How to maximize compatibility when buying a notebook for Linux

Mainly I am trying to mitigate a DMA attack where the attached device has full access to the host's memory, if the PCIe protocol is present on the Thunderbolt port, which I assume is probably rather common or at least not guaranteed to not be present.

The checklist only mentions that it is usually possible to disable it but I might not be lucky and have a UEFI that doesn't allow that. In any case it's better to not have a port in the first place if I am not going to use it anyways.

I am already reading up on that. My concern isn't as much that a state actor can read my RAM, but I like to reduce the attack surface as much as possible for anyone else. I might even go that far and disable USB 3.0 to avoid even the binary blobs mentioned in the linked post.

I wasn't able to find much about that online. Are you talking about the Intel Management Engine? If so and there is something outside of AMT, then considering recent events, it might be worth waiting for a Ryzen notebook then.

I do remember that. Assuming that the hardware they ship is fine, this shouldn't be a problem, if you wipe the disk and install your own OS. Then again, you can't be sure they aren't trying something new.

Based in Europe
https://slimbook.es/en/
https://www.entroware.com/store/laptops

Not looked at specifications in depth, way beyond my budget atm

Doesn't sound too bad, but it doesn't scream quality to me either

At least for the price I would expect a little bit more. I think I will rather go for a model that ships with Windows and has "more compatible" hardware for Linux.

Is this a real concern for you?

Will you be leaving your laptop unsecurely unattended for any length of time? If so, what is the probablilty of an attack occuring? (probablitly of attack occuring and probablilty that it will occur when your laptop is unattended)

What will the concesquences be if an attack occurs?

This is your basic risk analysis asesment; how bad will it be if the worst happens and how likely is that to happen. You can only do your best to mitigate any risk. You can never really remove aa risk entirely. So working all of this out, what is the risk worth to you?

TBH if you are this worried about your security, budget should not be a concern (basically paying €1500 for something like the new System76 laptop should not be an issue). If you can't afford that, I would argue that the concequences of your security is not a major concern. If you have certain legal obligations for this level of security, doing a risk analysis will help towrds those legal obligations.

There is also Tuxedo Computers, based in Germany. I haven't tried or researched much on their products, but they have a quite broad line up. Don't know who the hardware manufacturer is either.

I'm having trouble identifying who the threat actor would be on this scenario if not the state or high end organised crime that youd have to be involved in in the first place. In both cases thunderbolt isn't the only issue and no laptop under 1500 is going to cut it as you'll need special hardware.

And your correct, by the time to get to that level of risk, money isn't an issue. So I don't believe there is any requirement for it here.

@comfreak yes intel management engine. The AMT bug is just one known vulnerability. Without knowing what threat actor your trying to protect from its hard to tell what your actual risk level is. My point is that if you cannot have thunderbolt because of the threat your trying to protect from then you cannot have usb and need to consider the attack vectors from firmware based attacks on things like the ime.

Basically if your trying to protect your self from a threat that plans to use thunderbolt against you, almost all consumer laptops are out of the question, as thunderbolt is the least of your problems.

Something else you could do is buy a used Lenovo Thinkpad. You wouldn't be directly supporting them, but you kind of sort of would still be, if you're not concerned about something like Superfish happening again.

You are right that if the consequences are severe, security is a big concern. But I can't agree the other way around. Just because the absolute consequences aren't as big doesn't mean that the relative consequences for the individual aren't worth thinking about. In other words, losing a few thousands might be peanuts for a company but a severe hit for an individual.

Getting readily available tools isn't a big problem even for an individual with the necessary motives. I can easily imagine that you can get yourself a small pen-test toolkit for Thunderbolt DMA attacks for example. Using that as a dedicated individual isn't a big deal, but I think finding bugs in the firmware isn't something you can just google.

Even though it would be nice, I am not trying to build a Fort Knox, but I am trying to reduce the attack surface for simple attacks that you can easily perform with the mentioned tools. The thing is that Thunderbolt isn't something I need and just opens up a new attack surface.
While I do realize that there are certain zero-day exploits that make my planned setup vulnerable, I am mainly trying to protect against "easy" exploits that you can easily research.

Apart from that, I found that I can put certain DMA-capable controllers in a IOMMU and avoid a lot through that, so I will look into that. If I can manage a viable solution using that, USB should also be not a big issue.

Well I am not concerned about something like Superfish really, since that only really affected people using the out-of-the-box Windows installation. If you install your own OS on the machine, you wouldn't be affected.

The location is ideal, I will look into that. Thanks!

Maybe I phrased that badly? Maybe saying "if you aren't willing to spend the effort" as opposed to "can't afford". And by effort I mean time put into achieving the security you want (whether that is research into a more suitable product or time spend working to afford it).

Either way, I am not saying you should or shouldn't be concerned. I'm just saying to look at the problem from an analytical point of view and determine the best course of action for you. If you feel the threat risk is quite high then by all means, do what you can to mitigate it.

At the same time, do look at alternatives solutions to your problem. If a threat does occur, is there anything you can do to mitigate the resulting consequence? So for example, say the threat is losing data due to hacker; you may not be able to stop hacker but having backups would mitigate the threat if it does occur.

The reason I say all this is because from my prospective, you are taking a very contrained approach to this problem. Now only you know your problem so only you can determine if that constrained approach is necessary or not (but you should determine this based on a risk analysis). Although learning can offset that effort also if that is also a motivator for you.

Either way. Good luck with your problem! And report back with your findings if you do find a really nice solution.

Saves me doing the work later!

I would say:

Anything from Dell or System76, and if using a GPU have it either be AMD or Intel (iGPU).

P much anything should be okay.

@mickeyslippyfingers One reason why I would want to protect against DMA attacks is so an attacker wouldn't be able to dump the RAM which might contain sensitive things like an FDE encryption key. Of course other data in the RAM would also be something I wouldn't want someone to get a hold of.

Another way to protect the RAM would be to do a suspend to disk instead of a standard standby. Or setting the system up to suspend to disk after a short while (1-2 minutes maybe) where I could probably afford to leave it in a standard standby.

But I will still look into setting up an IOMMU, since that would narrow down the attack surface even further.

System76 isn't really an option for me, since I am living in Europe and shipping plus taxes is probably going to be a deal breaker. However, @Zumps mentioned Tuxedo Computers which is based in Germany. They seem to have similar offerings.

Since I am fine with a simple iGPU from Intel I will go with that to avoid any possible issues with a dedicated GPU.

Another advantage of doing business with someone in germany is that you can get your qwertz keyboard, something I don't think system76 offers, if memory serves me right. Btw tuxedo have a youtube channel with a few videos of demos and stuff. Others have also made videos from conferences and such where they showcase and talk about their line up.

Edit: Regarding all your requirements anf such, if I were you I'd write them and ask about who the hardware manufacturer is, and if they've reviewed the bios firmware and such. With a small and upcoming comoany like theirs + the linux selling point, i think you can expect proper nerds who are keen to have good customer service.

It isn't a question of if someone can attack your system (thunderbolt like i said is the least of your issues) what we are trying to get from you is who is this mystery threat to you? So far you haven't said.

You're suggesting there's an in person real threat to your data.. who? The attack vector this threat is planning to take against you seems so specific that you're missing anything else they might do, it just seems strange, and I don't think any of us have figured out what exactly might be a viable threat to you that meets these requirements.

Whats stopping you just turning off thunderbolt when you don't need it? or USB, or Ethernet, or wireless, etc. that you also would need to consider for this type of possible threat.

From the posts it seems like your artificially restricting yourself because of a made up highly specific threat actor.

sorry if it sounds like im having a go, but its familiar. Guy in charge of a paper shop (for example) says to install a high security bomb proof door to protect against terrorist bomb attacks.. but doesnt secure the back door that's using a simple lock. Not only does the threat not exist for the paper shop and the remediation overkill, even if it did exist, the remediation doesnt work.

Does it really matter who is breaking into my "paper shop"? Anyone who is spending the effort of researching a DMA attack on Thunderbolt for the reason of breaking into my notebook is probably someone I wouldn't want in there. Of course there are other vulnerabilities that you might be able to research after hours of searching the web, but I am weighing the effort for anyone doing that because of me, against my efforts of protecting against it.

Of course I am not just considering the "front door" but also other parts of my "paper shop". This is just one step in a list of things that make the system more secure. At the beginning you have a simple system right from the shop that has no FDE and not even a password on the user account for example.

So you start by setting a password so not even the most basic "attack" of simply clicking login works. Next thing you might setup up FDE and after that you consider other things. Now, somewhere on that list is also Thunderbolt's DMA-vulnerability. Of course I am not forgetting about the rest before it but buying a notebook without a Thunderbolt port is a simple way to put a on that entry in the list.

My first goal is to secure the simple attacks, that – like I mentioned – can be easily performed by using Google for five minutes. A lot of people consider setting a login password to be safe enough, until you show them "ophcrack". A level higher, people think that Thunderbolt is fine and then you show them the previously mentioned tool that is readily available from GitHub.

Of course if I won't ever use the port, I could just fill it with glue (or disable if possible) but then I just spent money on hardware that I won't use. If I had bought a notebook without the port I might have saved some money or got another port instead.

Assuming that my BIOS/UEFI does support that option (which it might not), there is still a chance that disabling it might brick the system.

It does matter. And that's the whole point. You still can't identify anyone who'd do this to you. The risk is so incredibly low your crippling yourself for no reason, and we never even really discussed the full range of mitigation for attackers targeting DMA. Physical, bios level control, kernel level control, iimou control, etc. And we haven't even touched when there suposed to carry out this attack?

Big business and governments are more worried about web cams than this (any tape will do but you need to do it). But no one's going to change your mind.

Just remember, you can Google attacks in 5 minutes for all types of DMA devices, make sure your laptop has no DMA devices. No usb either as that's incredibly vulnerable, WiFi is also a no go, these two are far simpler attack vectors. WiFi you don't even need physical access.

And don't forget about the wrench attack. (I am absolutely serious, someone going to the length and risk of what your afrade off will just use this method instead.)

That's true, but if I don't need the port, then I can just get a notebook without it and forget about its vulnerabilities and focus on other ones.

I wasn't really able to find much in five minutes regarding USB, except for USB 3.1 which has DMA but that seems to be much more difficult to exploit than Thunderbolt.

By WiFi, do you mean possibly reading data that I am sending over the air or giving attackers that are on the same network an opportunity to perform MITM-style attacks or attempt accessing my system over the network?

But the difference is that one is hidden while the other definitely isn't (smashing the window vs. picking the lock).

How are either hidden? Both require access to your device, where are you going to leave it unattended? And if thunderbolt is a threat to you why would you ever leave it unattended? When would this attacker have an opportunity to attack? When your sleeping and they break into your house? why would your laptop be suspended and not fully shutdown if you need this level of protection?

(for USB, you have badusb for one.)

It just seems to disproportionate. You're limiting your options based on false assumptions and non existent attackers who are only going to attack you from one vector?

I completely understand the need for security, I even understand the need to protect against thunderbolt attacks (among many other things), but you have to first identify what your threat is before you can actually decide what you need to protect against (I've done this before, it was my job), otherwise you end up protecting against the wrong threat because you have an incomplete assessment.

Just based on your no thunderbolt requirement because of an attacker who is targeting you and can get physical access to your hardware without your knowledge would suggest an extremely high capability. Your requirements then would be far more extreme than your currently looking for, and in fact your probably looking at custom hardware to get what you actually need if the threat your describe is real.

If that threat doesnt exist and really your just worried about opportunists regardless of the risk (very low on its own), then it doesnt matter if the machine had thunderbolt of not as your would already mitigate any risk with either combination of: not leaving your laptop unattended, thunderbolt disabled via UEFI, thunderbolt restricted via VT-d/AMD-vi, kernel level dma restriction to disable DMA.

The fact that the attack in the first place is extremely unlikely to occur and that you have multiple levels of protection against it makes the likely hood of an attack occurring and succeeding so small to be virtually non-existent.

That's the point i'm trying to get across, you have so many other legitimate threats that are far more likely, focusing on this as a limiting option for new hardware is well.. a bit silly.

In saying that, if the threat really is there, and your just not saying, then there a bunch of other things you need to consider because an actual high level threat who'd go to lengths to undertake that type of attack on a specific target is basically one thing, the state. If its the state your trying to protect your self from, you have to look at a number of other things as well.

Damn might be time to change title...

First some clarification:

What I meant by that was that the "wrench attack" is quite obvious when it happens but someone dumping my RAM while I go on a quick coffee break isn't.

So you're saying that I should always suspend to disk for a quick "toilet break"? I am just thinking that nobody really leaves their computer unattended at all time.

I am aware of that and I would solve that by disabling new USB devices while the device is locked.

I thought about all of this again and I guess you're right. I am probably better off following @mickeyslippyfingers's advice of limiting the effects an attack like this has, by suspending to disk for example. And it's probably easier to make sure the device is physically secure than to make the hardware and software secure, at least for my (humble) standards.

I haven't known a laptop to use an AMD GPU in a long time.

You're going to kill your hard drive real fast that way. Just make sure you factor in spare drives into your budget then.

I bet OP implements these sophisticated security measures he wants and then gets duped by social engineering. You wouldn't believe how many attacks are social engineering-based (and how effective and devastating they are). Sorry for the listicle.