Hello everyone, I'm Thierry Laurion from Insurgo Open Technologies. The presentation of today is actually a call for collaboration, but showing you where the status is of Heads and where we need some help, actually. Insurgo PrivacyBeast was a product released and certified by Qubes OS in July 2019, trying to resolve the problem of being able to distribute Qubes OS pre-installed without reducing the security of the device.

The reason why Heads is used is because there are two different kinds of security that are added directly in the firmware. It gives us the possibility of knowing the state of the firmware by measuring the different parts. I will go through that later on. We use a generated key that is on a secure device, and we put the public key inside of the firmware, which permits us to verify boot, like the binaries inside of /boot, which is not encrypted; it is actually verified upon each boot.

The reason why the X230 is actually interesting is because we can actually neuter the Intel ME. Neutering and deactivation are words that are really mixed up in the world right now, because neutering means that all the parts are supposed to be removed, which is not possible anymore. The status of Sandy Bridge and Ivy Bridge is that you can actually remove all the other modules but the bring-up modules. The parts that are necessary to actually start the main CPUs are still there, which results in 98 kilobytes of code that we still don't know what they do, but it's still there. So, binary-blob free.

Heads is actually a payload of coreboot, and what I did is actually implement a re-ownership process inside of Heads that permits us, as an OEM, to actually certify, attest the state of the firmware and the boot status, and actually ship a QR code to the customer and the USB security key with the laptop, so that the user receives it and is able to verify, by having already the picture taken, that the firmware validation measures are there.
And the security key is actually plugged into the laptop. It's a Librem Key developed technology, so basically the laptop communicates with the key and validates that the measurements are still there by flashing green, or red if it's not okay. So basically the process involves re-owning all those components when the user receives it so that the OEM is not... there's no trace of the OEM work after the re-ownership wizard.

So for those of you who don't know what Heads is, this is a quick description that I've already come to. Basically the goal of Heads is not to be perfect, it's to actually add more security inside of the firmware, like I said earlier, by measuring it. So it's not verified boot, it's measured boot. It was based on an older coreboot version, and patches were made to be able to actually modify the romstage to be dependent on a TPM library that measures the modules prior to launching them. It permits remote attestation. Remote attestation is a mixed word there, mixed in the sense that you verify the state on your phone with the QR code that you already scanned. So you have a TOTP, a code of six numbers that is regenerated every 30 seconds. And if the codes on your phone and on the laptop are the same, then you know that it was not modified. The Librem Key, like I said earlier, uses the same measurement from the TPM but validates it on the USB key. So if it flashes green, you know it's good. If it flashes red, it means that it was tampered with.

For the verified boot integrity, the part where the key is actually used, the USB key is used to sign every boot configuration change. So when Heads boots, what it does is generate a digest of all the files that are present, and it is signed with your private key inside of your USB key. So when it boots, Heads just checks that the hash is signed by your public key that is inside of the ROM.
So if something changed, you will be notified, because you're the only one having the private key that matches the public key that is inside of the ROM. Voilà for that. This is what Heads does, basically. It takes measurements into all of those PCRs, and those PCRs are used to validate the integrity.

So why did I implement an ownership, re-ownership? Because we want to have the firmware boot integrity validated. We want the USB security dongle that is shipped to the user to be temporarily owned by the OEM and re-owned by the user upon reception. And the USB key should be provisioned with secrets that are not the default ones. For example, if you buy a Librem Key or a Nitrokey, the user PIN would be 123456 and the admin PIN would be 12345678. So if, for example, the device, the laptop and the USB key are sent separately, but for some reason someone is able to get their hands on the key and the laptop, there is a possibility of being able to modify the boot integrity, for example, and being able to use the key with the admin PIN and re-sign the measurements. And there would be no security. So if we are able to provision those with random secrets, even though someone in the path would be able to get those two, they won't be able to measure and verify. So all of those are covered already by the re-ownership.

That gives something like that when you boot the laptop at first. What you see here is that the time is supposed to be the same. You see the TOTP code that you can validate on your phone, which is supposed to be the same. The TOTP code there is the result of the key being connected directly in the USB port. And the boot integrity is validated because the public signature that is inside of the ROM validated that the boot content was the same. So if you get those three right, you can continue the re-ownership. You know that the laptop was not modified in terms of...
On that level, okay, if you have, like, Qubes OS pre-installed, how can you verify that it was not tampered with? The simplest solution that was done is actually we create an OEM image that we clone on each of the laptops. The problem doing that is that the LUKS encryption key would be the same on all the laptops. We don't want that, because I could lend that key to any authority and it would be a massive problem. So we want the initial LUKS encryption key to be unique. We want the encryption password to be also different. And the last point is the integrity of the operating system needs to be validated. We don't have the last one for the moment. There is work being done on that. I will cover it later on. Mainly, Heads lacks LVM provisioning tools right now, so that we have a possibility, if we deploy an OEM image, to be able to decrypt the LUKS container and measure the LVM so that we know that they have the same integrity as when it was shipped. That's not done right now. It needs a bit more space inside of the ROM, and work is being done on that right now.

So the result, when the user receives the laptop and types the LUKS encryption key, which is the same that unlocks the SD card content, which is encrypted and which would be used to store the secrets of provisioning: it unlocks the two containers and actually re-encrypts the content of both disks. So the SD card, which is used to store the provisioned secrets at the re-ownership, is also encrypted. And the hard drive is being re-encrypted right now. So what you see here is the result 35, 40 minutes later: all the computer data has been completely re-encrypted. So even if I was able to lend the keys to authorities, those keys don't exist anymore. They were changed completely. So here the slides are being uploaded. If you click on those two links, you have what it would be for the OEM to actually re-own the laptop. And it's the same process that is being used for the user when he receives it.
Basically, having one passphrase to type, and after that, I won't go through that, but the menu is actually asking you: are you generating, like, diceware passphrases of different lengths depending on the security needed, for all the device-generated ones for you, and you will renew them until one flashes in your head. I come from a psychology background, and the most basic problem for everyone is selecting good passphrases and good passwords. So if you have something that actually flabbergasts your mind and you find it funny, you will remember it. And if you try to remember 8, 8, 0, they're kind of security people. So good passphrases are the basis of everything. So the re-ownership takes that into account and proposes you, like, random words until one picks your mind.

So who doesn't know what Qubes OS is? Okay. We decided to ship... Actually, it was an inverse problem. The problem was on what computer we can use Qubes OS securely. And the situation was resolved because Sandy Bridge and Ivy Bridge, there is a debate on that, but Sandy Bridge and Ivy Bridge are the last x86 platforms that are able to be freed. There is no binary responsible for the hardware initialization, memory initialization, graphics initialization. All of those that are normally initialized by blobs are native on that platform thanks to coreboot effort and reversing. So on what hardware you can actually run Qubes OS securely, the X230 was one of the clear answers. So what I decided to do was to actually release a laptop having Qubes OS pre-installed.

So what is Qubes OS? Qubes OS is an operating system based on virtualization that permits you to separate in secluded environments what is untrusted on your computer. So basically you would have, like, the network that is isolated in a virtual machine. All that is USB would be isolated in a machine. And each of the virtual machines that you pop up has possible routing vulnerabilities between the machines. But the rest of it is not connected.
The rest of it doesn't have access to files that you, or vulnerabilities exposed by a Rubber Ducky USB key, would put on your computer that you don't trust. So basically everything that is untrusted that comes from the external, until you do something really stupid, it won't affect you. Qubes OS is also really interesting because all attachments that you would open from emails or whatever, if you use Thunderbird, if you double-click on the attachment, it will open up in a disposable VM. A disposable VM is something that will just self-destruct after you saw the content. If you click on a PDF or an XLS document, Word document or whatever, you may compromise the virtual machine that you're using, but once it's done, once you close the application, the hypervisor will destroy your virtual machine and there won't be any trace of it. If you don't trust a PDF, for example, you can also just right-click on it and say convert it, and that's it. It's done in a bitmap form of document that you can use to share or whatever. Same thing for devices that are coming from the outside: you have to explicitly say where you want that device to be attached, so there is no stupid corruption that would happen to the super secure machine that you want to use. It won't have networking if you don't want to, so you can have a vault that will contain all your passwords and everything. You're actually responsible to define the environments the way that you need them to be. It always comes with a couple of them, but that's irrelevant to the talk. The goal of it is to have good hardware on which you can run a secure operating system.
So as of right now there are not a lot of models that are supported under Heads, because of security considerations and because Heads is a contributor-based project, but under development right now, because I decided to go the path of grants, to be able to support more hardware, being able to support remote management inside of Qubes OS, because Qubes OS is super nice, but most of you, if you don't know the operating system, you would be challenged by the idea of: okay, but would I receive help, would I be able to deal with that if I come into a problem or whatever. So I received a grant under NLnet, named Accessible Security. The goal of it is: we have secure solutions, but how can we make them accessible to the users that need them. My main focus is actually journalists, freedom defenders and those kinds of people. So in my trainings, when I was asked, okay, but on what hardware do I implement those super solutions that you say, there was no clear answer, because if you don't have trustable hardware, a trustable phone or a trustable something, then everything can be hacked from a simple vulnerability.

So under the grant right now is... TriumDev here... it's supposed to, we will know like in the next day, but there should not be any problem. There's going to be a talk later on today about fwupd. The goal of it is to be able to have, like, simple firmware upgrades, like we install any updates in our operating system. The problem with Qubes OS, like I said super quickly, is that Qubes OS is not meant to have network access by default. So if you have a part of your system, which is the hypervisor, that has access to your hardware, it's not supposed to have access to the internet. So having updates for devices under dom0, on the hypervisor, requires some modifications so that the communication is made to download the updates and make them available.
So the goal of that is to have those updates available inside of Heads, so that the next time you reboot your laptop, Heads is also updatable. Like I introduced also, having remote administration, because the people that are the most at risk, let's say journalists or anyone being in remote countries and needing help right now, they are kind of left alone. The goal of the Qubes OS 1x partnership is to be able to have Tor hidden onion accessible remote administration, so that when you need it you can ask for support and copy-paste a link with a login and password, and be able to have your admin VM or dom0 being accessible to receive help remotely. The possibility of having safer anonymization, forensic-resistant defaults, because right now Qubes OS doesn't come with MAC randomization, so if you're roaming here with your cell phone right now, you're leaving traces everywhere, because your MAC is known by all those WiFi stations and everything. So if you're a journalist or a freedom defender and your identity is at risk, you want those traces to not exist. Same thing for hard drive contents and everything. And the main problem that we have here, because we try to go international, is that there are so many keyboards that exist, but Heads supports only US keyboards, so that's a challenge for going international.

So the help that we need right now inside of Heads is better reproducibility, because Heads' motto is being able to produce the same exact image wherever you build it, across different OS build systems and everything. We need help on that; if there are people here working in continuous integration environments and able to give a bit of help, that would be amazing. This needs a bit more involvement, and the main cue that I... it's not really related to firmware development right now, but we need an alternative to x86 so that we don't have blobs in our hardware. It's really a concept that should be addressed by firmware developers, and voilà.
And the goal of all of this, because I'm doing this since six months right now, is that every time that we ship a laptop, systems and everything... so what we need right now is, like, reprogrammers around the world that are ready to do exactly the same part of the job that I'm doing but in different countries, so that laptops don't go across borders, that are made locally, and people that are interested in joining the adventure of making hardware more secure. Here for firmware developers there is PowerPC work needed inside of coreboot, so if you are willing to join the adventure of porting coreboot to PowerPC, it would be amazing. Those are tasks that I need to do right now, because one of the main problems that arrives, like in my situation, is a client saying: okay, but I lost my USB key. And when you lose your USB security key that is made, like, to sign the configuration and everything, it means that you have to buy another one and re-own the key, generate new keys and everything, because the keys are inside of the USB device, so it's not copyable. So the solution around that would be to use Heads to generate those key pairs and save them inside of a LUKS-encrypted key, which I already resolved. It's just, like, coding stuff that I will resolve in the next couple of weeks. Voilà.

So Insurgo is now incorporated. Like I said, we need reprogrammers. There is direct sourcing that is available to partners around the world that want to join the adventure. Training is provided. My background is security trainer, so I would be more than willing, like, to jump in the adventure and make this go, like, broader. And this is what I want, like, to promote, is that I've been in this adventure, like, for a couple of months right now. I did a lot of attempts and funding efforts. This is nice. This is working, but it's complicated because of the admin management that is there.
So Insurgo just created this Insurgo initiative at Open Collective, and every time that a laptop will be bought from us or any partner that is linked to us, 25% of the net profit will be donated inside of Open Collective. Open Collective is what is used by Qubes OS and others. It's actually just an open book saying what comes in and where it goes out. So the goal of this would be to actually be able to pay for development out of those funds, so that if there is an issue that you can actually deal with, you can say: okay, it will take, like, 30 hours to resolve this, it will need, like, $5,000, and we can come to an arrangement of what needs to be done and when it's going to be paid. That's how funding works. You have to provide work, proof of work, and the release on each task that is completed. Voilà. Thank you.

Yes. I have two quick questions. Once again. When you mentioned PowerPC, it's really interesting, as I myself was the first one to actually import a Blackbird, Talos II Blackbird, in Europe last year. So the problem is that Power9 in general will not be mass used. It's price, it's availability, distribution, but the effort is meaningful. So I just would like to hear how you think you can enable, if someone wants to help you, giving him hardware to work with. That's a challenge. So really quick, how can we make, like, involvement, like, to make the work... Raptor Engineering for PowerPC.

The question was how can we make PowerPC development, like, work if hardware is not available? That's it? Yeah. Basically Raptor Engineering is willing to provide hardware for all the developers that would work on that. The contract would be, like, code needs to be released and be put upstream to compensate for the hardware enablement that they call. The second one is that the hardware is known to have received Respects Your Freedom certification three months ago, I think two months ago.
So basically it's the first platform that Respects Your Freedom since the Libreboot Minifree X200. So basically the hardware is performant. They have a plan of releasing a laptop really soon. So the question is how can we manage to have all the stack available so that both arrive at the same time? I understand your reflex of, okay, but we need needs, but the need will arise. So the question right now, and if you click on the link there, there's a bounty for Qubes OS. And if people here are Xen developers, the bounty is really interesting, if you can actually propose code to have Xen support or KVM or... The two Blackbirds, for the same reason, to use them as a remote station to verify other machines.

So when you make your call for collaboration, I actually would like to say awesome, because I'm trying to... Contact me. I'm doing a developer-friendly trusted computing platform. I just want to say that tomorrow we'll do a Birds of a Feather session. It's for anyone interested, especially in remote attestation of different networks and platforms. And it will be in H.3242 at 2:30. Give me an email. I'm just saying, because your call for collaboration really makes sense to me. Thank you.

Yes. You talked about... The question is: what are the challenges to develop a coreboot version for PowerPC? Right now the work is done by 9elements on their grant. The basic problem is just to have vboot plus measured boot. That's kind of the new standard inside of coreboot. The problem was that the support was not made properly for Sandy Bridge and Ivy Bridge. So it needs to be upstreamed first inside of coreboot, and after that we will be able to make the merge. But it's supposed to happen in the next month or month and a half. They are working on it right now.

In that design, what happens when you need to upgrade the kernel? You need to re-own the... The question is what happens when you upgrade the operating system?
What happens actually when you sign your boot configuration: you're actually selecting a default boot configuration. What it means is that your GRUB, Xen, kernel and initrd will be measured. The digest takes that into consideration. So when you upgrade, all of those would change at the same time. So Heads actually pops up and asks you if you are the origin of those changes. If you are, you sign. If you don't, you inspect.

One question or no? No? One short. Who is short? Short? Not yet. The question was: is there any interception story that happened? Not yet. No. Not that I know. With all the measurements that are there, we put glitter with nail polish under the main screw. We send a picture of that glitter to the customer, the QR code. So, to be able to travel here, would be better placed than me to answer, like, what are exactly the use cases that would be needed to actually be able to compromise the firmware, the measurements being done, like, inside, that would match the QR code, match the challenge version inside of your USB key and everything. I don't come up with a way, but there's possibly a way, and if you're a 3 billion targeted user, I'm sorry for you.
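Editor's added example, not code from the talk, from Heads or from Insurgo: a toy model of the measured-boot, sealed-secret and TOTP flow the speaker describes (each firmware stage is measured into a PCR, a TOTP secret is sealed to the resulting PCR values at provisioning or re-ownership time, and on every later boot the laptop can only produce the same six-digit code as the phone if the measurements are unchanged). The TPM is simulated in software: sealing is modelled as "return the secret only if the current PCR policy digest equals the one recorded at seal time", whereas a real TPM wraps the secret with a hardware key under that policy. The stage names, their contents and the PCR numbers used for them are assumptions for illustration, not the ones Heads uses; the TOTP routine itself follows RFC 6238 (HMAC-SHA1, 30-second step), which is also what the phone app computes.

```python
"""Toy model of measured boot -> PCR-sealed secret -> TOTP attestation code.

Added example (not Heads/Insurgo code). SimTPM is a software stand-in for the
TPM; stage names, their byte contents and PCR numbers are assumptions.
"""
import hashlib
import hmac
import struct
import time

PCR_INIT = b"\x00" * 32


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA-256(old || SHA-256(measured data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


class SimTPM:
    """Software stand-in for a TPM: a bank of PCRs plus policy-based seal/unseal."""

    def __init__(self, n_pcrs: int = 24):
        self.pcrs = {i: PCR_INIT for i in range(n_pcrs)}

    def extend(self, idx: int, data: bytes) -> None:
        self.pcrs[idx] = extend(self.pcrs[idx], data)

    def policy_digest(self, idxs) -> bytes:
        """Digest over the selected PCR values (order-sensitive, like a PCR composite)."""
        h = hashlib.sha256()
        for i in idxs:
            h.update(struct.pack(">I", i) + self.pcrs[i])
        return h.digest()

    def seal(self, secret: bytes, idxs) -> dict:
        """Bind a secret to the current values of the chosen PCRs (model only)."""
        return {"pcrs": tuple(idxs), "policy": self.policy_digest(idxs), "secret": secret}

    def unseal(self, blob: dict):
        """Release the secret only if the PCRs still match the sealing policy."""
        if hmac.compare_digest(self.policy_digest(blob["pcrs"]), blob["policy"]):
            return blob["secret"]
        return None


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code compared between phone and laptop."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def measured_boot(tpm: SimTPM, stages) -> None:
    """Each stage is measured into its (assumed) PCR before it would be run."""
    for pcr_idx, _name, blob in stages:
        tpm.extend(pcr_idx, blob)


# Constructed sample firmware stages; the byte strings stand in for real binaries.
GOOD_FIRMWARE = [
    (2, "romstage", b"romstage-v1"),
    (2, "ramstage", b"ramstage-v1"),
    (4, "heads-initrd", b"initrd-v1"),
]
TAMPERED_FIRMWARE = [
    (2, "romstage", b"romstage-v1"),
    (2, "ramstage", b"ramstage-v1-backdoored"),  # one stage modified
    (4, "heads-initrd", b"initrd-v1"),
]


def provision(secret: bytes, firmware, pcr_set=(2, 4)) -> dict:
    """OEM / re-ownership step: boot once and seal the TOTP secret to the PCRs."""
    tpm = SimTPM()
    measured_boot(tpm, firmware)
    return tpm.seal(secret, pcr_set)


def boot_and_attest(blob: dict, firmware, t: int):
    """Later boot: measure, try to unseal, and emit the TOTP code only on a match."""
    tpm = SimTPM()
    measured_boot(tpm, firmware)
    secret = tpm.unseal(blob)
    return None if secret is None else totp(secret, t)


if __name__ == "__main__":
    secret = hashlib.sha256(b"constructed-provisioning-secret").digest()[:20]
    blob = provision(secret, GOOD_FIRMWARE)
    now = int(time.time())
    print("phone    :", totp(secret, now))
    print("laptop   :", boot_and_attest(blob, GOOD_FIRMWARE, now))
    print("tampered :", boot_and_attest(blob, TAMPERED_FIRMWARE, now))
```

Run it and the first two codes agree while the tampered boot yields no code at all: changing a single measured stage changes the PCR, the seal policy no longer matches, and the laptop cannot derive the secret the phone holds. That is the property the talk relies on; what the model leaves out is that a real TPM enforces the policy in hardware, so the secret never exists in software on the tampered path.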