Add chapter security

README.md

@@ -1,7 +1,7 @@
 # YubiKey Full Disk Encryption
 
-[This repository](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi "YubiKey Full Disk Encryption Repository") 
+[This repository](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi "YubiKey Full Disk Encryption Repository")
-contains a step-by-step tutorial to create a full disk encryption setup with two factor authentication (2FA) 
+contains a step-by-step tutorial to create a full disk encryption setup with two factor authentication (2FA)
 via [YubiKey](https://yubico.com/products/yubikey-hardware/). It contains:
 
 - YubiKey encrypted `root (/)` and `home (/home)` folder on separated partitions
@@ -11,11 +11,16 @@ via [YubiKey](https://yubico.com/products/yubikey-hardware/). It contains:
 
 Currently guides for:
 
-- Arch Linux 
+- Arch Linux
+
+Additional security chapter:
+
+- Disable INTEL AMT
+- Disable AMD PSP
 
 ## Why
 It took me several days to figure out how to set up a fully encrypted machine with 2FA. This guide should help
-others to get it done in minutes (hopefully). There exists a plenty bunch of tutorials but no one contains a step-by-step 
+others to get it done in minutes (hopefully). There exists a plenty bunch of tutorials but no one contains a step-by-step
 guide to get the above things done.
 
 > I guess the entire manual will take between 1 - 3 hours.
@@ -25,7 +30,7 @@ You should be familiar with linux and should be able to edit files with `vi` [Vi
 You need an USB stick for the Linux Live environment and a second computer would be useful for look ups and to read this guide while
 preparing your fully encrypted Linux.
 
-And of course you will need at least **two** [YubiKeys](https://www.yubico.com/products/yubikey-hardware/ "Discover YubiKeys").  
+And of course you will need at least **two** [YubiKeys](https://www.yubico.com/products/yubikey-hardware/ "Discover YubiKeys").
 
 **WARNING:** You gonna get a bricked machine if you only have a single Yubikey and it breaks.
 
@@ -38,7 +43,7 @@ And of course you will need at least **two** [YubiKeys](https://www.yubico.com/p
 ## Documentation
 
 For the latest online documentation visit [http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/](http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/ "Latest yubikey-full-disk-encryption-secure-boot-uefi documentation").
-Refer the *Quick Start* section for a detailed explanation. 
+Refer the *Quick Start* section for a detailed explanation.
 
 Documentation is [in the book tree](book/), and can be compiled using [bookdown](http://bookdown.io) or [Docker](https://www.docker.com/)
 

book/arch/07-yubikey-login.md

@@ -50,7 +50,7 @@ The complete file should look something like this.
 #%PAM-1.0
 
 auth      required  pam_unix.so     try_first_pass nullok
-auth      required  pam_yubico.so   mode=challenge-response chalresp_path=/var/yubico 
+auth      required  pam_yubico.so   mode=challenge-response chalresp_path=/var/yubico
 auth      optional  pam_permit.so
 auth      required  pam_env.so
 
@@ -67,11 +67,11 @@ session   optional  pam_permit.so
 ```
 
 ## Test it
-Arch Linux loads the [PAM](https://wiki.archlinux.org/index.php/PAM "Linux Pluggable Authentication Modules (PAM) ") config files on every login. So simply switch to 
+Arch Linux loads the [PAM](https://wiki.archlinux.org/index.php/PAM "Linux Pluggable Authentication Modules (PAM) ") config files on every login. So simply switch to
 another tty and try to login. After you have entered your password, the YubiKey should flash and you have to touch the
 YubiKey button. Good luck!
 
-**Congratulations**! You have hopefully successful finished the YubiKey Full Disk Encryption Guide. You have reached the 
+**Congratulations**! You have hopefully successful finished the YubiKey Full Disk Encryption Guide. You have reached the
 following goals which is really awesome!
 
 - YubiKey encrypted `root (/)` and `home (/home)` folder on separated partitions
@@ -80,4 +80,6 @@ following goals which is really awesome!
 - YubiKey authentication for user login
 
 If you have any suggestions don't hesitate to [create an issue](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi/issues "Create a new issue") to improve this guide.
-Also spread the word about this guide so more people can secure their system.
+Also spread the word about this guide so more people can secure their system.
+
+You should now check the *security* chapter to improve security further.

book/security/bookdown.json

@@ -0,0 +1,22 @@
+{
+    "title": "Security",
+    "content": [
+        {"disable-intel-amt": "disable-intel-amt.md"},
+        {"disable-amd-psp": "disable-amd-psp.md"}
+    ],
+    "theme": {
+        "toc": {
+            "collapsibleFromLevel": 1
+        }
+    },
+    "template": "bookdown/themes",
+    "tocDepth": 2,
+    "target": "../html",
+    "numbering": false,
+    "extensions": {
+        "commonmark": [
+            "Webuni\\CommonMark\\TableExtension\\TableExtension",
+            "Webuni\\CommonMark\\AttributesExtension\\AttributesExtension"
+        ]
+    }
+}

book/security/disable-amd-psp.md

@@ -0,0 +1,13 @@
+# Disable AMD PSP
+This page describes how to disable AMD Secure Processor aka AMD Secure Technology.
+Please read the whole page before you begin. The AMD PSP is a
+[security risk](https://www.scmagazineuk.com/security-issue-found-amds-platform-security-processor/article/1473518 "Security issue found in AMD's Platform Security Processor").
+
+> Don't forget to set a secure BIOS supervisor password!
+
+## Disable AMD PSP in BIOS
+> **Attention:** If you don't see any option to disable AMD PSP, check
+if you have installed the latest BIOS version.
+
+Boot into BIOS and search for an entry *BIOS PSP Support* and disable it.
+It should be in menu *Advanced*.

book/security/disable-intel-amt.md

@@ -0,0 +1,35 @@
+# Disable INTEL AMT
+This page describes how to disable INTEL Active Management Technology. Please read the whole page before you begin.
+The INTEL AMT is a [security risk](https://thehackernews.com/2018/01/intel-amt-vulnerability.html "INTEL AMT vulnerabilities").
+
+> Don't forget to set a secure BIOS supervisor password!
+
+## Open INTEL AMT
+To open INTEL AMT press *CTRL + P* on boot. The default password is *admin* and
+you should change it to a secure one. You will be ask to change the password
+on the first login.
+
+## Disable Intel Management Engine State Control
+Next step is to [Disable Intel Management Engine State Control](https://www.dell.com/support/article/de/de/debsdt1/sln295179/disable-intel-amt-intel-management-engine-state-control?lang=en).
+
+1. Choose *Intel ME General Settings* from menu
+1. Choose *Intel ME State Control* from menu
+1. Choose *Disable*
+1. Choose *Previous* from menu
+
+The machine will reboot now. You can still access INTEL AMT but if you
+enable it again it should use your password and not the default one.
+
+## Disable INTEL AMT in BIOS
+> **Attention:** Depending on the used INTEL AMT version you **can not**
+disable the Intel Management Engine State Control because then the password will be reset. If you don't
+see any entry to disable INTEL AMT, check if you have installed the latest BIOS version.
+
+Boot into BIOS and search for the *Intel AMT* entry and enter it.
+For Lenovo notebooks it's under the menu *Config*. Choose *Disable* and save BIOS settings.
+
+## Validate password protection
+Now it's time to check, if the password is reset if you enable it again. Go into BIOS and enable
+INTEL AMT, save changes and open INTEL AMT with *CTRL + P*. Enable it again, the machine will reboot.
+Go into INTEL AMT with *CTRL + P* and now you should not be able to login with password *admin*.
+Now start from scratch and disable it again.

bookdown.json

@@ -3,7 +3,8 @@
     "content": [
         {"intro": "README.md"},
         {"changelog": "CHANGELOG.md"},
-        {"guides": "book/guides/bookdown.json"}
+        {"guides": "book/guides/bookdown.json"},
+        {"security": "book/security/bookdown.json"}
     ],
     "theme": {
         "toc": {

composer.json

@@ -7,7 +7,7 @@
     "authors": [
         {
             "name": "Sandro Keil",
-            "email": "social@sandro-keil.de",
+            "email": "github@sandro-keil.de",
             "homepage": "https://sandro-keil.de"
         }
     ],
@@ -19,7 +19,10 @@
         "uefi",
         "arch-linux",
         "luks",
-        "lvm2"
+        "lvm2",
+        "security",
+        "intel amt",
+        "amd psp"
     ],
     "require": {
         "bookdown/bookdown": "^1.1.0",