Author: Zlatan Todorić

Director of Technology

Releasing the beta of PureOS 3

After our alpha release in November, we are today releasing the beta for PureOS 3.0, which we intend to release as a final release in time for our upcoming new laptop batch shipment (more news on that soon).

As PureOS uses a rolling release model, software all across the stack continued to receive updates since our first alpha some months ago, even though the core of our work has been to improve and deploy new infrastructure to support efficient development of this operating system and to make the PureOS experience more pleasant for users, too. The PureOS infrastructure is now better at exposing migration/update issues, which means that we iron out broken or missing package dependencies more quickly (with the goal of preventing them from ever being encountered by users, although such occurrences are already rare). Building this infrastructure for PureOS is some very ambitious—and often invisible—work that we are accomplishing as the foundation for all PureOS development.

We are also in the final stages of preparing proper developer documentation, closely modeled on Debian’s contributors documentation and procedures, but pointing to the right bits and pieces when it comes to PureOS.

FSF endorsement is work in progress: we are working with the FSF and addressing any concerns or requests they may have. As per the FSF’s requests:

  • The new PureOS website is now fully separate and works with LibreJS.
  • Iceweasel/Firefox was removed from the archive (its presence there was actually due to a repository synchronization bug) and we modified the add-ons system to avoid the possibility of installing non-free add-ons by mistake. That said, this is one of the reasons why PureBrowser exists, and PureBrowser will continue to be the default. The forced removal of Firefox/Iceweasel caused some trouble with the PureOS package repositories archive but this will be fixed before the final release.
  • TorBrowser is now torbrowser-launcher, a package that downloads and installs the official Tor browser with updates being applied as soon as the Tor project publishes them.

On the security front:

  • A Wayland-based GNOME 3 experience remains what we ship by default.
  • We have started preparing our Linux kernel to be based on the grsecurity kernel. This is available as a package in the beta’s repositories but is not enabled by default, as we consider it requires more testing (you can help!) so we can use it as the default Linux kernel in the future (for PureOS 3.0’s final release, hopefully!)… so feel free to install and try it out (don’t forget to install paxctld as well)! This will be a huge step forward in terms of security. While most regular GNU/Linux distributions are more secure and privacy-respecting than proprietary OSes, having the grsecurity patchset in PureOS’ Linux kernel by default will bring PureOS far above the norm in terms of desktop GNU/Linux security practices.
  • We look forward to integrating Flatpak in the future to benefit from its sandboxing capabilities.

As you can see, we’re making some nice progress and PureOS has great plans ahead to achieve a great user experience that balances security and usability. This is quite a bit better than running OSes that work against you or that strip you of control over the applications layer!

Bits about PureOS

There were some questions floating around our community regarding PureOS compared to other distros, and I feel it is time to address them all in one go.

PureOS compared to other distros

Do PureOS and Tails have the same goals?

Yes and no. We both want to make secure, private and anonymous OSes but we approach the problem differently:

  • Tails has longer development cycles.
  • Tails is more focused on pure anonymity, privacy and security, not tailoring towards average end-users (by “average” we mean “average computer user” and not “average GNU/Linux user”). While Tails is not as complicated to use as Qubes, there still is very little attention paid to user experience.
  • Tails is a system that you don’t install onto a hard drive (last time I talked to Tails developers, they said they were writing code that even prevents you from installing it onto the hard drive).

On the other hand, PureOS comes preinstalled on Purism’s devices and tailors all security, privacy and anonymity aspects towards a broader set of end-users.

  • PureOS will not take security measures that would, for example, make 99% of the web browsing experience almost impossible (Tails also doesn’t do this, but this mention is just an example to reflect our philosophy).
  • PureOS aims to be easy to switch to from Windows/Mac as well as from any other OS, while increasing security and privacy in great amounts compared to the two most popular desktop OSes.
  • PureOS doesn’t require any account, doesn’t send any feedback/telemetry to Purism (or any other company) and doesn’t spam with add-ons.
  • The combination is therefore meant to be easy to use (and pleasant to the eye) while being a very big step forwards in terms of freedom, privacy, security and anonymity.

SubgraphOS is an example of an OS that is more aligned with PureOS’ ideas.

What are the differences between Debian and PureOS?

Hopefully I don’t need to explain the long-standing giant that is Debian. PureOS will tend to have the least possible amount of deltas compared to Debian, and it will try to forward upstream (and to Debian) all changes we make that make sense for the wider community (Matthias and myself are also Debian Developers and we understand the importance of this). That said, we have some differences: PureOS hosts only Free software, while Debian, although officially only main, does host non-free software and allows the option of having it. PureOS will have more frequent changes and for now it will not have a real stable release in the Debian sense (we consider PureOS stable for everyday usage, as most users experience the same with Debian Testing). PureOS already defaults to Wayland, while Debian will still stay with X for at least one release. For the final PureOS 3.0 release, the plan is also to switch from Debian Installer to Calamares, and PureOS will also have a kernel with grsecurity enabled (and of course our own configuration).

What package formats is PureOS going to use?

PureOS is based on Debian and thus we use the famous deb format for core system packages. Besides that, our plan is to have Flatpak as a convenient and secure complement to deb packages in the future. Flatpak is pretty advanced, is gaining momentum among application makers, and has a lively community.

Where are PureOS sources (to code)?

They are at repo.puri.sm/pureos/pool/main but the easiest way to get any code is to just do:

apt source <packagename>

How to upgrade to the latest stable version?

PureOS is in essence a rolling release and if you keep it up-to-date you’re already at the latest version. We release point releases (like now with the upcoming PureOS 3.0) to have better testing of features as well as having an image for our OEM ISO. There is no need to download every ISO we release if you update frequently, but it helps us with testing.

Why can’t I search apps in GNOME Software and why doesn’t installation work for some packages?

GNOME Software requires Appstream metadata to work properly, and we are in the process of implementing that machine. It will soon be ready, probably by our next “beta” release of PureOS 3.

The installation issue comes from migration issues. Short explanation: our packages get synced from Debian into our archive called “landing”, and from landing they migrate to “green”, which is what you have in your sources.list. So we basically have an additional testing step during this migration, but as those parts are new in our archive they sometimes might get broken. We are improving this daily, so bear in mind that it can all be resolved in your next update.

Why does PureOS default to GNOME?

We consider GNOME the most technically advanced and polished Desktop Environment out there. It also has the best support for Wayland and touchscreen devices, which is important for PureOS’ path. Those who need more features or a different look & feel can either go to extensions.gnome.org or install any other DE they need (you’re always just an “apt install” away from anything you want).

How can I contribute?

Talking about PureOS, sharing it with your own and the wider community, and sending bug reports, code, art and coffee to developers all help.

Purism Devlog #3

Welcome to a new devlog post. There is a lot of exciting news here, so let’s dive into it step by step.

New infrastructure

In the past we had many issues with failing repositories, an outdated archive, expired keys, sources changing too often… this is why we have now moved to new servers, with control from the ground up, and started building the new PureOS infrastructure (the whole Purism infrastructure also moved to a new server). We are still improving and tweaking everything on a daily basis, but the foundation is there. The new infrastructure is now mandated by DAK (Debian Archive Kit) and Laniakea (which is developed by Matthias Klumpp, aiming to make creating and maintaining Debian derivatives easier for all).

Bug tracker

One of the most important aspects of every distribution is its users reporting bugs and submitting ideas. Now you can simply go to https://tracker.puri.sm/maniphest/ and report any issues as well as submit ideas. In the near future we plan to tweak the infra in such a way that it becomes publicly visible even without registering an account (we spent our time building everything, so we haven’t been tweaking it yet).

Example of what the PureOS bug tracker looks like

Code hosting

While our code is still spread out on GitHub and we’ll be mirroring it to our infrastructure in the beginning, we plan to eventually host all our work on our infrastructure by default. After all, our infrastructure is entirely Free software based (code auditable, anyone can contribute, etc.). The code will be in place at https://tracker.puri.sm/diffusion/ (only a small, non-updated portion lies there at the moment).

Wiki pages

A good OS needs good documentation pages. Good documentation needs a good community. We started building the foundation for that as well, and now need your help. Our wiki effort will be led by our main support person, Mladen Pejakovic. Either contact him or send mail saying that you want to contribute to the wiki foundation of PureOS, to feedback@puri.sm or hr@puri.sm. The wiki is located at https://tracker.puri.sm/w/. You can also fire up your favorite IRC client (Polari, Hexchat or some web IRC client), connect to freenode (irc.freenode.net) and join our #purism channel to chat with us. We need our community to pull this off, as the task we are setting needs the combined effort of an entire community that cares.

PureOS 3.0 alpha release — codename “Prometheus”


With a new infrastructure comes new tasks, and the first and obvious is to improve our OS. We chose to start from ground zero and progress on it properly. We call this release an “alpha” as it is missing a few things (and we want people to test it) but its overall stability should actually be slightly higher compared to previous releases. Also, a great feature it gained is that now our images are “live”, meaning you can run them without installing on your drive! The download link is located at the usual place.

For those who don’t want to try the new installation (although we would appreciate that, even if done in GNOME Boxes or other virtualization tools you use) and just want to update to it, here is what should be done in a terminal:

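wget http://repo.puri.sm/pureos/pool/main/p/pureos-archive-keyring/pureos-archive-keyring_2016.09_all.deb
sudo dpkg -i pureos-archive-keyring_2016.09_all.deb
# Replace sources.list with the PureOS "green" suite. The write has to happen as root,
# so pipe into "sudo tee" ("sudo echo ... >> file" opens the file as the calling user).
echo "deb http://repo.puri.sm/pureos/ green main" | sudo tee /etc/apt/sources.list > /dev/null
# Refresh the package lists from the new archive before installing from it.
sudo apt update
sudo apt install pureos-minimal pureos-standard pureos-desktop
sudo apt dist-upgrade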

And voila, you’re there!

Now let’s talk about what is in there, what is missing and what you can do.

PureOS 3.0 Prometheus aims to be the best release we ever made, and we want it to be the release with the most community engagement ever (this is why we deployed our awesome new infrastructure foundation above!)

With that in mind, we of course want to see your code and your ideas of what you want to see in the default installation, but we also want artwork! A lot of artwork. We are opening a contest for wallpapers. The rules are simple: create a piece of artwork (it can even be an old photo you took at some point in time) that inspires you, reminds you of freedom and/or has the Prometheus idea floating around, combined with some Free license (GPLv3 for example). Prometheus gave humans fire (a.k.a. knowledge), which made humans free. We are giving you the OS which we hope will empower you to make your dreams come true and form the best community around it. Also, if anyone feels inspired and wants to challenge their skills, please do a plymouth theme (here is inspiration).

GNOME Software is in there but we still need to build our Appstream machine, so it’s currently missing data (the Synaptic package manager is not ported to Wayland yet, so the good old terminal will be your friend for next couple of days—or just pick “GNOME on Xorg” at the login screen 🙂 )


PureOS 3.0 alpha will be shipping with Wayland by default (you can simply choose your session on login screen by pressing the gear button and choosing which one you want). Wayland is such a huge step forward in many ways, to provide a beautiful tearing-free desktop experience but also to build future security. To get why this is important, watch this video. We are proud to push this last bit forward as we feel comfortable that our hardware will play nicely with GNOME and Wayland. Notice there are some quirks with Wayland (some missing legacy icons, global menu loading 15-30 seconds before it becomes usable, some pointer issues) but most of them we will clear out in the near future while bravely going towards the final release of PureOS 3.0.

Here are some known issues (nothing that affects stability):

  • The default wallpaper is still the old one, and while we have new artwork done, we still didn’t integrate it as we want your wallpapers in as well.
  • You will miss our patched kernel which provides somewhat better touchpad functionality compared to stock kernel, but we will push that in soon: you will be able to find it in a package update; we hope to eventually provide fully automated builds that you can test early.
  • About the touchpad, we plan one more quick snapshot in the coming days to fix a few things and, after that, allow one developer to focus full-time on making it work better.

FSF distribution endorsement

This is something PureOS is aiming for. What does this endorsement mean? It means that we provide and support only Free software by GNU standards. While PureOS is not meant only for our hardware, we must advise people who will try it on other hardware that you may encounter some issues, for example WiFi might not work if your hardware requires a proprietary firmware. Also, in the future we will optimize the default image towards our hardware (so AMD and nVidia drivers would be missing from default images, as we currently only use Intel ones—unless AMD or nVidia start providing an entirely free/libre and open source stack to run their cards efficiently). To the endorsement and beyond!

Purist services

While we focused most of our energy towards building infrastructure for PureOS, we also gained one notable feature that is very important for the future of Purist services usage: keysafe. Joey created this to make it easy for all our users, as services will use GPG keys in some form, and we all know how hard that can be to use, for many reasons. Not only did we build such a feature, Joey also deployed it as the standard for our servers already (check here for requirements and path to our server). We will also move the Purist Services roadmap to the PureOS bug tracker (or make it visible at some place so people can hop in to contribute).

Community

Our systems administrators are volunteers. They believe in what we do and dedicate some portion of their time to our cause. We mentioned this many times, but we really want the community integrated inside the company, not to become just another commercial entity. We care for our community and we would love to have you in. Head towards anything you want to help with (you can see how much we trust the community, in that they take care of our critical infrastructure) and please do chat with us. To show appreciation for their entire effort we sent Librems to our sysadmins, and one of them even responded with a great tale that made us laugh (sadly we can’t share it here). Yes, we love fun stories (we even want to integrate some humor into all our products, so feel free to suggest something “spicy”). We lived entirely off community donations (in the form of purchases of our hardware), and although we started searching for some investments to speed up our development, we still trust that the community will stay the biggest backbone of our progress.

Developers

You can jump straight into coding for PureOS. Probably the only missing bit is Developer Guidelines, and we plan to write those soon. Besides technical aspects (how to do proper packaging) we will also make some guidelines about look & feel. For example, it would be awesome to have a beautiful GUI app for creating, editing and maintaining GPG keys. It should work just as nicely as Etcher.

That would be all folks, we will try to update the blog (not only the technical part) more often, especially now that our website has new contents and a new look, improved in many ways thanks to the tireless efforts of our marketing guru Jeff (from the land of maple syrup)!

Purism Devlog #2

Let’s start this devlog with some good news that we believe will make a lot of users happy and will satisfy a few trolls as well. We moved away from Cloudflare. It was creating problems for Tor browser users (which was kind of ironic, as we shipped with Tor browser on our machines as default) and the temporary solution was to whitelist all Tor nodes. We are now finally Cloudflare free. Also, our certificates are now from the famous and all-loving LetsEncrypt, on all our servers.

With huge efforts going into creating the PureOS infra, we also decided that now is the time for an entire transition. That is why we are moving all our services to a secure facility where we run our own dedicated servers. Fun times! Let us know if we broke something during our transition! This is all brought to you by the ever growing Purism team.

As we are approaching the day when the PureOS infrastructure will be set up (hopefully in the next 2 weeks), we are also issuing a call for volunteers. There will be a wiki (which we need to populate with documentation, tutorials, ideas and magic), the PureOS website (anyone eager to try their design and web coding skills?), a bugtracker (oh yes, we all need that), code hosting (what would a Free OS be without a Freedom code hosting service? 🙂 ) and many more goodies. Also, we are issuing a call for ideas: if you have an idea on how to improve any of the above mentioned things, please feel free to share. We want to find out what our users need and we will try to implement that with security and privacy in mind. Our vision and mission is to integrate Freedom, privacy and security. Let’s talk about how to improve Free software/hardware and society! IRC (#purism on freenode) and feedback@puri.sm are your friends for that.

What would be a devlog without bad news? I don’t have an answer for this, but here is the bad news. While the regular PureOS 2.1 image installs fine on all hardware (yes, even the NVMe SSDs), the OEM ISO fails. We are investigating this and hopefully we will resolve it this week, stay tuned. I am also very pleased regarding the bugtracker: while we support people discussing in forums, it is a bit of an overload for our staff to forward complaints to us and then for us, through our support, to contact them back via forums (or in some cases mails); we must find a way to improve this. After all, we are an open community and we must offer transparency in our bug reports, easily searchable by the community and our staff.

What is going on with Purist Services – well, we are issuing a volunteer call for people interested to work and chat with Joey Hess (our lead architect on this). Skills: knowledge about XMPP, OMEMO, IM, voice/audio calls (people that work and use Ring are of high interest to us. At least to our technical lead 😉 ), encrypted mails, UI/UX design (we need somehow to level up GPG usage and without really easy UI we are doomed to fail).

Last but not least, regarding all the infrastructure build-up: the old PureOS infra will be the last to shut down. This means that you will still have some issues with our archive, although we take all your reports seriously and fix them ASAP, and we are also preparing the PureOS 2.2 release with it.

P.S. sneak peek for PureOS 3.0, which will get released with the new infra: its codename will be Prometheus! That’s enough juicy details for now!!

Purism Devlog #1

We said there is not going to be another PureOS release with the old infrastructure but… there is one more (at least). Making new infrastructure properly takes time (and we want to do it properly for the sake of our nerves and yours), so we will have one more point release of PureOS: PureOS 2.2. We are currently still baking it, as part of the team is focused on making the OEM ISO so we can pass tests for installation on NVMe SSDs (a few people reported the OS as missing or not recognizing the disk; the PureOS 2.1 regular ISO already passed installation on such hardware, but of course we need the OEM one for your devices).

Besides new infrastructure and baking ISOs here and there, we are working (until this point more in the background, but it will be more publicly visible soon) on something that we call at this moment Purist Services. What are Purist Services?!

Glad you asked. We will combine the best Free software solutions in many fields into what we call purist accounts. It will be a unified solution where users will have a choice to create a purist account and get out of the box: Instant Messaging, Voice Call, Video Call, Email, and after that we will add more solutions one by one, such as Social Account (Diaspora*), Photo/Video sharing (Mediagoblin), file sharing (Filetea/SparkleShare and maybe, just maybe, nextCloud) and other goodies that can and will benefit our users. All will of course be Free software and encrypted, and any client that supports the protocols and techniques we use will be able to connect to purist users and vice-versa.

In addition to that we have two announcements: first, the lead architect of Purist Services is the famous Joey Hess. Second, this is a good opportunity for employment if you want to work at Purism. How we do technical interviews: either you already have a good history with Free software, or you start contributing to Purism development and in a few months (of good work!) you will be called in for an interview. If you are interested in working with Joey or on any other part of PureOS, feel free to send your resume to hr@puri.sm with a cover letter.

Happy hacking,

Zlatan Todorić

Purism launches its own online store

Purism is happy to announce that we are finally able to host our own store! Yes, you read that correctly, now you can buy directly from Purism. This new store front will improve our workflow and also bring more funds directly to Purism for future development of products and services.

In our store you will have multiple choices of how you would like to pay for your new Librem device: direct bank transfer, Paypal, bitcoin or using your credit card. As we are continuing to try and improve all aspects of Purism, we have listened to your feedback. In an effort to aid in communication, our next step is to add a public view of the next 10 shipments so that you can see where you are in the queue. But don’t worry, we take your privacy very seriously and only order numbers, and nothing else, will be visible.

With continued support we hope to soon be able to ship Librem devices from stock, significantly reducing wait times for orders. With the help and support of our backers, Purism is continuing to grow as we reach towards our goals of having easy to use and reasonably secure computers & services available to the general public. Sincerely, we thank you for your support, patience and questions while asking for your help in spreading the word of our new store front.

Thoughts or comments?  feedback(at)puri.sm

Purism Devlog #0

This is the first in a series of Purism developer blog posts. It will be mostly about technical aspects of Purism’s work but also sometimes mixed with a few other fields and information. The only promise is that there will be more: no promise how often, no hardcoded path of releases. In the Debian mantra, it will be ready (and published) once it is ready.

We are happy to announce release of PureOS 2.1. Besides fixing bugs (such as overwriting the entire disk during install!) it will boast few new apps (and few removed) on this new ISO image:

  • Kodi
  • VLC
  • Blender
  • Audacity
  • Darktable
  • MyPaint
  • Ardour
  • MPV

Removed apps:

  • Debian bug tracking system (PureOS will have its own, more in next devlog releases)
  • Brasero

As you can see, we wanted to bring some creativity with the preinstalled applications (although all applications are easily installed or removed through the software center/app store, now famously called Software in GNOME and thus in PureOS), and Kodi is there just to show that Free software is cool and great! In art terms we also integrated a new Plymouth theme which we believe you will like (soon we will bring up a community wiki so people can share their ideas and write tutorials and documentation about PureOS, but again, more info about it in some of the next releases).

Besides that, we are again trying to improve the driver for touchpads (yes, we agree with you and your pain, but we are in the same awkward pain: we use those devices, we work with our manufacturers but they simply don’t give us any documentation, something we are trying to improve all the time, but there is only so much time and space for such a small team to tackle so many tasks, some of which aren’t even in the description of our work. Thank you for your support and patience; we are really trying to pull the max out of what we get). That said, our involvement with manufacturers gives us the opportunity to drive how new products will be developed, which is something very important for us and our (and your) future. Back to the technical parts, the new integrated driver should now have:

  • Tap to click
  • Double tap
  • Two finger scroll (up & down)
  • Three finger swipe
  • Edge scrolling

We hope we improved some of the previous parts of the driver and also enabled some new things (note this is an entirely new driver, so bear with us while you test it and report bugs).

PureOS 2.1 now also comes with GNOME as the default because it is aligned with the goal of having one default environment for all our devices (we are now in the process of producing tablets). With the future plan to develop for phones, that could be switched to KDE’s Plasma, but the future is exciting and unpredictable.

This release also has a checksum so people can check it against the ISO build, and new installation instructions that should be much more user friendly; check more at the download page.

Also, this release should be the last one built with the old (almost non-existent) infrastructure. The new one will be more professional, more open and feel more native for Free software development. We will write more in the next release of the devlog.

Keep calm and develop Free software (and hardware!),

– Zlatan

Camera/Microphone Hardware Kill Switch Behavior on Librem Laptops

All Librem laptops come with a Hardware Kill Switch (HKS) which physically severs the circuit to the Camera and Microphone. The Librem laptops are the first to offer this feature and it works quite well. And in some cases, a bit TOO well.

Specifically a Librem laptop Camera and Microphone Hardware Kill Switch will work with any GNU/Linux OS, but only as long as one obeys these simple rules:

  • Rule #1: Always have the Camera/Microphone HKS in the ON position when booting the laptop. This ensures the kernel is aware the device is there. Once the OS starts up you can toggle the Camera/Microphone OFF and ON as you wish, but…
  • Rule #2: Always have the Camera/Microphone HKS in the ON position BEFORE starting a program that uses the Camera, like CHEESE. Once the program starts you can turn the Camera/Microphone OFF, but you will have to close and restart the program, with the HKS in the ON position, to get the Camera to work with that program.

If any of these rules are violated, the Camera may NOT work until a reboot.


The longer term plan is to develop proper kernel loading and unloading or software application polling of the devices, so the user flow becomes irrelevant. Obviously the kernel and software never took into account severing the circuit during operation, therefore we decided to post this to help user flow, and to provide a roadmap to ideal performance.

Hard, NOT Soft, Kill Switches

Here is the HARD truth about Hardware Kill switches on Librem laptops.

The Librem laptops are secure machines that respect and protect your privacy and freedom. To this end, we at Purism are intensely suspicious of several items on a standard laptop that could be used, either maliciously or accidentally, to violate your privacy and security. Specifically, these items are:

  1. The laptop’s built in Webcam and Microphone.
  2. The laptop’s WiFi and Bluetooth radios.

Almost all laptops on the market today have a way to turn off a laptop’s WiFi and Bluetooth radios. However, most do it via software on the computer (example: a special program in the operating system) or a soft switch in the computer’s embedded controller within the BIOS (example: pressing the Function key and the F2 key at the same time). Because it remains possible for malicious software to turn these peripherals back on, we opt to solve this with hardware.

There is NO other laptop on the market today that has a physical means to turn off a machine’s built in Webcam and Microphone.

Thus, to protect you from the risks of these devices, the Librem laptops come with the ability to physically disable or turn off the Webcam, Microphone, WiFi radio, and Bluetooth radio via a Hardware Kill Switch (HKS).

The HKS is a real physical switch that either:

  1. Cuts the signal or power line to the device, as in the case of the Webcam and Microphone HKS, or,
  2. Disables the chip running them, as is the case of the WiFi and Bluetooth radios HKS.

To give you an idea how this is done, let’s look at the HKSes on a Librem 13.

The HKS themselves

The HKSes are located in the hinge cover of a Librem 13. The HKS themselves are Double Pole, Double Throw (DPDT) switches with a switch function of ON-ON and have six leads on them.

Librem 13 HKSes in the Hinge Cover

Different Devices, Different Challenges

For starters, it helps to look at the motherboard on a Librem 13 and see where the various devices connect to it.

Librem 13 Motherboard Layout

To physically shut off each of the questionable devices with a physical switch we broke the problem down into three parts:

  1. Kill the Webcam
  2. Kill the Microphone, and,
  3. Kill the WiFi and Bluetooth radios

The reason for this is because each of the above devices has a different interface and thus requires a different solution to ensure it is really OFF.

Kill the Webcam

Wire on connector EDPCON1 sent to the HKS for the Webcam

The webcam on a Librem 13 is located above the laptop’s screen and connects to the motherboard via connector EDPCON1, a x30 pin connector that also contains all the wiring for the laptop’s display. The webcam itself uses a USB 2.0 interface, meaning there are four wires on EDPCON1 that are just for the camera. Two of the four wires are for data, one is for a +3.3 volt DC signal to power the camera, and the last wire is the ground.

To kill the Webcam with a HKS, we insert a HKS and circuit during assembly, wiring the +3.3 volt DC power wire for the USB connection directly into the HKS.

With the HKS in the OFF position, no power gets to the Webcam, making it impossible for the webcam to be used (in fact, it is not detected by the kernel or the operating system when off).

Kill the Microphone

Wire on connector MIC_COM1 wired to the HKS for the Microphone

The microphone on a Librem 13 is located right next to the Webcam above the laptop’s screen and connects to the laptop’s motherboard via connector MIC_COM1. But unlike the Webcam, the microphone has only two leads: One for the microphone’s signal and the other for the microphone’s ground.

To kill the microphone with a HKS, we wire the microphone’s signal wire directly to the HKS.

With the HKS in the OFF position, no signal from the microphone gets to the motherboard, thus making it impossible for the microphone to send any signals to the laptop.

One Switch for Two

Both the Webcam and the Microphone are wired to the same HKS, so both devices are OFF at the same time.

HKS for the Webcam and the Microphone. The wires on top go to the Webcam. The wires on the bottom go to the Microphone.

The WiFi and Bluetooth radios are wired to a second HKS.

Kill the WiFi and Bluetooth Radios

Layout of the solder points for the WiFi/Bluetooth, NGFF M.2 pins 54 and 56.

To fully understand how to disable the WiFi and Bluetooth radios, it is necessary to gain some insight into the PCI-SIG M.2 NGFF standard and how it is used to turn OFF the devices. The PCI-SIG M.2 NGFF connector has 75 positions with up to 67 pins, each with a specific function. Some are used for data, some are used for power and ground, and still others are used for control signals. But for the HKSes, the two PCI-SIG M.2 NGFF pins of interest are pins 56 and 54, which control PCI-SIG M.2 NGFF functions called W_DISABLE#1 and W_DISABLE#2 (respectively).

The WiFi/Bluetooth Hardware Kill Switch works by applying to pins 56 and 54 an input of one of two DC signals:

  1. To turn the radios ON: Apply a Ground (GND) or +0 V signal.
  2. To turn the radios OFF: Apply a +3.3 V signal.

Note that this standard is a bit counterintuitive, with Voltage high (+3.3 Volt) = OFF and Voltage low (0 Volts or GND) = ON.

In a Librem 13, the M.2 NGFF connector pins 54 and 56 cannot be accessed directly on the NGFF connector, for it is much too small for any solder connections. Instead the pins are accessed via two 0402 Surface Mount Device (SMD) pads on the motherboard itself (pads R609 and R629).

So for the WiFi/Bluetooth HKS, wires are soldered from the SMD pads to the HKS. Then one side of the HKS is wired to a +3.3 volt signal with the other side wired to ground. The end result looks like this:

Wiring Diagram for WiFi/Bluetooth HKS.

With the HKS in the +3.3 Volt position, pins 54 and 56 in the M.2 NGFF connector will receive a HIGH voltage, and the radios on the WiFi card will be turned OFF. With the HKS in the Ground (GND) position, pins 54 and 56 will receive a LOW voltage, and the radios will be turned ON.
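One way to confirm from the operating system that the switches took effect, as an added example that is not Purism's code: it reads the Linux rfkill sysfs attributes to tell a hardware block (`hard`) from a software block (`soft`) that a privileged process could clear, and checks whether any camera is still enumerated. It assumes the radio drivers report the W_DISABLE# lines through rfkill's `hard` attribute, which is driver-dependent; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def read_attr(path):
    """Return a sysfs attribute's stripped contents, or None if unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None

def entries(path):
    """Sorted directory entries, or an empty list if the directory is absent."""
    return sorted(os.listdir(path)) if os.path.isdir(path) else []

def radio_states(sysfs_root="/sys"):
    """Map 'type:name' of each rfkill device to 'hard-off', 'soft-off' or 'on'."""
    base, states = os.path.join(sysfs_root, "class", "rfkill"), {}
    for entry in entries(base):
        dev = os.path.join(base, entry)
        label = "{}:{}".format(read_attr(os.path.join(dev, "type")),
                               read_attr(os.path.join(dev, "name")))
        if read_attr(os.path.join(dev, "hard")) == "1":
            states[label] = "hard-off"   # hardware line asserted; software cannot clear it
        elif read_attr(os.path.join(dev, "soft")) == "1":
            states[label] = "soft-off"   # software block; a privileged process can clear it
        else:
            states[label] = "on"
    return states

def audit(sysfs_root="/sys"):
    """List every radio or camera that software could still use or re-enable."""
    findings = [f"{radio} is {state}, not held off in hardware"
                for radio, state in radio_states(sysfs_root).items() if state != "hard-off"]
    for cam in entries(os.path.join(sysfs_root, "class", "video4linux")):
        findings.append(f"{cam} is enumerated, so the webcam has power")
    return findings

def build_sample_tree(root, radios, cameras=()):
    """Write a constructed sysfs-like tree; radios = [(type, name, soft, hard)]."""
    for i, (kind, name, soft, hard) in enumerate(radios):
        dev = os.path.join(root, "class", "rfkill", f"rfkill{i}")
        os.makedirs(dev)
        for attr, value in (("type", kind), ("name", name), ("soft", soft), ("hard", hard)):
            with open(os.path.join(dev, attr), "w") as fh:
                fh.write(f"{value}\n")
    for cam in cameras:
        os.makedirs(os.path.join(root, "class", "video4linux", cam))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:   # constructed data, not a real machine
        build_sample_tree(root, [("wlan", "phy0", 1, 0), ("bluetooth", "hci0", 0, 1)], ["video0"])
        print("\n".join(audit(root)))
```

The microphone switch cannot be checked this way: it cuts only the signal wire, so the audio hardware on the motherboard still appears to the operating system.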

Our Hard Work to Protect Your Privacy

As you can see, it is not a trivial matter to manufacture these HKSes. A lot of research and hard work went into the effort.

Purism believes in your rights to privacy, security, and freedom, and will continue to work hard for users’ rights.