Well, since you asked nicely ;), below I attach a copy of something I
mentioned a few months ago (with cprise feedback), concerning this subject:
On 08/02/14 13:39, Pedro Martins wrote:
>
> This got me thinking what hardware support would be nice to have,
> which allows one to put security before convenience.
>
> Some wishful thinking follows.
>
>
> ** Minor hardware changes to improve security **
>
>
> 1) some way to lock laptop lid when closed:
>
> even those luggage combination locks might be better than nothing.
>
Maybe like "Kensignton lock, Level-2"... it would at least make some
scenarios messy for the attacker.
Since laptop makers (even Lenovo) have banished the lid latch, it would
be pretty funny to see them do a U-turn and then some.
>
> 2) hardware switches to power on and off ports/devices:
>
> real ones, not software driven - when it's off it remains off until I
> flip it on; for ethernet, wireless stuff, camera, mic, display, usb
> controllers/ports, memory cards, keyboard, internal stuff like sata
> ports (dangerous), etc;
>
> even if vm exploited, without power, no game: would no longer need
> to tape over my camera and mic; could boot computer with as little
> devices powered as possible, enable only as needed; as bonus, could
> disable all ports not needed to save power; added bonus, would end up
> with as many switches as pdp 11 ;-P
Yeah, but the most important IMHO is the battery. Never trust a machine
from which you cannot quickly yank the power source. BTW, how does an
"Airplane mode" switch on a typical business laptop rate? I assumed the
wireless switch on my Lenovo was hardware, but maybe that's wishful
thinking.
>
> 3) an usb controller for each usb port:
>
> would allow to reserve ports according to domain trust level.
> Snooping can still happen but now only within the same domain trust
> level. usbvm used to park usb controllers. Unfortunately it doesn't
> prevent me from inserting untrusted device in trusted port/domain -
> mistakes happen.
>
My T430s appears to have that: One controller per port.
>
> 4) an high-quality random number generator:
>
> as previously discussed on the list; can be bought today as usb
> device; to be used in addition to cpu existing one, if any.
>
>
> ** Not so minor hardware changes to improve security **
>
Well, if you're not willing to trust Intel/AMD's integrated HWRNG, then who?
>
> 5) proper support for TPM, TXT, VT-x, VT-d and upcoming SGX [3][4]:
>
> something is always missing because cost outranks security every
> time. also assuming owner will be in total control.
>
Industry imperatives appear to rank as high as cost, it seems. I recall
one of Joanna's blog posts describing how a feature (can't remember
which) did not live up to its potential to protect the user because it
was primarily intended to address Hollywood's interests.
>
> 6) some sort of usb virtualization support by the usb controller:
>
> each usb device inserted would have own isolated environment,
> virtual port assigned; usbvm could work as a sort of firewallvm/netvm
> to assign virtual usb ports to domains. Unfortunately it still
> doesn't prevent me from assigning untrusted device to trusted domain
> - mistakes happen.
>
> nice to have for usb ports, additional hardware switch to enable or
> disable data pins, allowing safe charge of usb devices - aka 'usb
> condom'.
>
Assuming some Qubes-of-the-future or spiritual successor to Qubes,
perhaps a USB *VIS*ualization to go along with the isolation
capabilities provided by some future hardware platform.
>
> 7) only minimal firmware needed to configure & boot the system and
> no firmware stored on devices/controllers for network, display,
> storage, usb, etc:
>
> coreboot [5] all the way. all drivers from source; unconstrained and
> freely available hardware interfacing specs; this will probably never
> happen, unless hardware OEMs totally committed to support open
> source/free software friendly components in their designs.
>
Don't give up hope. Open source hardware appears to be advancing, even
WRT security features:
http://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
>
> 8) the ability to power on or off cpu/chipset "features", like vPro
> &co; ditto for gpu:
>
> yeah, as if ever! BIOS support only for enabling or disabling some
> of these features, but not all that can be supported by given
> cpu/chipset; something disabled might still be used/usable.
>
I don't think we can live without GPUs on the desktop at this point.
They are not inherently insecure, although current implementations may
be particularly lacking in that area.
>
> 9) virtualization support by/for the gpu(s):
>
> with so many cores available nowadays, makes sense and would allow
> better utilization of resources. even something crude like reserving
> some coarse groups of cores as virtual gpus would be nice to have.
>
GPU virtualization is becoming a reality, even with current hardware.
Intel has a driver that can virtualize a Haswell integrated GPU, for
instance.
>
> 10) generic hardware support for software defined radio [6]:
>
> not ever! legal nightmare expected; licensing & testing requirements
> for each and every country/state regulations.
>
>
> So, that's it. 1) to 5) are not that big deal IMO, could be made
> available on some brand 'professional' line of computers.
>
> Or, we could follow Canonical example and crowd-fund our own
> computer for $32 million [7] ;-) Nice 15" 4K non-glare screen,
> thinkpad-like keyboard, 512 Gib SSD, etc; fully supported by QubesOS
> R3!
>
11) Hardwired status lights for things like microphones and cameras.
This should be even on smartphones.
12) Peripherals that can be given individualized keys by the user, to
authenticate them with the CPU, so that any attempt at replacement would
be noticed and/or rejected. It doesn't matter what type of peripheral:
SATA, USB, SD card, etc. I think this could contribute toward a solution
to #BadUSB.
--
Pedro Martins