  • Stars: 225
  • Rank 177,187 (Top 4 %)
  • Language: C++
  • Created about 9 years ago
  • Updated over 8 years ago


Repository Details

Auxiliary documentation and scripts around "A Reasonably Safe Travel Burner Laptop"

A Reasonably Secure Travel Laptop Setup

This repository contains auxiliary scripts and configurations around building a reasonably secure travel laptop using coreboot with a GRUB2 payload. The scripts and configurations have been tested with an ArchLinux setup but should be adaptable to other distributions easily.

A reasonably secure travel laptop following the approach laid out here will boot only a signed kernel and initrd and ensure user-space integrity with a dm-verity protected root filesystem. Note that dm-verity provides integrity, not confidentiality: if you also require confidentiality, encrypt the entire filesystem or use a separate, encrypted /home partition.

Building coreboot and GRUB2 for your target laptop and flashing the appropriate image is out of the scope of this repository's contents and documentation. You can find more information on the coreboot Wiki. You can find a preliminary coreboot review branch that measures platform state into TPM PCRs in gerrit changeset #14038 (click the Download drop-down to get a URL usable in git checkout).

Involved Components

The resources contained in this repository are used in the boot chain as follows:

  • A GRUB2 configuration file is embedded into a GRUB2 memdisk on the SPI Flash itself. It serves as the root of the chain of trust and loads the signing key from the GRUB2 memdisk, transitions the GRUB2 root to the boot device / partition and hands over to a signed GRUB2 configuration there.
  • The GRUB2 configuration on the boot device/partition loads the Linux kernel and initrd or whatever other payload you want to load. It will provide the dm-verity root hash to the initrd, which in turn assigns it to the dm-verity device. Because this configuration is signed, the dm-verity root hash is signed and transitively the root filesystem is authenticated.
  • Because a dm-verity root filesystem must be read-only and is not supported by most distributions' generic initrd generation scripts, a special set of scripts is required that mounts a tmpfs backed overlayfs from the initrd and initializes the dm-verity device with the right root hash. This set of scripts hooks into mkinitcpio on ArchLinux; it must be adapted for other distributions to generate an initrd compatible with this setup.
  • When built with a measuring coreboot, you can deploy TPM remote attestation as an OpenSSH forced command (the command= option of a public key in authorized_keys) to deny logins from an untrusted device. Two simple programs that implement remote attestation and verification against a trusted set of PCR values can be found in tpm-attest/.
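The transitive authentication claimed above (the root hash is signed, therefore the whole root filesystem is authenticated) rests on the structure of the dm-verity hash tree. The following is an added example in Python, not code from this repository: it builds a hash tree the way veritysetup format lays one out and then authenticates single data blocks against the root hash the way the kernel does on every read. Assumed defaults are SHA-256, 4096-byte data and hash blocks, and format version 1 (salt prepended to every hashed block); the on-disk superblock veritysetup writes is not modelled, and the salt and image are constructed. Use veritysetup for real images; this only shows why signing 32 bytes pins every byte of the filesystem.

```python
import hashlib

BLOCK_SIZE = 4096   # veritysetup default data/hash block size (assumption)
DIGEST = "sha256"   # veritysetup default hash algorithm (assumption)
DIGEST_LEN = hashlib.new(DIGEST).digest_size
PER_BLOCK = BLOCK_SIZE // DIGEST_LEN             # hashes per hash block
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed salt


def block_hash(salt: bytes, data: bytes) -> bytes:
    """dm-verity format version 1: hash(salt || block)."""
    return hashlib.new(DIGEST, salt + data).digest()


def split_blocks(blob: bytes, size: int = BLOCK_SIZE):
    return [blob[i:i + size] for i in range(0, len(blob), size)]


def build_hash_tree(image: bytes, salt: bytes):
    """Return (root_hash_hex, levels).

    levels[0] holds the hashes of the data blocks; each further level holds
    the hashes of the blocks of the level below. Every level is zero-padded
    to a block boundary like the on-disk hash area. levels[-1] is a single
    block, and the root hash is the hash of that block: signing it (via the
    signed grub.cfg that carries it) pins every byte of the image.
    """
    if not image or len(image) % BLOCK_SIZE:
        raise ValueError("image must be a non-empty whole number of blocks")
    level = b"".join(block_hash(salt, b) for b in split_blocks(image))
    levels = []
    while True:
        level += b"\0" * ((-len(level)) % BLOCK_SIZE)
        levels.append(level)
        if len(level) == BLOCK_SIZE:
            break
        level = b"".join(block_hash(salt, b) for b in split_blocks(level))
    return block_hash(salt, levels[-1]).hex(), levels


def verify_block(block: bytes, index: int, levels, root_hash_hex: str,
                 salt: bytes) -> bool:
    """Authenticate data block `index` the way the kernel does on each read.

    Walks from the signed root down: a hash block is trusted only after the
    level above has vouched for it, so rewriting data and hash blocks without
    being able to change the signed root hash is always detected.
    """
    if block_hash(salt, levels[-1]) != bytes.fromhex(root_hash_hex):
        return False
    entries = [index]                      # entry position at each level
    for _ in range(1, len(levels)):
        entries.append(entries[-1] // PER_BLOCK)
    for k in range(len(levels) - 2, -1, -1):
        blk = entries[k + 1]               # block of level k holding entries[k]
        hash_block = levels[k][blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE]
        vouched = levels[k + 1][blk * DIGEST_LEN:(blk + 1) * DIGEST_LEN]
        if block_hash(salt, hash_block) != vouched:
            return False
    leaf = levels[0][index * DIGEST_LEN:(index + 1) * DIGEST_LEN]
    return block_hash(salt, block) == leaf


def make_test_image(n_blocks: int) -> bytes:
    """Constructed stand-in for a frozen root filesystem image."""
    return b"".join(bytes([i % 256]) * BLOCK_SIZE for i in range(n_blocks))


def data_block(image: bytes, index: int) -> bytes:
    return image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]


if __name__ == "__main__":
    image = make_test_image(300)                  # 1.2 MB, two hash levels
    root, levels = build_hash_tree(image, SALT)
    print("root hash:", root)
    print("block 299 verifies:", verify_block(data_block(image, 299), 299, levels, root, SALT))
    tampered = bytearray(image)
    tampered[5 * BLOCK_SIZE] ^= 1                 # flip one bit in block 5
    tampered = bytes(tampered)
    print("old tree rejects it:", not verify_block(data_block(tampered, 5), 5, levels, root, SALT))
    new_root, new_levels = build_hash_tree(tampered, SALT)
    print("rebuilt tree, old root still rejects:",
          not verify_block(data_block(tampered, 5), 5, new_levels, root, SALT))
```

This is also why the hash tree device named by overlay_verity_dev needs no signature of its own: an attacker who rewrites both the data and the hash tree still ends up with a different root hash, and the only root hash the initrd will accept is the one in the signed grub.cfg.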

GRUB2 Configuration in SPI Flash

The initial GRUB2 configuration loaded from the SPI flash is used to kick off a more accessible, but still signed, configuration from the boot device/partition. An exemplary script that loads a signing key from the GRUB2 memdisk is provided in this repository under grub-cfg/memdisk-grub.cfg.

Generally, it is recommended to create a directory representing the additional memory disk contents of GRUB2 and to invoke grub-mkstandalone from there:

  • Create an empty directory representing your memdisk somewhere and change to that directory.
  • Copy grub-cfg/memdisk-grub.cfg to boot/grub/grub.cfg relative to the memdisk base directory, adjust it to your needs.
  • Export your signing public key in binary OpenPGP format (gpg --export without --armor; GRUB2 does not read ASCII-armored keys) to boot/${keyid}.gpg and fix the path in the grub.cfg
  • Invoke grub-mkstandalone from the memdisk base directory as follows to create a coreboot payload image with the appropriate memdisk contents:
grub-mkstandalone -O i386-coreboot -o ../grub_coreboot_payload.elf --compress=none --themes='' --locales='' boot/grub/grub.cfg boot/${keyid}.gpg

You can now reference ../grub_coreboot_payload.elf as ELF payload in the coreboot Kconfig to be directly built in or alternatively add it manually with cbfstool.

GRUB2 Configuration on boot device/partition

When using a GRUB2 configuration in SPI flash derived from grub-cfg/memdisk-grub.cfg, signature verification of the kernel and initrd will be mandatory already. Your configuration merely has to load the kernel with the correct command line and reference the right initrd.

The initrd scripts in this repository understand the following command line options:

  • overlay_verity_dev: device name for the device containing the dm-verity hash tree, created with veritysetup. If you just want to test a read-only root filesystem with a tmpfs backed overlayfs, set this to anything and do not specify the overlay_verity_root option on the command line.
  • overlay_verity_root: the root hash of the dm-verity hash tree on the device provided in overlay_verity_dev. This will activate actual root filesystem block integrity checking.
  • root: as usual, this is the root filesystem backing device, which will then be read-only and integrity protected.

An exemplary configuration file can be found in grub-cfg/bootdrive-grub.cfg.

mkinitcpio Hook

To generate an initrd/initramfs/initcpio that initializes dm-verity and creates a tmpfs backed overlayfs around it, a hook for mkinitcpio is required. This hook is provided within etc-initcpio/: copy the directory contents to your /etc/initcpio directory and add the overlay_verity hook to the HOOKS array in /etc/mkinitcpio.conf after the filesystems hook. If you have a fsck hook, be sure to remove it: it updates the root filesystem's on-disk superblock, which changes blocks covered by the dm-verity hash tree and causes verification failures.
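To make the three command line options and the hook's two modes concrete, here is an added example (Python, not the repository's shell hook) that parses a kernel command line the way the hook has to and returns the sequence of commands the initrd would run for it. The mount points, the device-mapper name verity-root and the overlay layout are assumptions; the two modes follow the description above (overlay_verity_dev without overlay_verity_root gives a read-only root plus tmpfs overlay with no block integrity; with overlay_verity_root the device is opened through veritysetup first), and anything ambiguous fails closed instead of silently booting an unverified root.

```python
import re
import shlex

ROOT_HASH_RE = re.compile(r"^[0-9a-f]{64}$")  # sha256 root hash as veritysetup prints it
VERITY_NAME = "verity-root"                   # assumed device-mapper name


def parse_cmdline(cmdline: str) -> dict:
    """Split a kernel command line into a dict. Quoted values are honoured
    and a repeated key keeps its last value; bare words map to None."""
    opts = {}
    for word in shlex.split(cmdline):
        key, sep, value = word.partition("=")
        opts[key] = value if sep else None
    return opts


def plan_root_mount(cmdline: str) -> list:
    """Return the argv lists the initrd hook would run for this command line.

    Raises ValueError instead of guessing: an initrd that quietly falls back
    to an unverified root defeats the point of the whole setup.
    """
    opts = parse_cmdline(cmdline)
    root = opts.get("root")
    verity_dev = opts.get("overlay_verity_dev")
    root_hash = opts.get("overlay_verity_root")
    if not root:
        raise ValueError("root= is missing")
    if not verity_dev:
        raise ValueError("overlay_verity_dev= is missing")

    cmds = []
    if root_hash is None:
        lower = root  # test mode: read-only root, tmpfs overlay, no integrity checking
    else:
        if not ROOT_HASH_RE.fullmatch(root_hash):
            raise ValueError("overlay_verity_root= is not a sha256 hex digest")
        # veritysetup open <data_device> <name> <hash_device> <root_hash>
        cmds.append(["veritysetup", "open", root, VERITY_NAME, verity_dev, root_hash])
        lower = f"/dev/mapper/{VERITY_NAME}"
    cmds += [
        ["mount", "-o", "ro", lower, "/lower"],
        ["mount", "-t", "tmpfs", "tmpfs", "/upper"],
        ["mkdir", "-p", "/upper/data", "/upper/work"],
        ["mount", "-t", "overlay", "overlay", "-o",
         "lowerdir=/lower,upperdir=/upper/data,workdir=/upper/work", "/new_root"],
    ]
    return cmds


def is_integrity_protected(cmdline: str) -> bool:
    """True only when the planned mount goes through a dm-verity mapping."""
    return any(argv[0] == "veritysetup" for argv in plan_root_mount(cmdline))


if __name__ == "__main__":
    test_mode = "root=/dev/sda2 overlay_verity_dev=y"
    real = ("root=/dev/sda2 overlay_verity_dev=/dev/sda3 "
            "overlay_verity_root=" + "ab" * 32)
    for line in (test_mode, real):
        print(line, "-> integrity protected:", is_integrity_protected(line))
        for argv in plan_root_mount(line):
            print("   ", " ".join(argv))
```

The point of is_integrity_protected is the caveat from the option list: a command line that carries overlay_verity_dev but no overlay_verity_root boots, mounts read-only and looks like the real thing, but verifies nothing. That is convenient for the setup step and a trap afterwards, so it pays to check the running system's /proc/cmdline the same way before trusting it.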

TPM Remote Attestation

When booting with a coreboot build in which measurement of platform components has been enabled, the different stages of the boot process, up to and including the RSA key used for signing the GRUB2-loaded components (see above), are hashed. These hashes are extended into PCRs of the device's TPM, forming a hash chain that cannot simply be rewritten after booting: a PCR can only be extended, never set to a chosen value.

You can then deploy the code from tpm-attest/ to a trusted OpenSSH server to securely verify the platform state after booting. The server issues a request including a random nonce (see for example tpm-attest/doc/examples/request.json). The client signs the nonce together with the current PCR state of its TPM and returns an attestation blob to the server (see for example tpm-attest/doc/examples/quote.json). Only if the PCR contents match the expected values will the shell wrapper spawn a shell for the client; the fresh nonce ensures that a quote captured from an earlier, trusted boot cannot be replayed.

This way, you can travel into your destination country with zero critical information and only a travel SSH authentication key on your travel laptop. You can then download any additional information over an encrypted and authenticated connection, but the server will only let you access this data if the device you are connecting from can prove that it is in a known-good boot chain state.
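The request/quote exchange described above, as an added example in Python. It is not the code in tpm-attest/ and does not talk to a TPM: the measured boot chain, the PCR selection (0, 2, 3) and the nonce length are constructed, and the quote is signed with an HMAC key standing in for the TPM's attestation identity key (an RSA key the device cannot export). What it does show faithfully is the verifier's order of checks: nonce freshness first, then the signature, then the PCR values against the set enrolled from a known-good boot, with a replayed quote, a device holding a different key and a modified boot component all refused.

```python
import hashlib
import hmac
import json
import secrets

# Constructed boot chain as (PCR index, measured component), in boot order.
# Real firmware extends hashes of the actual stage images; the strings stand in.
KNOWN_GOOD_CHAIN = [
    (0, b"coreboot bootblock"), (0, b"coreboot romstage"), (0, b"coreboot ramstage"),
    (2, b"grub_coreboot_payload.elf"),
    (3, b"memdisk boot/grub/grub.cfg"), (3, b"memdisk boot/travel.gpg"),
]
ATTESTED_PCRS = (0, 2, 3)   # assumed PCR selection


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def pcr_composite(pcrs: dict) -> bytes:
    """One digest over the selected PCRs in index order (the PCR composite
    that a real quote signs)."""
    h = hashlib.sha1()
    for idx in sorted(pcrs):
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()


def sign_quote(aik_key: bytes, composite: bytes, nonce: bytes) -> str:
    # HMAC stands in for the AIK RSA signature; the nonce ties it to one request.
    return hmac.new(aik_key, composite + nonce, "sha256").hexdigest()


class Device:
    """The travel laptop: measures each boot stage into its PCRs, then quotes."""

    def __init__(self, aik_key: bytes, boot_chain):
        self.aik_key = aik_key
        self.pcrs = {i: bytes(20) for i in range(24)}
        for idx, component in boot_chain:
            self.pcrs[idx] = pcr_extend(self.pcrs[idx], component)

    def quote(self, request: dict) -> dict:
        selected = {i: self.pcrs[i] for i in request["pcrs"]}
        nonce = bytes.fromhex(request["nonce"])
        return {"nonce": request["nonce"],
                "pcrs": {str(i): v.hex() for i, v in selected.items()},
                "sig": sign_quote(self.aik_key, pcr_composite(selected), nonce)}


class Verifier:
    """Server side: hands out single-use nonces and decides whether to spawn a shell."""

    def __init__(self, aik_key: bytes, golden_pcrs: dict):
        self.aik_key = aik_key
        self.golden = pcr_composite({i: golden_pcrs[i] for i in ATTESTED_PCRS})
        self.outstanding = set()

    def issue_request(self) -> dict:
        nonce = secrets.token_hex(20)
        self.outstanding.add(nonce)
        return {"nonce": nonce, "pcrs": list(ATTESTED_PCRS)}

    def verify(self, quote: dict):
        nonce = quote.get("nonce")
        if nonce not in self.outstanding:
            return False, "unknown or replayed nonce"
        self.outstanding.discard(nonce)          # single use, whatever follows
        try:
            pcrs = {int(k): bytes.fromhex(v) for k, v in quote["pcrs"].items()}
        except (KeyError, ValueError, AttributeError, TypeError):
            return False, "malformed quote"
        if set(pcrs) != set(ATTESTED_PCRS):
            return False, "quote does not cover the required PCRs"
        composite = pcr_composite(pcrs)
        expected = sign_quote(self.aik_key, composite, bytes.fromhex(nonce))
        if not hmac.compare_digest(expected, str(quote.get("sig", ""))):
            return False, "signature does not verify under the enrolled key"
        if composite != self.golden:
            return False, "PCR values differ from the known-good boot chain"
        return True, "platform state matches the known-good boot chain"


def attest(verifier: Verifier, device: Device):
    """One round trip, serialised the way request.json / quote.json travel."""
    request = json.loads(json.dumps(verifier.issue_request()))
    quote = json.loads(json.dumps(device.quote(request)))
    return verifier.verify(quote)


if __name__ == "__main__":
    aik = secrets.token_bytes(32)
    verifier = Verifier(aik, Device(aik, KNOWN_GOOD_CHAIN).pcrs)   # enrolment
    print(attest(verifier, Device(aik, KNOWN_GOOD_CHAIN)))
    tampered = KNOWN_GOOD_CHAIN[:-1] + [(3, b"memdisk boot/attacker.gpg")]
    print(attest(verifier, Device(aik, tampered)))
```

Two design points carry over to the real tools: the nonce is discarded before any other check runs, so a failed attempt cannot be retried with the same quote, and the signature is checked before the PCR comparison, so the whitelist is only ever compared against values the enrolled key vouched for.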

Step-by-step Setup

  1. First, install ArchLinux (or one of its derivatives, such as BlackArch) on your target device's internal drive, making sure to have a separate /boot partition. Make sure that you have all your tools installed and your root filesystem is ready to be frozen: every later change to the root filesystem means repeating the veritysetup and signing steps. At this point, you should also have set up any encrypted /home partitions and similar.
  2. Make sure you have installed the mkinitcpio hook from this repository and your initrd/initramfs/initcpio has been updated with mkinitcpio. Double check with lsinitcpio that a module for your root filesystem (for example ext4.ko) is present.
  3. Now it is time to flash the coreboot and GRUB2 image onto your device's SPI flash. Make sure you can disable signature verification for the setup step from the GRUB2 command line by entering set check_signatures=''; this requires possessing the PBKDF2 superuser password, see grub-cfg/memdisk-grub.cfg.
  4. Load your operating system with a read-only root and a fake overlayfs (no integrity checking yet) by providing a command line containing overlay_verity_dev=y but no overlay_verity_root option.
  5. You can now populate the dm-verity hash tree on the appropriate device using veritysetup format. Be sure to copy the root hash it prints!
  6. Update your boot device grub.cfg by providing the real overlay_verity_dev you just populated and setting the root hash with overlay_verity_root.
  7. Sign your boot device grub.cfg, the kernel and the initrd/initramfs/initcpio using gpg --detach-sign (optionally specify the right signing key with --local-user). GRUB2 expects each detached signature as <file>.sig next to the file it covers.
  8. Optionally deploy tpm-attest/ to a trusted OpenSSH server.
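Steps 5 to 7 are the ones worth scripting, because a stale root hash left in grub.cfg after a re-frozen root is the usual way to end up with a laptop that no longer boots. The following added example (Python; not part of this repository) extracts the root hash from the text that veritysetup format prints, rewrites the linux lines of a boot-device grub.cfg so they carry exactly one overlay_verity_dev/overlay_verity_root pair, and lists the files that need a detached signature, since GRUB2 with check_signatures=enforce looks for <file>.sig beside every file it loads. The sample veritysetup output and grub.cfg are constructed, and the assumption that GRUB paths on the separate boot partition correspond to /boot/... in the running system is marked in the code.

```python
import re

ROOT_HASH_RE = re.compile(r"^Root hash:\s*([0-9a-f]{64})\s*$", re.MULTILINE)

# Constructed sample of what `veritysetup format <data_dev> <hash_dev>` prints
SAMPLE_FORMAT_OUTPUT = (
    "VERITY header information for /dev/sda3\n"
    "UUID:            \t0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0\n"
    "Hash type:       \t1\n"
    "Data blocks:     \t1048576\n"
    "Data block size: \t4096\n"
    "Hash block size: \t4096\n"
    "Hash algorithm:  \tsha256\n"
    "Salt:            \t00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff\n"
    "Root hash:      \t5d41402abc4b2a76b9719d911017c592b5ce1ee9b3f2b8a4a1b6c8d8e9f0a1b2\n"
)

# Constructed boot-device grub.cfg still carrying the root hash of an earlier freeze
SAMPLE_GRUB_CFG = (
    "set timeout=3\n"
    "menuentry 'Arch Linux (verity)' {\n"
    "    linux /vmlinuz-linux root=/dev/sda2 overlay_verity_dev=/dev/sda3 overlay_verity_root=deadbeef\n"
    "    initrd /initramfs-linux.img\n"
    "}\n"
)


def root_hash_from_format_output(output: str) -> str:
    """Pick the root hash out of veritysetup's report; fail loudly if absent."""
    m = ROOT_HASH_RE.search(output)
    if not m:
        raise ValueError("no 'Root hash:' line found; did veritysetup format fail?")
    return m.group(1)


def set_verity_options(grub_cfg: str, verity_dev: str, root_hash: str) -> str:
    """Rewrite every `linux` line so it carries exactly one overlay_verity_dev
    and overlay_verity_root, dropping whatever stale values were there."""
    out = []
    for line in grub_cfg.splitlines():
        body = line.lstrip()
        if body.split(maxsplit=1)[:1] == ["linux"]:
            indent = line[:len(line) - len(body)]
            words = [w for w in body.split()
                     if not w.startswith(("overlay_verity_dev=", "overlay_verity_root="))]
            words += [f"overlay_verity_dev={verity_dev}", f"overlay_verity_root={root_hash}"]
            line = indent + " ".join(words)
        out.append(line)
    return "\n".join(out) + "\n"


def signature_targets(grub_cfg: str, boot_mount: str = "/boot") -> list:
    """Files GRUB demands a detached .sig for under check_signatures=enforce:
    the config itself plus every kernel and initrd it references. Assumes the
    boot partition is mounted at boot_mount and GRUB paths are relative to
    that partition's root (no (hdX,Y) device prefixes)."""
    targets = {f"{boot_mount}/grub/grub.cfg"}
    for line in grub_cfg.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] in ("linux", "initrd"):
            targets.add(boot_mount + words[1])
    return sorted(targets)


if __name__ == "__main__":
    root_hash = root_hash_from_format_output(SAMPLE_FORMAT_OUTPUT)
    new_cfg = set_verity_options(SAMPLE_GRUB_CFG, "/dev/sda3", root_hash)
    print(new_cfg)
    for path in signature_targets(new_cfg):          # step 7, one command per file
        print(f"gpg --detach-sign --local-user <keyid> {path}")
```

Sign the kernel and initrd before the grub.cfg: the config's signature is the last thing that changes, and re-signing it is what commits the new root hash. Any later mkinitcpio run invalidates the initrd's signature, so this is also the step to repeat after every kernel update.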
