You are not logged in.
- Topics: Active | Unanswered
#26 Re: Off-topic » Please suggest a completely open source ARM board with Cortex A53/A7 » 2019-07-18 11:13:51
OpenRISC, RISC-V, old ARM versions implementation, different MIPS cores, etc. You can check some of them at opencores.org
RISC-V is promising project because large organizations decided to support it.
I would be glad to try RISC-V, but where to get an affordable board?
What do you mean under old ARM version? Is Cortex A7 old enough to be secure enough?
I was looking for a board with open source boot loader when it would be difficult to inject an invisible and undetectable virtualization trojan on the factory or by a third party blobbed software which could reflash firmwares silently.
#27 Re: Off-topic » Please suggest a completely open source ARM board with Cortex A53/A7 » 2019-07-18 06:06:56
I would recommend to search for NXP i.MX based boards. However, in general ARM is just a pain.
Please suggest why are they good in terms of being more open source?
Please let me know, what do you think about a new very affordable Freescale board:
https://web.archive.org/web/20190716053 … 6605s.html
AliExpress:
https://web.archive.org/web/20190716054 … 81658.htmlTaoBao (two times cheaper):
https://web.archive.org/save/https://it … 6322544984May it have less backdoors and miss CPU God mode for rooting?
It seems to be Freescale/NXP M*Core, is not it?
#28 Re: Off-topic » Please suggest a completely open source ARM board with Cortex A53/A7 » 2019-07-18 04:49:06
raspberry pi hobby boards.
Btw, Raspberry PI is not a good example of open source board at least because its boot loader is proprietary and even includes initialization for video output to prevent booting another way.
I think better examples of open source single boards would be Olinuxino, Beagleboard Black and OrangePI, at least they run open source UBoot and main line Linux kernels, some of them can run even OpenBSD !
#29 Re: Off-topic » Please suggest a completely open source ARM board with Cortex A53/A7 » 2019-07-18 03:39:28
I would recommend to search for NXP i.MX based boards. However, in general ARM is just a pain. x86 based boards are much more "open source" than any ARM based board.
Please explain how X86 is more open source than ARM?
ARM is almost a pure hardware RISC processor executing supplied instructions directly on its hardware at once.
But X86 is a virtual machine like a Bochs X86 VM generally run on a very high performance hardware RISC processor for which we do not have any documentation at all, look at VIA C3 as an example,
Intel and AMD are the same idea but significantly more optimized for high performance.
Even modern Intel and AMD processors are "RISC" under the hood - they decompose CISC x86 instructions into RISC micro-ops, this isn't a VIA phenomenon
Everything is TOP secret about X86 CPUs actual hardware internals, its hardware implementation, its native RISC like assembly instructions, implementation of X86 virtual machine and backdoors injected into this VM yet on the factory and even BIOS initialization procedure at the very beginning of the boot time has so little documentation that only a few boards have unofficial Libreboot firmware for them from hackers who somehow reversed BIOS fragments and/or schematics and initialization sequences.
A few more boards have been made compatible with Coreboot and the most of them are too old and most likely some docs just leaked from laboratories to help coreboot developers to reverse engineer the boards boot process (initialization of RAM modules, etc.).
And ARM initialization process is almost completely open source for some boards, though a few code is still unknown too which is executed before uboot just after getting a reset signal. Can it include some trojan running in a TrustZone isolated and undetectable from OS, may be, who knows.
Uboot needs to be customized for each board, but a few boards have it open source even officially.
For a few boards like AllWinner A20 we have all software parts open source: Uboot unlike proprietary BIOS or UEFI for X86 and even mainline Linux kernel like for X86, even open source 3D driver is being under development and already works.
X86 looks very versatile, has outstanding performance, compatibility with huge amount of add on parts, with fully open source OSes like Linux and BSD supported forever, tens of years after hardware release, it still can run the most recent modern up to date OSes like BSD. For example the most up to date BSD 2019 at least in text mode still runs fine on 20 years old Pentium 1/2 1997 and even X works well enough if the board has enough RAM like 200-300 Mbytes.
X86 completely hides its initialization code and most likely virtualization spying invisible trojans in negative and/or zero rings of CPU booted before any OS code and fully undetectable from OS level.
#31 Re: Installation » Customizing Heads as a secure persistent guest for boards and VMs. » 2019-07-16 06:26:53
https://en.wikipedia.org/wiki/ARM_architecture
Hopefully the future of open source computing.
Are there any affordable RISC-V boards running Linux and/or BSD on the public market?
Not micro controller boards with some specific non universal OS.
#32 Re: Off-topic » Please suggest a completely open source ARM board with Cortex A53/A7 » 2019-07-16 05:47:05
Please let me know, what do you think about a new very affordable Freescale board:
https://web.archive.org/web/20190716053 … 6605s.html
AliExpress:
https://web.archive.org/web/20190716054 … 81658.html
TaoBao (two times cheaper):
https://web.archive.org/save/https://it … 6322544984
May it have less backdoors and miss CPU God mode for rooting?
#33 Re: Off-topic » Boom Times or financial apocalypse » 2019-07-16 01:19:49
I would not blindly trust neither Russia Today nor any big and significant western mass media.
All of them on the very top are controlled by ZOG and used to manipulate people for a profit of ZOG. They artificially pump up a difference of potentials (like a voltage) in people minds to make more people's debts as a goal to extract more labor from people. ZOG issue (electronically "print") as much money by themselves as they need, but they do not have unlimited labor force, that is why they need a people debt and also for a control.
In Russia this information is actively banned and deleted almost instantly on most forums.
Therefore I conclude they are even afraid of people know about their lie. When I wrote about this on different russian forums they artificially and remotely (I guess by some type of a radio channel may be from satellite, GSM or WIFI) produced a pain in bone marrow of my mother and she called me to get some analgesic for her, I have all (several) calls recordings corresponding by their time to posting on russian forums threads saved to web archive (now deleted from forums).
Also russian people often experience from suffering their human rights (augmented by attackers lie, criminal pressure even from government institutions may be occupied by ZOG agents too) , Russia is not a good place to get truthful official information from, their official big news channels are targeted to get gains and profits only for their government and oligarchs without usual respect to the rest of general people. Mass media generally produce a mixture of truth and false hardly to distinguish from each other just for a manipulation of audience minds, all of them finally lie for ZOG profit.
#34 Re: Installation » Customizing Heads as a secure persistent guest for boards and VMs. » 2019-07-15 03:32:48
At first I rsynced the OS to a virtual drive booted from a LiveCD in a virtual machine.
Then manually dpkg -i *.deb taken from the most recent debootstraped Beowulf.
Now able to boot my persistent (on guest ext3 over host zvol passed as a raw device) Heads in a KVM virtual machine from a host zvol but with another stock kernel.
Going to rewrite Heads initrd script to boot its grsec kernel from a virtual drive instead of a CD-ROM.
It will be a good start to distribute all my services over several (5-10 pieces) hardware motherboards like Via C3 ($5/board for used piece), Atom N270 ($10/board for used piece) and VPSes to avoid Spectre like attacks and CPU God mode activated from blobbed software like Skype or Chrome too. I am afraid such popular blobbed software may reflash controllers' firmwares to the most recent "trojaned editions".
Some boards will run this persistent Heads and a few of others will run OpenBSD.
Nothing helps today to prevent escalation to a root and escaping from a virtual machine when a single hardware machine is used for all programs and I guess there are still a lot of unknown surprises in the CPUs and other hardware.
So the only feasible solution to get a few better protection is to distribute all used services over several dedicated motherboards per service.
I am sure we will see many many new security flaws in new "fixed" CPUs just after 5-10 years passes since their release date, manufacturers will artificially make some researchers incidentally finding new exploits. It will stimulate to purchase even more newer CPUs even with a more intellectual backdoors and probes inside them.
And it is obvious all x86 CPUs have God mode like VIA C3.
Intel and AMD just made better work to hide root escalation backdoor from masses.
What to you think about ARM A7/A53 like Allwinner chips?
Do they have God mode too for root escalation?
Is it correct that all X86 CPUs are emulated like Bochs on a pure hardware processors with a RISC like architecture? Trasmeta, VIA and Elbrus at least stated is openly while Intel and AMD just do not mention it?
ARM A7/A53 are pure hardware chips, right? Do they have hardware backdoors except Trust World for a bootloaded trojan?
Btw, is there any method to easy verify Devuan public binaries are actually built from Devuan public sources? Is using Gentoo more secure in terms of avoiding unnoticed trojan injection into public Devuan binaries which we get over apt install?
If a deb is signed with Devuan PGP does it warrant a maintainer did not inject a trojan? I guess it does not warrant if maintainers does this intentionally. And what if their computers are infected by a trojan which injects trojan blob to compiled binaries when a maintainer does not do a harm by intention?
Is it a good idea to prefer Gentoo for small security specific hosts over Devuan (when OpenBSD is not suitable because of a different feature set compared to Linux or my unfamiliarity with OBSD)?
And then run Devuan only as rich application guests inside virtual machines inside a vm host like ascetic Gentoo (with a few of packages) and/or an ascetic OpenBSD (default packages)?
#35 Re: Installation » Customizing Heads as a secure persistent guest for boards and VMs. » 2019-07-14 03:45:07
It is a Heads distro installation.
Fixed by manually (dpkg -i *deb) upgrading to versions from a newly bootstrapped directory.
#36 Installation » Customizing Heads as a secure persistent guest for boards and VMs. » 2019-07-14 01:47:54
- alupoj
- Replies: 11
root@workstation:/etc/apt# apt update
Get:1 http://pkgmaster.devuan.org/merged beowulf InRelease [25.6 kB]
Get:2 http://pkgmaster.devuan.org/merged beowulf-updates InRelease [25.6 kB]
Get:3 http://pkgmaster.devuan.org/merged beowulf-security InRelease [25.6 kB]
Get:4 http://pkgmaster.devuan.org/devuan experimental InRelease [169 kB]
0% [1 InRelease gpgv 25.6 kB]gpgv: Signature made Sun Jul 7 01:30:05 2019 UTC
gpgv: using RSA key E032601B7CA10BC3EA53FA81BB23C00C61FC752C
gpgv: Good signature from "Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>"
/usr/bin/apt-key: 624: /usr/bin/apt-key: cannot create /dev/null: Permission denied
E: Repository 'http://pkgmaster.devuan.org/merged beowulf InRelease' changed its 'Origin' value from '' to 'Devuan'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.
Do you want to accept these changes and continue updating from this repository? [y/N] y
terminate called after throwing an instance of 'std::runtime_error'
what(): random_device::random_device(const std::string&)
Aborted
Ran above in a chroot.
Further apt update executions do not show any messages anymore.
Now:
apt update
hangs forever until ^C.
Main system above chroot works fine with apt.
Tried to reproduce, the same thing after pressing Y as described above.
How can this be fixed?
#37 Re: Installation » KVM guest - kernel panic when running from P9 share root » 2019-07-09 16:30:36
Well, I have installed Devuan Ascii from scratch into KVM VM and was able to run it with external kernel supplied as a qemu parameter.
Though I did not try 9P root anymore because 9P host FS sharing seems to be insecure in terms of possibility of escaping to host FS when using passthrough security model even with a FS proxy. I think it is more secure to use a passthrough of a host block device into guest, so I did this using host ZFS zvol + ext3 and it works fine, I can mount it from both host (when needed for maintenance or fast fixes) and from guest.
Now going to customize Heads Linux as a secure guest for surfing and chatting in the Internet.
Where can I get grsec kernel with patches to Spectre issue?
It seems such kernel sources have been removed from public though earlier they were available for public.
#38 Re: Installation » The most secure hardened kernel » 2019-07-08 16:38:08
Well this thread is about secure kernels so USB connections are not at all within that brief.
One of the problems with security IMHO is that hardware shall be secure too to avoid intrusions even into a very secure kernel. And I need USB to passthrough Nitrokey used for security purposes.
#39 Re: Installation » The most secure hardened kernel » 2019-07-08 16:01:24
@OP: your questions about OpenBSD are off-topic for these boards, perhaps open a thread over at daemonforums.org instead.
I am not sure if it is offtopic or not, I wonder how to securely attach USB devices to an ancient Notebook without USB support.
Linux has an USBIP service to passthrough physical USB devices via TCP/IP network.
http://usbip.sourceforge.net/
How can I link OpenBSD client to Linux USB device server via TCP/IP?
For example I can run Devuan on a single board like OrangePI or Olinuxino with Ethernet and USB interfaces and connect Nitrokey Pro 2 to it directly by USB. Then I would like to teleport USB Nitrokey to OpenBSD ancient notebook which has only an old 16bit PCMCIA ethernet card. Though such slot is NOT compatible with CardBus specification required for USB cards, I see it as a security advantage because old PCMCIA does not support DMA (sometimes hijacked by malicious USB devices).
PCMCIA Standard Releases 2.0-2.1 (1991-1994)
A series of updates to the standard the provided specifications for I/O, dual-voltage memory cards, improvements in CIS and software interface (Card Services Specification).PC Card Standard (February 1995)
Added information to improve compatibility, support for 3.3 volt operation, DMA support and 32-bit CardBus
So I conclude that old 16bit PCMCIA ethernet cards like this have not DMA access to computer RAM and cannot readout crypto keys by their blobed firmware unlike all modern cards.
Actually TCP/IP network can be built even on top of RS232 channel which may be even more secure than blobed ethernet card firmware. May be a short cable (like a few centimeters) for connection between notebook and single board can make it more secure?
Though I guess such method is not good enough from security point of view in terms of all Ethernet traffic can leak over side channels like radio emission. But at least if token does private key operations by itself without private key extraction outside the token then only temporary SSH session keys can be leaked via radio channel produced by Ethernet "antenna".
#40 Re: Installation » The most secure hardened kernel » 2019-07-08 03:18:52
I wouldn't use Linux for anything important, OpenBSD is my preferred choice for serious stuff.
What do you think about possibility to run a modern OpenBSD or other BSD like hardenedBSD on a very old notebook like based on Intel Pentium 1 MMX (production year about 1997). There are some models with up to 40-80 MEGAbytes of RAM. I guess their BIOSes are too small to inject trojans into such machines and CPUs themselves are too old having too obsolete backdoors hardly suitable for modern intrusion methods.
According to:
https://web.archive.org/save/https://ww … uirements/
It shall be possible.
I need just a secure textual console for SSH to my own servers to avoid at least third parties to stole my private keys from my textual workstation ( I know there are a lot of other attack vectors including hardware backdoors in the servers them selves).
Does OpenBSD have any support for cryptographic tokens like NitroKey Pro 2 or FST-01 except via Linux compatibility layer which is currently disabled in modern OpenBSD releases?
Even modern Linux can run even on previous generation of hardware like Intel 486:
https://web.archive.org/web/20180617174 … too-on-486
And I know BSD kernels are famous for ability to run on very low memory machines compared to Linux.
May be BSD kernel shall be recompiled to disable not needed spare kernel parts/modules to avoid them consuming deficit RAM?
Saved this message:
https://web.archive.org/web/20190708064 … d=2818&p=2
#41 Re: Installation » KVM guest - kernel panic when running from P9 share root » 2019-07-05 19:46:17
For a guest p9 root FS I used a catalog on the host with a debootstrapped Devuan into it, it worked fine in chroot, but I have never tried it as a full virtual machine with its own boot, kernel and init.
May be, I shall try to just install Devuan into KVM guest from a setup CD at first or at least to try guest Devuan work in Virtualbox by placing the kernel inside the guest, then try to reproduce this on KVM?
#42 Installation » KVM guest - kernel panic when running from P9 share root » 2019-07-05 18:41:08
- alupoj
- Replies: 5
Hello,
I am trying to boot a Linux guest on the KVM host and guest root file system is outside of guest on the host and passed through into the guest via P9 share as described at:
https://serverfault.com/questions/67364 … t-and-qemu
QEMU Arguments in AQEMU:
/usr/bin/qemu-system-x86_64 \
-monitor stdio \
-k en-us \
-machine accel=kvm \
-m 1024 \
-cdrom /download/sysresccd-5.2.0_zfs_0.7.9.iso \
-virtfs local,id=shared_folder_dev_0,path=/mnt/ascii64,security_model=none,mount_tag=shared0 \
-boot once=d,menu=off \
-net nic,vlan=0,model=e1000 \
-net user,vlan=0 \
-kernel /boot/vmlinuz-4.9.0-9-amd64 \
-initrd /boot/initrd.img-4.9.0-9-amd64 \
-append root=root9p rw rootfstype=9p rootflags=trans=virtio vga=0x31b \
-rtc base=utc \
-name "Brave" \
-fsdev local,id=root9p,path=/mnt/ascii64,security_model=mapped \
-device virtio-9p-pci,fsdev=root9p,mount_tag=root9pScreenshot:
https://ibin.co/4mbruKyIIoAl.jpg
I tried to change guest kernels, but it does not help.
Please suggest, what shall be tried for a fix?
#43 Re: Installation » The most secure hardened kernel » 2019-06-15 04:32:31
I am not sure whom to trust, since some OpenBSD people tell GNU things are partially sponsored by NSA people and GNU open sources are full of invisible backdoors (may be just hardly noticeable interfaces to hardware blobed backdoors). They suggest for security reasons to avoid GNU completely including Linux and Libreboot too. On the other hand they instantly ban from their chat if talking there about hardware backdoors. So I conclude though OpenBSD is more secure by its correct config, correct and high quality program sources, its purpose is not to provide true full security for masses, it is rather to test OpenBSD on masses with backdoored hardware and then use tested OpenBSD software on some actually backdoor free hardware for a very specific VIP persons who sponsors OpenBSD. And such actually secure hardware is not available for public purchase.
On the other hand many people proponent GNU Libreboot can help to avoid some BIOS backdoors.
Is OpenBSD any better in terms of security than modern grsecurity+linux libre kernel like v5.x ? if only a few needed services are enabled and each set of services on a different hardware librebooted motherboard to avoid different security problems of a backdoor escaping chroot/vm/docker/container, etc. Unused kernel modules would be disabled. I guess the less services, module and other software is enabled the less backdoors there are on the host.
I have found OpenBSD nice as a concept but not convenient for an earlier Linux user because of less tools, for example because it misses tools like lsblk to list all partitions.
Say someone will have a dedicated librebooted motherboard for mail server, dedicated for web, dedicated for db, etc. These motherboards will not have any devices attached to PCI/USB/SATA bus except an ethernet card preferably open source if such exists. They will use NFS/iSCSI/NBD/usbip, etc. for accessing disks and other hardware devices on a dedicated host for device sharing. Sure disks and other traffic will be encrypted on hosts free of external blobed hardware devices.
Also a hardware cryptotoken will be used to keep private keys. Which one would you suggest? Nitrokey Pro 2 or FST-01 ?
#44 Re: Installation » The most secure hardened kernel » 2019-06-14 03:38:58
A good example of a hardware backdoor which can lead to a complete data loss unless ZFS is used for storage.
https://github.com/zfsonlinux/zfs/issues/8845
I guess most of modern hardware from China is trojaned, though old hardware from China like:
http://aliexpress.com/item/32446608352.html
PCI 4 Port SATA add on Card with Sil 3114 chip
presumably was not trojaned by modern backdoors at least if purchased a few years ago, but unfortunately it is too slow by modern criteria, it has only about 50-80Mb/s per disk bandwidth multiplied by amount of disks, tested only with a pair of disks.
#45 Re: Installation » The most secure hardened kernel » 2019-05-13 03:22:22
Trojans and backdoors including hardware ones can run under root privileges and therefore can change file attributes.
Also they can change contents of file even without help of kernel through drive firmware unless it is a FS like ZFS with checksums, still able to do changes at vfs level.
#46 Re: Installation » The most secure hardened kernel » 2019-05-12 17:27:02
If you need to ask questions like that the three safest options are:
1: Keep it all in your head. And only discuss it face to face when safe from listening devices.
2: Only use pencil and paper etc, not computers.
3: Only use computers that are never connected to the internet at all. And be very careful if you need to copy data from the internet onto them, eg burn it to CD/DVD on an internet connected system, read it on the safe system, then destroy the disk to ensure data can't ever get out.
And think carefully about the threat model if you need to resort to any of the above options.
Chris
Unfortunately according to:
https://forums.gentoo.org/viewtopic-t-1 … rt-25.html
Your suggestions most likely would not help.
I just need to protect information from undesirable modifications.
Most likely it is not possible to protect it from reading today and actually never was possible.
#47 Re: Installation » The most secure hardened kernel » 2019-05-12 08:29:35
Can firmwares of SATA and USB devices access host RAM via DMA? For example to read encryption keys.
Will having a workstation (host) free of devices on any buses except open source Ethernet make it more secure?
Workstation ZFS+Luks -> iSCSI -> a computer used as different buses host, for example as iSCSI target to its local SATA devices.
Can in such case SATA firmwares still access Workstation RAM via iSCSI randomly?
#48 Re: Installation » The most secure hardened kernel » 2019-05-11 15:29:06
OpenPower9 CPUs still may have secret backdoors and/or trojans injected on the factory though missing in open documentation. Without a Libre Silicon tech process it is hard to discover a backdoor, is it correct? I guess the same applies to any CPU designed say by national militarists but with production outsourced for example to South Korea or to any other factory, may be even a factory on their own territory can be hacked to produce backdoored chips.
To have more confidence of lack of backdoors there shall be a method for verification which is available for example when Libre Silicon is used. You know there are so many strange incidents with different aircraft recently.Are any Libre Silicon CPUs going to be released and supported on some motherboards any soon?
An article about adding backdoors to the chips at production phase:
https://www.eecs.umich.edu/cse/awards/p … P_2016.pdf
#49 Re: Installation » The most secure hardened kernel » 2019-05-10 07:31:39
Please let me know, is there on the list:
https://www.openbsd.org/plat.html
a hardware platform open enough to provide a verifiable method to be sure there are no trojans and may be even no backdoors in the hardware and closed firmwares?
What do you think about possibility of backdoors in:
https://www.openbsd.org/armv7.html
?
Some ARM boards are advertised as fully open source working and booting without BLOBs.
For example Olinuxino if I understand it correctly at least without 3D Video.
As another example if I understand correctly Raspberry PI is NOT open source, it requires some closed BLOBs to boot?
Can Olinuxino like board (or may be another brand) work with fully open source software OS like OpenBSD without firmware BLOBs and without closed source drivers?
May be Beaglebone Black is such board?
What about Orange PI? They look very budget.
http://www.orangepi.org/orangepiplus2/
It has a relatively old (which is IMHO good) 4 core Cortex A7 32 bit CPU WITHOUT speculative execution.
What board is secure enough to run OpenBSD just for a terminal console?
Is it secure to use USB ports on such a board to plug crypto tokens like Nitrokey?
Will OpenBSD work with Nitrokey via opensc from OBSD ports?
Will GPG and SSH work on OBSD with Nitrokey encryption?
May be with a mechanical switch to disconnect keys just after being used to establish a session like SSH?
Is it a good idea to use ZX Spectrum Next (VGA, PC Keyboard) as a serial virtual text terminal to Beaglebone Black running OpenBSD? I guess there shall be less backdoors in resource deficit computer like ZX ?
ZX spectrum or like it -> RS232 -> Beaglebone Black running OBSD with FST-01 attached -> SSH -> managed hosts with hardware tokens like FST-01 attached for keeping private keys
#50 Re: Intergalactic Communities » Does NASA use Devuan? » 2019-05-09 16:43:09
Not Devuan but the International Space Station did move to Debian some years ago.
Smart move, from Windows to systemD :b
Board footer
