Secure & Privacy Laptop Setup

Device requirements and selection

At the moment we have a multitude of laptop manufacturers such as: Asus, Lenovo, HP, MSI, Dell and many others. But not all of them can provide laptops possessing really that can be considered reliable and safe. Mandatory Requirements:

• Regular BIOS updates
• Compatibility with fwupdmgr
• Secure Boot - verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted.
• TPM 2.0 - is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys
• Processor must support:
• • Intel:
• • • Intel® Total Memory Encryption - Multi Key - encrypts the entire physical memory of a system with a multiple encryption keys
• • • Intel® Hardware Shield Eligibility - Three layers of protection: protection below the OS layer, application and data protection, and protection against advanced threats
• • • Intel® Control-Flow Enforcement Technology - detects compromises to Control Flow Integrity with a Shadow Stack (SS) and Indirect Branch Tracking (IBT)
• • • Intel® Boot Guard - is a hardware-based Root of Trust (RoT) technology for platform boot and UEFI Secure Boot is defined by the UEFI standards to verify IA firmware signatures prior to boot
• • AMD:
• • • Memory Guard - encrypts the entire physical memory of a system with the random key
• • • Shadow Stack - protect against control-flow attacks by checking the normal program stack against a hardware-stored copy
• • • Secure Processor - dedicated security processor validates code before it is executed to improve data and application integrity
• Not exorbitant prices
• Hardware Tampering Protection

At this time, we know of no alternatives for fwupd and will use the HSI:4 (v1.9.21) security level. We can immediately check if the model we are interested in is in the List of Devices as well as their Level of Security (Data may not be accurate). With a quick glance at the update statistics, we can see that Dell and Lenovo are actively supporting their users with constant updates via the fwupdmgr platform. This condition is not mandatory, but it greatly enhances the end-user experience. It saves him from the need to check for BIOS updates on the manufacturer's website, prevents erroneous installation of updates that are not intended for his device, as well as with other problems such as the lack of BIOS update via USB and most importantly often manufacturers publish updates in the form of .exe files that significantly complicates the ability to update for inexperienced users.

By creating a parser, we got the following result:

{ "HSI:4": [ "ASUSTeK COMPUTER INC. ROG Flow Z13 GZ301ZE_GZ301ZE ROG Flow Z13", "ASUSTeK COMPUTER INC. Vivobook_ASUSLaptop X1504VA_X1504VA Vivobook", "Dell Inc. Latitude 3420 Latitude", "Dell Inc. Latitude 5530 Latitude", "Dell Inc. Latitude 5330 Latitude", "Dell Inc. Latitude 5420 Latitude", "SAMSUNG ELECTRONICS CO., LTD. 950XED Galaxy Book2 Pro" ] }

This list is just a small fraction of all the devices that can have a supported HSI:4 level. It is always necessary to look at the processor specifications and BIOS capabilities of the manufacturer. All of these devices are roughly in the same price range ($1,170-$1,500), our choice immediately fell on Dell. Since our experience in using it for more than 5 years leads only to positive impressions. Namely the model: Dell Latitude 5531

Specifications:

• CPU: 12th Gen Intel® Core™ i7-12800H × 20
• RAM: 2x16GB (DDR5, 4600MHz, dual-channel)
• SSD: 1Tb (NVMe M.2)
• Screen: 15.6'', 3840 x 2160, 60 Hz, anti-glare, non-touch, 100% sRGB, 400 nits, wide-viewing angle, WLED, narrow bent, super low power, low blue light
• GPU: Dedicated, NVIDIA® GeForce® MX550, 2 GB GDDR6

Here we have support for all the features we need, thanks to Dell SafeBIOS.

BIOS setup

At computer startup, press F2 to enter BIOS setup. Then:

• Boot Configuration
• • Enable Secure Boot - On; Launch only signed OS
• • Secure Boot Mode - Deployed Mode; Full Security Mode
• Integrated Devices
• • Camera - by your choice, by default we disable camera
• • Audio - by your choice, by default we disable Microphone
• • Miscellaneous Devices
• • • Fingerprint Reader Device - Disable; anyway it's not working with lifprint
• Connection
• • WWAN/GPS - Disable; they support changing the IMEI, but it's not legal in many countries
• • Bluetooth - Disable; so many threats
• • Enable UEFI Network Stack -> Disable
• • HTTP(s) Boot - Disable
• Security
• • TMP 2.0 Security - On
• • Attestation Enable - On
• • SHA-256 - On
• • Multi-Key total Memory Encryption - On; Memory Encryption with up to 16 different keys
• • Chassis Intrusion - Enabled; If the bottom cover of the notebook has been removed you will see a notification on startup
• • Block Boot Until Cleared - On; Makes it impossible to start the PC if there is a notification that the cover has been removed. Can be cleared after entering to BIOS.
• • SMM Security Migration - On
• • Absolute - Permanently Disable Absolute; Online service with full access, never!
• • Firmware Device Tamper Detection - Enabled;
• Passwords
• • Admin Password - set password for entering to BIOS
• • Password Bypass - Disable
• Update,Recovery
• • Enable UEFI Capsule Firmware Updates - On
• • Allow BIOS Downgrade - Disable
• • BIOSConnect - Disable
• • SupportAssist OS Recovery - Disable
• • Dell Auto OS Recovery Threshold - Off
• System Management
• • Wake On LAN - Disabled
• • OS Agent Requests - Off
• • Power-on-Self-Test Automatic Recovery - Off
• Pre-boot Behavior
• • Fastboot - Thorough; Fully initialize hardware
• Virtualization Support
• • Intel VT - On
• • Intel Vt for Direct I/O - On
• • Intel Trusted Execution Technology (TXT) - On
• • Pre-Boot DMA Support - On
• • OS Kernel DMA Support - On

Exit & Save Changes.

OS Choice

We won't even consider Ubuntu, Mint or their counterparts. For maximum anonymity we recommend Qubes-OS, but for everyday and office work it will be difficult. Our choice is Fedora Silverblue.

• [x] Apps isolation (via flatpak)
• [x] Atomic updates
• [x] Immutable System
• [x] Big community
• [x] Privacy-friendly
• [x] Wide Device Support
• [x] Modern Features (Wayland, PipeWire, etc)

OS Installation

During installation, you only need to select full-disk encryption (Encrypt disk)

Post OS Installation

Apps Managing

• Flatseal - the program allows you to manage access for other programs, such as: access to the Internet, access to devices (webcam, others), access to files and others.

Browser

• Tor Browser - open source, uses the Gecko rendering, have strong fingerprint protection, with many security features and Onion Routing. Defend yourself against tracking and surveillance. Circumvent censorship. But lack of per site isolation.
• Mullvad Browser - open source, uses the Gecko rendering, have strong fingerprint protection but lack of per site isolation. Collaboration of Mullvad VPN and Tor Browser.
• Brave - Chromium based browser with a lot of anti-tracking features .

Office

• LibreOffice - A fully open source office suite with Wayland support.

Torrent

• Fragments - Fragments uses the Transmission BitTorrent project under the hood.

Code & Text Editor

• Lapce - is an open source code editor written in Rust. By utilising native GUI and GPU rendering, and with the performance Rust provides.
• eCode - lightweight multi-platform code editor designed for modern hardware with a focus on responsiveness and performance.
• VSCodium - is the telemetry-less version of Visual Studio Code.

Image Edition

• Pinta - edit images and paint digitally.
• GIMP - classic, GNU Image Manipulation Program.

Passwords

• Secrets - is a password manager which makes use of the KeePass v4 format.
• KeePassXC - Community-driven port of the Windows application “KeePass Password Safe”.
• Master Key - a password manager application.

Communication

• Signal - private & secure messenger.
• SimpleX - a private & encrypted open-source messenger without any user IDs (not even random)!

Email Providers

• Proton Mail - is a Swiss end-to-end encrypted email service. Perfect alternative for Google (including Google: Docs, Photos, Calendar)

Remote Control

• RustDesk - another remote desktop software, written in Rust, available for flatpak.

VPN Providers

• Mullvad - no logs, open source, audited VPN provider based in Sweden.
• iVPN - no logs, open source, audited VPN provider based in Gibraltar.

Misc

• Linux Hardening - prefect collections of security "tweaks".
• DNS Config - try with DNSSEC.
• A lot of great software can be found on Flathub. Try to use software only with Verified mark.
• .rpm packages can be installed with rmp-ostree install package.rpm

What we got at the end

• [x] Fully encrypted file system
• [x] Protection against hardware modification
• [x] Open Source software with out prop-blobs
• [x] Enhanced privacy & security
• [x] Stable operating system with continuous updates and support for secure BIOS updates