Qubes: Antivirus?

You cannot do this on modern AMD

Yes, but you can disable the PSP. I’m not sure if it has upsides and can be trusted, though.

Yes, sure. But my question was whether there is a risk if I am offline, not when it's plugged out.

There is always a risk, no matter what.

If I were to write some malware that was specifically designed just for you, with the intention of getting your files on your USB stick, and my recon showed that you do sometimes take your computer offline, then I would factor that into my malware.

For example, I would make it copy the entire contents of any block device matching the description I defined (your USB stick). I would then get it to encrypt those files using my server’s public key (so you couldn’t recognise them), and either store them in your RAM, or somewhere obscure on your boot device.

Then, when it detected a network interface, it would send over those files to me.

Just to be thorough, in case the network interface only had LAN access, I would then instruct the malware to propagate itself onto all network devices, with copies of the encrypted files, in the hope that one of them would eventually make its way to an internet connection, and then send it to me.

(This was less about accuracy about what malware can actually do, and more about trying to get you into the habit of realizing that there is ALWAYS a risk)

The reason that AMD hardware can disable the PSP is:

Shortly after SA-00086 was patched, vendors for AMD processor mainboards started shipping BIOS updates that allow disabling the AMD Platform Security Processor

All the more reason to avoid it.

Same thing

Do you recommend disabling it?
And what BIOS update do I need to do so? Haven’t found any more precise information about that.

It depends on how much you trust it.
You should disable it, because it will disable the PSP at "some level" on "some motherboards" and "some CPU models", although not everything (still better than nothing).

Don't think I'm using an AMD CPU (APU).
That picture is cut from a research paper.

Hi, I have researched more about the PSP and BIOS in general. I don’t think my laptop is compatible with LibreBoot so I may have to stick with AMD’s firmware. I need another version in order to disable PSP.
Would you download it to do so? Because I mean, right now, I am having the provider’s firmware anyway.
But the thing with bad DNS you said unsettled me.


Something that helps, somewhat, maybe, for the bad DNS is checking the HTTPS certificate for websites. In theory, bad DNS or MITM attacks against HTTPS sites are difficult because the certificates are difficult to forge. The attacker can certainly copy the certificate (they’re public anyway), but will need to do one of:

  • Extract the private key from the genuine server.
  • Trick Verisign, Thawte, or one of the other authorities into signing a fake certificate.
  • Install their own root certificate in your browser so that your browser will trust any certificate they forge.

Obviously, with three ways forward, an attack is certainly possible, but still difficult.

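As an added example (not from the original post, and not Qubes or Mozilla code), here is the kind of certificate check the post describes done as a pin comparison in Python with only the standard library; the host name and pin in the `__main__` block are placeholders, and `fetch` is injectable so the comparison logic can be exercised without a network:

```python
"""Pin-check a site's TLS leaf certificate (added example, stdlib only).

The pin is recorded once, on a network you trust, and every later connection
is compared against it. The chain is still verified against the system trust
store, but a forged certificate signed by a tricked CA or by an attacker-
installed root would pass that step; the pin catches it, because the
fingerprint does not depend on who signed the certificate.
"""
import hashlib
import socket
import ssl
from typing import Callable, Iterable


def fetch_leaf_der(hostname: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect with normal chain validation and return the server's DER leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes, colon-separated uppercase hex as browsers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(hostname: str, pinned: Iterable[str],
              fetch: Callable[[str], bytes] = fetch_leaf_der) -> str:
    """Return 'match', 'mismatch' or 'error' for the certificate hostname presents now.

    'mismatch' means either a legitimate key rotation or that something between
    you and the site (bad DNS answer, MITM box, rogue root CA) is serving a
    different certificate: a reason to stop and investigate, not to click through.
    """
    try:
        der = fetch(hostname)
    except OSError:  # ssl.SSLError is a subclass of OSError
        return "error"
    return "match" if fingerprint(der) in set(pinned) else "mismatch"


if __name__ == "__main__":
    # Hypothetical host and placeholder pin; record the real pin yourself first.
    print(check_pin("example.com", {"00:11:22:..."}))
```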

Note: Libreboot doesn't work with Qubes OS.

What is your motherboard? It is only possible on some motherboards, and if your motherboard is supported then you need a BIOS update.

LibreBoot doesn’t seem to work for my PC.
I will download the official BIOS update, but possibly not now.
If I do it later, will it have the same effect (no backdoor), or is there a backdoor to everything that I have done before I disabled PSP?

There is always a backdoor in proprietary software.
It may be placed there intentionally or by mistake.
Disabling PSP only reduces some backdoors.

[quote]
There is always a backdoor in proprietary software.
It may be placed there intentionally or by mistake.
Disabling PSP only reduces some backdoors.
[/quote]

This is either meaningless or false, if intended to contrast proprietary
with libre software.

I have worked with developers where the security team had absolute
veto over product. That software received much greater scrutiny
than most open source projects, although the code was proprietary.

You could argue that the open source model leads to less secure
outcomes in practice. Look at the way in which users are encouraged to
participate, and the (often false) assumption that many eyes are
actually reviewing the code and code changes.

Since LibreBoot was mentioned, I would never use it. Partly because of
Leah herself, but also because it does have a “backdoor”. The same
goes for any of the Libre distros.
This is because they don’t apply microcode, and therefore ship products
that are insecure by design. In fact, libre distros remove the warnings
from the kernel so that users are not even warned that they are open to
attack. There is a trade-off between free software and security here - I
don't believe the right thing to do is to hide this choice from users.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

That is what I had learned.
After reading that, this led me to confusion, and in combination with this topic I started assuming Qubes OS is insecure by design.

Does this mean Windows is more secure than Linux and Qubes?

What?

Where did you read this?

No, it means that proprietary software is not automatically more/less secure than open-source.

@unman must be speaking about Spectre and Meltdown, which are not fixed in the (old) hardware able to run Libreboot.


Disabling PSP only reduces some backdoors.

Yes, but this wasn’t the actual question.
It was this:

If I do it later, will it have the same effect (no backdoor from PSP), or is there a backdoor to everything that I have done before I disabled PSP?

It was that that really brought it home to me.
Libreboot has a completely incoherent position - they encourage users to
update the EC firmware, but not to apply updated microcode. So they
prefer to have closed firmware with known vulnerabilities rather
than apply updated closed microcode.
This may make good sense if you value libre over everything else.
But it doesn’t allow you to promote libreboot as more secure than a
standard updated BIOS, or than coreboot with updated microcode. That’s
dishonest.

The same applies to the kernel modifications in libre kernel. It doesn’t
enhance user freedom if you don’t give them important information, and
take active steps to hide that from them.
Again, this won't bother most users of free software. But it does impact
the claim that free software is more secure.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

Libreboot now agrees with you, see these links:

https://lists.gnu.org/archive/html/libreplanet-discuss/2022-01/msg00019.html


And yet, Leah continues to provide a broken system, just to comply with
FSF.

Hi Thamil

You don't need an antivirus on Qubes OS, but what you can do is change your DNS to 9.9.9.9
(https://www.quad9.net/) and block malicious websites like phishing sites and so on.

If you use a browser like Mozilla Firefox or a mail application like Thunderbird, these applications use sandboxing technology, which protects your machine too.
https://wiki.mozilla.org/Security/Sandbox

If you wanna have additional protection in your Firefox Browser, you can install the

  • Emsisoft Browser Protection
  • uBlock Origin from Raymond Hill

If you wanna protect all your devices at home in the network, you can also use a firewall like

  • Firewalla
  • PFsense (with Snort)
  • Bitdefender Box
  • Trend Micro Home Network Security Device
  • Asus Router with AiProtection (TrendMicro)
  • Netgear Router with Armor (Bitdefender)

What all these solutions do is check your DNS connections and block malicious sites and connections (botnet, phishing…), which gives you an additional protection layer. From the other threats, you are protected by the sandboxing and VM concepts and technologies.

Let me know if you have any further questions - cheers