Securing a Laptop from a Foreign Intelligence Agency

I am assuming that there is some reason you can't use a dozen different laptops in multiple countries or jurisdictions doing the same activities to provide extremely high redundancy (as pointed out in a comment on the question). If any of the laptops have results that differ, at least one of them can be assumed compromised and incident response can kick in. The number of independent computations could be scaled to match your requirements. This of course assumes that the activity done on the laptop is deterministic and that there is only one "right answer", allowing any honest and uncompromised party to come up with the exact same results.

Assuming you need to maximize integrity for a single laptop, your plans seem solid. I would however make a few changes and additions to your proposal:

  1. Switch to Linux so vulnerabilities are not given to nation states before being patched.

  2. Require that those who handle the laptop provide a comprehensive chain of custody.

  3. Don't just disable unused peripherals, cover them with anti-tamper epoxy resin.

  4. Disallow using any untrusted peripherals. Even VGA/HDMI can be vulnerable!

  5. Do not use custom software to hash binaries. Secure software already exists.

  6. Require smartcards to identify to the device. Shamir's Secret Sharing is useful.

  7. Mind EMSEC by working in a secure area or using shielded devices.


Mutual authentication

It's important that the users of the computer are able to authenticate to it. Normally, it is the user who authenticates themselves to the computer, but in high-risk environments, it may be necessary for the computer to authenticate itself to the user as well. This can be done using various experimental mutual authentication technologies like MARK, which uses an active USB device.

Each person who uses the laptop should be using a smartcard as part of the authentication process. This card should be kept physically secured. Depending on your threat model, it may even need to be hidden while on the person. It is possible to use secret sharing algorithms to ensure that a threshold of authorized individuals are required to fully authenticate themselves to the system. This could be set up such that, say, five people have keys, and at least three of them must use their keys at the same time to authenticate. This will protect from up to two people going rogue while still allowing authentication even if up to two people lose access. The exact parameters, including the weight each person holds, can be tweaked at will to match your threat model.
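As an added illustration of the threshold scheme described above (this is example code written for this answer, not a library the original refers to), the following implements Shamir's Secret Sharing over a prime field: a 3-of-5 split, plus weighting by giving one holder more than one share. The secret is a single field element (for instance a key-encryption key for the disk or the smartcard PINs' master key); wrapping it into a real authentication flow is assumed to be handled elsewhere.

```python
import secrets

# Prime field for the shares; 2**127 - 1 is a Mersenne prime, so every
# secret must be an integer in [0, PRIME). Larger secrets can be chunked.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial over GF(PRIME) at x using Horner's rule.
    coeffs[0] is the constant term, i.e. the secret itself."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, num_shares):
    """Return num_shares points (x, y) on a random polynomial of degree
    threshold - 1 whose constant term is the secret. Any `threshold` points
    reconstruct it; fewer points reveal nothing about it."""
    if not 0 < threshold <= num_shares:
        raise ValueError("threshold must be between 1 and num_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse of the denominator via Fermat's little theorem.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def distribute(secret, threshold, weights):
    """Hand each key holder weights[name] shares, so a holder's weight is the
    number of shares they contribute towards the threshold (hypothetical
    helper: the original answer only says weights 'can be tweaked')."""
    shares = split_secret(secret, threshold, sum(weights.values()))
    holdings, pos = {}, 0
    for name, weight in weights.items():
        holdings[name] = shares[pos:pos + weight]
        pos += weight
    return holdings


def unlock(holdings, present, threshold):
    """Pool the shares of the holders who are present. Returns the recovered
    secret, or None if the pooled shares do not reach the threshold."""
    pooled = [s for name in present for s in holdings[name]]
    if len(pooled) < threshold:
        return None
    return recover_secret(pooled)


if __name__ == "__main__":
    secret = 0x1234567890ABCDEF  # constructed demo secret
    holdings = distribute(secret, 3, {"lead": 2, "a": 1, "b": 1, "c": 1})
    print("lead + a:", unlock(holdings, ["lead", "a"], 3) == secret)   # True
    print("a + b:   ", unlock(holdings, ["a", "b"], 3))                # None
```

Note that the shares, not the combined secret, are what belongs on the smartcards; the combination should happen inside a trusted boundary (the laptop after it has authenticated itself to the users), and the pooled secret should be discarded as soon as it has been used.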

Firmware and software integrity

Assuming that the TPM is used for SRTM, it will be able to detect any modifications to the bootloader and related software, as well as certain firmware and even the BIOS itself, assuming the BIOS contains a read-only boot block (the CRTM). If encryption is also used, this provides a greater level of tamper resistance. Unfortunately, most block modes are malleable (plaintext can be intelligently modified even without knowing the key), so it is necessary to have the OS verify all components of the system even after boot, for example by using IMA, the Integrity Measurement Architecture, available on Linux.* IMA may reduce I/O performance by breaking demand paging.
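To make the post-boot verification step concrete, here is an added example (written for this answer, not taken from the IMA project) that reads the IMA measurement list the kernel exposes at /sys/kernel/security/ima/ascii_runtime_measurements and compares each measured file against a known-good digest manifest that was recorded at provisioning time and kept off the machine. The sample log lines and digests are constructed; the field layout (PCR, template hash, template name, algorithm:digest, path) is that of the default ima-ng template.

```python
# Constructed sample of ascii_runtime_measurements entries in the ima-ng
# template. The first entry, boot_aggregate, is IMA's hash of the TPM boot
# PCRs and is not a file on disk. All digests below are placeholders.
SAMPLE_LOG = "\n".join([
    f"10 {'1' * 40} ima-ng sha1:{'0' * 40} boot_aggregate",
    f"10 {'2' * 40} ima-ng sha256:{'a' * 64} /usr/bin/bash",
    f"10 {'3' * 40} ima-ng sha256:{'b' * 64} /usr/sbin/sshd",
    f"10 {'4' * 40} ima-ng sha256:{'c' * 64} /usr/lib/systemd/systemd",
    f"10 {'5' * 40} ima-ng sha256:{'d' * 64} /usr/local/bin/unknown tool",
])

# Constructed known-good manifest, as it might be recorded when the laptop
# was provisioned. sshd's digest deliberately differs from the log to
# simulate a replaced binary; sudo is listed but has not been executed.
KNOWN_GOOD = {
    "/usr/bin/bash": "a" * 64,
    "/usr/sbin/sshd": "e" * 64,
    "/usr/lib/systemd/systemd": "c" * 64,
    "/usr/bin/sudo": "f" * 64,
}


def parse_measurements(text):
    """Parse measurement-list lines into dicts. Paths may contain spaces,
    so only the first four fields are split off."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            raise ValueError(f"unexpected measurement entry: {line!r}")
        pcr, template_hash, template, filedata, path = parts
        # ima-ng writes "algo:hex"; the legacy "ima" template writes bare hex.
        algo, _, digest = filedata.rpartition(":")
        entries.append({
            "pcr": int(pcr),
            "template_hash": template_hash,
            "template": template,
            "algo": algo or "sha1",
            "digest": digest,
            "path": path,
        })
    return entries


def audit(text, known_good):
    """Compare measured files against the manifest.
    mismatched: measured with a digest the manifest does not expect
    unexpected: measured but absent from the manifest
    not_measured: in the manifest but not executed/read since boot"""
    mismatched, unexpected, seen = [], [], set()
    for entry in parse_measurements(text):
        if entry["path"] == "boot_aggregate":
            continue
        seen.add(entry["path"])
        expected = known_good.get(entry["path"])
        if expected is None:
            unexpected.append(entry["path"])
        elif expected != entry["digest"]:
            mismatched.append(entry["path"])
    return {
        "mismatched": mismatched,
        "unexpected": unexpected,
        "not_measured": sorted(set(known_good) - seen),
    }


def audit_live(known_good, path="/sys/kernel/security/ima/ascii_runtime_measurements"):
    """Run the same comparison against the running kernel's list (needs root
    and securityfs mounted); the manifest should come from removable media."""
    with open(path) as f:
        return audit(f.read(), known_good)


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, KNOWN_GOOD))
```

A mismatch is the signal that matters; an "unexpected" path is worth a look too, since it means something outside the manifest ran. Because the log is only as trustworthy as the kernel producing it, this check complements, rather than replaces, the TPM quote of PCR 10 that IMA extends.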

Often, the NIC or USB controller will still be active even if the operating system is ignoring them. A vulnerable BIOS could be compromised through such interfaces. Most systems' BIOS are horribly insecure and allow both local attackers (malicious processes running on the machine) and physical attackers to gain higher privileges. You can do some limited analysis of BIOS security by using the CHIPSEC framework. This framework is designed to verify certain security attributes for a platform's firmware. Important information is available on their wiki. This framework is designed primarily for BIOS vendors and OEMs who wish to look for vulnerabilities that allow the firmware to be overwritten at runtime despite standard software write locks put in place.

* I have little experience with Windows, but I believe it is possible to support such integrity with that operating system. However, it is important to remember that nation states often get prior notice to vulnerabilities in Windows before they are disclosed publicly or even patched. For this reason, Windows is likely not the best platform to be using.

Physical attacks

If someone gains unrestricted physical access to a laptop, it is not your laptop anymore. There are a number of different physical attacks that one can carry out. Some of them can be mitigated, whereas others would require you physically modify your laptop to mitigate:

  • DMA attacks - Many peripherals support direct memory access, both internal and external. External GPUs, Thunderbolt, Firewire, and internal PCI and PCIe ports all support DMA. This support allows anyone who connects a device to these interfaces to perform reads and writes to arbitrary memory locations. The mitigation requires that your laptop have a proper DMAR table and a modern IOMMU (VT-d2 for Intel). You must also boot with the IOMMU enabled, e.g. by passing intel_iommu=on to the boot command line on Linux.

  • Cold boot attacks - Passive retrieval of memory is possible by removing the memory modules and placing them in a different device to read. This allows them to read sensitive data, but does not allow tampering, as it is a highly invasive procedure that necessarily requires the target machine to be shut down. Full memory encryption mitigates this, and the use of ECC memory can also complicate the attack (ECC typically requires the memory modules be reset to a known state during initialization).

    Cold boot attacks only compromise confidentiality of data in memory, not integrity. If integrity is all you need, then cold boot attacks are not relevant to your threat model.

  • JTAG - JTAG is a debug protocol and interface on the motherboard for many devices from ones as simple as CPLDs to ones as complicated as enterprise x86 processors. Plugging a JTAG probe into the interface allows complete, absolute control of the chipset, allowing them to halt the machine, read and write registers and memory, and interact with peripherals. If an attacker manages to connect to the target using JTAG, all bets are off. You need to ensure the device either does not have a JTAG header, or that the header has been destroyed or coated with epoxy.
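Since the DMA bullet above hinges on the IOMMU actually being active rather than merely present, here is an added check (example code for this answer, not part of any tool it mentions) that a defender can run on the Linux laptop: it confirms intel_iommu=on is on the kernel command line, that the firmware published a DMAR table, that the kernel reported the IOMMU as enabled, and that devices were sorted into IOMMU groups. The command-line strings and dmesg lines are constructed for the offline demonstration; live_status() reads the real /proc/cmdline, /sys/kernel/iommu_groups and dmesg.

```python
import os
import subprocess

# Constructed inputs representing a hardened and a default boot.
CMDLINE_HARDENED = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro intel_iommu=on quiet"
CMDLINE_DEFAULT = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro quiet"
DMESG_WITH_DMAR = [
    "[    0.010000] ACPI: DMAR 0x000000007A5B9000 0000A8 (v01 CONSTRUCTED)",
    "[    0.250000] DMAR: IOMMU enabled",
]
DMESG_NO_DMAR = [
    "[    0.010000] ACPI: FACP 0x000000007A5B8000 00010C (v05 CONSTRUCTED)",
]


def parse_cmdline(cmdline):
    """Turn 'a=b c' into {'a': 'b', 'c': True}."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else True
    return params


def iommu_status(cmdline, dmesg_lines, iommu_groups):
    """Evaluate the four conditions for DMA remapping to be in force.
    iommu_groups is the list of entries under /sys/kernel/iommu_groups."""
    params = parse_cmdline(cmdline)
    requested = params.get("intel_iommu") == "on"
    dmar_table = any("ACPI: DMAR" in line for line in dmesg_lines)
    enabled = any("DMAR: IOMMU enabled" in line for line in dmesg_lines)
    groups = len(iommu_groups)
    return {
        "cmdline_requests_iommu": requested,
        "dmar_table_present": dmar_table,
        "iommu_enabled": enabled,
        "iommu_groups": groups,
        "dma_protection_active": requested and dmar_table and enabled and groups > 0,
    }


def live_status():
    """Same evaluation against the running system (dmesg may need root)."""
    with open("/proc/cmdline") as f:
        cmdline = f.read()
    try:
        groups = os.listdir("/sys/kernel/iommu_groups")
    except FileNotFoundError:
        groups = []
    result = subprocess.run(["dmesg"], capture_output=True, text=True, check=False)
    return iommu_status(cmdline, result.stdout.splitlines(), groups)


if __name__ == "__main__":
    for key, value in live_status().items():
        print(f"{key}: {value}")
```

A DMAR table with no "IOMMU enabled" line is the common case on a default install: the hardware is capable but the kernel was never told to use it, and every Thunderbolt or ExpressCard device still gets unrestricted access to memory.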

Additionally, physical attacks may involve connecting to a vulnerable peripheral. Nearly everything can be vulnerable; even VGA and HDMI can be exploited by abusing things like EDID. USB devices may support DCI, and a few systems fail to disable it in their BIOS. On these systems, USB can be abused to pass JTAG commands without opening the machine and connecting a probe to the motherboard. Networking interfaces can be vulnerable, and vulnerabilities have been found. Sometimes it is not enough to simply disable the ports in software, as various DCI vulnerabilities have shown. You may need to physically block the ports using a strong epoxy resin.

Physical tamper evidence

There are several ways to detect physical tampering with a device. All of these methods require that you take high-resolution photographs of the machine from multiple angles so that you can compare them against your actual machine at any time that you suspect it may have been modified. Any solution for detecting physical tampering will be visible as a discrepancy between the photo and the actual device. The general idea is to place something in sensitive areas of the device which will be visibly broken or moved if that area is intruded upon. A few examples:

  • Security tape - The standard way is to use tamper-evident security tape. These are stickers or strips of tape that leave unique marks on the surface if they are removed, and which are designed to be resistant to steam or other techniques used to gently pull them off. These can get quite expensive, supporting features such as holographic labels and unique marks.

  • Epoxy resin - Epoxy is a strong glue-like substance that sets hard and cannot be easily removed without destroying anything that it coats. There are many types of epoxy of differing strengths and properties. You would want one which is designed to resist tampering (e.g. designed not to be easily removed with solvents or fine drills), and which is non-conductive and not thermally insulating, to prevent shorts and overheating. When used correctly, epoxy resin can both resist physical attacks (tamper-resistance) and make successful attacks visible (tamper-evidence).

  • Nail polish - Nail polish that has a lot of glitter in it is actually very, very useful as a form of ghetto security seal. When placed around the joints of a system, it becomes extremely difficult to open it without moving the glitter. Once the glitter is disturbed, it becomes nearly impossible to place it back exactly as it was, leaving valuable evidence behind for the defender.

Emission security (EMSEC)

When you have nation states as an adversary, covert monitoring of electromagnetic signals is a very real possibility. These signals can be used to read keystrokes from 20 meters away or more. They can be used to perform Van Eck phreaking to view computer displays through walls. They can be used to break encryption by listening to the processor as it works on cryptographic material. Mitigating this requires a large, secure perimeter (several hundred meters), or using a TEMPEST-certified device. These certifications do come from the government (e.g. NATO SDIP-27 and USA NSTISSAM), but they allow devices to be certified as immune to dangerous EMI/RFI leakage.

Unless you are in a secure, shielded room or have a large and secure perimeter, you must make sure your devices are shielded while they are being used for sensitive operations. While not strictly related to electromagnetism, it is also important to use the device in a room with no windows, just as high-security government facilities do. This prevents audio (both from conversations, and from the keyboard) from being recovered using laser microphones. If your budget or circumstances make any of this impossible, you must rely on standard OPSEC to prevent your adversary from getting close enough at the critical time to record sensitive emissions.