[Bradford] Laptop security

John Robert Hudson j.r.hudson at virginmedia.com
Sat Nov 14 22:29:42 UTC 2015


Hi Alice

When Matt gave his talk on mixed mode UEFI in May, I mentioned that I had not 
been able to use UEFI on my Toshiba, and it appears that there may be a form of 
Windows-only UEFI which isn't accessible to efibootmgr. So that may be the root 
problem, as Lenovo say that 'features may not work with other OS.'

It certainly appears to offer quite a lot of built-in security that would baffle 
the casual thief.

Wikipedia says that dm-crypt can use TPM. Not sure if that helps.

John
--
On Saturday 14 Nov 2015 18:06:16 Alice . wrote:
> Hi Bradlug,
> 
> I recently bought a new laptop and I'm trying to make it as secure as I
> can. There's a couple of areas I'm struggling with that I thought I'd ask
> you lot about. For reference it's a Thinkpad T420 with the latest Fedora.
> 
> First UEFI. I understand UEFI Secure Boot will protect me against evil maid
> attacks better than the legacy BIOS. I've not spent much time trying to get
> this working yet, but it doesn't work out of the box and I'm wondering just
> how much better it is than a password-protected BIOS?
> 
> Secondly TPM. There's tools in Fedora to manage the TPM keystore, and that
> seems to work. However, there's no software in the repo to actually use it.
> I'd have to compile software to use it to encrypt the disk and store ssh
> keys. So again, is it worth doing when it would mean running software that
> doesn't get automatic security upgrades? I have similar questions about
> using a Yubico key to do the same things.
> 
> The steps I've taken so far (as much as possible) are:
> 
> Linux Foundation's workstation security guide -
> https://github.com/lfit/itpol/blob/master/linux-workstation-security.md
> 
> NSA-proof SSH configuration -
> https://stribika.github.io/2015/01/04/secure-secure-shell.html
> 
> Any other input on getting this right would be welcome. I can cover this
> briefly at the next meeting too if there's interest.
> 
> Thanks
> Alice
> 
> FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
> GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS



