An update on my anonymizer laptop

I've been home for some time but hadn't yet figured out my thoughts on the Acer C720 Chromebook that I was using as a less-than-insecure computing device.

31C3 was an absolute blast, but as my first CCC I had no real idea what to expect. In the end, I spent most of my time wandering around the Congress Center with my mouth agape at all the super cool things and absorbing the energy of the space. Didn't go to as many talks as I had thought, as I quickly decided to just watch the streams later at my leisure.

Today I'm writing this post from a fresh install. At some point something got broken with unclean shutdowns and the bootloader was trashed. I reinstalled ChromeOS and this time made boots a bit faster by setting SeaBIOS as the default bootloader instead of needing to hit Ctrl+L.

Flipping the security bits

To disable the default ChromeOS bootloader, I had to flip a few bits inside the chromebook's firmware. First, there is a hardware write-protect screw that needs to be removed. Pop open your chromebook and look for the screw labeled "7" in this picture:

Acer C720 guts

Next, close it up and you'll be starting from a vanilla OEM chromeos install:

  1. Turn it on
  2. Hold Esc+F3 (Refresh), then tap the power button
  3. Hit Ctrl-D to turn on developer mode at the white boot splash. There is no visible prompt to do so, just hit it.
  4. After developer mode is turned on, open a crosh tab from within chrome via Ctrl-Alt-T
  5. Get a bash shell with the shell command, and do a few things:
      $ sudo bash
      # flashrom --wp-disable
      # set_gbb_flags.sh 0x489
      # flashrom --wp-enable

That turns off software write protect, sets the DEFAULT_DEV_BOOT_LEGACY, FORCE_DEV_BOOT_LEGACY, and SCREEN_SHORT_DELAY flags in the firmware, and sets the write protect back on. Afterwards, open up your chromebook again and reinstall the write-protect screw. It should now be impossible to boot into ChromeOS, though one can now easily boot a USB drive and install Fedora.
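
To see exactly which bits a value such as 0x489 sets, or to audit a value read back from a device, the sketch below decodes a GBB flags word. It is an added example, not part of the original post or of ChromeOS tooling; the bit names follow vboot_reference's GBB flag definitions from the C720 era (an assumption for other firmware, which renames some of them), and the "boot policy" mask is this example's own classification. By those definitions 0x489 also sets bit 0x008, FORCE_DEV_SWITCH_ON, which the paragraph above does not list.

```shell
#!/bin/sh
# Added example (not from the original post): decode a GBB flags value.
# Bit values follow vboot_reference's GBB flag definitions of the C720 era;
# assumption: the firmware being audited uses the same layout and names.

gbb_flag_table() {
cat <<'EOF'
0x001 DEV_SCREEN_SHORT_DELAY
0x002 LOAD_OPTION_ROMS
0x004 ENABLE_ALTERNATE_OS
0x008 FORCE_DEV_SWITCH_ON
0x010 FORCE_DEV_BOOT_USB
0x020 DISABLE_FW_ROLLBACK_CHECK
0x040 ENTER_TRIGGERS_TONORM
0x080 FORCE_DEV_BOOT_LEGACY
0x100 FAFT_KEY_OVERIDE
0x200 DISABLE_EC_SOFTWARE_SYNC
0x400 DEFAULT_DEV_BOOT_LEGACY
0x800 DISABLE_PD_SOFTWARE_SYNC
EOF
}

# Print one flag name per line for every bit set in $1 (hex or decimal).
# Bits outside the table are reported as a single UNKNOWN_0x... line.
decode_gbb_flags() {
    value=$(( $1 ))
    gbb_flag_table | while read -r mask name; do
        if [ $(( value & $mask )) -ne 0 ]; then echo "$name"; fi
    done
    unknown=$(( value & ~0xFFF ))
    if [ "$unknown" -ne 0 ]; then printf 'UNKNOWN_0x%x\n' "$unknown"; fi
}

# This example's own classification (not a vboot term): bits that force
# developer mode on or change what the firmware is willing to boot.
BOOT_POLICY_MASK=$(( 0x008 | 0x010 | 0x020 | 0x080 | 0x400 ))

# Succeeds (exit 0) when $1 has any boot-policy bit set.
overrides_boot_policy() {
    [ $(( $1 & BOOT_POLICY_MASK )) -ne 0 ]
}

# The value used in the post:
decode_gbb_flags 0x489
```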

Minor Polish

Since starting to use it, I noticed a few rough spots with my setup:

  • The chromebook wouldn't return from suspend, meaning closing the lid or tapping the power button was Not Very Fun.
  • The tor project recommends using their own RPM repos which are often more up to date than the official fedora ones
  • I don't have a really easy way to add new ssh keys or revoke old ones on my bastion host
  • It was a pain to manually type all those commands in again
  • Lots of steps involved to recover from an OEM chromeos install

To solve these problems, I've started working towards an end goal of being able to install a pervasive tor fedora setup through a live USB installer. That is to say, one should only need to enable developer mode on a chromebook, reboot from a USB drive, and be private on a nearly disposable device.

The first step is this repository, which contains an ansible playbook to configure a running fedora system to have pervasive tor:

tdfischer/fedora-anonymized

It has a reasonably descriptive README that should get you started.

In the meantime, I'm trying to force myself to use my chromebook as an everyday computing device due to its lightness and portability. I'm curious to see if a habit develops out of it or if I'll want to go back to an overpowered thinkpad.