We have been promoting the benefits of our PureBoot tamper-evident firmware with a Librem Key for some time, but until now our laptops have shipped with standard coreboot firmware that didn’t include tamper-evident features. To get tamper-evident features, you had to reflash your Librem laptop with PureBoot firmware after the fact, using our standard firmware update process. One of the biggest challenges for most people using PureBoot was the initial setup process, but many people might find installing an OS challenging too.
The best way to solve this challenge is for us to do the setup for you–and that’s what we are happy to announce today.
While we will still default to our standard coreboot firmware, starting today, if you order a Librem laptop and select the “PureBoot Bundle” option for the firmware, you can choose to have PureBoot installed and configured at the factory. The PureBoot Bundle includes a Librem Key, as well as a “Vault” USB drive that will contain the GPG public key we generated at the factory. You can later use the Vault drive to hold backups of GPG keys you generate, and keep those backups in a safe place.
With the PureBoot Bundle, you will be able to detect firmware tampering and rootkits out of the box! Just unbox the laptop, plug in the Librem Key and turn it on–if the Librem Key blinks green, your laptop is safe; if it blinks red, it was tampered with in transit. Also, now that our Librem Keys are made in the USA next to our fulfillment center, we have even tighter control over the supply chain for the most critical trusted component in this equation.
When you get your PureBoot Bundle, you can immediately test whether the firmware was tampered with during shipment. For an additional charge, you can contact us about our anti-interdiction services, which, among other measures, ship the Librem laptop and Librem Key separately.
Once you have verified the integrity of the firmware, you can set new passwords and secrets on the Librem Key and TPM, generate new GPG keys (or copy over GPG keys you already have), and re-sign all of the files, all with keys under your control, at any time.
We hope that, by setting it up for you at the factory, we can get this next-generation tamper-detection technology into more customers’ hands. Everyone–not just hardcore geeks–deserves the peace of mind of knowing that their systems are safe from tampering; and unlike with other secure boot systems, PureBoot gives you tamper-evident firmware without vendor lock-in–you control all of the keys.