Announcing the PureBoot Bundle: Tamper-evident Firmware from the Factory

• About
• Latest Posts

Kyle Rankin

PGP ID: 0xB9EF770D6EFE360F
Fingerprint: 0DFE 2A03 7FEF B6BF C56F73C5 B9EF 770D 6EFE 360F
Librem Social

Latest posts by Kyle Rankin (see all)

• Bootstrapping Trust with Anti-Interdiction - March 22, 2023
• Where is My Librem 5? Part 3 - March 8, 2023
• My Top 10 Lapdock Kit Tips - February 27, 2023

We have been promoting the benefits of our PureBoot tamper-evident firmware with a Librem Key for some time, but until now our laptops have shipped with standard coreboot firmware, that didn’t include tamper-evident features. To get tamper-evident features, you had to reflash your Librem laptop with PureBoot firmware after the fact, using our standard firmware update process. One of the biggest challenges for most people using PureBoot was the initial setup process–but many people might  find installing an OS challenging too.

The best way to solve this challenge is for us to do the setup for you–and that’s what we are happy to announce today.

While we will still default to our standard coreboot firmware, starting today, if you order a Librem laptop and select the “PureBoot Bundle” option for the firmware, you can choose to have PureBoot installed and configured at the factory. The PureBoot Bundle includes a Librem Key, as well as a “Vault” USB drive that will contain the GPG public key we generated at the factory. You can use the Vault drive later to store backups of GPG keys you generate and store them in a safe place.

With the PureBoot Bundle, you will be able to detect firmware tampering and rootkits out of the box! Just unbox the laptop, plug in the Librem Key and turn it on–if the Librem Key blinks green, your laptop is safe; if it blinks red, it was tampered with in transit. Also, now that our Librem Keys are made in the USA next to our fulfillment center, we have even tighter control over the supply chain for the most critical trusted component in this equation.

If you pick a PureBoot Bundle, we will perform the following additional steps on top of the standard PureOS install process

• Reflash the firmware with PureBoot
• Factory-reset the Librem Key and set default user and admin PINs
• Generate a new, unique GPG key on the Librem Key
• Copy the corresponding GPG public key to a USB flash drive shipped with the laptop
• Sign all of the files in /boot with this GPG key
• Add the GPG public key to the firmware’s GPG keyring and reflash the firmware
• Reset the TPM and set a default admin PIN
• Store the known-good firmware measurements in the TPM
• Share a secret in the TPM and Librem Key to detect later tampering

When you get your PureBoot Bundle, you can immediately test whether the firmware was tampered with during shipment. For an additional charge, you can contact us about our anti-interdiction services which, among other measures, ships the Librem laptop and Librem Key separately.

We believe you should have full control over your keys

Once you have verified the integrity of the firmware, you can set new passwords and secrets on the Librem Key and TPM, generate new GPG keys (or copy over GPG keys you already have), and re-sign all of the files, all with keys under your control, at any time.

We hope that, by setting it up for you at the factory, we can get this next-generation tamper-detection technology into more customers’ hands. Everyone–not just hardcore geeks–deserves the peace of mind of knowing that their systems are safe from tampering; and unlike with other secure boot systems, PureBoot gives you tamper-evident firmware without vendor lock-in–you control all of the keys.

To get the PureBoot Bundle, order a Librem 13 or Librem 15 and on the configuration page in the shop, select “PureBoot Bundle” under the firmware option.