Time to get back to the original intent of this blog – talking about my paranoid obsession with information security! So break out your tinfoil hats my friends because this will be a fun ride. I’m looking for the most open source / freedom respecting portable computing experience I can possibly find and I’m going to document my work in real-time so you will get to experience the ups (and possibly the downs) of that path through the universe. With that said, let’s get rolling.
I’ve always been fascinated with Richard Stallman, not just as a character, but because he tries to live out his life according to his beliefs. I’m more of a BSD guy than a GPL person, but the laptop he uses has fascinated me to the point that I have been actively searching for one for myself. After many months searching for that particular Chinese MIPS based laptop, I thought to myself, “there has to be something I can use.”
When I built my OpenBSD router using the APU2 board, I discovered that there are some amd64 systems that use open source BIOS. This one used Coreboot and after some investigation I discovered that there was an even more paranoid open source BIOS called Libreboot out there. That started to feel like it might scratch my itch. From doing more research, I discovered that after the Intel Core Duo chip, all future “Core i” chips have this lovely thing called the Intel Management Engine embedded in them that basically cannot be disabled without making the machine non-functional after a period of time. The particularly creepy thing about the IME is that it operates at a layer above the CPU which means that its use, if compromised, could allow an attacker complete control over your system.
Well, after playing around with some lower-powered systems like my APU2 board, my Thinkpad x230 and my SPARC64 boxes, I thought, if it runs amd64 code and I can run an open source operating system on it, the thing should be powerful enough for me to do most (if not all) of what I need it to do. At this point, I started looking for a viable machine. From a performance perspective, it looked like the Thinkpad x200, T400, T500 and W500 were all viable candidates. After paying attention on eBay for a while, I saw something that was either going to be a sweet deal, or a throwaway piece of garbage!
I found a listing for a Thinkpad T500 that said it didn’t come with a power adapter and was 100% untested. From looking at the photos, it seemed like there was nothing that had been molested about it. All of the outside and bottom panels that should be there in a working system were present. Obviously, nobody was jumping on something this risky so I thought, “what the heck” and dropped a bid at the opening price of $24.99. Yes, you heard that right, $25 bucks! Well, guess what. I won the auction. Now to see what I got.
When the laptop showed up, I discovered it was minus its hard drive (but the outside plastic cover was still in place). I plugged in my x230’s power adapter and hit the button. I got lights and was dropped to the BIOS screen. To my eternal joy, I discovered that the machine I had purchased for $25 was 100% functional and included the T9400 2.54 GHz Core 2 Duo CPU and the 1680×1050 display panel. W00t!
First things first, I need to get this machine a hard drive and get the RAM upgraded from the 2GB that it showed up with to 8GB. Good news is that these two purchases only totaled $50 for the pair. An aftermarket 9-cell replacement battery was another $20. Throw in a supported WiFi card that doesn’t require a non-free blob from Libreboot at $5.99 off of eBay and $5 for a hard drive caddy and I’m looking at about $65 in additional parts bringing the total cost of the laptop, fully loaded up at just over $100. Not bad at all…
Once all of the parts arrived and were installed, now for the fun part. Disassembling the entire thing down to the motherboard so we can re-flash the BIOS with Libreboot. The guide looks particularly challenging for this but hey, I have a nice set of screwdrivers from iFixit and a remarkable lack of fear when it comes to disassembling things. Should be fun!
NOTE: A very important step you need to take is to ensure that you have updated the machine to the latest & greatest BIOS from Lenovo before you start the disassembly process. The update not only flashes the BIOS itself but some other firmware on the board. Additionally, if you ever feel like you will need a VGA option ROM, extract it now before you start disassembling the machine!
Well, fun didn’t even come close. I wish I had shot some pictures along the way because at one point I had a heap of parts in one corner of my “workbench” (the dining room table) and just the bare motherboard, minus the CPU sitting in front of me. With the help of a clip and a bunch of whoops wires (patch cables), I connected my Beaglebone Black to the BIOS chip on the bare motherboard and attempted to read the chip. #fail
I figured out after doing some more digging that you need to use the connector on the left side of the BBB if you hold it with the power connector facing away from you. In addition, you should probably read the entire process through instead of stopping at the exciting pinout connector diagram, because I missed the bit about the 3.3v power supply needing to have its ground connected to pin 2 of the BIOS chip.
Speaking of that infamous 3.3v power supply, I managed to bend a paperclip into a U shape and jam it into the connector of an old ATX power supply I had in a closet and source power from that. I felt like MacGyver for that one!
I was able to successfully read the original Thinkpad BIOS and then flash the Libreboot + Grub2 VESA framebuffer image onto the laptop! I gulped loudly and started the reassembly process. Other than having some cable routing difficulties because the replacement WiFi card didn’t have a 5Ghz antenna, it all went back together. Now for the moment of truth! I hit the power button and everything worked!!!
At this point I happily scurried to download the latest snapshot of OpenBSD -current and install it. Well, things got a little weird here. Looks like I have to use GRUB to boot this machine now and GRUB won’t boot an OpenBSD machine with Full Disk Encryption. That was a bit of a bummer for me. I tilted against that windmill for several days and then finally admitted defeat. So now what to do? Install Arch?
Well, here’s where I think the crazy caught up to me. I decided to be an utter sell out and install Ubuntu Gnome Edition 17.04 (since that will be the default DE going forward) with full disk encryption. I figured I could have fun playing around in a foreign land and try to harden the heck out of that operating system. I called Ubuntu “grandma’s Linux” because a friend of mine installed it on his mom’s laptop for her but I figured what the heck – let’s see how the other half live!
After running that Ubuntu 17.04 install I have to say I was pretty impressed. Instead of the normal 45 minute setup time for me with Arch using my cheat notes, I was rebooting into the OS with a nice graphical full disk encryption prompt inside of five minutes. I love to eat crow so I sent my friend a quick email saying that maybe I was too hard on mee-maw’s laptop OS of choice! 🙂
Now came the fun part of hardening things. I downloaded my new favorite starting point, a tool called “lynis” that sniffs out your system and determines what you can do to improve the security footprint on it. I did find out that the version that you get from the default package repos on Ubuntu was a bit out of date so I downloaded the latest from the lynis website, built it and installed it. Problem solved. I love open source!
After tweaking everything that I thought was reasonable to be tweaked on a non-server OS running a desktop (including adding an encrypted master password to Grub2), I had a reasonably well-hardened system. Next step was to turn the dial to eleven! I use a non log-keeping VPN service with an egress point that is outside of the fourteen eyes nations, so I set that up as an on-demand thing for me to switch on in NetworkManager and it worked just fine – with the one exception that I always forget about – IPv6 leaks your actual IP address on the VPN! So I did some searching and found out how to 100% disable IPv6, did a quick reboot and test and all was well!
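Here is one way to do that post-reboot test, as an added example that is not from the original post: it checks that every interface has the `disable_ipv6` sysctl set and that no address routable beyond the local link is left in `/proc/net/if_inet6`. The function names, the optional root-directory argument and the sample data are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The optional first argument is
# a hypothetical /proc override so the checks can run on constructed data.

# Print "iface address" for every address routable beyond the local link.
# /proc/net/if_inet6 columns: address ifindex prefixlen scope flags ifname
# scope: 00 global, 10 host (loopback), 20 link-local, 40 site-local
ipv6_routable_addrs() {
    f="${1:-/proc}/net/if_inet6"
    [ -r "$f" ] || return 0    # no file: the IPv6 stack is not loaded
    awk '$4 != "10" && $4 != "20" { print $6, $1 }' "$f"
}

# Print every interface whose disable_ipv6 sysctl is not 1.
ipv6_enabled_ifaces() {
    for d in "${1:-/proc}"/sys/net/ipv6/conf/*/; do
        [ -r "${d}disable_ipv6" ] || continue
        [ "$(cat "${d}disable_ipv6")" = "1" ] || basename "$d"
    done
}

# Succeed only when neither check reports anything.
ipv6_is_off() {
    [ -z "$(ipv6_routable_addrs "$1")" ] && [ -z "$(ipv6_enabled_ifaces "$1")" ]
}

# Constructed sample: a half-applied setting where wlan0 was missed and
# still holds a global address (2001:db8::/32 is the documentation prefix).
make_sample() {
    root=$(mktemp -d)
    for i in all default lo wlan0; do
        mkdir -p "$root/sys/net/ipv6/conf/$i"
        echo 1 > "$root/sys/net/ipv6/conf/$i/disable_ipv6"
    done
    echo 0 > "$root/sys/net/ipv6/conf/wlan0/disable_ipv6"
    mkdir -p "$root/net"
    cat > "$root/net/if_inet6" <<'EOF'
00000000000000000000000000000001 01 80 10 80 lo
fe80000000000000021122fffe334455 03 40 20 80 wlan0
20010db8000000000000000000000042 03 40 00 00 wlan0
EOF
    echo "$root"
}

# Check the live system (reads the real /proc when no argument is given).
if ipv6_is_off; then echo "IPv6 is off"; else echo "IPv6 is still active"; fi
```

Run it again after the VPN connection comes up, since an interface created later takes its setting from `default` rather than from whatever was applied to the interfaces present at boot.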
I then ran nmap on the localhost interface and found some ports open I didn’t like (SMB, etc.) Just to avoid my paranoia driving me into a catalepsy, I hopped onto my OpenBSD router and did an nmap scan of the laptop from the outside (still on the LAN though). Sure enough, the default firewall configuration was not exposing those ports so I was OK. Now I installed the latest version of the TOR browser and configured my default Firefox to how I like it from the great guide at http://privacytools.io so that I had a minimal footprint even when running outside of the limited protection that TOR gives you.
Now for the thing that most of my security brethren will laugh at me for doing – installing ClamAV with on access scanning. Even though I am quite careful about what I click on, I figure it never hurts to have that extra layer of protection. I set up ClamAV with FreshClam to automatically refresh my subscriptions, made the necessary tweaks to the /etc/clamav/clamd.conf file and voila – I had something that automatically detected and deleted any suspected viral-infected files with a nice Gnome3 popup showing what happened.
At this point, while I didn’t have what I originally set out to do – build a laptop with Libreboot and OpenBSD, I did have a nice compromise that is as well hardened as I can possibly make it and very functional in terms of being able to do what I need to do on a day to day basis. Do I wish it was more portable? Of course. This thing is like a six or seven pounder. However, I feel much more secure in knowing that the vast majority of the code running on this machine is open source and has all the eyes of the community on it, versus something that comes from a vendor that we cannot inspect. My hope is that someone with the talent (unfortunately I lack those skills) takes an interest in getting FDE working with Libreboot on OpenBSD and I will most happily nuke and repave this “ancient of days” machine to run that!
Let me know if you enjoyed this post please! Keep the cards and letters coming. 🙂
Congratulations on fighting the good fight! That T500 must be quite a monster, not really portable but can take a beating or two!
I’d almost say I’d prefer a “normal” BIOS and OpenBSD than LibreBoot and Ubuntu 🙂
Great write up. I learned a lot, thank you!
(written from my own Libreboot’ed T500 🙂
You probably need to flash the SeaBIOS payload along with coreboot to do OpenBSD FDE properly, then you can install normally and get rid of GRUB.
What guide did you use for the ClamAV tweaks to the /etc/clamav/clamd.conf file?
Try OpenBSD with a Lenovo x230 equipped w/ i7, 2x8gb, 512gb Samsung Evo msata SSD. Run me_cleaner to paralyze the Intel Management engine. Coreboot should work with this laptop. Wonder if they have a firmware image for a mecleaned x230. At least with coreboot, you can possibly use OpenBSD to apply Spectre variant 2/3 / Meltdown Intel microcode update mitigation to your cpu; effectively paired with mitigations in place from OpenBSD kernel, that only leaves you with TLBleed & Spectre Variant 1. 1080p fhd screen hack is available utilizing dock display port #2. Chiclet keys on x230 suck. Keyboard mod exists to replace keyboard with old school x220 keyboard. Question is, can you hack coreboot to support this mod?
Intel HD 4000 is *bsd/linux compatible & 1080p playback is O.K.
This is great to read, thanks!
Have you learned anything more in the 16 months since this was written?
Have you tried any other OS such as Qubes OS or Tails on this?