I’d never heard of the glitter nail polish, so I looked it up. It would appear that it is possible to defeat, though extremely difficult and tedious to do so, and was done in 2018. Basically by separating the polish and substrate material using a combo of heat and chemicals, then gluing it back on with clear nail polish in the same orientation.

Again, crazy difficult, but you could also just epoxy the case shut.

I’m kinda familiar with that rabbit hole :P . Though, I didn’t quite consider your 3rd and 4th methods. So kudos to you for that!

While writing up a draft, I actually stumbled upon an (unfinished) article that goes over this subject in way more depth than I could.

Though, the author doesn’t mention NovaCustom that intends to combine Boot Guard, Heads and QubesOS certification on their devices.

Nothing is perfect. Your goal is to make attacks expensive as shit. Like ideally requiring dozens of hours of electron microscope time to pull off.

You can do a lot to that end though.

Use a mostly read only OS if you can, if you’re enterprising, a custom yocto build with most of the rootfs read only, otherwise a statically defined system like nix that can be readily deleted and rebuilt in minutes. There are configs out there for deleting root on every bootup and having the system automatically repopulate the filesystem. Enable secure boot if you can, it’s frankly your best line of defense. Any of these options are sufficiently weird that designing exploits for them would be a suffer fest.

Forget nail polish, fill screw holes with RTV and if you’re enterprising, the USB ports. At that point you can still get into the system but it’ll be obvious that someone scraped the shit out. You can simply swap the ports for fresh ones with a solder job if needed. If you don’t need this, use epoxy, get some all over the case seam. For the charging port, if it’s USB C PD, I’d need to reread the spec but you should be able to cut D-/D+ and the SS lines with an exacto blade right next to the connector and still be able to charge, just don’t hit the VCC, GND, and CC lines.

Finally, make a kwikset key trap and use it as either a lockbox lock for your stuff or the lock to your house. Kwikset should lull people into a false sense of insecurity but if they try to pick it they’ll suddenly be in a situation where they either need to go overt or somehow replace your lock before you get back. Keep things weird, your goal is to get an adversary, even one with infinite resources, to make ridiculous mistakes.

Is this all really a concern for people with lower threat models? It seams like a lot of effort for a pretty low risk. Although i don’t know how common it is to get your devices tampered with.

Just for reference: the nail polish is supposed to create a random, near-impossible to replicate pattern using the metal flakes inside that get randomly distributed during application. You’re supposed to take a picture of the blob after it has dried and keep that at home for comparison - the nail polish is not a miracle replacement for e. g. Loctite that will make it impossible to undo the screws.

But an adversary could easily use a bad usb when they have physical access to the computer and glitter nail polish doesn’t detect that. I guess that this is why nail polish isn’t sufficient on its own and why we need also either trenchboor or Heads.

it would be interesting to know how much does usbguard protect against this. of course you also need to do something to limit booting from usb, but how effective is usbguard in practice?
what is the risk of sticks that tries to compromise the machine through kernel driver vulnerabilities?
is it possible that it compromises some other firmware on the machine (like the EC in laptops)?
or that it takes advantage of some hardware design failure?

Personally I’ve only heard about Heads so far, but I think this is an interesting topic. Could you give us a short explanation about why is SRTM not enough, and what is a better way?