Anti Evil Maid and Lenovo x230

hey,
im using a lenovo x230 with the bios version 2.77 and want to use aem. the thing with aem is, at version 2.77 it seems like its not compatible. because i cleared my secure chip and if i do tpm_clear -z it says authentication failed
if i downgrade bios to 2.70 it still works
i also tried to reset only tpm key on 2.70 and upgrade back to 2.77 but no chance to get it working with aem (tpm_clear -z or anti-evil-maid-tpm-setup -z)
also ive seen on the lenovo page the x230 is unsupported now, so there would be no newer bios updates anymore
how are you handling this? i mean the bios is one of the first things on the laptop which would load up if you boot your laptop / pc so this must be secure, if not the hole qubes os wouldnt help here out

and coreboot would be also not an option as i understand it here:

or does this mean im only out of luck if i used this me_cleaner?

If you cleaned your ME you can’t use AEM.

If you use coreboot/heads there is no point in using AEM, as you already have a superior solution.

so coreboot would clean my ME?

no im still using the standard lenovo bios, but im struggling around with using coreboot to fix upcoming cves (because BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit), 8.1, 8, 7 (32-bit, 64-bit), XP - ThinkPad X230, X230i - Lenovo Support DE is eol) or use aem but i guess aem with a unsecure bios wouldnt be that helpful?

what would be your solution? or what are devs alternative here?

When you build heads (including coreboot) that certainly happens. However, I am unsure which of the two projects is doing it and whether it can be skipped (it should).

@Plexus, can you answer this question?

not certainly. you can choose to leave ME alone (or not)

it is made in heads build, you can skip it if you want. ME neutering is the standard option, but if you build it yourself you must run the correct script (it is documented)
Even for the x230 alone there are several options on the way: x230 x230-maximized, x230-hotp-verification, x230-hotp-maximized. You can build it yourself already.

you can see it here: heads/boards at master · osresearch/heads · GitHub

i mean a updated bios support would be supercool, but aem is also important for me because im taking my laptop with me when i travel anywhere or if i have to go to my office
but i guess plexus would also say stay a updated (secure) because would be more important than aem
but ill wait to plexus reply
hopefully there is a solution to get both or maybe the versions 2.70 to 2.77 arent that important

You can apply me_cleaner on a stock Lenovo BIOS, as well as with
coreboot.
coreboot has a configuration option to clear ME using a variety of
methods, depending on the chipset. On an x230 it will only strip some
modules, and apply disabling flags.
Heads is built atop coreboot, and uses the coreboot configuration to
clean ME

So, what would be more secure for me (because I’m traveling with my notebook)
Using aem or use me_cleaner and get an updated bios?

BTW. I’ve found this:
https://doc.coreboot.org/security/intel/txt.html
So would this mean intel txt would work with coreboot?
How hard would it be to set this up? I’m not that deep into this, so I would say I am an advanced user but I’m not comparable to a person which finished a bachelor degree

I think intel TXT requires ME enabled.

If you have a supported motherboard it’s straightforward. It’s just a
config option in the coreboot build.
But it’s not available for the x230, (or many other Lenovo).

So what would be the best solution? Setup aem or switch over to coreboot to get a supported bios again?

Or what would you do if you need this laptop to travel with?

There is no best solution, and what I would do is probably irrelevant
to you.
You have to assess your security profile, and factor in your technical
knowledge. Also take account of where you will be travelling, how
likely you are to be under investigation, and what you need your laptop
for while you are away.
Using heads, (like using Qubes), may be a red flag. If your equipment is
likely to be inspected, then it may be as well to be running a stock
BIOS and Windows on a commodity laptop, while you travel.
If you are prepared, you can fairly easily flash on arrival, and set up
a minimal Qubes system for use. This may be the best solution for you,
or perhaps not.

To me, Anti Evil Maid would seem to require Flashing Heads onto the X-230, which means opening up laptop, attaching a clip to chips inside to Flash. Then use a preset HOTP key to detect if the computer has been tampered with.

Notice the Qubes OS webpage, “Certified Hardware” down on the bottom. Mostly modded Lenovo computers. Insurgo sells “Certified Hardware” and provides a complete list of changes. After trying to emulate what they do for some months, I think they are not overcharging for what they do. NitroKey, the other “Certified Hardware” looks to be an excellent offering as well. They sell one of the HOTP USB keys needed to detect “Anti-Evil Maid.”

Perhaps as important is to develop a set of rules as to operations. Like using either Tor, or a VPN to tunnel out of hotel, or other public WiFi. I have heard the Whonix website has lot of good documentation on things like that. Having a copy of Tails Linux might also useful. https://tails.boum.org/

Unman has a far larger experience than I.

There are options to roll back the standard Lenovo BIOS/EFI, if that is the direction you want to go.

thanks for your 2 last answeres, this helped me a lot now

@catacombs where to get these hotp usb keys? and did you got a ez tutorial for users like me which arent that deep into this?
and this hotp is acting like the aem software in qubes?
https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html
if so, why are they saying anything like that:
Q: But, two-factor authentication can also be used to prevent Evil Maid, right?
A: No.

yubikey isnt able to do that?

anyhow… im using a vpn everytime with a killswitch

i would be soo thankful if you could answer to this, and hopefully that would be my last questions :slight_smile:
sorry to be “that” dumb in this.

Curious. Could you elaborate more why “using heads and qubes might be a red flag?”.

To be more specific with my question, are we in the community aware of any actors that have explicitly stated that these are red flags to look for and document in their analysis of individuals? If anyone or any group has stated such could you share sources please?

@ConoRZ if you decide to follow qubes certified laptop specifications with your x230 and pick up a librem or insurgio key (same thing), I’ll gladly help you (or anyone) get ME_Cleaner, along heads, and librem key setup properly.

But other than that, whatever AEM is, doesn’t sound secure or unspoofable, whereas a librem key you keep on your body forever, unless you were Honey_trapped, I doubt could be spoofed or faked. But until you get librem key, I can’t help you.

Edit: I am alreadly recieving PMs about about heads/coreboot/skulls, first I only know heads for x230 and librem / nitro-key (they are same) please see to get started: Lenovo X230 - Heads - Wiki

Second, there’s often no reason to PM me because I believe this takes away the opportunity for the community to learn and grow together from public questions and communal troubleshooting. So just including your question by @'in me in threads such as this one is enough to get my attention.

Third, I’m not a heads developer or anything, I just know how to get it installed on x230 and was able to decipher it’s poorly written and / or non-existent documentation.

You will stand out of the crowd. The person asking you to boot your computer sees Windows and Mac all day long. Then you come along with Heads/Qubes … you are different and will hence get more attention.

They literally copied down the serial number as something like: xen-virtual-bios or something like that.

Now in situations like this, I simply start the HVM and make if full screen before showing the computer. It then looks like any other Windows PC.

Fullscreen? I’m guessing this a r.4.1 feature. But good obfuscation idea.

Nope. R4.0. Resolution of your HVM needs to match screen. Right click on title bar of qube and select fullscreen.

1 Like