Laptop Hardware Security #244
base: main
Signed-off-by: Tommy <[email protected]>
Post images should not be placed in the /static directory. Follow the correct format as in https://github.com/PrivSec-dev/privsec.dev/tree/main/content/posts/knowledge/ChromeOS%20Questionable%20Encryption.
Are we gonna start moving other posts later too? Because there are a lot of them in /static
Intel CSME provides critical security features, including but not limited to: | ||
- Boot Guard (The basis of SRTM, as discussed above) | ||
- Firmware TPM (Generally better than dedicated TPMs by being not being vulnerable to bus sniffing) |
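Review bot: the Firmware TPM bullet has a doubled phrase ("by being not being vulnerable") and states "Generally better than dedicated TPMs" as a blanket claim that the thread below disputes; suggest wording it as a specific property rather than a ranking, e.g. "Firmware TPM (not exposed to bus sniffing, since it has no external LPC/SPI bus, though it shares the CSME's attack surface)", and adding a parenthetical to the Boot Guard bullet that names the section "as discussed above" refers to.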
firmware tpm is less secure than hardware tpm
and ptt is hardware tpm while psp is not
What? PTT is firmware TPM
OK, I do not really understand PTT and AMD fTPM well. But I think a firmware solution is less secure than a hardware solution. Perhaps a SoC TPM like Pluton is the best.
like this fTPM exploit
> But I think firmware solution is less secure than hardware solution. Perhaps SoC TPM like Pluton is the best.
Not how it works.
I am well aware of faultpm. It doesn't change the fact that fTPM are not vulnerable to stuff like bus sniffing like dTPM.
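The PTT-versus-fTPM confusion above comes down to which vendor made the TPM. As an added check (not code from this PR or from privsec.dev), this Python script reads the manufacturer ID from `tpm2_getcap properties-fixed` output and classifies the part as a CPU-integrated firmware TPM or a discrete chip on an external bus; the vendor-ID table and the tpm2-tools output layout are my assumptions, and the sample output is constructed.

```python
"""Classify a TPM as firmware (CPU/SoC-integrated) or discrete from its vendor ID.

Added example, not from the PR or privsec.dev. The vendor-ID table is an
assumption based on the TCG vendor ID registry; the input layout assumed is
what tpm2-tools prints for `tpm2_getcap properties-fixed`.
"""
import re

# Assumption: Intel PTT and AMD fTPM execute inside the CSME/PSP and have no
# external bus; the others are discrete chips on LPC/SPI and can be sniffed.
VENDOR_KIND = {
    "INTC": ("Intel PTT", "firmware"),
    "AMD": ("AMD fTPM", "firmware"),
    "IFX": ("Infineon", "discrete"),
    "STM": ("STMicroelectronics", "discrete"),
    "NTC": ("Nuvoton", "discrete"),
}

def manufacturer_from_getcap(text: str) -> str:
    """Return the ASCII vendor ID (TPM_PT_MANUFACTURER) from getcap output.

    Prefers the quoted `value:` line; otherwise decodes the raw 32-bit
    property as four ASCII bytes, dropping NUL/space padding (e.g. "AMD\0").
    """
    m = re.search(r'TPM2_PT_MANUFACTURER:\s*raw:\s*0x([0-9A-Fa-f]+)'
                  r'\s*value:\s*"([^"]*)"', text)
    if m:
        return m.group(2).strip("\x00 ")
    m = re.search(r'TPM2_PT_MANUFACTURER:\s*raw:\s*0x([0-9A-Fa-f]+)', text)
    if not m:
        raise ValueError("TPM2_PT_MANUFACTURER not found in input")
    raw = int(m.group(1), 16).to_bytes(4, "big")
    return raw.decode("ascii", errors="replace").strip("\x00 ")

def classify(vendor_id: str) -> dict:
    """Map a vendor ID to vendor name, TPM kind and bus-sniffing exposure."""
    name, kind = VENDOR_KIND.get(vendor_id, (vendor_id, "unknown"))
    return {"vendor_id": vendor_id, "vendor": name, "kind": kind,
            # Only a discrete TPM has a bus an attacker can physically tap.
            "bus_sniffing_exposure": kind == "discrete"}

# Constructed sample in tpm2-tools layout: an Intel PTT machine ("INTC").
SAMPLE_GETCAP = """TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_MANUFACTURER:
  raw: 0x494E5443
  value: "INTC"
"""

if __name__ == "__main__":
    print(classify(manufacturer_from_getcap(SAMPLE_GETCAP)))
```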
To start off, the best laptops I have found are modern the Dell Latitude/Precision laptops with an Intel vPro Enterprise CPU. The second best group of laptops I have found are modern Lenovo Thinkpads with Intel vPro Enterprise or AMD Ryzen Pro CPUs. These are relatively easy to acquire and share these common security properties: | ||
|
||
- Have Intel Boot Guard or AMD Platform Secure Boot to protect the firmware | ||
- Have regular firmware updates ([monthly updates for Dell](https://www.dell.com/support/kbdoc/en-us/000197092/dell-drivers-and-downloads-update-release-schedule), and [bi-monthly updates for Thinkpads](https://support.lenovo.com/us/en/solutions/ht515365-thinkpad-driver-and-firmware-update-release-schedule)) |
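Review bot: the update-cadence bullet states "monthly updates for Dell" and "bi-monthly updates for Thinkpads" as firm schedules, but the linked pages are release schedules rather than guarantees and, as raised in this thread, several months can pass without a release and neither vendor commits to a support duration; suggest "Dell targets monthly and Lenovo bi-monthly firmware releases, and both have historically kept shipping updates for years". Also, "modern the Dell Latitude/Precision laptops" in the first line should read "the modern Dell Latitude/Precision laptops".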
It seems it's not strictly one update per month. Sometimes there's several months without updates.
Also Dell and Lenovo never promised how long they would support their PCs
> It seems it's not strictly one update per month. Sometimes there's several months without updates.

Yes, it's a general rule. It doesn't always hold.

> Also Dell and Lenovo never promised how long they would support their PCs

They typically support them for years and years. Even 8th gen Dell and Lenovo are still getting updates.
520b835 to c508504
Have the Microsoft Surface line of laptops been considered? Not the ARM ones (not sure if they have memory encryption) but the Surface Laptop 6 for example. I'm pretty sure they meet all the requirements and the only downside would be Linux support, but this is an article about general Laptop Hardware Security. Thoughts?