I wrote about our unique set of high security features for the Librem 14 such as anti-interdiction, Qubes, hardware kill switches, and PureBoot. What other security features would you like to see us add to this in the future? #infosec #hardening https://puri.sm/posts/my-recommendations-for-the-most-secure-librem-14-configuration/
- first boot setup: offer user to change the like masterkey for disk encryption
- offer boot medium that allows to evaluate all packages installed on a librem against repositories
- offer option to include as much as possible of /boot into the checksums evaluated by pureboot/heads
@chrichri First, thanks for the recommendations. I have a couple clarifying questions:
For point 2: evaluate packages in which way?
For 3: currently we include all but files that begin with kexec* because they are used *by* PureBoot and some like HOTP counter change each boot, and others like the checksum file itself, have to be excluded.
2: check whether any files have been altered compared to repositories containing the packages containing the files. List files that do not belong to packages.
3: last time I looked into it new files have been ignored. Changes to directory content/structure in general should be monitoried.
