Designing my ideal secure laptop

This is just something I dream of.. And maybe actually build some day, when I have some extra cash or when I switch to a new laptop. The goal is as follows. But to be frank, it's so I can have the peace of mind knowing that no one, not even the CIA or Russian hackers can get into my laptop. I feel threatened by China and the GFW. I want a laptop that survives the worst case if I ever had to travel into China and use it under their massive surveillance system. And to leak no information when I get stopped by the TSA and they searched my laptop.

  • Portable (laptop)
  • Usable as daily driver
  • As resistant to cyber attack as possible
  • Resistant to physical attack

I want it to be portable, so I can carry it with me. Yes, that increases the possiblity of it being stolen. But I do need a computer when I go to conferences, working outside, at my parent's home, etc.. This is non-negotiable. I can only mitegate data theft by encrypting my harddrive and requiring passwords for BIOS and boot.

First of all, define usable. For me an usable laptop has to have a reasonable batterylife, I can do all my daily tasks on - coding, banking, browsing the web and some light gaming. The final item might mean I need to install Windows on it. So be it. It's ok as long as encrypt my other OS' partition so Windows as no change of reading them. For all the other task's I'll be doing on it. I'm considering Linux, FreeBSD or OpenBSD. Linux because it's a given it'll work, FreeBSD because of Jail support and OpenBSD for their famous security. In any case full disk encryption will be enabled.

Hardware wise there isn't much pratical option. I'll just trust hardware vendors aren't putting rootkits into CPUs and firmware. RISC-V is not mature yet. While POWER9 (the only other 100% open firmware CPU) is not sutable for laptop nor there's a POWER laptop. Intel and AMD are the only options.

The threat model

For this project, even though very unlikely. I want to design my system to protect my sensitive personal data agasint the threats:

  • Thefts stealing my laptop
  • Goverment agencies scraping data when I cross borders
  • Hackers getting into my system via remote exploits
  • Passive network surveillance

It's good security practice to assume a system being compermised once it gets stolen by someone. In my case, I consider my laptop would be gone for good if someone every stole it. Or Goverment agencies would make a disk copy when they are checking my loggage. The best I can do is to setup the system in a way that no one besides me can ever use it. The best anyone else can do is to reset the UEFI and wipe the the entire disk for a fresh installation of Windows. My solution here is 3 folds. A boot/UEFI password, full disk encryption and login via physical security key.

UEFI password can easily be bypassed. But would be enough to detur thefts from using my laptop at all and leave it somewhere. Full disk encryption with a very strong password (or even stored on a secure key) could prevent goverment agencies reading contents on my disk, hopefully forever. Even if they confiscate the device. And logging in through hardware key prevents any actors from looking at my keyboard and learn my password in a Cafe when I'm working outsude.

Preventing remote explotation, I think, is really down to compartmentalization and the OS. Linux and FreeBSD have container supprot to prevent exploited applications from access the rest of the system. OpenBSD provides solid hardening to prevent exploit in the first place and very detailed security settings to only allow applications the premissions it need to function. All three systems are well suited for security. Personally I prefer OpenBSD for this because a) it's famous for security and b) security throuh obscurity works in my favour. Security through obscurity is only a problem when it's the only line of defense. With OpenBSD, I get high security by default. And because less people uses OpenBSD, it's also less common to see exploits for OpenBSD and applications running on it.

In most cases defending passive surveillance like China's Golden Shield Program or US' Prism bowils down to anonymizing your traffic. However I don't want to connect to Tor 24-7. Tor is slow (compared to clearnet), doesn't work in China and only hides your metadata. The last one is the last straw on the camal. Tor hides how you are talking to. It's useful to connect to some secreat remote server or chating without observers seeing. But I don't have these needs. I have no problem that systems know I am connected to Matrix or Jami. These services anonymizs the communication anyways. What I do need is DNSCrypt or DoH to prevent DNS poisining. And browser plugins to enforce HTTPS trafic, enable ESNI to encrypt domain names.

OS selection

Linux

Linux is proberpally the easiest to come up. Likely I'll run Arch Linux installed on BTRFS with LUKS encryption. Why? Because I'm familare with Arch and enjoy AUR very much. BTRFS along with regular snapshots allows me to recover accidentally deleted files and/or ransomware attacks - I hope I'm good enough to not get ransomwared. Arch also has the advitage of being a rolling release distro. I don't have to wait for a distro release to get new compilers, new editors, etc..

FreeBSD

FreeBSD is less likely to fully support hardware I ended up selecting. But FreeBSD Jail is a huge upgrade from Linux's offerings. On Linux, Flatpaks and Snaps supposed to encoprate containers to installed applications, to disallow unwanted access to the rest of the system. But Flatpaks and Snaps are unusably slow to download and has a very limited app selection. I don't want to "remember" that I am supposed to install from Flatpak only to forget later. FreeBSD Jail is tightly integrated with their packaging system. The pkg command can install packages inside a jail. For example, it can install Firefox in a jail. Even a 0 day was used to exlpoit browsers, the Jail would prevent hackers from accessing all my other files.

FreeBSD also supports all the other features I need. GELI for disk encryption and ZFS to protect data loss or ransomware. The one down side of FreeBSD is that it's like a versioned distro. FreeBSD release a new version once in a while. I had to wait to get new compilers and tools. But FreeBSD updates frequently enough that I think this is not a deal breaker.

OpenBSD

OpenBSD has a much smaller userbase compared to FreeBSD and Linux. However it boasts some pretty good security designs. Hardened kernel making kernel exploits less pratical. Hardened libc makes userland less exploitable. And OpenBSD has arguably better code quality while having less overall lines of code. OpenBSD has a downside that it is also a versioned system. And it does not speek GPT natively for partition. Certainlly more difficult to setup and less likely to work on a given hardware.

Hardware

There isn't too much hardware that is "more secure" than others in my opinion. Purism and System76 have laptops with IME (Intel Managment Engine) disabled and very firendly to Linux. And their offerings are just not worth the extra cost. IME and PSP theoretically can take over the entire system and read akk your messages. But from my experience working in hardware lab. It's too difficult and not commerically viable to put extra data-stealing code into a CPU. And that code has to also parse Linux/Windows/BSD kernel structures, understand userland layout, talk to network devices without the OS noticing/crashing, etc... It's certainlly better if IME doesn't exist. But I think it does not pose as a serious threat.

I likely will go after a massmarket laptop. Like a HP Envy x360 13. It has soldered memory. Which may actually be a good thing. Soldered memory means impossible someone to pull off cold boot attack. Or Huawei MateBook X for it's OpenBSD support.

Network hardening

Nothing too crazy here. dnscrypt-proxy to enforce system wide encrypted DNS. Ban all incomming traffic. Randomized MAC address on each boot.

Sinario simulation

The ideal setup is as follows. I have my secure laptop with UEFI password, encrypted Linux/BSD, normal Windows installation and boots into Windows by default. The disk encryption key is stored on a seprate physical keys. Which I don't bring along with me. I always boot my device at home and can't boot into UNIX after shutdown and use privileged commands if I'm outside. dnscrypt-proxy is always on to encrypt DNS queries.

TSA confiscate device after landing

Laptop shall be in my backpack all times and booted then suspened into UNIX. If TSA asked me to hand over my laptop for security screaning. I would swiftly hold down the power button to shutdown the device. They had to boot it when they try to search it, then ask for the UEFI password. Which I would cooperate and provide (since it encrypts nothing). Hopefully they'll be happy with my cooperation and hand me back my laptop after searching Windows. In case they get technical, finding that the Windows drive space does not match the spec of the system. I'll again cooperate and explain it's because there's also an installation of UNIX on it. If they asked me to log into UNIX. I'll just reply what I can't. Booting UNIX requires a physical USB device that I don't carry for security. And they can image the harddrive or even have the device, but there's absolutelly nothing I can do. Hopefully they will give my device back. But I can be sure my data is secure even if they took the entire thing away.

Operating in China

China's GFW (Great Firewall) is a massive surveillance and cyber attack system that poisins the network enviroment within China - to control information and public opinion. It's a hostile network enviroment. Here DNS encryption alleviates some attack by not getting DNS posionsed. Browser plugins and enforcing HTTPS keeps GFW from seeing the content.

The GFW is much more capable than this. It can do metadata analysis. But I'm happy that I none of my direct information leaks. Since I don't live there. It's ok that I don't have a full armor to protect me.

Stolen my a theft at a Cafe

This one is easy. A normal theft don't know how to use UNIX. They are forced to shutdown the device even if I were logged in (the lockscree will be activated once they close the screen). Which they discover there's a boot password. And hopefully ditch the device. Some smarter thefts might be able to reset the entire CMOS storage to reset the password. Even so, they can't get into UNIX or read anything in it. They can wipe the disk and install Windows. Which is fine since that also wipes my data.

Author's profile
Martin Chang
Systems software, HPC, GPGPU and AI. I mostly write stupid C++ code. Sometimes does AI research. Chronic VRChat addict
  • marty1885 \at protonmail.com
  • GPG: 76D1 193D 93E9 6444
  • Jami: a72b62ac04a958ca57739247aa1ed4fe0d11d2df