Say you were an activist and wanted to ensure a secure boot, secure firmware, and secure everything, or say you were an agent wanting to intercept a delivery and hack the shit out of it because no one is there to tell you not to, what would be the way to identify this?
If you receive all the parts, which would be compromised? How would you undo that hack? Can firmware be re-flashed by the consumer?
If your threat model is that high, you would have to go through some extreme measures to try to feel some sense of security.
With a high enough threat model, you simply cannot be secure with modern computers. How about discussing more reasonable threat models? The first step in something like this is creating a real and reasonable threat model for yourself. Honestly assessing how many resources, in money, time and manpower, someone would spend on you. What are you really worth to them?
You would treat it like an explosive threat, that your life depends on it. Don’t approach it, ditch it.
You don’t know what you don’t know. And that includes the threat actors’ ability to manipulate the object / laptop. It could be beyond your skill to identify the modification, and beyond your ability to remediate it.
Get another unit and modify your supply chain / logistic process.
If someone is willing to monitor and intercept a hardware delivery to compromise you, you have bigger worries than getting a computer delivered. Enthusiast security is a really cool field, but it has to be grounded in a reasonable threat model. Much more immediate is post-boot data aggregation, especially what we do online.
Modern privacy OSes actually do have compartmentalization and hardware trust levels. Qubes for certain would be worthwhile researching if you’re worried about hardware compromise.
Thanks all for the replies. I'll move my line of questioning to more security-focused forums. But it would be cool to know what to look for if a computer was tampered with!
I.e., how to dump and checksum a firmware on arrival, and/or wipe it clean. (I’ll read the docs!). And to compare a board with photos of what it should arrive like. Perhaps Frame.work supplies those photos.
I think everyone should concern themselves with endpoint security as much as they possibly can. Journalists & activists especially.
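On the "dump and checksum a firmware on arrival" question, the following is an added example, not part of the thread and not Framework's tooling. It assumes you already have two raw flash dumps of equal size (for instance one from the delivered unit and one from a reference unit, read with a tool such as flashrom) and shows why a single whole-image hash is too brittle: the firmware's own variable store changes legitimately, so the comparison is done per block and known-volatile regions are excluded. The block size, region offsets and sample images are constructed placeholders.

```python
import hashlib

BLOCK = 4096  # assumption: 4 KiB, a common SPI flash erase-sector size


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_ranges(a: bytes, b: bytes, block: int = BLOCK):
    """Return merged (start, end) byte ranges in which the two dumps differ."""
    if len(a) != len(b):
        raise ValueError("dumps differ in size: different flash part or bad read")
    ranges = []
    for off in range(0, len(a), block):
        if sha256_hex(a[off:off + block]) != sha256_hex(b[off:off + block]):
            if ranges and ranges[-1][1] == off:
                ranges[-1][1] = off + block      # extend the adjacent range
            else:
                ranges.append([off, off + block])
    return [(s, min(e, len(a))) for s, e in ranges]


def unexpected_ranges(diffs, volatile):
    """Drop differences lying wholly inside regions that are expected to change."""
    return [(s, e) for s, e in diffs
            if not any(vs <= s and e <= ve for vs, ve in volatile)]


def build_sample():
    """Constructed 64 KiB images standing in for real dumps."""
    ref = bytearray(b"\xff" * 0x10000)
    ref[0x0000:0x1000] = b"C" * 0x1000   # stand-in for static firmware code
    ref[0x8000:0xA000] = b"N" * 0x2000   # stand-in for the variable store
    got = bytearray(ref)
    got[0x8010:0x8020] = b"n" * 16       # benign: a setting was written
    got[0x0800] ^= 0x01                  # one flipped bit in the static area
    return bytes(ref), bytes(got)


# Hypothetical layout: the real offsets come from the platform's flash map.
VOLATILE = [(0x8000, 0xA000)]

if __name__ == "__main__":
    ref, got = build_sample()
    print("whole-image hash matches:", sha256_hex(ref) == sha256_hex(got))
    for s, e in unexpected_ranges(differing_ranges(ref, got), VOLATILE):
        print(f"unexpected change in 0x{s:06x}-0x{e:06x}")
```

A clean result only says the readable flash contents match the reference; it says nothing about other components on the board or about a reference that was itself altered.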