These are the machines I rely on for secure computing. Neither relies on much proprietary code at the earliest stages of boot and (as far as I understand) neither comes with blatant backdoors like Intel ME/AMD PSP.
ThinkPad T420
A machine which I’ve slowly upgraded over the years to become my favourite system and the one I use for travelling: an i7-3720QM, 16 GB of 2133 MHz RAM, an FHD Samsung display with a mod controller, an upgraded Wi-Fi chip, a 9-cell battery with Samsung cells, an mSATA SSD and a USB 3.0 ExpressCard for 5 USB ports total. I use a magnetic USB-C adapter plugged into a C-to-A adapter for immediate shutdown on breaking the magnetic link, using the scripts from [buskill].
Up until recently I had it flashed with coreboot+SeaBIOS with the VGA BIOS; it ran primarily Arch and Debian and did so perfectly. Now it has coreboot+Heads and runs QubesOS. I use a Nitrokey 3A as my smartcard and security token.
Heads allows me to:
- Use free software on the boot path
- Move the root of trust into hardware (or at least the ROM bootblock)
- Measure and attest to the state of the firmware
- Measure and verify all filesystems
Heads + QubesOS is, in my opinion, the superior system for verifying the integrity of the physical hardware and OS while also protecting against remote attacks.
NovaCustom NS51
My system for tasks the ThinkPad can’t cope with: an i5-1240P with 64 GB of 3200 MHz RAM. [Buy] [Firmware]
It has Dasharo coreboot+UEFI v1.7.2 from 3mdeb. Intel ME is disabled with the HAP bit. The full firmware ROM looks like this. More details at the Firmware link.
I bought this machine before it was retired by NovaCustom; if I had known they would delist it so soon I would have waited for a V54 series, but at least this machine still comes with 5 years of security updates from NovaCustom.
I run QubesOS on this machine as well, but I can’t detect tampering as accurately as I can with my T420. QubesOS does not support Secure Boot, and due to the HAP bit being disabled the TPM isn’t functional, so Anti Evil Maid also isn’t an option. I use the same buskill setup as on my T420. Taking a sha256sum of all partitions, signing those sums with my GPG key and then comparing the sums before booting, together with some old-school anti-tampering techniques, is my stopgap while I look for better alternatives. Continued [here].
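The partition-hashing stopgap described above, written out as a small POSIX shell script. This is an added example, not the author's own scripts: it records a SHA-256 manifest of the partitions you name, optionally produces a detached GPG signature for it, and later verifies the signature (if one is present) and recomputes every sum. The device paths in the usage comment are assumptions; substitute the real partitions.

```shell
#!/bin/sh
# Added example (not from the original page): record, sign and re-check
# SHA-256 sums of block devices before trusting their contents.
# Usage (device paths are placeholders, run as root for real partitions):
#   record_sums /root/sums.sha256 /dev/nvme0n1p1 /dev/nvme0n1p2
#   sign_manifest /root/sums.sha256        # writes /root/sums.sha256.asc
#   check_sums /root/sums.sha256 && echo "no changes detected"
set -eu

# record_sums MANIFEST DEV...
# Writes one "hash  path" line per device so the manifest can later be fed
# straight back to sha256sum --check.
record_sums() {
  manifest=$1
  shift
  : > "$manifest"
  for dev in "$@"; do
    sha256sum -- "$dev" >> "$manifest"
  done
}

# sign_manifest MANIFEST
# Detached ASCII-armored signature next to the manifest, made with the
# default gpg signing key. Keep the verification key somewhere an attacker
# who can modify the disk cannot also replace it (e.g. on the smartcard).
sign_manifest() {
  gpg --detach-sign --armor --output "$1.asc" -- "$1"
}

# check_sums MANIFEST
# Returns 0 only when the signature (if present) verifies and every recorded
# sum still matches; 2 on a bad signature, sha256sum's status on a mismatch.
check_sums() {
  manifest=$1
  if [ -f "$manifest.asc" ]; then
    gpg --verify -- "$manifest.asc" "$manifest" || return 2
  fi
  # --strict also fails on malformed manifest lines, so a truncated or
  # edited manifest cannot pass as "all OK" with fewer entries checked.
  sha256sum --check --quiet --strict -- "$manifest"
}
```

Two practical caveats apply to this approach, which is why the author calls it a stopgap: the check runs from the same machine whose firmware and disks are in question, so it only catches offline modification of the partitions, not a compromised boot chain that lies about what it reads back; and a partition holding a mounted read-write filesystem (journals, atime updates) will legitimately change between recordings, so the manifest is only meaningful for partitions that are not written between record and check, or must be refreshed and re-signed after each trusted session.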