reload-rules
# replug the device

# Some interfaces naming, for instance:
# SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:01:02:03:04:05", NAME="pe0"

# Embedded devices (GTA02, GTA04 etc...)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="cdc_ether", NAME="usb0", RUN+="/usr/bin/netctl start $name"

####################
# General Settings #
####################

# Random MAC address
SUBSYSTEM=="net", ACTION=="add", RUN+="/etc/udev/scripts/mac.sh $name"
This script is called by udev; it generates and logs the random MAC addresses. Since I use cryptsetup and LUKS, storing the log is not an issue.
/etc/udev/scripts/mac.sh
#!/bin/sh
iface="$1"
logfile="/var/log/mac_addrs.log"
date="$(date)"
echo "-- ${date} --" >> "${logfile}"
echo "${iface}" >> "${logfile}"
# Randomize the device part of the MAC, keeping the vendor bytes (-e);
# redirect stdout to the log first so that stderr follows it there too.
/usr/bin/macchanger -e "${iface}" >> "${logfile}" 2>&1
echo "--END ${date} --" >> "${logfile}"
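An added example (Python, not part of this page) that reads the log mac.sh writes and checks what macchanger -e promises: the vendor bytes (OUI) stay, only the last three octets change. The log sample is constructed in the layout of the script's output and of macchanger's "Current MAC" / "Permanent MAC" / "New MAC" lines, with made-up addresses; randomize_nic_part reproduces the -e behaviour in Python.

```python
import re
import secrets
from typing import Dict, List

# Constructed sample in the layout mac.sh produces: a "-- <date> --" header, the
# interface name, macchanger's three MAC lines, and a "--END <date> --" trailer.
# Addresses and vendor strings are made up for the example.
SAMPLE_LOG = """\
-- Sat Aug  9 11:36:37 CEST 2014 --
wlan0
Current MAC:   00:16:ea:12:34:56 (Intel Corporate)
Permanent MAC: 00:16:ea:12:34:56 (Intel Corporate)
New MAC:       00:16:ea:9a:bc:de (Intel Corporate)
--END Sat Aug  9 11:36:37 CEST 2014 --
-- Sat Aug  9 12:00:01 CEST 2014 --
eth0
Current MAC:   00:1a:2b:3c:4d:5e (unknown)
Permanent MAC: 00:1a:2b:3c:4d:5e (unknown)
New MAC:       02:00:00:aa:bb:cc (unknown)
--END Sat Aug  9 12:00:01 CEST 2014 --
"""

BLOCK_RE = re.compile(
    r"^-- (?P<date>.+?) --\n(?P<iface>\S+)\n(?P<body>.*?)^--END .+? --$",
    re.MULTILINE | re.DOTALL,
)
MAC_LINE_RE = re.compile(r"^(Current|Permanent|New) MAC:\s+([0-9A-Fa-f:]{17})", re.MULTILINE)


def parse_mac_log(text: str) -> List[Dict[str, str]]:
    """One record per logged change: date, iface and the current/permanent/new MACs."""
    records = []
    for m in BLOCK_RE.finditer(text):
        rec = {"date": m.group("date"), "iface": m.group("iface")}
        for kind, mac in MAC_LINE_RE.findall(m.group("body")):
            rec[kind.lower()] = mac.lower()
        records.append(rec)
    return records


def same_oui(a: str, b: str) -> bool:
    """True when both addresses share the first three octets (the vendor part)."""
    return a.lower().split(":")[:3] == b.lower().split(":")[:3]


def oui_changed(records: List[Dict[str, str]]) -> List[str]:
    """Interfaces whose new MAC did not keep the permanent OUI, i.e. not what -e promises."""
    return [r["iface"] for r in records
            if "permanent" in r and "new" in r and not same_oui(r["permanent"], r["new"])]


def randomize_nic_part(mac: str) -> str:
    """What macchanger -e does: keep the vendor bytes, randomize the device-specific three."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("expected six colon-separated hex octets")
    for o in octets:
        int(o, 16)  # raises ValueError on non-hex input
    tail = secrets.token_bytes(3)
    return ":".join(octets[:3] + [f"{b:02x}" for b in tail])


if __name__ == "__main__":
    # On a real system read /var/log/mac_addrs.log instead of the constructed sample.
    for rec in parse_mac_log(SAMPLE_LOG):
        print(rec["date"], rec["iface"], rec.get("permanent"), "->", rec.get("new"))
    print("OUI not kept on:", oui_changed(parse_mac_log(SAMPLE_LOG)))
```

Keeping the OUI means the randomized address still identifies the card vendor; that is the trade-off -e makes for staying plausible on networks that filter on known vendor prefixes.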
3.2 Modules
/etc/modprobe.d/blacklist.conf
# Annoyances
blacklist pcspkr # beeps all the time
# iwl3945 confuses NetworkManager
# when the laptop is used with an external wifi card
blacklist iwl3945

# Security issues (DMA)
blacklist firewire_ohci
blacklist firewire_core
blacklist pcmcia
blacklist pcmcia_core
blacklist pcmcia_rsrc
blacklist yenta_socket
3.2.1 /etc/modprobe.d/thinkpad.conf
# Make intel-backlight the only backlight
# so it gets chosen by KDE (thinkpad_backlight
# has no effect)
options thinkpad_acpi brightness_enable=0
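A blacklist entry only stops the kernel from auto-loading a module through its alias; the module can still be pulled in as a dependency of another module or loaded by hand. The added Python below (not part of this page) parses a modprobe.d blacklist and the /proc/modules format and reports blacklisted modules that are loaded anyway, together with the modules holding them. The blacklist text is the one from blacklist.conf above; the /proc/modules lines are constructed.

```python
import re
from typing import Dict, List, Set

# blacklist.conf as given above.
BLACKLIST_CONF = """\
# Annoyances
blacklist pcspkr # beeps all the time
# iwl3945 confuses NetworkManager
# when the laptop is used with an external wifi card
blacklist iwl3945

# Security issues (DMA)
blacklist firewire_ohci
blacklist firewire_core
blacklist pcmcia
blacklist pcmcia_core
blacklist pcmcia_rsrc
blacklist yenta_socket
"""

# Constructed /proc/modules lines (fields: name size refcount holders state address).
# "holders" lists the modules that use this one, "-" when there are none.
PROC_MODULES = """\
firewire_ohci 40960 0 - Live 0x0000000000000000
firewire_core 65536 1 firewire_ohci, Live 0x0000000000000000
pcspkr 16384 0 - Live 0x0000000000000000
thinkpad_acpi 94208 0 - Live 0x0000000000000000
snd_hda_intel 45056 2 - Live 0x0000000000000000
"""


def parse_blacklist(text: str) -> Set[str]:
    """Module names from `blacklist <name>` lines; comments and other directives are ignored."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"blacklist\s+(\S+)$", line)
        if m:
            names.add(m.group(1))
    return names


def parse_proc_modules(text: str) -> Dict[str, List[str]]:
    """Map each loaded module to the list of modules holding a reference to it."""
    loaded = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        holders = [] if fields[3] == "-" else [h for h in fields[3].split(",") if h]
        loaded[fields[0]] = holders
    return loaded


def loaded_blacklisted(blacklist: Set[str], loaded: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Blacklisted modules that are loaded anyway, with their holders
    (an empty holder list means the module was loaded directly or by alias)."""
    return {name: loaded[name] for name in sorted(blacklist) if name in loaded}


def check(blacklist_text: str = BLACKLIST_CONF,
          proc_modules_text: str = PROC_MODULES) -> Dict[str, List[str]]:
    return loaded_blacklisted(parse_blacklist(blacklist_text),
                              parse_proc_modules(proc_modules_text))


if __name__ == "__main__":
    # On a live system feed it the contents of /proc/modules and of /etc/modprobe.d/*.conf.
    for name, holders in check().items():
        print(f"{name}: loaded" + (f", held by {', '.join(holders)}" if holders else ""))
```

In the constructed sample firewire_core is reported as held by firewire_ohci, which is how a blacklisted module ends up loaded despite the entry. For the DMA-capable drivers that must never load, the stronger modprobe.d directive is "install <module> /bin/false", which makes any modprobe of that name fail.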
3.3 Power saving
3.3.1 Introduction
- For more details, see the corresponding Arch wiki page.
3.3.2 /etc/sysctl.d/01-pm.conf:
# NMI seems to be used only for debugging by the kernel
# See https://en.wikipedia.org/wiki/Non-maskable_interrupt for more details
kernel.nmi_watchdog = 0
# Reduces disk power consumption
vm.dirty_writeback_centisecs = 1500
# Laptop mode (5 seconds)
vm.laptop_mode = 5
3.3.3 /etc/udev/rules.d/01-pm.rules:
# Wifi power saving (Reduce heat, increase battery life)
ACTION=="add", SUBSYSTEM=="net", KERNEL=="wlan*", RUN+="/usr/bin/iw dev %k set power_save on"

##############
# Runtime PM #
##############
# PCI
ACTION=="add", SUBSYSTEM=="pci", ATTR{power/control}="auto"
# SATA
ACTION=="add", SUBSYSTEM=="scsi_host", KERNEL=="host*", ATTR{link_power_management_policy}="min_power"
# hdparm
ACTION=="add", KERNEL=="[hs]d[a-z]", ATTR{queue/rotational}=="1", RUN+="/usr/bin/hdparm -B 1 -M 128 /dev/%k"
# Disable unused "wake on lan"
ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth*", RUN+="/usr/bin/ethtool -s %k wol d"
# Various subsystems runtime power management
ACTION=="add", SUBSYSTEMS=="*", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="add", SUBSYSTEMS=="*", TEST=="parameters/power_save", ATTR{parameters/power_save}="1"
3.3.4 Sound power saving (modprobe.d options)
# Also look at that module parameter:
# power_save_controller:Reset controller in power save mode. (bool)
options snd_hda_intel power_save=1
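The sysctl file and the udev rules of this section set knobs under /proc/sys and /sys. The added Python check below (not part of this page) reads them back and lists every knob that is not in the state the rules ask for; it is the quick way to tell whether a rule did not match a device. It takes a root directory, so it runs against the live system with "/" or against a constructed tree: build_sample_tree writes such a constructed tree, with two entries deliberately left in their default state, and demo audits it.

```python
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Values the sysctl file and the udev rules above ask for.
EXPECTED_SYSCTL = {
    "kernel/nmi_watchdog": "0",
    "vm/dirty_writeback_centisecs": "1500",
    "vm/laptop_mode": "5",
}
EXPECTED_SATA_LPM = "min_power"
EXPECTED_PCI_CONTROL = "auto"
EXPECTED_SND_POWER_SAVE = "1"

# (path relative to root, expected value, actual value or None if unreadable)
Finding = Tuple[str, str, Optional[str]]


def _read(path: Path) -> Optional[str]:
    try:
        return path.read_text().strip()
    except OSError:
        return None


def audit_power_settings(root: str = "/") -> List[Finding]:
    """List every knob under <root>/proc and <root>/sys that is not in the requested state.
    Pass "/" for the live system, or a directory holding a copied or constructed tree."""
    base = Path(root)
    findings: List[Finding] = []

    def expect(path: Path, want: str) -> None:
        got = _read(path)
        if got != want:
            findings.append((str(path.relative_to(base)), want, got))

    for key, want in EXPECTED_SYSCTL.items():
        expect(base / "proc/sys" / key, want)
    for p in sorted((base / "sys/class/scsi_host").glob("host*/link_power_management_policy")):
        expect(p, EXPECTED_SATA_LPM)
    for p in sorted((base / "sys/bus/pci/devices").glob("*/power/control")):
        expect(p, EXPECTED_PCI_CONTROL)
    snd = base / "sys/module/snd_hda_intel/parameters/power_save"
    if snd.exists():  # only present while the module is loaded
        expect(snd, EXPECTED_SND_POWER_SAVE)
    return findings


# Constructed tree: host1 and PCI device 0000:00:1b.0 are left in their default state.
SAMPLE_TREE = {
    "proc/sys/kernel/nmi_watchdog": "1",
    "proc/sys/vm/dirty_writeback_centisecs": "1500",
    "proc/sys/vm/laptop_mode": "5",
    "sys/class/scsi_host/host0/link_power_management_policy": "min_power",
    "sys/class/scsi_host/host1/link_power_management_policy": "max_performance",
    "sys/bus/pci/devices/0000:00:02.0/power/control": "auto",
    "sys/bus/pci/devices/0000:00:1b.0/power/control": "on",
    "sys/module/snd_hda_intel/parameters/power_save": "1",
}


def build_sample_tree(root: str) -> None:
    """Write the constructed tree under root."""
    for rel, value in SAMPLE_TREE.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(value + "\n")


def demo() -> List[Finding]:
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return audit_power_settings(d)


if __name__ == "__main__":
    # Replace demo() with audit_power_settings("/") to check the running laptop.
    for rel, want, got in demo():
        print(f"{rel}: expected {want!r}, found {got!r}")
```

A knob reported as None was not readable at all, which on a live system usually means the device or module is absent rather than misconfigured.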
3.4 Protection against brute forcing of passwords at runtime
3.4.1 /etc/pam.d/passwd-backoff
PAM include file that increases the delay after every 3 failed password attempts; how it is pulled into the stack is shown in the system-auth section below:
#%PAM-1.0
# First 3 attempts without any delay
auth sufficient pam_unix.so nodelay try_first_pass nullok
# Then increase the delay progressively from 10 seconds to way more
auth sufficient pam_faildelay.so delay=10000000
auth sufficient pam_unix.so nullok
auth sufficient pam_faildelay.so delay=60000000
auth sufficient pam_unix.so nullok
auth sufficient pam_faildelay.so delay=3600000000
auth sufficient pam_unix.so nullok
3.4.2 /etc/pam.d/system-auth
--- system-auth 2013-09-28 23:23:48.000000000 +0200 +++ system-auth 2014-08-09 11:36:37.477867975 +0200 @@ -1,4 +1,5 @@ #%PAM-1.0 +auth include passwd-backoff auth required pam_unix.so try_first_pass nullok auth optional pam_permit.so
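Review bot: the added `auth include passwd-backoff` sits directly above `auth required pam_unix.so try_first_pass nullok`, and the interaction of the two deserves a comment in the file: every entry in passwd-backoff is `sufficient`, so a correct password ends the stack inside the include, while a wrong one falls through all of them and is then checked once more by this `required` line, which with `try_first_pass` reuses the last password typed inside the include (no new prompt) and is the line that actually returns the failure to the application. A one-line comment above the include stating that the `required pam_unix.so` line must stay as the final failing entry would save the next reader from "simplifying" it away.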
4 General
/etc/systemd/system/scripts/pm.sh:
#!/bin/sh
# this file is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

echo '1500' > /proc/sys/vm/dirty_writeback_centisecs
echo '0' > /proc/sys/kernel/nmi_watchdog

# Sound runtime PM
echo '1' > /sys/module/snd_hda_intel/parameters/power_save

# SATA link power management
for host in /sys/class/scsi_host/host*/link_power_management_policy ; do
    echo 'min_power' > "${host}"
done

# PCI runtime PM
for pci_control in /sys/bus/pci/devices/*/power/control ; do
    echo 'auto' > "${pci_control}"
done

# USB runtime PM
for usbdev in /sys/bus/usb/devices/*/power/control ; do
    echo 'auto' > "${usbdev}"
done

# Network interfaces: disable "wake on lan" on everything but the loopback
# (matching on the exact name avoids skipping interfaces that merely contain "lo")
for path in /sys/class/net/* ; do
    iface="$(basename "${path}")"
    [ "${iface}" = "lo" ] && continue
    ethtool -s "${iface}" wol d
done
iw dev pw0 set power_save on
/etc/systemd/system/powertop.service:
# This file is not part of systemd.
#
# this file is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

[Unit]
Description=Consume less power and produce less heat
DefaultDependencies=no
#Wants=display-manager.service
#After=display-manager.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/systemd/system/scripts/pm.sh

[Install]
WantedBy=multi-user.target