-----BEGIN PGP SIGNED MESSAGE-----
I am building a laptop with physical isolation and hardware kill switches
Hi everyone, I am building a laptop with physical isolation (via a dedicated single-board computer (SBC)) and hardware kill switches. I just finished the first prototype and it’s usable!
Now I want to share my ideas with you and possibly get some feedback from the Whonix community.
This thing is based on an Asus C201PA (Gentoo Wiki, Debian Wiki), which is a Rockchip RK3288-C (Wikipedia, Rockchip Wiki) based Chromebook. It’s Libreboot compatible and does not require any non-free blob to operate.
Kernel / Drivers
Most of its features, including LCD and HDMI video framebuffer, eMMC, microSD, battery, and USB, are available in mainline Linux since v4.8-rc2.
Its Mali T764 GPU comes with a non-free driver, but xserver-xorg-video-fbdev works just fine.
It also has a soldered-on M.2 Type 1216 WLAN + BT card that requires a non-free blob to operate, but we don’t need it and it can be (easily) removed using an SMT rework station.
The SBC I use to perform physical isolation is a PocketBeagle; it’s small enough to be put inside the C201’s case, and can be powered directly by the C201’s motherboard.
--------
|      |    |-----|--[ * SBC ]------------------------[ USB hub ]
| C201 |----| USB |                                        | |
|      |    | hub |                                        | |
|------|    |-----|--[ * USB to serial adapter ]-----------| |
                               [ * USB Port ]----------------|
                               [ * WLAN Adapter ]------------|

- The parts labeled with * can be controlled individually by kill switches
- Once the power of the serial adapter is turned off, it should be impossible to reveal the user's real IP address even when the C201's OS is fully compromised
Wired: [ Internet ] ---- [ Ethernet Adapter ] ---- [ SBC ] ---- [ C201 ]
Wireless: [ Internet ] ---- [ Wireless Adapter ] ---- [ SBC ] ---- [ C201 ]
- Physical isolation via dedicated SBC
- Multiple hardwired kill switches with LED indicators for controlling SBC, serial adapter, WLAN and SBC’s USB port
- Open firmware, zero non-free blobs required
- C201 itself can be stateless by booting from a microSD card, which can be easily physically destroyed within 5 sec.
- Low overall power consumption
- Lightweight, about 1.03kg after mod
- Low cost, should be under 200$ (C201: 100$ + SBC: 40$ + Serial: 5$ + Hub: 5$ x 2 + Switches/LEDs: 5$)
- Port TBB (Should be possible, someone has done that on C201 before)
- Port Alpine Linux and use it as the base system?
- Make some kind of sandbox / container layer (Maybe LXC?) for risky applications (e.g. Firefox)
- Port as many Whonix security features to it as possible <- Maybe just port Whonix itself to it?
Please let me know what you think about this! All feedback is welcome!
This is posted from my prototype system, with Tor running on SBC
P.S.: Sorry for the long inline signature, I can’t get a secure email address when using Tor, so I have to use a temp. address to register. The following key should be online on pgp.mit.edu soon.
pub rsa3072 2020-04-07 [SC] [expires: 2022-04-07]
uid [ultimate] Yoshidako firstname.lastname@example.org
sub rsa3072 2020-04-07 [E] [expires: 2022-04-07]
- RAM: 512MB DDR3
- CPU: 1-GHz ARM Cortex-A8 (armhf)
- Based on Octavo Systems OSD3358-SM 21mm x 21mm system-in-package
- ARM Cortex-M3 + 3D accelerator (Not sure what Cortex-M3 is, the CPU is Cortex A8)
- 2 x 2-bit 200-MHz programmable real-time units (PRUs)
- Power / battery management
- EEPROM (Not sure what it is for…)
- 72 expansion pin headers
- 8 analog inputs
- 44 digital I/Os
- High-speed microUSB host/client and microSD connectors
- System Reference Manual
- OSD335x-SM Detailed Block Diagram
- SoC: Rockchip RK3288-C
- CPU: 4 x ARM Cortex-A17 @ 1.8 GHz (armhf)
- RAM: 2 or 4 GB DDR3
- GPU: Mali T764
- Audio processor: Rockchip I2S
- Screen size: 11.6"
- Resolution: 1366x768
- Touchpad: Elan I2C
- Board: Veyron-Speedy
- Battery: 7.6V 38Wh
Installing Gentoo: https://wiki.gentoo.org/wiki/Asus_Chromebook_C201/Installing_Gentoo
Installing Debian: https://wiki.debian.org/InstallingDebianOn/Asus/C201
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----