Hacker News new | ask | show | jobs
by qb45 3241 days ago
Nearly every how-to and blog post I've found on "Chromebooks for developers" essentially starts with either: "Boot into Developer Mode" or "Install Debian/Ubuntu as the main OS". I'll just say it: This is bad advice. It would be akin to recommending that friends jailbreak their shiny new iPhone. You're obviously free to do as you wish with your own gear, but recognize that at Step 1, you'll have lost most of the core security features of Chromebook

Well, it's possible to temporarily unlock firmware write protection and replace Google key with your own and run self-signed kernels and arbitrary distribution securely. But indeed, I haven't heard of anyone actually going through the effort to do so.
1 comments
sliken 3241 days ago
Just install linux, select full disk encryption, done.

What threat does the chromebook protect against that isn't fixed by FDE?

link
qb45 3241 days ago
FDE isn't really "full disk" because it still leaves the kernel image unencrypted so that it is accessible to the bootloader. This image can then be maliciously edited by an "evil maid" attacker.

Chromebooks use kernel signing to prevent this. The problem is, Google doesn't give you keys to your hardware so you have to replace them yourself or use devmode which disables kernel verification.

Another possible solution is to keep the kernel on an external, physically secured pendrive and never forget to press CTRL-U during boot (to stop a hypothetical attack involving a malicious kernel installed to the internal flash which exfiltrates your FDE passphrase or something like that).

link