Flash it! Improving the security of our setup with the Skulls coreboot.

Eliminating doors

If you are one of those people paranoid about the security of your bitcoin, you probably have a computer that you use exclusively for making the most sensitive moves. It's important to separate in our setups the equipment we use on a daily basis from the one we use to move our sats to avoid security breaches.

In the bitcoiner community, Lenovo Thinkpads are highly recommended for this purpose because of their power, durability and for being extremely cheap and secure computers and we are going to focus on them, specifically on the thinkpad x230. A computer that has a powerful processor for the use we want to give it, capable of moving with ease the most common Linux distributions and that with a couple of improvements becomes a beast.

But what if I told you that the first security flaw occurs as soon as you turn it on?

Well, that's the way it is. As soon as we turn on the computer we start up one of the biggest security holes that exist in all computers since 2005 at the hardware and firmware level, the Intel management engine (IME hereafter).

And now you may be wondering what this is or what it does? Well the IME is a microcontroller integrated into some Intel chipsets for their microprocessor motherboards and is able to have absolute control over your computer since it has power until it is completely off and we disconnect any power source, even when we have it in "sleep" mode or off but with the battery connected. (In AMD since 2013 have also done so, named as AMD PSP, do not go to believe that if you have a computer from that manufacturer are already free).

And how did they do this? So basically IME is a complete subsystem, with its own independent processor and its own operating system (MINIX), and they have installed in a partition of the BIOS chip via EFFS (Embedded Flash File System) the firmware, which takes control of absolutely everything in the computer for "security" and offers improvements for the system administrators, being able to do everything they propose, being able to monitor all activities at the lowest level.

And what can we do if we don't want to have that spy in there?

Easy...Flash it! But the what? This comes next:

What is coreboot?

‌‌Coreboot (LinuxBIOS) is a project supported by the Free Software Foundation that started in 1999 and released its first stable version in 2006, aimed at replacing the non-free firmware of proprietary BIOS and aims to perform the minimum number of tasks to load an operating system.

Coreboot, as you can see, fulfills part of what we are looking for but... What about IME?

Don't worry, there is also a project that almost completely neutralizes it called ME Cleaner that modifies its firmware to a point where it is active only during the boot process, effectively disabling it during normal operation.

Once we know what the IME is and what options we have to neutralize it as much as possible, let's tinker with the x230 a bit. Thanks to the Skulls project, this process has been made a lot easier and we are going to take advantage of it.

What materials we need:

‌‌A Raspberry pi 3b+ / 4 (Flasher)

MicroSD 16gb to flash Raspbian OS

A SOIC8 clip of acceptable quality (Pomona 5250 is the best)

6 dupont cables to connect the raspberry to the clip

Small screwdriver for the laptop

Update the bios of your pc before anything else.

To start this process the first thing to do is to update the bios of your computer to the latest version available. We will do it following this tutorial if we have linux:

https://www.cyberciti.biz/faq/update-lenovo-bios-from-linux-usb-stick-pen

If you have windows, just download the updater from the official lenovo website and run it.

Once updated we will continue with the process.

We prepare the raspberry:

‌‌We will download from the official website the Raspberry pi OS operating system,

Verify the download and using the cml, Balena etcher or any flashing software, burn it to the micro sd.

Once the flash is complete, it will indicate that everything has been correct. At that moment we open the micro sd from the file explorer and we will add a text file to which we will call ssh, and later we will give it to change name and we eliminate its extension .txt, leaving it as a white sheet. This will allow us the access by SSH once we change user and password inside the operating system of the raspberry and will allow us to work more comfortable than glued to the machine in question.

We connect the rasp to a screen, connect a keyboard, a network cable and turn it on. After a little wait maybe it has updates and after making them it restarts or if there are no updates we can pass to the following point. It will ask us to enter a username and password for access to the system in question (be creative) in my case I put user: pi password: pi because I did not feel like typing a long password every time we install something ... But if your preference is to go more secure, with alphanumeric characters and symbols is fine.

Once we have configured the user and password in the raspberry, we look for the IP that has been assigned from our router.

If we had it for example in 192.168.1.200 we could connect to it in two ways, either from command line or from PUTTY:

From linux, we open terminal and type :

ssh user@yourRaspIP

Example: ssh pi@192.168.1.200

We will be asked for the password that we have put in the previous step, and we will already be inside the CML.

From putty the way to proceed would be to put in hostname the IP of the raspberry and we give to open. Here it will ask us first the user that we have put, and then the password.

Once inside the command line of the machine we will begin to prepare the flashing.

We will edit the config.txt to add these lines at the end. Type in terminal:

sudo nano /boot/config.txt

And once the document opens, add the lines at the end:

enable_uart=1

dtparam=spi=on

Once added, Control+o (save) enter, then control+x to exit.

Now we will proceed to modify another file by typing in terminal:

sudo nano /etc/modules

And add the lines:

spi_bcm2835

spidev

Once added, Control+o (save) enter, then control+x to exit.

We will install flashroom with:

sudo apt-get install -y flashrom

We will put ourselves in SuperUser mode and will download skulls. We can check which version from here. Here we will use the latest version at the current date which is 1.0.4.

sudo su

wget https://github.com/merge/skulls/releases/download/1.0.4/skulls-1.0.4.tar.xz

Unzip the downloaded file with:

tar -xvf skulls-1.0.4.tar.xz

And then we will turn off the raspberry with:

sudo shutdown -h now

Now we prepare the thinkpad:

‌‌We will move on to open the thinkpad to have access to the two chips we are interested in.

We will turn it upside down, remove the battery and the 7 screws indicated in the image:

We will turn it over, open the screen cover and carefully remove the cover where the touchpad is, there we will find a black film that we will have to peel off the bottom left side to access the chips (red round):

Connecting the cables.‌‌

We will connect the cables to the raspberry very carefully.

We will mark the clip if we do not want to mess with left and right side (in the two chips is placed in the same way).

The connection of the cables is as follows:

On the chip, the top part is where the screen would be, and the bottom part closer to us (touchpad):

On the raspberry:

*Images extracted from skulls coreboot documentation.

Now with images:

The purple & orange wires on the clip are disabled

‌‌Now it only remains to sweat cold...

‌‌Once we have the wires properly connected, we will connect the clip to the chip below, so that the right side (R in the pictures) is the right side of the chip if we have the computer open in front of us as if we were going to use it.

We have to be very cautious, and connect the clip in a correct way to make good contact with the pins of the chips if we don't want to fry them.

This is the part where all the preparations culminate in two easy commands, but make us break out in a cold sweat.

Once everything is properly connected, we turn on the rasp again and connect via ssh as in the first steps.

Once we are connected from the command line we will type:

cd skulls-1.0.4

sudo ./external_install_bottom.sh -m -k bottom.bak

(bottom.bak will be the name of the backup file, although we can give it another name if we want to)

This will launch the flasher and make a backup of our bottom chip.

On the screen we will see:

Please select the hardware you use:

Raspberry Pi

CH341A

Exit

Please select the hardware flasher: 1 (we choose 1 because we do it with raspberry and hit enter)

At the end it will give the message that the flashing is ok.

Now we turn off the raspberry again, connect to the chip above the clamp, turn it on again, log in via ssh and continue with:

cd skulls-1.0.4

sudo ./external_install_top.sh -b x230 -k top.bak

(The name of the backup file will be top.bak)

This will launch the flasher and make a backup of our top chip.

On the screen we will see:

./x230_coreboot_seabios_free_74d2218cc7_top.rom

./x230_coreboot_seabios_74d2218cc7_top.rom

Quit

Please select a file to flash or start with the -i option to use a different one: choose the one you want (the 2 has some proprietary firmware and the 1 is all free)

Please select the hardware you use:

Raspberry Pi

CH341A

Quit

Please select the hardware flasher:1

If everything was correct, you will get this message:

Reading old flash chip contents... done.

Erasing and writing flash chip... Erase/write done.

Verifying flash... VERIFIED.

DONE

Now we can turn off the raspberry, disconnect the clamp and reassemble the computer. The job is done.

With this we would be all done, and we would only have to turn it on again, now with the Skulls coreboot done and the IME neutralized for the most part (you will need to enter the payload and select to disable it).

You can see that the speed increases both on and off the computer, and that when it turns on it shows the skulls logo 😉

Save your backups

After completing the processes, we have generated the bottom.bak and top.bak files which are the backup copies of the original content of the two chips in our laptop. We should save these files in case we ever want to revert the process described in the tutorial.

Post translated by @Elchavo from the original post written in spanish in estudiobitcoin.com under CC-BY license.