Need install List for 1vyrain through Trench Boot for newcomer about 1vyrain HOT 3 OPEN

Hi,

Several years ago I installed 1vyrain successfully on an Lenovo X-230. I have used Qubes, and I am under the impression one can obtain a high security laptop by installing just 1vyrain and Trench Boot. Is this true?

One, is this as good a security solution as using an external Flash of Heads and using a NitroKey? Someone knowledgeable on the Qubes Forum seemed to imply that it would be. Then this would be a great way to proceed for an individual in a challenging physical location and desiring to obtain a high security laptop. (but requires some careful Op-Sec to keep security working.) Leaving Op-Sec out of this discussion.

Is there a good description (sets of web-links) for a non-technical person to use to go through all the steps? 1vyrain. Qubes. TrenchBoot. Yes, I realize that first one must start with a laptop with a BIOS, EC that is low enough to be modified.

And the order to proceed is altered in some ways. Take my case.

I have a refurbished Lenovo T-430. 8GB Ram. Core I5 3320.

Looking at Passwords in BIOS I see several options. It is not well described in the documentation where in BIOS the passwords are, Non-technical people need hand holding. Guessing the first one is the BIOS one, which is now blank. If I understand the problem you describe that in some cases running the program can bring up the older BIOS password. I should proceed to directly insert a new BIOS Password, of say 8 characters of just the letter a. Then Power up at least twice more, entering that 8 characters of the letter a. Then changing the Password back to blanks. And going through the entire power up sequence at least twice more. Why do I power up several times. It just seems right.

Low enough I do not have to rollback BIOS. The BIOS is 2.51. EC is 1.08

I installed Windows 10 on this, and have allowed Windows 10 to do updates.

To which I have to add, I have several computers to use with this project, Linux is used elsewhere. I have another SSD I could install. I have several Flash drives, some with live Linux on them. And a new flash drive to commit for install. I am not sure how many of those who are not technically proficient have alternate devices. I don’t have an “at home” internet connection. But the focus should be on creating a how to for someone to go through all the steps to get to a secure computer set up. Not me. I can work through my own limitations.

Next I should install Updates for EC. Something about this needs to happen before installing 1vyrain. I am not sure where these might be downloaded. Are they on the 1vyrain install flash drive? And what EC Updates are needed for using Trench Boot later?

I do not see a recommendation to run dmidecode and put that text file where it can be used while the target laptop is in use for install. ??

Looks like I need to use Linux to build the 1vyrain. Not a problem for me, but for someone, as one might say, in a technical wasteland without very many extra resources. Anyway. I would likely use Ubuntu to accomplish building the 1vyrain drive, as it is likely to have all the base features working, and a large forum to ask additional questions.

After installing 1vyrain, I would need to install Qubes on the target laptop. Qubes has its own website to help a newcomer get through install issues.

And go to the related website to get Trench Boot.

Sorry, I realize that the understanding of Linux Forums is that an individual should do their own research. However, since a lot of folks who might need a high security laptop also are not highly technically proficient, and don’t want to be. I had felt someone knowledgeable had written a more “Follow these steps,” how to. With internet links.

Thank you for reading through this.

from 1vyrain.

Just got around to seeing this. While I don't have the time to walk you through it, I can give you a rough outline and answer some of your questions. I use heads myself with qubes and a yubikey on a specific privacy-oriented laptop, so I'm familiar with the setup you are going for, but I have never heard of TrenchBoot so cannot provide any information there.

1vyrain is NOT enough on its own, and in fact I don't suggest using it for the proposed setup because 1vyrain cannot modify anything but your BIOS region. If you care about going all the way for your opsec focused devices, I highly recommend compiling heads yourself and externally flashing it (only required the first time - updates can be done through software). The reason is that you'll want to patch the IFD and IME regions of your flash storage, not just your BIOS.

If you decide to go with 1vyrain regardless, you can get most of the important features from heads/coreboot through a pure BIOS flash, but for a device that requires ultimate paranoia, I wouldn't skimp out, especially if this is for a heads setup. Flashing externally once means you can much easier update your BIOS as needed in the future, and not have to worry about messing up your IFD or ME regions down the line, or having to modify existing installers to get it working for just the BIOS regions.

EC updates ship with Lenovo's BIOS updates. It's been a while since I messed with those, but I think some of the newest EC updates to the xx30 lines locks down the EC from being modified (no clue if it's permanent or if you can just downgrade again). I'd recommend checking out https://github.com/hamishcoleman/thinkpad-ec and using that to walk you through flashing your EC. After the EC flash, you should be fine to proceed with the regular 1vyrain steps should you chose to go the software flash route.

from 1vyrain.

Thanks for replying. I see you have done a great deal of work on these issues. Thanks for that as well. I am on Social Security Poverty payments. Soo.

On the Qubes forum, someone said that Trenchboot was only for some towers, not laptops..

While I do not see it mentioned, I think being portable is part of high security. Being able to use more than just my usual ISP is needed to keep from being monitored. Am I wrong?

from 1vyrain.