Whether you face extreme threats or want some extra peace of mind, you might want to be able to detect if someone tampers with your laptop when it’s out of your possession. Anti-interdiction can be particularly handy when traveling and for the initial delivery.
Following this procedure will allow you to verify your laptop has not been used or modified, even if it’s left unattended for a lengthy time. You’ll need a Librem Key and some glitter nail polish. On the software side, your Librem 14 will need to be running PureBoot. For those that selected the coreboot bootloader at checkout, switching to PureBoot is straightforward.
If you are already running PureBoot with a paired Librem Key, you can skip onto the hardware preparation section. Keep in mind PureBoot requires a separate /boot partition formatted as ext4. If you’re running PureOS, we default to this boot setup, but other distros may need custom partitioning. To verify your boot partition is valid, run:
lsblk -f | grep /boot
You should see an ext4 filesystem.
Make sure your laptop is charging and connected to the internet for the PureBoot upgrade and run the following:
wget https://source.puri.sm/coreboot/utility/raw/master/corebootutil.sh -O corebootutil.sh
sudo bash ./coreboot_util.sh
This will prompt you for your root password, enter it, and select 1 to use a pre-built pureBoot image. It should auto-detect you’re using a Librem 14; Press enter.Select 2 to Install PureBoot. Enter ‘Y’ to continue.You can update the serial number or use the extracted value. Enter ‘Y’ again to start the upgrade process.Flashing will take a few min to complete. Once you see this message, you can attach the Librem Key and reboot.
PureBoot will start up and begin the pairing process of your new Librem Key and BIOS. Press “Enter” to continue.You can enter custom information, Like your email and your name, if you’d like. This also gives you the option to export your newly generated keys to a USB. If you plan to sign emails with these keys, this is a good idea.The pairing will take about 3 min.
After a reboot, you’ll need to generate your new HOTP/TOTP secrets, select the defaults and follow the onscreen setup directions to complete the pairing.
To verify the hardware is unmodified, apply glitter nail polish to at least the 4 outside screws. This will take a few hours to dry. Once completely dry, photograph the unique patterns on each of the screws. These will be used as a reference to compare and validate visually that the chassis is untampered with. Store the photos in a safe place like a password manager.If you’d rather skip the setup, we ship Librem 14s with these same Anti Interdiction services as an option at checkout. In addition, you’ll get tamper-evident tape on the surrounding laptop packaging within the box and separate shipping for the Librem Key and Laptop. On the software side, your Librem Key will come preloaded with a custom PIN. We will also discuss a customized threat model coordinated over encrypted email.
|Librem Mini||In Stock||10 days|
|Librem Server||In Stock||10 days|
|Librem Key||In Stock||10 days|
|Librem 14||In Stock||10 days|
|Librem 5 USA||In Stock||10 days|
|Librem 5||Currently shipping backlogs||20 weeks|