A more simple version is also possible with some coreboot/libreboot/chromebooks laptops:
1) You create some seals: To do that you can use nail polish with glider to create random patterns. You can, for instance, put the seals on the screws that you have to remove to open the laptop. Then you take pictures of the patterns. That seals are used to make sure your computer was not reflashed externally. You'd have to manually inspect the seals to be sure.
That can work well with gpg keys: if you only check from time to time, and that at some point the seals is broken => you revoke your key.
2) Then you use you "boot fimrware"(Coreboot+grub for instance) to safely boot your system. You could either: -> Boot on a fully encrypted disk. You type your passphrase from grub (And then the initramfs can have the rootfs key, since it's in an encrypted filesystem) -> Make it verify the detached signatures of your kernel and initramfs from a clear text filesystem(You'd have to hook the initramfs creation process to sign it though).
3) To prevent someone from booting arbitrary code and reflashing the laptop, you can put a password in grub, preventing any use of the laptop without the password. There are also many ways of making the flash chip read-only (trough software and hardware).
Notes: a) Even if the computer verifies what you boot, I'm not sure it also protects against malicious hdd/ssd firmwares: Would the LUKS default (aes-xts-plain64) still hold in that case?
b) The point I'm not sure of is if the commonly used ciffers (For instance aes-xts-plain64 which is LUKS's default) used in disk encryption can prevent any arbitrary code execution by modifying the ciffertext.
c) There are also ways to have a verified filesystem, but the only ways I know are read-only, like DM-verity (https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity).
d) As for choosing the laptop, you'd have to do your homework. Some pointers: * Some have and use a management engine (like the intel chromebooks, and some recent lenovos laptops). * Some ARM chromebooks have signed, non-free code run first (The exynos ones).
e) As with the possible boot firmwares: -> Coreboot + grub supports LUKS and the verification of detached gpg signatures. -> uboot supports verified boot (vboot) -> Some other bootloaders might also support some sort of boot verification.
Without a TPM
1) You create some seals: To do that you can use nail polish with glider to create random patterns. You can, for instance, put the seals on the screws that you have to remove to open the laptop. Then you take pictures of the patterns. That seals are used to make sure your computer was not reflashed externally. You'd have to manually inspect the seals to be sure.
That can work well with gpg keys: if you only check from time to time, and that at some point the seals is broken => you revoke your key.
2) Then you use you "boot fimrware"(Coreboot+grub for instance) to safely boot your system. You could either:
-> Boot on a fully encrypted disk. You type your passphrase from grub (And then the initramfs can have the rootfs key, since it's in an encrypted filesystem)
-> Make it verify the detached signatures of your kernel and initramfs from a clear text filesystem(You'd have to hook the initramfs creation process to sign it though).
3) To prevent someone from booting arbitrary code and reflashing the laptop, you can put a password in grub, preventing any use of the laptop without the password. There are also many ways of making the flash chip read-only (trough software and hardware).
Notes:
a) Even if the computer verifies what you boot, I'm not sure it also protects against malicious hdd/ssd firmwares: Would the LUKS default (aes-xts-plain64) still hold in that case?
b) The point I'm not sure of is if the commonly used ciffers (For instance aes-xts-plain64 which is LUKS's default) used in disk encryption can prevent any arbitrary code execution by modifying the ciffertext.
c) There are also ways to have a verified filesystem, but the only ways I know are read-only, like DM-verity (https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity).
d) As for choosing the laptop, you'd have to do your homework. Some pointers:
* Some have and use a management engine (like the intel chromebooks, and some recent lenovos laptops).
* Some ARM chromebooks have signed, non-free code run first (The exynos ones).
e) As with the possible boot firmwares:
-> Coreboot + grub supports LUKS and the verification of detached gpg signatures.
-> uboot supports verified boot (vboot)
-> Some other bootloaders might also support some sort of boot verification.
Denis.