If you really want to make sure that nobody spies on you, first you have to ensure that each subsystem of your computing device is controlled by you. If there is a possible weakness in even one subsystem, such as the Intel Management Engine, which allows an attacker to completely undermine any userland/kernel security mechanism, your complete chain of trust is broken. You need security on all layers:
- The applications running on your operating systems
- Your operating system and device drivers
- Device firmware, such as processor microcode and management software
- Your devices: the logical design of the circuits in all the chips
Beginning from the ground up:
You are pretty much dependent on the goodwill of Intel/AMD/IBM/ARM if you want to operate a computing device which is able to run demanding applications. It is very much possible for a chip manufacturer to hide backdoors in a chip's design, for example by storing all the data associated with hardwired cryptographic operations and transmitting it via the network interface to a web service. Even if there is no intended weakness in the design of a chip, the Intel Management Engine is very much exploitable, as recently proven.
Manufacturing microchips is expensive; you cannot do it by yourself without spending large amounts of money on photo-lithographic tools or contracting a provider to assemble your chips. This option is most likely out of the question. If you lower your expectations in terms of computational power, you could however build a 16-bit computer on your own using XOR, AND, OR, NAND, NOR, ADD, ... gates (in theory, you only need NAND). You would have to think about everything essential on your own: memory management, pipelining, cache, instruction set, ... It is an enormous task but very much possible (https://www.youtube.com/watch?v=0jRgpTp8pR8), to the point of even compiling Minix on top of it. You would know every component of your device and could be certain that there are no hidden mechanics in the hardware. To run it properly, you would however need an operating system. You can either develop it from scratch or, more conveniently, adapt a compiler (for example a small one like TCC or LCC) to generate code for your computer's instruction set and compile your operating system.
Still, there are a few more convenient options to build your own chip. You could also utilize the flexibility of an FPGA. You would still design your own architecture (or use a prebuilt one from https://opencores.org/), but you don't have to braze all those circuits and wires together. You would describe the chip's functionality on a regular computer using either schematics or, more conveniently, a hardware description language such as VHDL. You could use the ZET x86 implementation and try to compile tinylinux or Minix for it.
Let's say you trust the hardware's integrity, but not the firmware. Then you have the option to use free firmware implementations such as Libreboot or the Talos (no, not the Elder Scrolls god) IBM PowerPC computer. You would know the firmware running on your device and could compile your operating system to run on it. Indeed, it would not make much sense to go through all the hassle of getting open hardware just to run a closed source operating system on it. It's like tuning your car's engine only to drive in first gear. If your hardware is completely under your control and you can trust its integrity, only to run Windows on it, you would gain nothing in return. The huge majority of exploits is hidden above the firmware level. Thus you really would want to use a free operating system such as Linux.
Once you have ensured that your device, firmware and operating system can be trusted, you can actually go ahead and build up your userspace.
So an optimal setup would be something like:
- Your own chip implementation
- Your own operating system (with publicly proven cryptographic methods like AES in its API)
- Your own applications
Requiring a good part of your lifetime to construct.
A reasonable setup would be something like:
- An Intel/AMD chip running open source firmware
- An open source operating system such as Linux
- A bunch of open source applications such as OpenVPN, SELinux, Chromium or Firefox, ... and of course OpenMW
And all of this does not guarantee that nobody could break into your system, only that your system has no integrated weaknesses (assuming you trust the Linux kernel if you use it). Although knowing all of this, I am the worst kind of security adviser, running a closed up operating system, with closed up drivers and firmware and a design-wise convoluted x64 processor with Intel Management Inside.