ThinkPad T500

Debian Linux SSH fileserver with Disk Encryption, running a fully open-source BIOS firmware

Reasoning behind the hardware

The quad-core CPU upgrade

By default, the T500 came with a dual-core CPU. Back in 2008 this was considered a top shelf business computer, and dual-core was sufficient for most (portable) needs. The GM45 chipset however technically could handle a quad-core CPU with some serious hardware and software hacks. The Intel Core 2 Quad QX9300 seen below was chosen for this. It is essentially 2 dual-core CPU die's in one package.

The hardware mod

The software mod

After the hardware mods, the computer will not POST (power-on self-test) with the default BIOS from Lenovo. Coreboot (the open-source BIOS) must be compiled for the GM45 chipset, with a hardcoded maxcpu=4 flag. The custom BIOS must then be flashed onto the CMOS chip (either externally via hardware or internally via software). Internal flashing can be done if the computer is already running a custom BIOS, and Linux has been booted with the iomem=relaxed kernel parameter giving the kernel read/write access to the CMOS chip on the motherboard.

iomem=relaxed kernel parameter

Internally flashing Libreboot onto the CMOS chip using the "flashrom" Linux utility

Libreboot

Libreboot is a distribution of Coreboot made specifically for computers that are able to run a 100% open-source BIOS firmware. Coreboot supports even bleeding-edge platforms, however they usually have some sort of proprietary firmware blob which cannot be audited or managed, whereas Libreboot only supports computers that can run on100% open-source firmware. This gives these computers a massive security advantage due to the fact that the firmware code can be audited and modified if needed.



Payloads

Libreboot (being a Coreboot distribution) also allows freely selecting and changing "payloads". A Coreboot payload is the program that runs immediately after hardware initialization.
By default, Libreboot comes with 3 payloads:

GRUB bootloader

SeaBIOS

Memtest86+


GRUB

It's great having GRUB built into the BIOS. Normally, an operating system has to install its own bootloader onto the Master Boot Record, or leave .efi files in a FAT filesystem for the BIOS/UEFI to boot. In this case, an operating system can be installed even without a bootloader. GRUB on Libreboot has an automatic script which will search for an OS to boot.

GRUB also comes with GRUB Rescue, a command prompt that is an absolute lifesaver for an unbootable system. GRUB Rescue be used to boot any kernel installed on the computer, boot in different runlevels, specify kernel parameters, and can work with many filesystems (including encrypted filesystems such as LUKS and LUKS2). 


SeaBIOS

This is a BIOS implementation (also used in virtualization software such as qemu). Unix-based systems such as Linux, BSD, MacOS can be booted directly via GRUB, however Windows cannot boot this way. SeaBIOS emulates normal BIOS system calls, which is necessary for Windows.
Normally with Coreboot + Linux, the firmware will pass a devicetree of hardware, and the kernel can directly communicate with the hardware. Windows, on the other hand, communicates with hardware using the ACPI interface and by issuing BIOS calls. It is therefore necessary to emulate a traditional BIOS via SeaBIOS when booting Windows on a computer with Coreboot/Libreboot.

The Libreboot main screen running GRUB

SeaBIOS menu

The aforementioned GRUB Rescue prompt

As a bonus, Libreboot also comes with Memtest86+ by default. It is convenient having this baked into the firmware and stored on the motherboard, rather than having to install it onto storage or booting from a flash drive.


Debian GNU/Linux

Finally, lets talk about the OS. Debian is arguably the most stable and secure Linux distribution, making it an excellent choice for servers. This instance of Debian 12 is installed with an encrypted /home partition containing the files. Luckily, Libreboot can unlock LUKS2 partitions, so it is possible to have a truly 100% fully-encrypted disk, although for the purposes of manipulating partitions without having to use LVM (Logical Volume Management)  I chose to only encrypt the files in /home

The kernel during bootup asking for a password to unlock the encrypted partition immediately after hardware initialization

After entering the password, the kernel executes systemd (the system daemon used by Debian) as normal

The system boots into a TTY console after systemd launches all necessary background processes. Logging-in is not necessary for the fileserver to launch because systemd started the SSH daemon which is used for hosting files.

If a desktop environment is necessary, a systemd command can be issued to launch the default desktop environment:
sudo systemctl isolate graphical.target

Hosting files via SSH (with End-to-End Encryption)

The SSH protocol is (in my opinion) the most secure way for computers to communicate over the internet. I use it for regular remote administration, but also for file transfers, live audio transfer, and even as a HTTP SOCKS proxy. SSH uses locally generated public & private keys to establish an initial connection. After this, it will determine the best symmetric encryption method that both computers support, and generate a key single use key for that session.

For file transfer, a program called SSHFS can be used. which will mount a remote filesystem locally. It is launched using the following command

sshfs $IPHOME:/home/nick ~/SSHFS -p $PORT $@

where

Debian using only 184 MB of RAM in total  to run the fileserver