> The setup that I have described has identical behavior, except that I use a removable USB memory

That's a huge difference though! With my setup, if someone steals the device, they get a fully usable laptop with no password, locked down and restricted - they can join wifi networks, use the browser, download etc, but can't access the 'real' OS, and the laptop won't boot from anything other than the encrypted HDD it has the keys for. It sounds like your setup leaves out the guest OS aspect, and is just set to boot into an encrypted OS only if a hardware key is present, which is quite a bit different.

> In my variant, you do not need to trust anyone but yourself,

That's true for my setup as well. Secureboot has an open-source reference implementation that has been in Coreboot for a long time, and it's not necessary to keep or add any vendor keys.
Even in that case, a laptop with Coreboot will still use closed-source components that cannot be trusted, at least for the auxiliary CPUs of Intel and AMD (ME/PSP) and for the CPU of the TPM, i.e. for the parts that are the most important for security.
If someone steals the device, I cannot see any difference between our 2 setups. In both cases, the thieves can use the laptop, but without accessing the internal SSD/HDD, unless they format it, which will remove any of the original information stored on it.
Even if you configured a laptop with UEFI/SecureBoot to not display the boot device selection menu without a password and to not boot from the internal SSD without a password, that can stop only someone with momentary access to the device, the same as in my setup, where an intruder would see the error message that no bootable disk has been found. Thieves will erase the non-volatile UEFI settings, so they will be able to boot your laptop from an external device, regardless of your configuration, but the original internal SSD/HDD will remain inaccessible in any of the 2 setups.
However, in the case that relies on the internal firmware and TPM to protect the keys, there are more sophisticated hardware attacks against the motherboard, e.g. using fault injections, logic analyzers, desoldering the relevant chips and replacing them, etc., which may succeed in some cases. Such hardware attacks are impossible when the component that must be attacked is not present, because it is a removable key (which is temporarily inserted only during booting).