Anti Evil Maid and Lenovo x230

@deeplow: I have no idea why, but discourse decided to remove an entire paragraph from my previous post. The paragraph accidentally started with a space, maybe that’s what caused it?

You will stand out of the crowd. The person asking you to boot your computer sees Windows and Mac all day long. Then you come along with Heads/Qubes … you are different and will hence get more attention.

From my own experience: I once spent 20 minutes arguing with a corporate security person trying to explain that what I have is not a Windows PC and I don’t have a “command prompt” where they can type in the command to retrieve the serial number as instructed. Realizing that this person had no idea what on earth I was talking about, I booted into my Windows HVM and let them do as they were instructed.

They literally copied down the serial number as something like: xen-virtual-bios or something like that.

Now in situations like this, I simply start the HVM and make it full screen before showing the computer. It then looks like any other Windows PC.


That was the cause of the error. Discourse needs a way to know what’s a quotation and what’s not. This had happened before :wink:

after a pm discussion with @anon93834559 do the heads option with libremkey / nitrokey… they should be the same
I'm choosing the nitrokey because I'm a European so it would be cheaper for me
just only got one question to be sure:
the Nitrokey Pro 2 == libremkey right?
so I don't need the nitrokey storage 2?

there would be no way to build an own “libremkey”?

Greetingz @ConoRZ,

I use a Nitrokey Pro (not storage) with heads x230 using TOTP. I have not used the heads HOTP config but am fairly certain you don’t need the storage version for that.

There was an interesting post by stallmanrocks a few years ago on qubes-users that mentions the Tomu.

I read it after I’d got a YubiKey 4 (only used with TOTP), but your question prompted me to find that again. If anyone has other alternatives or experiences, I’m also curious.

Thanks for your answer, I already got a yubikey but the thing is, there would be no way to get a tamper protection, probably I have to buy also a nitrokey but I’ll do this next month

I bought this month a pixel 4a so there would be no money left for a nitrokey :rofl:
But would be happy when pixel would be arrived, I’ll install graphene os there instantly :slight_smile:

“I bought this month a pixel 4a so there would be no money left for a nitrokey :rofl:
But would be happy when pixel would be arrived, I’ll install graphene os there instantly”

Pixel 4A with 5G is somewhat fragile, screen easily cracks. I had installed an Otterbox screen protector and bumper cushion as well. Cracked screen phone still works.

Graphene Install works exactly as described. No Problems. I do wonder if this is the altered OS that the FBI used on the expensive Secure phone they sold to -Drug Dealers-, and later used to take them down.

correct, the Librem Key is a re-branded Nitrokey Pro 2. see:

once you have a Nitrokey Pro 2, you’ll need to flash your x230 with Heads. if you are having difficulty with building & flashing Heads, you can use Skulls to make the process easier:

specifically:


Why do you say that?

The way heads uses the Yubikey or the Nitro/LibremKey is as a PGP smart card to sign your binaries.

The attestation works using TOTP and an authenticator app you run on your smart phone. I am using andOTP on my Pixel 4a running Graphene OS.

In addition to that you can also enable HOTP using a Nitro/LibremKey. I have the Nitrokey Storage 2. If you do that and attestation is successful you get a little green led flashing … otherwise it’ll flash red. However this is an additional feature and you can absolutely have tamper protection with TOTP and the authenticator app alone.
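Added example (not part of the original posts, and not Heads or Nitrokey code): the two one-time-password schemes the post above contrasts, per RFC 4226 (HOTP) and RFC 6238 (TOTP), using only the Python standard library. The `token_check` helper, its look-ahead window and the green/red return values are assumptions made for illustration; the secret is the constructed RFC test key.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step, digits)

def token_check(secret: bytes, token_counter: int, code: str, window: int = 3):
    """Token-side HOTP check (hypothetical helper, not a vendor API).

    Accepts a code for the stored counter or up to `window` steps ahead and
    returns (led, next_counter). The counter only moves forward, so a code
    that was already used is rejected when replayed.
    """
    for c in range(token_counter, token_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return "green", c + 1
    return "red", token_counter

# Constructed sample secret (the RFC 4226 test key), not a real device secret.
SECRET = b"12345678901234567890"

def demo():
    results = {}
    # TOTP: laptop and phone derive the same code from secret + clock; a person compares them.
    results["laptop_totp"] = totp(SECRET, 59)
    results["phone_totp"] = totp(SECRET, 59)
    # HOTP: the firmware sends its code and the token does the comparison.
    results["good_boot"] = token_check(SECRET, 0, hotp(SECRET, 0))
    # Firmware that does not hold the secret cannot produce a matching code.
    results["wrong_secret"] = token_check(SECRET, 1, hotp(b"not-the-secret", 1))
    # Replaying the code from the first boot fails: the counter has moved on.
    results["replay"] = token_check(SECRET, 1, hotp(SECRET, 0))
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

TOTP needs a correct clock on both sides and a person to compare the digits; HOTP needs only the shared counter, which is why the token can do the comparison itself.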

@ConoRZ Not sure exactly which yubikey you have or what kind of tamper “protection” you expect. I mentioned that I use the Yubikey 4 because it is not listed on Prerequisites for Heads | Heads - Wiki but works fine for me with Heads (TOTP only).

In case you missed it, the Heads FAQ includes a HOTP vs TOTP entry and the Heads Threat model | Heads - Wiki has links to further info.

Best regards …

because i thought this “tamper” protection is anything special which is communicating with bios / tpm chip etc.
like with a custom tpm

yep, also because of the red / green blinking led I thought this would be impossible with a yubikey
I also want to use HOTP, so I have to buy a nitrokey, but I think I'll do today the heads flash with TOTP and would upgrade later to HOTP


thanks for this stuff, this helped me a lot to understand it!
but what I would understand as tamper protection I can't tell you, because nitrokey was calling this:
Tamper-resistant smart card

and to the person with skull:
thanks, I guess I'll look this up in the next hour, because I'll start in the next hour to flash heads :slight_smile:

ok little update:
I wanted to do skulls / heads but the thing is:
1.) I'm at my work and didn't notice that I have to take a screw driver with me xD
2.) idk how I could connect my raspberry pi to my laptop because I guess I didn't get pins for it and 2. I need this “clip” to connect it to the chip

to get this in my work wouldnt be that problem because i could ask a person if the person would be able to bring this to my work

… now i have to figure out how to organise the clip…

Glad the links helped and you seem to be serious about your project. Not sure which pi you have but maybe these links will be helpful.

https://www.chucknemeth.com/laptop/lenovo-x230/flash-lenovo-x230-coreboot

One other thing to consider before going further is whether or not you want to do any EC firmware modifications (e.g. disable the EC’s authentic battery validation check). If you wish to do any EC firmware modifications it's best to do them before installing Heads. More info available at https://github.com/hamishcoleman/thinkpad-ec

Keep us updated and good luck!

I got the pi 3b+ I guess, would have to look up when I'm home again
but I'm also not sure if I got jumper cables, but I guess I would fail to find a clip

would i get any benefits if i flash ec?

and am i allowed to write you a pm and update the posts after it?

EDIT: got jumper cables but I'm missing the clip, I guess duct tape to hold pins would be too insecure :confused:

You should update the EC in any case.
Flashing with that mod allows you to fit a proper x220 keyboard in place
of the chiclet, and have it mostly working, and also use 3rd party batteries.

You can get a cheap clip readily enough.

oh ok thanks

anyhow… idk if I want to try flash with clip, if I would buy a clip I would receive it in 2 weeks… that's the thing I'm troubling with now :smiley:

but anyhow, I'm troubling also now with dd (can't find the code option) because it's flashing so slowly, I'm unsure if my slot got problems or if it's my sd card… I mean my sd card is pretty old now
also formatting it was pretty slow

I have been told by someone, before Flashing. Remove main battery. Remove CMOS battery. Remove SSD. Of course, be aware of static.

For myself, Use a check list. Like a Pilot.

I damaged a Clip. Inside one of the trenches of the clip, a bit of yellow foil is curling out of the trench. I think I damaged this by trying to allow the clip to self guide itself onto proper place of chip.

When I should have put a lot of light on chip before, finding the exact place to lay Clip on. Opening the Clip to nearly its widest. Putting it down exactly the first time.

I dunno. I have never done this before.

When I used Skulls on the upper chip, which worked. The note said Core Boot with ECC 2.77.
I am not sure what all the implications of all that are. I do know that before I flashed, I had a 128 GB SSD. After I flashed, I installed a larger, different model SSD (SK hynix Gold s31 SSD 250 GB) and installed Mint Linux onto it. (Waiting until I could get Heads installed.) Looks like it was installed with FAT. I have Mint Linux in one partition, and two partitions with 111 GB. Not sure how that happened. Still at boot, the note says SeaBios, and lists the Crucial 128 GB as the drive. Still it works, but it means that some information was retained from what was on Clip to after Flash. Maybe that was on the second (lower) chip, which did not Flash correctly??

I see one note for Flashing on X230, that for the “From” computer to Ch431, to use Fedora 30, Debian 9, or Qubes (no number). Someone else, in another note, said he had problems doing Flash because he used Fedora (also not mentioning which version number) when using Debian would be much easier. Not sure if my From computer will install Debian which works with Wireless chip installed, or which version of Debian is required. That is, if I use Debian 9, and the wireless chip works, maybe it will not mesh with the later Flash software, or if I use Debian 11, the other way, will the Flash work with Debian 11. When I tried, I used one of the long term versions of Ubuntu, and had to have someone explain how to download/install software for Flash, and do a make something. I don’t have that list of instructions anymore.

Someone offered this link already: Heads

A successful Flash on the top chip offers a lot of detail as it goes along. You know it happened.

Sorry @Sven I'm late - you can select to neuter ME as part of coreboot build. Re. heads, yes it will neuter ME if you follow the instructions as by default they grab the IFD and ME portions and do the work on it: heads/blobs/xx30 at master · linuxboot/heads · GitHub

If I got the skulls tutorial correctly, if there would be some updates I have to flash my bios chip again with my raspberry, right?
My work colleague would solder this temporarily for the flash on Wednesday

The standard option is to enable internal flashing after initial external flashing. Internal flashing means you can flash another image from heads.