How to know if your thinkpad was not tampered with?
I was considering buying a used ThinkPad x200/x220/x230, either a normal one or one from someone who has Corebooted it, and I was wondering, how do you know everything is as it should be? Is there a tutorial to follow to guarantee everything is fine? What do you do after you buy a used laptop?
It might not be enough, but you could open it to check that there isn't any component that is not in a reference computer (using photos from fixit maybe) and reflash the SPI chip externally.
The reason I'm buying laptops that are pre-flashed is because I don't know how to do it myself, so I wouldn't know how to do that.
There isn't really a way to check some checksums of the installed bios files or something?
This is the danger I see in all of this. I see people selling those laptops, but since these people are highly skilled hackers, who knows if they added something funny and it turns out to be less secure than using a regular laptop. I guess people with a good reputation wouldn't do that, but sometimes they are so expensive. There are some sellers on eBay, for instance, that sell them for more reasonable prices than, let's say, Vikings and their $600 base price for the x230, but the risk is trusting someone from eBay.
The reason I'm buying laptops that are pre-flashed is because I don't know how to do it myself
I bought a second-hand X200 flashed with Libreboot for the same reason. However, I finally trusted myself to flash gnuboot internally on it and it worked fine.
There isn't really a way to check some checksums of the installed bios files or something?
Perhaps a BIOS could be modified so that, when some program wants to read the entire BIOS, it will get a non-modified part instead of the modified part, so that the checksum will still be correct. You could also try internal flashing, but there could be another trick that keeps the modified part.
I used to be afraid of external flashing, but when I look again at https://libreboot.org/docs/install/x200.html and https://libreboot.org/docs/install/spi.html, it seems there is no soldering needed, just connecting things, and in my understanding the Raspberry Pi Pico can run with entirely free software. This makes me think that I could try it and first just read the flash, which would be enough to verify a checksum and avoid the risk of damaging the chip.
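The read-only check described in the post above, as an added example that is not part of the original thread: it compares repeated external reads of the chip with each other, then with a reference image, and reports where they differ. The function names and the sample bytes are constructed for illustration, and it assumes you already have a reference image of the same size from a source you trust.

```python
import hashlib

def diff_ranges(a: bytes, b: bytes, gap: int = 16):
    """Return [(start, end)] byte ranges (end exclusive) where a and b differ,
    merging differences separated by fewer than `gap` identical bytes."""
    ranges = []
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if ranges and i - ranges[-1][1] < gap:
                ranges[-1][1] = i + 1      # extend the current range
            else:
                ranges.append([i, i + 1])  # start a new range
    return [tuple(r) for r in ranges]

def check_dump(reads, reference: bytes):
    """reads: dumps from repeated external reads of the same chip.
    At least two identical reads are required, so that a bad clip
    connection is not mistaken for a modified image."""
    if len(reads) < 2 or any(r != reads[0] for r in reads[1:]):
        return {"status": "unstable-read", "ranges": []}
    dump = reads[0]
    if len(dump) != len(reference):
        return {"status": "size-mismatch", "ranges": []}
    ranges = diff_ranges(dump, reference)
    return {
        "status": "differs" if ranges else "match",
        "sha256": hashlib.sha256(dump).hexdigest(),
        "ranges": ranges,
    }

# Constructed sample data standing in for a reference image and a chip dump.
REFERENCE = bytes(range(256)) * 16          # 4096 bytes
_modified = bytearray(REFERENCE)
_modified[0x100:0x106] = b"\xAA" * 6        # six changed bytes
_modified[0x800] ^= 0xFF                    # one changed byte elsewhere
DUMP = bytes(_modified)

if __name__ == "__main__":
    result = check_dump([DUMP, DUMP], REFERENCE)
    print(result["status"], result["sha256"])
    for start, end in result["ranges"]:
        print(f"  differs at 0x{start:06x}-0x{end - 1:06x} ({end - start} bytes)")
```

A reported difference is not by itself proof of tampering, since an installed image can legitimately differ from a release image in settings configured before flashing; the offsets only tell you which parts of the image to look at. A match covers the contents of this one flash chip and nothing else in the machine.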
Please could someone help me with this?
I think someone may have posted the answer in one of these links, but I don't have a Reddit account and this subreddit is private now:
https://www.reddit.com/r/libreboot/comments/9dnj7b/how_can_i_verify_that_libreboot_hasnt_been/
https://www.reddit.com/r/libreboot/comments/otd8ze/how_to_know_if_a_libreboot_installation_has_been/
https://www.reddit.com/r/libreboot/comments/k6wswc/help_with_signature_verification/
The only way I would know is if you use Heads BIOS, and let me tell you, that is a huge PITA.
Trust me, it's infuriatingly confusing at times.
It just ain't worth it.
If I understood the point of Heads properly, then it wouldn't be it, since Heads just guarantees the laptop was not tampered with from A to B. But if the person that installed Coreboot for you put a dodgy Coreboot there, you wouldn't know. It would just mean that things were not tampered with. Heads does not guarantee the integrity of your Coreboot, it just means the state of things did not change. So what I'm asking here is, how do I know if I'm running a legit Coreboot distribution or something that has "extra features"?
Perhaps, but usually you need to sign Heads BIOS with some kind of device like a Nitrokey.
I have used Nitrokey's BIOS; if you change a system component within the operating system, it will boot red.
When it doesn't boot red, you can boot it without problems.
Otherwise you have to enter a few passwords in order to re-sign it.
I have gotten so mixed up doing this that I ran out of chances to do so and had to make a new key all over again. I assure you, this was an effing mess.

