Add chapter security

README.md

@@ -13,6 +13,11 @@ Currently guides for:
 
 - Arch Linux
 
+Additional security chapter:
+
+- Disable INTEL AMT
+- Disable AMD PSP
+
 ## Why
 It took me several days to figure out how to set up a fully encrypted machine with 2FA. This guide should help
 others to get it done in minutes (hopefully). There exists a plenty bunch of tutorials but no one contains a step-by-step

book/arch/07-yubikey-login.md

@@ -81,3 +81,5 @@ following goals which is really awesome!
 
 If you have any suggestions don't hesitate to [create an issue](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi/issues "Create a new issue") to improve this guide.
 Also spread the word about this guide so more people can secure their system.
+
+You should now check the *security* chapter to improve security further.

book/security/bookdown.json

@@ -0,0 +1,22 @@
+{
+    "title": "Security",
+    "content": [
+        {"disable-intel-amt": "disable-intel-amt.md"},
+        {"disable-amd-psp": "disable-amd-psp.md"}
+    ],
+    "theme": {
+        "toc": {
+            "collapsibleFromLevel": 1
+        }
+    },
+    "template": "bookdown/themes",
+    "tocDepth": 2,
+    "target": "../html",
+    "numbering": false,
+    "extensions": {
+        "commonmark": [
+            "Webuni\\CommonMark\\TableExtension\\TableExtension",
+            "Webuni\\CommonMark\\AttributesExtension\\AttributesExtension"
+        ]
+    }
+}

book/security/disable-amd-psp.md

@@ -0,0 +1,13 @@
+# Disable AMD PSP
+This page describes how to disable AMD Secure Processor aka AMD Secure Technology.
+Please read the whole page before you begin. The AMD PSP is a
+[security risk](https://www.scmagazineuk.com/security-issue-found-amds-platform-security-processor/article/1473518 "Security issue found in AMD's Platform Security Processor").
+
+> Don't forget to set a secure BIOS supervisor password!
+
+## Disable AMD PSP in BIOS
+> **Attention:** If you don't see any option to disable AMD PSP, check
+if you have installed the latest BIOS version.
+
+Boot into BIOS and search for an entry *BIOS PSP Support* and disable it.
+It should be in menu *Advanced*.

book/security/disable-intel-amt.md

@@ -0,0 +1,35 @@
+# Disable INTEL AMT
+This page describes how to disable INTEL Active Management Technology. Please read the whole page before you begin.
+The INTEL AMT is a [security risk](https://thehackernews.com/2018/01/intel-amt-vulnerability.html "INTEL AMT vulnerabilities").
+
+> Don't forget to set a secure BIOS supervisor password!
+
+## Open INTEL AMT
+To open INTEL AMT press *CTRL + P* on boot. The default password is *admin* and
+you should change it to a secure one. You will be ask to change the password
+on the first login.
+
+## Disable Intel Management Engine State Control
+Next step is to [Disable Intel Management Engine State Control](https://www.dell.com/support/article/de/de/debsdt1/sln295179/disable-intel-amt-intel-management-engine-state-control?lang=en).
+
+1. Choose *Intel ME General Settings* from menu
+1. Choose *Intel ME State Control* from menu
+1. Choose *Disable*
+1. Choose *Previous* from menu
+
+The machine will reboot now. You can still access INTEL AMT but if you
+enable it again it should use your password and not the default one.
+
+## Disable INTEL AMT in BIOS
+> **Attention:** Depending on the used INTEL AMT version you **can not**
+disable the Intel Management Engine State Control because then the password will be reset. If you don't
+see any entry to disable INTEL AMT, check if you have installed the latest BIOS version.
+
+Boot into BIOS and search for the *Intel AMT* entry and enter it.
+For Lenovo notebooks it's under the menu *Config*. Choose *Disable* and save BIOS settings.
+
+## Validate password protection
+Now it's time to check, if the password is reset if you enable it again. Go into BIOS and enable
+INTEL AMT, save changes and open INTEL AMT with *CTRL + P*. Enable it again, the machine will reboot.
+Go into INTEL AMT with *CTRL + P* and now you should not be able to login with password *admin*.
+Now start from scratch and disable it again.

bookdown.json

@@ -3,7 +3,8 @@
     "content": [
         {"intro": "README.md"},
         {"changelog": "CHANGELOG.md"},
-        {"guides": "book/guides/bookdown.json"}
+        {"guides": "book/guides/bookdown.json"},
+        {"security": "book/security/bookdown.json"}
     ],
     "theme": {
         "toc": {

composer.json

@@ -7,7 +7,7 @@
     "authors": [
         {
             "name": "Sandro Keil",
-            "email": "social@sandro-keil.de",
+            "email": "github@sandro-keil.de",
             "homepage": "https://sandro-keil.de"
         }
     ],
@@ -19,7 +19,10 @@
         "uefi",
         "arch-linux",
         "luks",
-        "lvm2"
+        "lvm2",
+        "security",
+        "intel amt",
+        "amd psp"
     ],
     "require": {
         "bookdown/bookdown": "^1.1.0",