Before continuing: this is for education and research purposes only. I do not promote any illegal behaviour by publishing this guide.
You have an old laptop or desktop and you want to turn it into a private server: very, very secure, and reachable by nobody but you. This is a complete walkthrough of how to set up a "bunker-server" on your own hardware.
The guide is split into three parts: Hardware Configuration, OS Setup and Post-install. Follow all three to end up with a proper "bunker-server". Again: I DO NOT PROMOTE ANY ILLEGAL BEHAVIOUR BY PUBLISHING THIS GUIDE. Use it for education and research purposes only.
What to expect after following this guide
1. OS & Security: minimal Linux, full-disk LUKS encryption, self-destruct mechanism (optional)
2. Network: Tailscale overlay, all public ingress blocked (zero public ports).
3. Anonymity: randomized username and hostname, all packet forwarding denied.
4. Delivery: white-box, audit-friendly, no backdoor.
Complete workflow: at boot, firmware Secure Boot verifies the signature on the Unified Kernel Image (UKI) before running it. The kernel and its initrd then ask the TPM to unseal the LUKS2 volume key. The TPM only releases the key if the measured boot state (the PCR values) matches the state that was sealed at enrollment, i.e. the firmware, the boot chain and the Secure Boot configuration have not been modified; if they match, the LUKS2 volume unlocks automatically, without a passphrase. Keep in mind that this needs a working TPM 2.0: Intel PTT and AMD fTPM are firmware TPMs implemented by the ME/CSME and the PSP respectively, so expect them to be gone once you disable those subsystems below. Plan for a discrete TPM, or for a passphrase fallback.
Know what hardware you have
Before touching the hardware configuration you need to know which platform you are on, because the steps differ.
For Intel(R) CPUs:
If your machine has an Intel(R) CPU, find out which generation it is, because that determines the ME version and therefore the method used to disable it. Check the CPU name and generation, then use the list below:
- Older Intel(R) CPUs:
  - Core 2 Duo and earlier (945, G31, G41, PM45, ... chipsets): ME 1.x to 5.x
  - 1st gen (Nehalem) to 5th gen (Broadwell): ME 6.x to 10.x
  - 6th and 7th gen (Skylake/Kaby Lake): ME 11.x
- Newer Intel(R) CPUs:
  - 8th gen (Coffee Lake) to 11th gen (Tiger Lake) and later: ME/CSME 12.x to 16.x
  - Apollo Lake, Gemini Lake and other Atom-class SoCs: TXE 3.0 or later
Which of these you have decides how the ME/CSME is turned off. For more information about ME/CSME, read here.
The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.
For AMD(R) CPUs:
If you have an AMD(R) CPU there is less to figure out: the PSP is handled the same way across generations and the relevant option lives in the BIOS. For more information about the AMD PSP, read here.
The AMD Platform Security Processor (PSP), officially known as AMD Secure Technology, is a trusted execution environment subsystem incorporated since about 2013 into AMD microprocessors. According to an AMD developer's guide, the subsystem is "responsible for creating, monitoring and maintaining the security environment" and "its functions include managing the boot process, initializing various security related mechanisms, and monitoring the system for any type of activity or events and implementing an appropriate response". Critics worry it can be used as a backdoor and is a security concern. AMD has denied requests to open source the code that runs on the PSP.
Configure your hardware
If you want a "bunker-server" that nobody else can connect to or manage, turn off the out-of-band management subsystem of your platform: the ME/CSME on Intel(R) and the PSP on AMD(R). Neither can be removed entirely (both take part in bringing the platform up), but they can be told to disable themselves after early boot. Follow the guide below:
For Intel(R) CPUs:
CAUTION: Dump the chip two or three times and compare the dumps (sha256sum or md5sum) before you modify anything. A mismatch means a bad read (poor clip contact, wrong voltage), not a usable image; a matching hash only tells you the reads are consistent, it does not tell you the firmware is good. Keep an untouched copy of the original dump somewhere safe so you can flash it back if the modified image does not boot.
Older series:
For the older Intel(R) CPUs, use me_cleaner by corna on GitHub. It works on a dump of the SPI flash chip, so you need an external SPI programmer; a CH341A with a SOIC8 clip is the usual cheap choice. Be aware that many cheap CH341A boards drive the data lines at 5 V, which is out of spec for 3.3 V flash chips, so check your board (or apply the well-known voltage fix) before clipping onto the chip. Once you have a verified dump, follow the tool's documentation: run python me_cleaner.py -S -O modified_image.bin original_dump.bin to strip the ME modules and set the disable bit, then flash modified_image.bin back.
ATTENTION: If your ME version is 11.x, check whether Boot Guard is enabled on your board. If it is, the BIOS region must not be modified or the machine will not boot; follow the HAP guide below instead.
Newer series:
Here you configure the image yourself. First, dump the firmware as described above, then download the Intel(R) Flash Image Tool (FIT) from this repo. Find out which CSME version your platform runs (the major version of the tools must match the firmware), download the matching CSME Tools package, and open CSME Tools v.x/Flash Image Tools/WIN32 or LINUX64 (depending on your work machine). Start FIT.exe (or fit), load the dumped image, navigate to Intel(R) ME Kernel → Intel(R) ME Alt Disable/HAP and change it from Disabled to Enabled; this HAP strap is what tells the CSME to halt itself after bring-up. The second setting, Flash Descriptor → Master Region Access Permissions, is separate from disabling the ME: giving CPU/BIOS read/write access to all regions unlocks the descriptor so that you can later read and reflash the chip from the running OS (for example with flashrom -p internal) without the external programmer. That convenience cuts both ways, since anything running as root could then reflash the firmware too, so decide whether you want it. Finally build the image (Build → Build Image) and flash the result back to your machine.
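Two things worth checking on the dump itself before and after either method: that your repeated dumps are bit-identical (the CAUTION above), and that the HAP bit actually ended up set in the flash descriptor. The following script is an added example, not code from this guide, from me_cleaner or from Intel FIT. It assumes a descriptor-mode image (Intel Flash Descriptor signature at offset 0x10) on an ME 11 or newer platform, where the HAP strap is bit 16 of PCHSTRP0, the bit me_cleaner -S sets on those platforms; the sample image it builds is constructed, not a real dump, and the file name fdcheck.py is hypothetical.

```python
"""Checks on a dumped SPI flash image, before and after me_cleaner / FIT.

Added example, not code from this guide, me_cleaner or Intel FIT. Assumptions:
a descriptor-mode image (Intel Flash Descriptor at offset 0x10) and an
ME >= 11 platform, where the HAP strap is bit 16 of PCHSTRP0 (the bit that
me_cleaner -S sets on those platforms). The sample image below is constructed.
"""
import hashlib
import struct

FD_SIGNATURE = b"\x5a\xa5\xf0\x0f"          # 0x0FF0A55A, little-endian
FD_SIGNATURE_OFFSET = 0x10
FLMAP_OFFSET = 0x14                           # FLMAP0 and FLMAP1 follow the signature
HAP_BIT = 1 << 16                             # PCHSTRP0 bit 16 on ME 11+ (assumption)
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "Platform Data")


def dumps_identical(images):
    """True iff every dump has the same SHA-256. Read the chip 2-3 times and only
    trust a dump that reproduces exactly: a clip with bad contact gives
    plausible-looking but corrupt reads."""
    digests = {hashlib.sha256(img).hexdigest() for img in images}
    return len(digests) == 1


def parse_descriptor(image):
    """Locate the flash regions and the PCH straps from the descriptor."""
    if image[FD_SIGNATURE_OFFSET:FD_SIGNATURE_OFFSET + 4] != FD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, FLMAP_OFFSET)
    frba = ((flmap0 >> 16) & 0xFF) << 4       # Flash Region Base Address
    fpsba = ((flmap1 >> 16) & 0xFF) << 4      # Flash PCH Strap Base Address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base > limit:                      # unused region (e.g. 0x00007FFF)
            continue
        regions[name] = (base, limit)
    (pchstrp0,) = struct.unpack_from("<I", image, fpsba)
    return {"frba": frba, "fpsba": fpsba, "regions": regions, "pchstrp0": pchstrp0}


def hap_bit_set(image):
    """Report whether the HAP strap is set: the check to run after me_cleaner/FIT."""
    return bool(parse_descriptor(image)["pchstrp0"] & HAP_BIT)


def set_hap_bit(image):
    """Return a copy with only the HAP strap set. Real tools (me_cleaner -S) also
    strip ME modules, so this shows the change, it does not replace them."""
    desc = parse_descriptor(image)
    out = bytearray(image)
    struct.pack_into("<I", out, desc["fpsba"], desc["pchstrp0"] | HAP_BIT)
    return bytes(out)


def build_sample_image(hap=False, size=8 * 1024 * 1024):
    """Constructed 8 MiB image with a minimal descriptor; not a real dump."""
    img = bytearray(b"\xFF" * size)
    img[FD_SIGNATURE_OFFSET:FD_SIGNATURE_OFFSET + 4] = FD_SIGNATURE
    frba, fpsba = 0x40, 0x100
    struct.pack_into("<II", img, FLMAP_OFFSET, (frba >> 4) << 16, (fpsba >> 4) << 16)
    layout = [(0x000000, 0x000FFF),           # Descriptor
              (0x500000, 0x7FFFFF),           # BIOS
              (0x003000, 0x4FFFFF),           # ME
              (0x001000, 0x002FFF),           # GbE
              None]                           # Platform Data: unused
    for i, span in enumerate(layout):
        if span is None:
            flreg = 0x00007FFF                # base > limit marks the region unused
        else:
            base, limit = span
            flreg = ((limit >> 12) << 16) | (base >> 12)
        struct.pack_into("<I", img, frba + 4 * i, flreg)
    struct.pack_into("<I", img, fpsba, HAP_BIT if hap else 0)
    return bytes(img)


def report(image):
    """Human-readable summary used by the command-line entry point."""
    desc = parse_descriptor(image)
    lines = ["HAP bit: %s" % ("SET" if desc["pchstrp0"] & HAP_BIT else "not set")]
    for name, (base, limit) in desc["regions"].items():
        lines.append("%-14s 0x%06x - 0x%06x" % (name, base, limit))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # python fdcheck.py dump1.bin dump2.bin ...
        images = [open(p, "rb").read() for p in sys.argv[1:]]
        print("dumps identical:", dumps_identical(images))
        print(report(images[0]))
    else:                                     # no files given: run on the sample
        sample = build_sample_image()
        print(report(sample))
        print(report(set_hap_bit(sample)))
```

Run it with all of your dumps as arguments: if "dumps identical" is False, re-seat the clip and dump again before doing anything else. After me_cleaner or FIT, run it on the modified image and expect "HAP bit: SET" with the ME region bounds unchanged; if the script cannot find the descriptor signature, the dump is not a descriptor-mode image and none of the above applies to it.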
For AMD(R) CPUs:
On AMD(R) the switch is in the BIOS setup. Open the BIOS, go to Advanced Mode and look for an option called AMD fTPM configuration, AMD PSP Support, or Advanced \ CPU Configuration (usually under the Boot or Security section); change AMD PSP Support from Enabled to Disabled, save and reboot. Be clear about what this does: the PSP runs before the x86 cores and is involved in loading the BIOS itself, so a BIOS option cannot stop it from running. What the option disables is what the PSP exposes to the OS, which varies by vendor but at minimum includes the fTPM. If the TPM-based auto-unlock from the workflow above matters to you, you need a discrete TPM or a passphrase instead.
Conclusion
After configuring your hardware you are ready for the next part, OS Setup. That one is a long and involved process, so follow me to get it when it comes out, and leave a comment or your opinion below; it is a great encouragement for me to write the next part of this guide. If you have a question or want to discuss something, feel free to leave a comment or send me a direct message on Discord, @ssdarealest.
Peace and love!
Alyosha.