HACKER Q&A
📣 chatmasta

Can I safely run a made-in-China Single Board Computer as my firewall?


I want to run a single board computer as my firewall (Internet -> Modem -> SBC -> Router). I bought a Nano Pi R4S because its hardware specs seem perfect for this use case. By default it runs on an insecure fork of OpenWRT called FriendlyWRT, but it's possible to run OpenWRT mainline on it, as well as DietPi.

Assuming I successfully flash a mainline kernel onto the device, how can I trust it's still not doing something nefarious? Is it possible to "secure boot" without a trusted compute module? Or at the very least, can I verify the running kernel is the one I expect to be running?

Some other ideas I had:

- Buy a device that isn't made in China. Unfortunately the options are slim, if I want a passively-cooled dual gigabit device with multiple cores and a few GB of RAM. But there are some appealing options, like the H3+ from ODROID (South Korea) and STAR64 from Pine64 (which is RISC-V and also out-of-stock). I also considered some rootable MikroTik devices (Europe), but they don't seem powerful enough to run WireGuard efficiently.

- Monitor outgoing traffic from the SBC by adding a switch between it and the modem, with port mirroring to a monitoring device. This wouldn't eliminate risk but it would at least give me some peace of mind.

Is anyone running a setup like this? How do you stay secure?

It's crazy how hard it is to find a dual-NIC, passively cooled single board computer that's manufactured in a trustworthy country. There are some options that look appealing at first glance, like Orange Pi, Banana Pi, VisionFive2... but when you look more closely, things are so sketchy; there are three different Orange Pi websites, one at .org, .net and .com... all with different links in their footer! Even VisionFive2 is "open hardware," but the first step is downloading some blob from Baidu drive.
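On the question of verifying that the flashed kernel is the one you expect: a check run from inside the SBC (`uname -r`, hashing `/boot` from its own shell) is only as trustworthy as the software answering, so the useful version of the check runs on a separate machine against the SD card itself. The script below is an added example, not code from the post or from any of the projects mentioned. It assumes the card's boot partition is mounted read-only on a trusted workstation, and that you have a `sha256sum`-style manifest for the files you flashed, either from the image you built yourself or from the checksum file published with the image. Files present on the card but absent from the manifest are reported too, since an extra kernel, overlay or startup script is exactly what you want to notice. The `demo()` function builds a constructed boot tree in a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 20  # hash 1 MiB at a time so a full image does not need to fit in RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines: '<64 hex chars>  <relative path>'.
    A leading '*' on the name (sha256sum's binary-mode marker) is dropped."""
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        expected[name] = digest
    return expected


def verify_tree(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every file under root with the manifest and sort each into
    ok / mismatch / missing (in manifest, not on disk) / unexpected (on disk,
    not in manifest)."""
    report: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    on_disk = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for name in sorted(manifest):
        if name not in on_disk:
            report["missing"].append(name)
        elif sha256_file(on_disk[name]) == manifest[name]:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    report["unexpected"] = sorted(set(on_disk) - set(manifest))
    return report


def is_clean(report: Dict[str, List[str]]) -> bool:
    return not (report["mismatch"] or report["missing"] or report["unexpected"])


def demo() -> Dict[str, List[str]]:
    """Constructed boot partition: one good file, one altered, one missing, one extra.
    The hashes here are placeholders, not values from any real image."""
    root = Path(tempfile.mkdtemp(prefix="sbc-boot-"))
    (root / "Image").write_bytes(b"constructed kernel image bytes")
    (root / "dtb").mkdir()
    (root / "dtb" / "board.dtb").write_bytes(b"constructed dtb, altered after flashing")
    (root / "extra-startup.sh").write_bytes(b"# constructed: not part of the image\n")
    manifest = parse_manifest(
        f"{hashlib.sha256(b'constructed kernel image bytes').hexdigest()}  Image\n"
        f"{'0' * 64}  dtb/board.dtb\n"
        f"{'1' * 64} *uEnv.txt\n"
    )
    return verify_tree(root, manifest)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: verify_boot.py <mounted boot partition> <sha256sums file>
        rep = verify_tree(Path(sys.argv[1]), parse_manifest(Path(sys.argv[2]).read_text()))
    else:
        rep = demo()
    for key, names in rep.items():
        print(f"{key:10s} {len(names):3d}  {' '.join(names)}")
    sys.exit(0 if is_clean(rep) else 1)
```

This verifies the files you flashed, not the SoC's boot ROM or the firmware stages that run before them; without a hardware root of trust on the board, that part of the chain stays outside what you can check from the card.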

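For the port-mirroring idea, the practical difficulty is that in an Internet -> Modem -> SBC -> Router topology everything leaving the WAN port carries the SBC's address, so the firewall's own egress is hard to tell apart from forwarded traffic. One way round that, shown in this added example (not code from the post or from any project mentioned), is to capture with the LAN side unplugged, so every flow seen on the mirror port is one the SBC initiated, and then compare those flows against an allow-list of the few destinations the firewall should ever contact on its own behalf (NTP, upstream DNS, package mirror). The flow-line format, the addresses in `ALLOWED` and the sample capture in `SAMPLE` are all constructed placeholders (TEST-NET ranges), not real servers.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed one-line flow summary format, assumed to be produced by your
# capture tool from the mirror port: "<ts> <src_ip> -> <dst_ip>:<port>/<proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[0-9a-fA-F:.]+)\s+->\s+"
    r"(?P<dst>[0-9a-fA-F:.]+):(?P<port>\d{1,5})/(?P<proto>[a-z]+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    port: int
    proto: str


def parse_flow(line: str) -> Flow:
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised flow line: {line!r}")
    return Flow(m["ts"], m["src"], m["dst"], int(m["port"]), m["proto"])


# Placeholder allow-list: the only destinations this firewall should reach on
# its own behalf. Replace with the servers your own configuration points at.
ALLOWED = [
    (ipaddress.ip_network("192.0.2.0/24"), 123, "udp"),     # NTP servers (placeholder)
    (ipaddress.ip_network("198.51.100.53/32"), 53, "udp"),  # upstream resolver (placeholder)
    (ipaddress.ip_network("203.0.113.0/24"), 443, "tcp"),   # package mirror (placeholder)
]


def is_allowed(flow: Flow, allowed=ALLOWED) -> bool:
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net and flow.port == port and flow.proto == proto
               for net, port, proto in allowed)


def audit(lines: Iterable[str], allowed=ALLOWED) -> Tuple[List[Flow], List[str]]:
    """Return (flows outside the allow-list, lines that could not be parsed).
    Unparsable lines are reported rather than dropped, so a change in the
    capture tool's output format cannot silently blind the check."""
    flagged: List[Flow] = []
    bad: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        try:
            flow = parse_flow(line)
        except ValueError:
            bad.append(line)
            continue
        if not is_allowed(flow, allowed):
            flagged.append(flow)
    return flagged, bad


# Constructed sample capture: SBC WAN address 198.51.100.10, LAN unplugged.
SAMPLE = """\
2024-05-01T03:00:01Z 198.51.100.10 -> 192.0.2.7:123/udp
2024-05-01T03:00:02Z 198.51.100.10 -> 198.51.100.53:53/udp
2024-05-01T03:00:03Z 198.51.100.10 -> 203.0.113.200:443/tcp
2024-05-01T03:00:04Z 198.51.100.10 -> 198.51.100.77:443/tcp
2024-05-01T03:00:05Z 198.51.100.10 -> 192.0.2.7:53/udp
garbage line from a changed capture format
"""

if __name__ == "__main__":
    flagged, bad = audit(SAMPLE.splitlines())
    for f in flagged:
        print(f"OUTSIDE ALLOW-LIST: {f.ts} {f.src} -> {f.dst}:{f.port}/{f.proto}")
    for line in bad:
        print(f"UNPARSED: {line}")
```

On the sample, the HTTPS flow to a host outside the mirror range and the DNS query sent to an NTP server address are the two lines reported; both are the kind of thing the allow-list exists to surface. The check only sees traffic the SBC actually sends while you are watching, which is the limit the original poster already acknowledges: it reduces risk rather than eliminating it.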

  👤 LinuxBender Accepted Answer ✓
> passively cooled single board computer that's manufactured in a trustworthy country.

Not cheap but I use Protectli firewalls [1]. They have the option to be reloaded with either the Coreboot or AMI firmware. They have 2 to 6 NICs depending on the model. They are passively cooled but have fast processors so that people can run VPNs at wire speed. They are basically a mini-PC optimized to be used as firewalls and network-to-network VPNs. The NICs are Intel.

[1] - https://protectli.com/solutions/firewall/


👤 snvzz
> and STAR64 from Pine64 (which is RISC-V and also out-of-stock).

I wholeheartedly understand your interest in using the industry standard RISC-V rather than a legacy ISA.

But, why not VisionFive2, which uses the same SoC, has been available for longer, and is in stock?

Otherwise, if you are not in a hurry, there's LM4A[0], with a router form factor option.

0. https://sipeed.com/licheepi4a


👤 Throwawayhahzoh
Maybe something from https://www.pcengines.ch/ in Switzerland? Made in Taiwan for what that's worth, using AMD embedded CPUs.

👤 B5C8ECB24DB47D1
You can have a look at Olimex boards, open hardware with upstream kernel support designed in Bulgaria.

https://www.olimex.com/


👤 boulanger75
Raspberry Pi made in Great Britain

👤 aborsy
Look into models reviewed in Project TinyMiniMicro from ServeTheHome on YouTube.

Is there credible evidence that products from China are not safe?

If anything, they are under scrutiny at this point.