|
@@ -5,13 +5,12 @@ This is not an easy: mistakes can lead to data loss or bricking of the laptop. O
|
|
|
# Qubes+Coreboot on Thinkpad X220
|
|
|
## Prerequisites
|
|
|
* Thinkpad x220 (other models supported by coreboot may apply)
|
|
|
- * Stock proprietary bios
|
|
|
* Pomona 5250 + RaspberryPI/BeagleBone black for hardware flashing
|
|
|
|
|
|
## Advantages:
|
|
|
* Encrypted /boot
|
|
|
* Less proprietary components in bios
|
|
|
- * Neutralized management engine
|
|
|
+ * Neutralized Intel ME
|
|
|
* Evil Maid Attacks requires hardware flashing/partial disassembly
|
|
|
|
|
|
## Disadvantages:
|
|
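Review bot: Dropping the "Stock proprietary bios" prerequisite leaves the list silent on what firmware state the procedure expects. Given the warning in the hunk header context about data loss and bricking, say explicitly whether the steps also apply when the machine already runs coreboot or another non-stock image, rather than just removing the line. In the Advantages list, "Neutralized Intel ME" is shorter but still vague: spell it out once as "Intel Management Engine (ME)" and state what "neutralized" means in this guide. While touching this list, "Less proprietary components" should read "Fewer proprietary components" and "Evil Maid Attacks requires" should read "Evil Maid attacks require".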
@@ -491,7 +490,7 @@ sudo flashrom -p internal:laptop=force_I_want_a_brick -w coreboot.rom
|
|
|
|
|
|
## Encrypt /boot
|
|
|
From now on keep in mind that any error may cause data loss. Even not doing any error may cause data loss. Please make a full backup bedofre going on.
|
|
|
-Boot a live archlinux or any other live distro which has cryptsetup, lvm and dd installed. In this part it is assumed the device with Qubes is `/dev/sda`.
|
|
|
+Boot a live archlinux or any other live distro which has `cryptsetup`, `lvm` and `dd` installed. In this part it is assumed the device with Qubes is `/dev/sda`.
|
|
|
|
|
|
```
|
|
|
fdisk -l /dev/sda
|
|
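Review bot: The warning paragraph directly above the changed line still carries "bedofre" and the awkward "Even not doing any error may cause data loss"; since this hunk edits the next sentence, fix both in the same commit (for example "Even without making any mistake, data loss is possible. Please make a full backup before going on."). The backticks around `cryptsetup`, `lvm` and `dd` are a good change. Because everything that follows assumes `/dev/sda`, consider adding one sentence telling the reader to confirm the device name from the `fdisk -l` output before running any destructive command.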
@@ -540,4 +539,5 @@ Reboot. You should now be prompted two times for your LUKS passphrase: this is b
|
|
|
# TODO
|
|
|
* Flash coreboot read-only to prevent tampering
|
|
|
* Add a script which symlink the latest kernel and the previous one in a predictable path in /boot
|
|
|
- * Find a way to disable ExpressCard/Camera/Other components from coreboot
|
|
|
+ * Find a way to disable ExpressCard/Camera/Other components from coreboot
|
|
|
+ * Test microcode updates for meltdown/spectre
|
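Review bot: The removed and re-added "Find a way to disable ExpressCard/Camera/Other components from coreboot" lines are textually identical as shown, so this looks like a whitespace or end-of-file newline change; confirm it is intentional and that the file now ends with a newline after the new last item. In the added TODO, capitalize the names as "Meltdown/Spectre", and state what "test" covers, for instance whether the updated microcode is actually loaded on this setup. The context line "Add a script which symlink the latest kernel" should read "symlinks".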