We are proud to announce that we will be attending and sponsoring the Free Software Foundation’s flagship conference, LibrePlanet, at the MIT this week-end on March 24-25th.
We will also be manning a booth there, where you can try out our Librem laptops and see one of our i.MX 6 phone prototype development boards for the Librem 5. Come and say hi! We’ll be happy to meet old friends and new Free Software enthusiasts, veterans and newcomers, and to answer any questions attendees may have for us.
Ask Todd Anything online
Todd Weaver, founder and CEO of Purism, will be doing a Reddit Ask Me Anything (AMA) session on March 28th at 17h00 UTC (10h00 PDT / 13h00 EDT). You can already see him scheduled in the sidebar on the right of https://reddit.com/r/IAmA/. In true Reddit tradition, he is using the picture below to authenticate into Reddit:
As many of you know, the Librem 5 phone will work with two options for your desktop environment, a GNOME based phone shell and Plasma Mobile. Working closely with the KDE community, we were able to install, run, and even see mobile network provider service on Plasma Mobile! The purpose of this article is to show the progress that has been made with Plasma Mobile on the current Librem 5 development board. Here, the setup steps and overcome challenges are highlighted.
The i.MX 6 board started off running PureOS (which, as you may know, is based on Debian testing) with a running Weston environment. Several KDE and Qt packages were needed for the Plasma Mobile environment and a few packages were not available within PureOS so needed to be built: plasma-phone-components, kpeople-vcard, and plasma-settings. For a complete list of technical steps on how Plasma Mobile was setup on the dev board, see https://developer.puri.sm/PlasmaMobile.html.
Once all of the necessary pieces were in place, running Plasma Mobile was as simple as a single command:
$ kwin_wayland --drm plasma-phone
Overcome Challenge #1: The Evil Display Issue
That is when we discovered that the desktop just wasn’t rendering properly. The prototype phone screen looked like an old TV in-between channels. Also sometimes a KDE wallet pop-up window would appear as well (seen in the picture below).
So troubleshooting hats were donned and gdb dusted off. It was discovered that if the export QT_QPA_PLATFORM=wayland line is commented out of the plasma-phone script, then our display issue went away! But the QT_QPA_PLATFORM variable is needed to set the platform to be Wayland. So then the question became, “why is the graphics driver, etnaviv, not working in Wayland mode?”
It turns out that the missing piece was that the zwp_linux_dmabuf protocol was not yet supported in Plasma. For more information on why zwp_linux_dmabuf is needed for Etnaviv driver, check out this announcement.
There already was an upstream bug report tracking the issue, with patches to kwin and kwayland. Thanks to Fredrik Höglund for his work done on zwp_linux_dmabuf.
We incorporated upstream’s patches into our development build of kwin and kwayland and voilà! We were now able to export the QT_QPA_PLATFORM variable and see a beautiful Plasma display!
Overcome Challenge #2: The Invisible Mouse
It was obvious that the keyboard worked, because it was possible to type the password to log back in from the blue lock screen. The mouse, however, seemed to be nowhere in sight. However, by moving the mouse around (assuming it’s there and just not visible) and clicking, we saw that it was possible to open applications but only by accidentally clicking the right thing.
The issue here is that if the DRM driver doesn’t provide the cursor plane. There is an outstanding bug report on this issue.
In the meantime however, we can work around this by holding Ctrl+Super keys to draw a rotating circle around the mouse cursor position, as you can see in the video below:
This is good enough for our current needs, since ultimately we will receive the missing touch adapter hardware for the dev screen and we would no longer need to use of a traditional mouse pointer.
Overcome Challenge #3: Mobile Network Provider Service
Naturally, the next challenge we attempted was to make a phone call. First, the SIM card needs to be recognized, and the provider information retrieved from the modem. This required additional packages, some of which needed to be built from source. To actually get the Sierra Wireless MC7455 to recognize the SIM card, a PIN needed to be sent, modem brought online, and antennas attached. Then, when Plasma Mobile started, we were able to see the mobile network provider signal strength in the top left corner!
Due to the modem we currently have installed on our i.MX 6 board, phone calls are not supported so we could not fully test that part yet. But don’t worry, the Librem 5 will have a modem capable of actually placing phone calls 😉
One step closer and 9,000 kilometers across
Together with the community, Purism is making progress on the road to supporting Plasma Mobile on the Librem 5. There is still more effort needed and this collaboration with the Plasma community will be working towards the successful deployment of Plasma Mobile on the Librem 5.
From 27th of February to 1st of March, Todd and Nicole visited the Embedded World electronics supplier trade show in Nürnberg (Germany) to meet with potential parts suppliers, especially with representatives from NXP and distributor EBV Elektronik. Furthermore, we had productive meetings with suppliers for WiFi, BlueTooth, and sensors, and also talked to a number of board makers and designers.
This visit and the talks prepared us well for our next trip, this time to Shenzhen, the silicon delta of China. We have made appointments with a number of suppliers that are interested in cooperating with us on the Librem 5 phone project as well as on other hardware projects. We will have an extensive two week meeting marathon in order to narrow down the choice and pinpoint the best suppliers for our project.
Purism’s long-term goal has always been to make computers that are as convenient as they are respectful to the people that use them. The Librem products are an ethical platform and therefore should not be discriminating anyone; instead, they are meant to be inclusive of all human beings. In other words, everyone should find in their Librem a convenient and secure platform for their daily usage, and therefore accessibility should also be an important part of our ethical design roadmap.
We are aware that the road is long and that the Librem 5 is a challenging project, so we need some design foundations that favor convenience as much as it can lighten the development effort to get there.
Apps on existing platforms compete for your attention
With today’s smartphones, you usually get a minimal set of functionalities out of the box and go through installing diverse applications for your different needs. Usually those applications are proprietary and are designed around their own unethical business model; hence they compete against each other for your attention and have their own set of features to be used within the scope of the application only.
This can lead to a lot of redundancy and confusion in terms of functionality. A particularly blatant case is communication applications, where we see each application handling their own contacts logic, their own locked down and isolated protocol, and where a ton of applications will implement the same things for the same purpose (making calls and sending messages), with the focus typically being the flashiest application to attract and retain the most users. Let’s illustrate how ridiculous this is, conceptually:
Envisioning a harmonious app ecosystem
In the real, natural world, sustainable ecosystems are made of biological entities interacting together in harmony or symbiosis. This is what makes life possible over the long term.
The digital world of Free/Libre & open-source software, particularly in operating systems, is highly similar to the natural ecosystem. In this world, there is no such thing as isolating off or protecting a technology if you want to be part of the system. Business models and interests are completely different from the world of proprietary software. Best practices favor reuse and integration, improving user experience, reducing technical debt, increasing software quality and lowering development costs, with a “collaborative” system where different applications from different authors are made to work together.
The Purpose is the Feature
The idea behind the PureOS design guidelines is to replace the concept of standalone, independent and feature-competing applications with a concept of small, single-purpose, cross-integrated applications—that would interact between each other to provide a unified experience across the device (and beyond). Those small applications can be seen as “features” of the system. 1 purpose = 1 feature.
Therefore, the Human Interface Guidelines’ main principles regarding “features” development would be :
Don’t see applications as independent programs but as “features” that have a single purpose and that interact with each other.
One “feature” application is guarantor of the security of the data flow going through it. Only make your “feature” application share data with “trusted” features or networks and in a secure way.
Make a “feature” application focused on one single purpose (an email client is not an address book nor a calendar)
Make your “feature” application rely on existing features (an email client should rely on the existing address book and the existing calendar “features”)
Avoid redundancy. Don’t try to reinvent existing applications. Improve them instead.
Setup your “feature” application by default. Make it work out of the box.
On the user’s side, the features of the device are easy to spot as they are made available through single-purpose applications displaying an obvious name. For example, the “Call” application is made to make calls, no matter the technology used behind that (e.g. Matrix, phone, voip). The “Messaging” application is used to send instant messages, no matter the technology used behind that (e.g. Matrix, SMS, XMPP). The “Contacts” application is used to manipulate and store the contacts information to be used by the “Call” and “Messaging” applications.
On the developer’s side, applications are as simple as they can be, the use cases are limited, all the logic that is not related to the main purpose of the application is delegated to other programs, which makes the application easier to design, implement and maintain.
Data belongs to the user, not the application
In this collaborative application system, where applications can interact with each other in harmony, data is not limited to the application’s logic anymore. Applications are acting as services, or “data providers”, to each other. Data can flow from one application to the other, from one device to another, from one network to another.
This concept implies the separation between data and functionality where the data belongs to the user only. The application that manipulates it is guarantor of its integrity and security.
Please note: these are guidelines, representing an overall vision. Guidelines are there simply as a way to guide application design, and to suggest best practices for application developers in general. Given that a GNU+Linux distribution like PureOS is an open platform where thousands of applications are available independently (as long as they are freedom-respecting!), you are not obligated to conform to these design guidelines to be able to distribute your application through Debian and PureOS. Furthermore, these design plans represent a broad long-term plan, not necessarily a guarantee of what will be happening “immediately” in the first released version of the platform that ships, your mileage may vary, etc.
Heads is cutting edge software and provides a level of security beyond what you would find in a regular computer. Up to this point though, its main user base are expert-level users who are willing to hardware flash their BIOS. The current user interface is also geared more toward those expert users with command-line scripts that make the assumption that you know a fair amount about how Heads works under the hood.
We want all our customers to benefit from the extra security in Heads so we intend to include it by default in all of our laptops in the future. For that to work though, Heads needs to be accessible for people of all experience levels. Most users don’t want to drop to a recovery shell with an odd error message so they can type some commands if they happen to update their BIOS, and they don’t want to be locked out of their system if they forgot to update their file signatures in /boot after a kernel update.
When we announced that we were partnering with Trammell Hudson to use Heads on our laptops, we didn’t just mean “thanks for the Free Software, see you later!” Instead, we are putting our own internal engineering efforts to the task of not just porting Heads to our hardware, but also improving it–and sharing those improvements upstream.
The Delicious GUI Center
The first of our improvements is focused on making the boot screen more accessible. We started by added whiptail (software that lets you display GUI menus in a console) to Heads so that we can display a boot menu that more closely resembles GRUB. We then duplicated the features of the existing Heads boot menu so that instead of this:
you now see this:
If you hit enter, you boot straight into your OS just like with GRUB, only behind the scenes Heads is checking all the files in /boot for tampering. If you hadn’t already configured a default boot option, instead of dumping you back to a main menu with no explanation or existing out to a shell, we decided to provide a GUI so you can decide what to do next:
If you decide to load a menu of boot options from the main menu or from this dialog, we also wrapped a GUI around the Heads boot menu that parses your GRUB config file:
In each of the most common workflows, we’ve replaced the console output with an easier-to-use menu that also provides a bit more explanation on what’s happening if something goes wrong. For the most part the average user will just verify the TOTP code and then hit Enter to boot their system so in that way it’s not much different from a standard GRUB boot screen. These extra menus come in only if the user ever needs to deviate from the default and select a different kernel, generate a new TOTP code, or do other maintenance within Heads.
We now have these GUI menus working well in our internal Heads prototypes and we’ve also pushed our changes upstream, where most of them have already been pulled into the Heads project. That said, having a GUI boot menu is only part of what you need to make tamper-evident boot usable. Now that the boot menu is in a good place, our next focus is on making the overall Heads bootstrap and update process, key management, and signature generation easy (if only we had a GPG expert to help us with smart card integration, that would sure make things easier). Keep an eye out for more updates along all these lines soon.
Koch’s GnuPG and Smartcard encryption innovations popularized by Edward Snowden to be implemented in Purism’s Librem 5 smartphone and Librem laptop devices.
SAN FRANCISCO, California — March 8th, 2018 — Purism, maker of security-focused laptops has announced today that they have joined forces with leading cryptography pioneer, Werner Koch, to integrate hardware encryption into the company’s Librem laptops and forthcoming Librem 5 phone. By manufacturing hardware with its own software and services, Purism will include cryptography by default pushing the industry forward with unprecedented protection for end-user devices. Read more
The Librem 5 is a big project. And like a lot of big projects, as you probably know, it can appear overwhelming, until you can break the parts down into logical steps. Like a large puzzle scattered on a table, our team has been organizing and beginning to assemble all the pieces. This is very exciting to progress through the initial daunting scope, accepting the tasks, start working and then… after some time, solutions emerge and almost magically align.
In our previous blog posts we described what we were starting to work on, and these efforts began to prove themselves out significantly during our week-long hackfest where part of our software phone team gathered last week in Siegen, Germany. Read more
Librem devices add tamper-evident features to further protect users from cybersecurity threats by offering users the full control that no mainstream computer manufacturer ever has before
SAN FRANCISCO, Calif., February 27, 2018 — Purism, maker of security-focused laptops has announced today that they have successfully tested integration of Trammel Hudson’s Heads security firmware into their Trusted Platform Module (TPM)-enabled coreboot-running Librem laptops. This integration allows Librem laptop users to freely inspect the code, build and install it (and customize it) themselves, and own control of the secure boot process as Heads uses the TPM on the system to provide tamper-evidence. Read more
Protecting customer privacy, security and freedom is so fundamental to Purism’s mission that we codified it in our Social Purpose Corporation charter. We believe that these three concepts of privacy, security, and freedom are not just important by themselves but are also dependent on each other. For example, it’s obvious that by improving your security, we help protect your privacy. What might be less obvious is how dependent your privacy is on your freedom. True privacy means your computer and data are under your control, not controlled by unethical big-tech corporations. When your digital life is under your control you have the freedom to share your data only when you want to. So as we consider ways to improve your security, it can’t be at the cost of privacy or freedom.
As part of our goal to improve security we are excited to announce that we have successfully integrated Heads into our TPM-enabled coreboot-running Librem laptops. This integration effort began in April 2017 with the partnership of Purism and Trammell Hudson’s Heads project, which required hardware design changes, coreboot modifications, and operating system updates to reach where we are with this announcement today. We now have a tamper-evident boot process starting with the BIOS all the way through verifying that the kernel, initrd, and boot configuration files haven’t been changed in any way. Soon Heads will be enabled by default on all our laptops and this critical piece combined with the rest of our security features will make Librem laptops the most secure laptop you can buy where you hold the keys.
In this post we will describe why Heads is such an integral part of our security and how it combines with the rest of our features to create a unique combination of security, privacy and freedom that don’t exist in any other laptop you can buy today.
Why Tamper-Evident Software Matters
For your computer to be secure, you need to be able to trust that your software hasn’t been modified to run malicious code instead. This is one of many reasons why it’s so important that you can see the source code for all of the software on your system from your web browser to your hardware drivers to the kernel and up to your BIOS. We’ve gone to great lengths to choose hardware that can run with free software drivers, load our laptops with the FSF-endorsedPureOS, use coreboot as our Free/Libre and Open Source BIOS, and have neutralized and disabled the Intel Management Engine.
Unfortunately being able to see the source code isn’t enough. All of the software you run trusts the kernel, and the kernel trusts the BIOS. Without tamper-evident features that start the moment the computer turns on, an attacker can inject malicious code into your BIOS or kernel with no way to detect it. Once started, that malicious software could capture your encrypted disk or login passwords along with any other secrets or other personal information on your computer. By running tamper-evident software at boot, you get peace of mind that your system can be trusted before you start using it. With Purism’s combined approach the first bit loaded into the CPU is measured and signed by the user to prove nothing has been tampered with.
Heads Above the Rest
There are a number of different technologies we could have chosen to protect the boot process, but unfortunately very few of them are Free/Libre and Open Source and almost all of them work by taking control away from you and putting it into a vendor that owns the keys that determine what software you can run at boot. We have witnessed first-hand unethical laptops that ship with “Secure Boot” enabled (a technology that only allows software signed with pre-approved (e.g. paid-for) corporate controlled keys to run at boot). The very limited BIOS on this machine offered no way to disable Secure Boot so it is impossible to install Debian, PureOS or any other distribution that hadn’t gotten the BIOS vendor and Microsoft’s (paid) approval.
Heads has a lot of advantages over all of the other boot verification technologies that make it perfect for Librem laptops. First, it is Free Software that works with the Open Source coreboot BIOS so you don’t have to take our word for it that it is backdoor-free–anybody is free to inspect the code and build and install it (and customize it) themselves.
Second, the way it uses the TPM on your system to provide tamper-evidence puts the keys under your control, not ours. The fact that you retain control over the keys that secure your system is incredibly important. While we intend to make the secure boot process painless, we also don’t think you should have to trust us for it to work–you can change your keys any time.
Enterprise Level Security, Easily
If you manage a fleet of machines, this means with Purism Librem laptops that include TPM and Heads, you now have the ideal platform that you can tailor for your specific enterprise needs with custom features and your own trusted company keys. You can provide a trusted boot environment that protects your users from persistent malware and detects tampering while they travel, while still integrating with your custom in-house laptop images. And you can do this without having to ask us to sign your software.
The IT Security department’s dream of self-signed, tamper-evident, persistent-malware-detecting, laptop computer is now a reality with Purism Librem laptops.
Part of a Bigger Story
Having a secure boot process is the foundation of security on a modern laptop but it’s only part of the reason why Librem laptops are so secure. Here we will review some of the other security features that when combined with Heads puts Librem laptops in a totally different league.
Snitches get Switches
One of the first security features that set us apart was our hardware kill switches. Unlike a software switch that asks the hardware to turn off politely and hopes it listens, our hardware kill switches sever the circuit at the hardware level. This means you don’t have to worry about Remote Access Trojan malware that can disable your webcam LED to spy on you more easily. When you hit the radio kill switch, your WiFi is completely off, and when you hit the webcam/mic kill switch, the webcam is truly powered off–no webcam stickers needed.
Extra Security with Qubes
Our laptops default to PureOS because we feel it provides the best overall desktop experience for every type of user while still protecting your privacy, security and freedom. For customers who want an even higher level of security, Qubes uses virtualization features to provide extra security through compartmentalization. In 2015, our Librem 13 (version 1) was the first (and currently only) hardware to have received Qubes certification. Our current line of laptops remains compatible, and we recently announced that our current generation of Librem 13 and 15 laptops now fully work with Qubes 4.0.
We are also investigating ways to incorporate some of the compartmentalization features of Qubes into PureOS so you can still have good security but with an easier learning curve. Disposable web browsers and protected USB ports are just some of the features we are considering.
We Won’t Stop There
When you combine tamper-evident secure booting with Heads, an Open Source coreboot BIOS, a neutered and disabled Intel Management Engine, hardware kill switches, and the advanced security features of Qubes, Librem laptops have a security advantage over any other laptop you can buy. Equally important, they have extra security without sacrificing your privacy, freedom, or control. While we are excited to hit this major milestone, and can’t wait to have Heads on by default for all our laptops, we aren’t stopping there.
A secured boot process opens the possibility for even stronger tamper-evidence that extends further into the file system. From there you can move past tamper-evidence into tamper-resistance or even tamper-proofing in some advanced applications. We are also investigating better ways to incorporate hardware tokens with our products to provide more convenient authentication and encryption while still leaving the keys in your hands.
Ultimately, our goal is to provide you with the most secure computer you can buy that protects your privacy while also respecting your freedom. Since these values are inter-dependent, each milestone that improves one ultimately strengthens them all, and we will continue to work to raise the bar on all of them.
Peter has been quite busy thinking about the most ergonomic mobile gestures and came up with a complete UI shell design. While the last design report was describing the design of the lock screen and the home screen, we will discuss here about navigating within the different features of the shell.
The mock-up on the right describes the main navigation principles. It shows the basic gestures that can be used to navigate through the different features of the shell.
From top to bottom:
(N) – Pulls down the full list of notifications.
(S) – Pulls down the full list of system settings.
(Q) – Reveals the most frequently used settings.
(W) – Quick launcher (to quickly access the communication features).
(A) – (3 seconds) Reveals the list of running applications.
(H) – Navigate back to the home screen.
And below are a few more mockups illustrating additional planned features of the Shell:
The multitasking overview screen that is revealed through the gesture (A) shows a carousel of all running apps along with their icons to make them easier to spot and access in a touch.
Swiping up from the bottom of the screen, from gesture (H), brings back the home screen
The “quick launcher” from gesture (W), in this example, is launching a list of (favorite) contacts for a quick access to the communications features.
An experience for people first, not just “app stores”
Now that we have defined the main features and gestures of the shell, it should be time to take care of the applications’ interfaces next.
If the Librem 5 was “Yet Another Android phone,” I would say “Go! Let’s make a bunch of apps!” But the Librem 5 is not just a regular phone, and Purism is very different from Apple and Google in term of philosophy and business model—they have been focusing on having the “biggest” app stores, selling apps, and mining data… and we don’t do that.
Therefore, before hastily moving forward with designing applications interfaces “like the other platforms”, not only must we study the current state of the mobile industry in term of User Experience, we must also try to think on how to improve it with a user-centric paradigm instead of necessarily app-centric. I think that, in some ways, there are many areas where the Librem 5 can bring greater simplicity, making iOS and Android look over-complicated in comparison. It may sound crazy to say that, but bear with me for a moment, we’ll get back to this later on.
By understanding a few concepts, we can try to define some human interface guidelines that will help getting a better user experience by default. This won’t prevent the phone to remain a highly customizable FLOSS platform—it will just help making the Librem 5’s “out of the box” experience more useful for everyone.
Hey everyone, I’m happy to announce the release of an update to our coreboot images for Librem 13 v2 and Librem 15 v3 machines.
All new laptops will come pre-loaded with this new update, and everyone else can update their machines using our existing build script which was updated to build the newest image. Some important remarks:
Please read the instructions below to make sure the image gets built properly and make sure to select the correct machine type in the menu for the build script.
The build script was initially written as a tool for internal use, and therefore isn’t as polished as it could be, so if you want something that just quickly applies updates without building/compiling the whole thing, we hope to provide such a (simpler) script in the future.
This is a follow up from Kyle’s previous blog post, and now that the image has been fully tested, you can all enjoy it and get one of our most requested feature : VT-d support for Qubes 4.0 to work.
The new version is “4.7-Purism-1” and here is the ChangeLog:
Update to coreboot 4.7
Update to FSP 2.0
Add IOMMU support
Enable TPM support
Fixed ATA errors at 6Gbps
While coreboot 4.7 has not been officially released, it was “tagged” on October 31st in coreboot’s git repository, and this release is based on that tag with the IOMMU (VT-d) and TPM support added on top of it.
If your laptop came with the TPM chip installed, you need to update your coreboot image to this version in order to use the TPM hardware.
How to build it?
To build the latest coreboot image :
Download the build script mkdir building-coreboot && cd building-coreboot && wget https://code.puri.sm/kakaroto/coreboot-files/raw/master/build_coreboot.sh
Run the script on your Librem machine: chmod +x build_coreboot.sh && ./build_coreboot.sh
Follow the instructions on the screen, be sure to select your correct Librem laptop revision (Librem 13v2 or Librem 15v3), and give it time to build the image.
Once done, if everything went according to plan, it will ask you if you want to flash the newly built image
Make sure you are not running on low battery and select Yes
Reboot your machine once the flashing process is done.
For matters specifically related to this build script (not related to how to use a TPM per se), you may also want to check out the main forum thread about our coreboot build script, where discussion and testing has been going on over the past few months.
Verifying the presence of a TPM
If you are unsure whether or not you have a TPM installed on your system, install the tpm_tools package and then run sudo tpm_version to confirm that a TPM is detected on your system.