Author: Todd Weaver

Founder and CEO
PGP Fingerprint: B8CA ACEA D949 30F1 23C4 642C 23CF 2E3D 2545 14F7

GNOME and KDE in PureOS: diversity across devices

PureOS, a Free Software Foundation endorsed GNU distribution, is what Purism pre-installs on all Librem laptops (in addition to it being freely available for the public to run on their own compatible hardware or virtual machines). It comes with a GNOME desktop environment by default, and of course, since we love free ethical software, users can use KDE that is also available within PureOS. This is the future we will continue to advance across all our devices: a PureOS GNOME-first strategy, with other Desktop Environments (DEs), such as KDE, available and supported by Purism.

At Purism we want a unified default desktop environment, and considering that we have chosen GNOME to be the default on laptops, we hope to extend GNOME to also be the default on phones. The ability for users to switch is also very powerful, and having a strong, usable, and supported alternative—that is, KDE/Plasma—for the Librem 5 offers the best of the “unified default” world and the “usable user choice” worlds.

Symbiotic GNOME and KDE partnerships

Purism has partnered with both GNOME and KDE for the Librem 5; what this means simply is that users running PureOS on their Librem 5 will get the choice of a GNOME environment or a KDE/Plasma environment, and the user could always switch between the two, like what is already the case on computers running PureOS. Will there be other partnerships in the future? We imagine so, since we will be happy to support any and all ethical OSes, GNU distributions, and want to make sure that the future is bright for a non-Android-non-iOS world.

While the initial GNOME and KDE partnerships mean uplifting diversity at the top level (and greater choice for users), each have a slightly different developmental and support roadmap. The reason for this is pragmatic, since KDE is very far along with their “Plasma” mobile desktop environment, while GNOME is farther behind currently. Investing time and efforts to advance the status of mobile GNOME/GTK+, aligns with our longer-term goals of a unified default desktop environment for PureOS, offering a convenient default for users. Diversity is why we are supporting and developing both GNOME/GTK+ and KDE/Plasma.

Therefore:

  • KDE: Purism is investing in hardware design, development kits, and supporting the KDE/Plasma community, and will be sharing all early documentation, hardware designs, and kernel development progress with the core KDE/Plasma developers and community.
  • GNOME: Purism is investing the same in hardware design, development kits, and supporting the GNOME/GTK+ community as we are with the KDE/Plasma community. In addition, Purism is needing to lead some of the development within the GNOME community, since there is not a large community around an upstream-first GNOME/GTK+ for mobile yet.

Choice is good, redundancy is good, but those are ideal when there is minimal additional investment required to accomplish technological parity. Since Purism uses GNOME as the default desktop environment within PureOS on our laptops, we figured we are going to invest some direct development efforts in GNOME/GTK+ for mobile to stay consistent across our default platforms. Adding KDE as a second desktop environment is directly aligned with our beliefs, and we are very excited to support KDE/Plasma on our Librem 5 phone as well as within PureOS for all our hardware. We will support additional efforts, if they align with our strict beliefs.

Why not just use KDE/Plasma and call it a day?

If we were doing short-term planning it would be easy to “just use Plasma” for the Librem 5, but that would undermine our long-term vision of having a consistent look/feel across all our devices, where GNOME/GTK+ is already the default and what we’ve invested in. Supporting both communities, while advancing GNOME/GTK+ on mobile to allow it to catch up, aligns perfectly with our short-term goals (offering Plasma on our Librem 5 hardware for early adopters who prefer this option), while meeting our long-term vision (offering a unified GNOME stack as our primary technological stack across all our hardware). It is also a good way to give back to a project that needs our help.

Why not just push GNOME and GTK+ and forward?

Because having an amazingly built Plasma offering available early to test and ship to users is a superb plan in many ways—not just for redundancy, but also because KDE/Plasma also aligns so well with our beliefs. The product readiness across these two desktop environments are so different it is not easy to compare side-by-side.

Empowering both communities is possible

Overall, Purism is investing the same amount across hardware, boot loader, kernel, drivers and UI/UX. These are shared resources. The deviation boils down to:

  • GTK+ and the GNOME “shell” development, that Purism is planning to be directly invested in, in close collaboration with upstream
  • Community support: by being involved in both communities, we are effectively doubling our efforts on supporting those communities, but that is a small cost for the greater benefit of users.

Supporting both KDE/Plasma and GNOME means we will continue to build, support, and release software that works well for users across Purism hardware and within PureOS. Purism fully acknowledges that each platform is in different release states, and will be working with each community in the areas required—be that software development, hardware development kits donated, community outreach, conference sponsorship, speaking engagements, and offering product for key personnel.

Update/P.S.: for the GNOME side of things, we are in close collaboration with upstream GNOME, and have followed GNOME Shell maintainers’ recommendations to have a simpler, Wayland-only shell (“phosh”) developed. You can learn more about it in our 2018 March 3rd technical report, in the “Compositor and Shell” section. So rest assured, those decisions have been taken with the “blessing” of upstream, based on purely technical grounds.

Meltdown, Spectre and the Future of Secure Hardware

Meltdown and Spectre are two different—but equally nasty—exploits in hardware. They are local, read-only exploits not known to corrupt, delete, nor modify data. For local single user laptops, such as Librem laptops, this is not as large of a threat as on shared servers—where a user on one virtual machine could access another user’s data on a separate virtual machine.

As we have stated numerous times, security is a game of depth. To exploit any given layer, you go to a lower layer and you have access to everything higher in the stack.

Meltdown and Spectre are not just hardware exploits, they are the processor and microprocessor exploits. Meltdown is an exploit against the CPU which has a patch in progress, while Spectre is an exploit against the design of microprocessors which has a “possibility to patch upon each exploit as it is identified” in a never ending game of cat-and-mouse.

Protecting from Meltdown and Spectre with PureOS

  • Purism’s PureOS, a Free Software Foundation endorsed distribution, is releasing a patch to stop the Meltdown attack, with thanks to the quick and effective actions of the upstream Linux kernel development team.
  • Like the patch for Meltdown, PureOS will continue to release patches against any Spectre exploits as they are found and fixed, which highlights the importance of keeping up-to-date on software updates.

Countermeasures in Purism Librem hardware

Purism continues to advance security in hardware through a combination of techniques, including the inclusion of TPM in Librem laptops, where we are progressing towards a turn-key TPM+Heads solution. This will allow us to provide Librem users with a strong defensive stance making future exploits less scary.

While these countermeasures are not direct solutions for Meltdown and Spectre, they help work towards a larger scope of measurement and indication of “known good” states. In this case, this would mean only running a Linux kernel version which has good patches applied for Meltdown and Spectre exploits. Flagging or stopping any modifications that could be exploits adds another layer of security to protect users’ devices and sensitive information.

The Future of Secure Hardware

Intel, AMD, and ARM seem to suffer from the same issues that proprietary software suffers from: a lack of transparency that results in an unethical design which shifts us further away from an ethical society. RISC-V is something we are closely following in the hopes that it can create a future where processor hardware can be as ethical as Free Software—meaning that the user is in control of their own hardware and software, not the developer.

Purism, as a Social Purposes Corporation, will continue to advance along the best paths possible to offer high-end hardware that is as secure as possible, in alignment with our strict philosophy of ethical computing.

Happy New Year! Purism Goals for 2018

Purism has set out to change the future of computing for the better. We care about your freedom and security and we prove that by working hard to offer you convenient ethical products and services. In our relatively short existence since forming, we have achieved the following milestones:

    1. Released 3 revisions of the Librem 15 laptop.
    2. Released 2 revisions of the Librem 13 laptop.
    3. Persevered in our efforts and upheld our promise to port coreboot to all our devices.
    4. We have been the first manufacturer to disable the Intel Management Engine (and we are currently still the only vendor of brand new devices doing this with devices shipping out today…).
    5. Received FSF endorsement for PureOS.
    6. Exceeded our funding goal by almost 50% for our Librem 5 phone campaign.
    7. Partnered with Matrix, Nextcloud, Monero, GNOME and KDE

Purism has some lofty goals that seem more attainable with each advancement that we make. Our pace for these achievements is already impressive, and we plan on maintaining and exceeding that pace in 2018. This coming year, we plan to:

  • Release the development board for the Librem 5 phone.
  • Produce great documentation for developers to write applications into PureOS (or any GNU/Linux based OS) for the Librem 5 phone.
  • Attend significantly more conferences and events; this lets us meet long-standing collaborators, improves our own knowledge, and also lets us raise awareness about our ideals and approaches to solving long-standing challenges in the industry.
  • Release our Purist Ethical Services offering (more news on this later).
  • Advance the Librem 15 and Librem 13 laptops into a version 4 model.
  • Release the much-awaited Librem tablet.
  • Release TPM + Heads as a “turn-key” product on our devices.

Things are off to a great start in 2018 and we hope you are as excited as we are to push forward the causes of freedom, security and privacy—principles that we hold as dearly as you do.

Happy New Year from your friends at Purism SPC!

The Librem 5 Development Roadmap and Progress Towards i.MX 8

The Librem 5 crowdfunding campaign is still cranking along nicely, while it is going on we wanted to provide a progress report on the hardware selection as well as the advancements with our existing development boards.

TL;DR:

  • The base hardware with i.MX 6 is demonstrably working.
  • i.MX 8M, Etnaviv, full HD, are the likely hardware combination candidates for the Librem 5 phone.

Development Hardware Proving Positive

Showing photos of low-level progress is always a challenge, however showing Wayland and applications running on development hardware by definition means that the lower level parts are working! Booting from microSD into a Debian GNU/Linux unstable with most of the UI installed…

Purism Librem 5 phone (early development boards) for testing CPU/GPU and GNU/Linux
Purism Librem 5 (early development boards) booting the Linux kernel, Wayland, and a terminal in early August 2017.
Purism Librem 5 (early development boards) booting Debian GNU/Linux unstable, Wayland, and GNOME Settings in September 2017
Purism Librem 5 (early development boards) screenshot of a photo rendered

What led us to choose i.MX 6/i.MX 8

We have tested nearly every combination of CPU (and GPU, see further below), Purism’s goals of creating hardware that is ethical, runs free software, can separate baseband from main CPU, and the ability to run GNU/Linux (not Android), quickly narrowed our scope to i.MX 6 as one of the only viable options.

We have been testing and working with i.MX 6 and are pleased to report healthy progress with that hardware, as you can see from the photos, we have the Linux kernel booting, Wayland running, and in these photos GNOME/GTK and even Gnome Settings showing.

Purism Librem 5 (early development boards) running Debian GNU/Linux unstable, wayland, and GNOME Settings screenshot

Heading towards i.MX 8

We have been making some progress that makes us confident to say we will likely be able to use i.MX 8 for the Librem 5 phone hardware, primarily because:

  1. We will be able to evaluate a i.MX 8M pre-production board November 2017
  2. Our extended community can evaluate a handful of i.MX 8M sample chips in November 2017
  3. More evaluation boards should be available before year-end 2017
  4. In Q1 of 2018 we can get i.MX 8M into production. This is well ahead of our required hardware selection date of April 2018, so we will very likely be using the i.MX 8M in the Librem 5.
i.MX 8M (early evaluation boards)

State of the GPUs… or “Why we chose i.MX 6/8 + Vivante”

GPU drivers have been a big issue for a long time in the free software world. Manufacturers would typically not release any specification or documentation but only binary-only drivers. For PC hardware this problem has somewhat been resolved, which is why Purism uses Intel GPUs on our Librem products, since Intel has free drivers merged in mainline Linux kernel. But for ARM SOCs, the situation is not ideal.

  • MALI: One of the biggest players in the ARM field is MALI. The MALI core was originally developed by Falanx Microsystems until ARM bought their patents and copyrights and is now licensing the MALI core for ARM designs. ARM is not releasing any specs about the MALI GPU cores and does not provide any free software drivers for them. (The MALI400 is e.g. also used in the Allwinner A64 chip which again is used on Pine64 and in the Pinebook). There is an effort to develop a free driver by reverse engineering existing code, which is called LIMA, but its functionality and support is still limited.
  • Adreno: another big one is the Adreno GPU core, found in many Qualcomm Snapdragon SOCs. For this one also, no documentation exists although a reverse engineering project produced a pretty well working driver, called freedreno, which is also supported by current Mesa versions.
  • PowerVR: the PowerVR GPU cores are found mostly in embedded PowerPCs and Texas Instruments “OMAP” CPUs. As of today, we are not aware of any free development for these, only some binary-only drivers are available. There is an effort started by the Free Software Foundation but it seems that the project has stalled for some time now.
  • Tegra: the first generation nVIDIA “Tegra” SOCs has Linux kernel mainline support since 2012. The latest Tegra SOCs use the same GPU building blocks as the desktop PC graphics cards and can be used with the Nouveau GPU driver.
  • i.MX 6 Vivante: since Linux kernel 4.8, a new set of DRM/GPU drivers has been incorporated into the mainline Linux kernel, the so-called Etnaviv. Etnaviv support is also included in Mesa, starting with Mesa 17. We have successfully been operating a prototype for our phone using a mainline Linux kernel 4.12.4 with Etnaviv support. From microSD we booted into a Debian GNU/Linux unstable with most of the UI stuff installed. It works! We can safely say that upstream OpenGL hardware GPU support for i.MX 6 has landed in major Linux distributions, which is great news since hardware GUI acceleration is badly needed for any type of modern mobile GUI.

With the Librem 5, we are very excited to be advancing the mobile phone space to be ethical, respect digital rights, run GNU/Linux, be secure, and create a future that we are proud to be part of. We will be posting regular development updates as we progress with the hardware, software, and partners.

Purism Warrant Canary Updated July 1st 2017

Before (or on) the first day of each quarter, Purism, following the general rules of warrant canaries, will update its own Warrant Canary page if none of the listed items occurs.

warrant-canary-64x70px

Warrant Canary, July 1st 2017

  1. We have not placed any backdoors into our software or hardware, and we have not complied with any requests to do so.
  2. We have not received, nor complied with any National Security Letters or FISA court orders.
  3. We have not been subject to any gag order by a FISA court.

The next statement will be published on the first day of each quarter (January 1st, April 1st, July 1st, October 1st). Please refer to the Warrant Canary page for details and digital signatures.

How Purism Avoids Critical Intel Security Exploit

Intel dropped a fairly large bombshell on the world May 1st, 2017, when they published a security advisory that explains how nearly every single Intel chip since 2008 is now vulnerable to a remote exploit through AMT, even when powered off.

Purism, which uses Intel chips, happens to be immune to this very nasty threat. Purism happens to also be the only manufacturer where all products are designed specifically to be immune to this very substantial threat. Purism is able to accomplish this thanks to its strict belief in digital rights for users and adherence to its social purpose; it is this philosophy that brings Purism to systematically remove exploitable firmware from the computers it makes, and users are all the better for it.

We already published a lengthy article on the potential of this type of threat, which you can find at How Purism Avoids Intel AMT, but in case you wanted the shorter version:

  1. We choose Intel CPUs that do not have the hardware enabled to be exploitable (no vPro/AMT)
  2. We avoid Intel networking, to remove this exact threat (no Intel networking, no remote exploit from exploitable firmware)
  3. We neutralize the exploitable firmware

The larger message rings true; if you can’t control the computer, the computer controls you. This turn of events highlights that fact clearly; this exploitable Intel firmware is a binary at the lowest level of the CPU, outside the view of the user, allowing for anybody to use it to gain full control of the computer, even when the device is powered off. This represents the worst of all possible security vulnerabilities, and we are very proud to have a philosophy that makes our products the only high-end current hardware offering that can safely avoid this Intel security exploit.

How Purism avoids Vault 7 leaked threats “Dark Matter”

Recently, WikiLeaks unloaded another lot of Vault 7 documents, under the “Dark Matter” codename. In there, other tools and techniques used by the CIA to gain persistent remote exploits on Apple devices (including Macs and iPhones) are revealed.

Most of these attacks target Apple’s EFI/UEFI firmware, therefore such infections persist even if the operating system is re-installed. This collection of threats, including Sonic Screwdriver, Triton, Der Starke, and Dark Sea Skies, all utilize the same general principle: to attack a device at the BIOS level depth, in order to seize control of all shallower levels including the operating system, applications, networking, and web access.

In addition to the EFI/UEFI exploits mentioned, there are targeted exploits such as Night Skies focusing on iPhones, or the Sea Pea rootkit focusing on Apple’s Mac OS X kernel specifically.

Night Skies is a tool that operates in the background and does not exhibit user-alerting behavior, providing upload, download and execution capability on the device. NightSkies will attempt to use any available Internet connection to beacon. Once user activity is detected, it will monitor specific directories on the phone such as the browser history file, YouTube video cache, map files cache, or mail files metadata. Night Skies can then:

  • retrieve files from the iPhone including the address book, SMSes, call logs, etc.;
  • send files and binaries to the iPhone (such as additional hacking tools);
  • execute arbitrary commands on the iPhone;
  • grant full remote command and control;
  • masquerade as the standard HTTP protocol for communications;
  • use XXTEA block encryption to provide secure communications;
  • provide self-upgrade capability.

Sea Pea, on the other hand, is a rootkit designed for Mac OS X’s kernel, that will remain on the system unless one of the following conditions are met: the hard drive is reformatted, an upgrade is made to the next major version of OS X (i.e. 10.6), or an error is encountered (at which point SeaPea may remove itself).

What these threats continue to showcase is that EFI/UEFI is an ideal low-level backdoor to control a user’s device without their knowledge, and the leaked documents shows how widespread these threats are against any user running a EFI/UEFI BIOS.

Purism is working hard to make its products immune against these threats by designing its devices to be able to run coreboot instead EFI/UEFI. Purism also utilizes PureOS (a GNU/Linux based distribution that does not contain any mystery binaries), so the entire source code stack can be audited.

These documents continue to reinforce the fact that security is a game of depth, and the deeper you go with releasing free software where the source code can be audited, the better.

Purism has future plans of including hardware encryption tools to verify the entire boot chain, putting the entire system under a user’s control, rather than that of a bad corporation, government, spying agency, criminals, or ISPs.

Yet Another EFI/UEFI Exploit, this one Utilizing NVRAM and Persistent Storage

Continuing on our previous post on this topic, another EFI/UEFI BIOS exploit theoretically known–and even proven to work by Trammel hudson some years ago–that resurfaced through the Vault 7 documents, is the EFI/UEFI exploit that can write to NVRAM or persistent storage. This means that this exploit cannot be detected from hard drive inspection, and can survive through a complete OS reinstall if you’re using EFI/UEFI (which is not a problem for Purism users running coreboot).

The CIA documents describe it best:

“These variables present interesting opportunities for our tools since they will survive a OS reinstall and are invisible to a forensic image of the hard drive. What’s also interesting is that there is no way to enumerate NVRAM variables from the OS… you have to know the exact GUID and name of the variable to even determine that it exists.” — the CIA, as leaked through the Vault 7 Persistent Storage Document

This line also summarizes intent for the exploit:

“This might be a good place to put either implants or encryption keys. If every implant deployment used a different GUID/name pair, it would make the variables a bit more difficult to discover.” — the CIA, from the Vault 7 Persistent Storage Document

This continues to reinforce that our philosophy and beliefs are the only way to have long-term products that respects users’ digital rights.

Proving the Known, EFI/UEFI Exploited for BIOS Level Attacks

We’re continuing with a second report (many more coming!) on the “Vault 7” Documents we started digesting recently. There is an extensive section dedicated to EFI/UEFI exploitations. While this threat has been known from a theoretical standpoint from the moment the non-free BIOS replacement–EFI/UEFI–came into existence, the Vault 7 documents published recently now confirm that these threats are real and these weaknesses are actively being exploited.

One interesting read we’re focusing on today is the EFI/UEFI “ExitBootServices Hooking” exploit and sample copy-and-paste code to inject a hook into the last execute state of the EFI/UEFI process (the “ExitBootServices”).

Copy-and-paste code was included in the leaks which allow for the exploitation of UEFI-based boot systems by altering the operating system’s kernel which is loaded into memory before exiting the UEFI boot sequence. The copy-and-paste code allows for an attacker to insert a custom hook which can be used to arbitrarily alter the operating system’s kernel in memory immediately before execution control is handed to the kernel. — Wikipedia’s summary.

It is trivial to utilize this exploit:

Because the ExitBootServices service can be found by getting its pointer from the global EFI_BOOT_SERVICES table, hooking the ExitBootServices call is trivial. […] When you’re running in UEFI, that EFI_BOOT_SERVICES table isn’t protected by anything, so you can just write directly to it. — Vault 7 ExitBootServices Hooking

The result is that the entire system is compromised. As the page highlights, “At this point, you can do whatever you want.”

This type of exploit once-again highlights that security is a game of depth. This exploit is one level below the kernel, which means it has complete control of every level above it, such as the kernel, the entire operating system, any and all applications, network traffic, web application usage, and all user interaction.

The good news is, Purism recently completed the port of coreboot to the Librem 13 v1 (with more ports to come for the rest of our devices), providing a free/libre and open source replacement for EFI/UEFI which avoids all of the exploits mentioned within the documents.

The only long-term approach to protect oneself is to have complete control of the device. Control is the key word, and there is no other way to have complete control than to have as much of the software released under free software licenses where the source code is available to confirm it operates in your best interest and not that of criminals, spies, bad hackers, nations, or thieves.

Confirming that EFI/UEFI has a known and trivial exploit that is built into the standard also confirms that there is no depth too deep to exploit, and the only defense against unwanted stripping of a users’ digital rights is to use hardware and software that you control. Purism does just that by releasing all software under a free software license where the source code is available to be audited, reviewed, and scrutinized making a user control their device not the device controlling the user.

What the US Senate Vote Barring the FCC from Protecting the Privacy of Customers Means

On March 23rd, 2017 the US Congress disapproved the rule submitted by the Federal Communications Commission relating to “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services”, and so that rule shall have no force or effect.

This means the FCC does not have the legal authority to protect the privacy of customers from ISPs gobbling up all the data they want to. The ISPs own the connection from your router to the Internet at large. ISPs have access to everything that passes over the connection including any non-encrypted content such as, every webpage you visit, every email you send, every photo you share, every document you deliver, and any social media post you make. Utilizing SSL helps guard against this threat of ISPs selling your head-end usage data, which is why Purism integrates EFF‘s HTTPS Everywhere in PureOS by default. In the future Purism will also be including SSL tunneling by default to help users stop ISPs from the privacy invading fire-hose of everything you do online.