Thinking about Secure Computing
What do you think about when you hear "secure computing"?
You could think about access controls (username/password, two factor authentication, etc), encryption (of data at rest, data in transit), air-gapped networks, physical security of the device (desktop or laptop cabled or bolted to desk/wall/floor), and along these lines. And you are correct. Most of the focus is on the software. Do you ever think about the hardware? The hardware just runs firmware (special software for the purpose), so how can you be sure the software running in the hardware is secure?
Someone asked me about the ORWL Secure Desktop, because they are worried about someone tampering with their computer when they were away from it. I don't know if it's still for sale. And without realizing it, I sort of channeled Joanna Rutkowska in my response. Physical security relying on unknown firmware for tamper resistance. I'm not saying it's bad, as it's likely better than the standard desktop or laptop. What's the more positive answer? How to solve their dilemma?
Could they use a remote desktop in the cloud? Could they use an inspectable computer? Could they fill the computer with some heavy material (like lucite, concrete, etc)? Could they swath the computer in glue? Put it under 7x24 surveillance from different systems?
Channeling Joanna once again, the cloud is just someone else's computer. And yes, I understand the counter to that statement. Sidestepping the free software/open source debates, the ability to inspect or have the source code inspected does go a long way towards mitigating the risks. If you're a large corporation or government agency, this is plausible to ask of any vendor. If you're an individual, even a very wealthy one, your choices are limited to open source solutions.
Possible solutions are:
- Purism, https://puri.sm/,
- Find something at Open Source Hardware,
- System76, https://system76.com/,
- Something on the Qubes Certified Hardware list, or
- think laterally.
All of these solutions still have the issues of firmware in the hardware. Intel-based systems can have exploitable flaws through co-processors. AMD has one too. They are distinct co-processors built into the main cpu to do "secure" computing. Turns out, they aren't so secure, and as attacks become more sophisticated over time, old decisions and flaws are discovered and exploited. But now we're wandering into time travel and security risks of the future.
Let's get back to the original question, "what can I buy today to have a tamper-resistant computer?"
Turns out Purism is a pretty good answer. However, it still has the Intel/AMD risks. In taking everything to the extreme, how does one mitigate that risk?
I did more research and found Open Power computing based on the Power instruction set architecture (ISA). It's a niche consumer market, but pretty popular amongst governments and global enterprises. There are a few vendors of systems based on POWER cpus. IBM dominates this market. In further research, I found Raptor Systems. They sell desktops, components, and even a cloud solution based on the POWER cpus. Part of what makes them stand out is that their definition of security is similar to mine above--secure down through the firmware and cpu microcode. They release all their code to run the mainboard, cpus, and other chipsets via their code repository--thankfully on their own git server and they have not succumbed to the silliness of centralizing a decentralized protocol like git run by a for profit corporation...personal rant over. My recommendation was to buy a Purism machine for the most immediate need and then experiment with the Raptor system as a longer term solution. They have their own cloud based on POWER9 cpus, so we'll start there. It also turns out that the POWER9 is a beast against modern Intel and AMD cpus.
Why not a Raspberry Pi 4?
It's sold as a desktop replacement. It's probably easier to detect physical tampering with a small form factor computer, such as the RPI4. One could seal something smaller into a safe with just protrusions for the cables for keyboard, mouse, and monitor. So physically, a Raspberry Pi 4 is probably sufficient. Getting into the firmware though, RPI4 is based on ARM-chips produced by Broadcom with proprietary blobs of code running within. The schematics of the board and such are available, but that's not the same as the firmware source code. You can know where and how everything is placed and connected, but not what is running within and between chipsets. This is a similar challenge to the Purism computers.
Rather than stopping at no, continuing to solve the problem, what's the Open Power equivalent of a Raspberry Pi? As far as I can tell, it is RISC-V. There are some boards available, but I couldn't find something of equivalent computing power to the current RPI4. SiFive has the "Freedom Unleashed" board, which might do it, if you can find somewhere to purchase one. Maybe the PolarFire Icicle, based on the same SiFive chipset as in the Freedom Unleashed board. Both of those are really more development boards, and cost 4-5x the RPI4. I think for now, there is not a RISC-V equivalent for the RPI4. There's rumors of a "developer computer" based on SiFive RISC-V cpu, but we'll see what is produced.
In the meanwhile, the path forward is to await the Raptor Blackbird to come back in stock.