pull down to refresh
103 sats \ 5 replies \ @ama 30 Dec 2022 \ on: How to know if laptop has been tampered with? bitcoin
Secure boot, UEFI, and the OS allowed by secure boot are actually the malware. You're better of disabling secure boot, installing a really secure open source operating system on a password protected encrypted device, and setting up a strong incremental backup policy on at least two (I currently keep four of them) different password protected encrypted devices, one kept locally and the second one kept off-site.
^^ exactly
You need a laptop with the Intel Management Engine (IME) disabled. The following vendors can help:
Next you need to pick a setup that has a USB key to verify that your bootloader wasn't modified (Measured Boot). This will require PIN entry to load your OS after every upgrade.
And for a final layer of protection, if you're comfortable with linux, consider Qubes!
reply
Thanks, great resources, I did only know of purism so far. I will look into it. I've made no distinction between Secure Boot and Measured Boot so far.
But by now it's obvious to me that an open source firmware is a key requirement.
reply
No doubt about it. If your main board is supported by one, your'e much better off replacing it.
reply
Secure Boot allows to detect evil maid attacks, I can also employ my own key in the laptop firmware and sign my self-compiled kernel with it (maybe not on every laptop but the ones I came across offered this). Learning more on this topic I understand that it may also mean depending on Microsoft and proprietary firmware which I clearly do not want. I want to make sure that noone changed any software on my computer while I was away.
Even the best "really secure open source operating system" can be replaced by a rootkit without you noticing.
I have to admit, using Secure Boot requires trusting the UEFI software but you have to do that anyways. Open Source firmware implementations might be the answer. The reply by @ln123 offers great advice in this direction.
reply
If you have secure boot on, you're almost guarantied to already have some piece of malware on your computer. :-)
reply