Category: Firmware and BIOS

Including anything related to the BIOS

Coreboot and Skylake, part 2: A Beautiful Game!

Hi everyone,

While most of you are probably excited about the possibilities of the recently announced “Librem 5” phone, today I am sharing a technical progress report about our existing laptops, particularly findings about getting coreboot to be “production-ready” on the Skylake-based Librem 13 and 15, where you will see one of the primary reasons we experienced a delay in shipping last month (and how we solved the issue).

TL;DR: Shortly before we began shipping from inventory, the coreboot port was considered done, but we found some weird SATA issues at the last minute, and those needed to be fixed before shipping those orders.

  • The bug was sometimes preventing booting any operating system, which is why it became a blocker for shipments.
  • I didn’t find the “perfect” fix yet, I simply worked around the problem; the workaround corrects the behavior without any major consequences for users, other than warnings showing up during boot with the Linux kernel, which allowed us to resume shipments.
  • Once I come up with the proper/perfect fix, an update will be made available for users to update their coreboot install post-facto. So, for now, do not worry if you see ATA errors during boot (or in dmesg) in your new Librem laptops shipped this summer: it is normal, harmless, and hopefully will be fixed soon.


Coreboot on the Librem 13 v2, part 1

Hello everyone! I am very happy to announce that the coreboot port to the Librem 13 v2 as well as the Librem 15 v3 is done! Wow, what an adventure! The entire thing took about 2 weeks of hard work, and an additional week of testing, fixing small issues that kept popping up, and cleaning up the code/commits.

It was truly an adventure, and I would have liked to stop and take the time to write 10 blog posts during that time, one for every major bump in the road or milestone, but I was under a strict deadline because we needed to finish the port before we started shipping the new Librem 13 v2 hardware (from now on referred to as ‘the v2’), so it could be shipping with coreboot pre-installed from day one. Now that the port is finished, I can finally start writing the first chapter in the story.

TL;DR: in the process of porting the Skylake-based Librem 13 v2 to coreboot, I have implemented a new debugging method (“flashconsole”) and added it to coreboot. It has been reviewed and merged upstream.

A fleet of coreboot laptops assembles

Following up on our status update where we revealed the imminent shipping date and general availability of our laptops this June, we’re happy to let you know today that we’ve recently had a breakthrough in our work to port the new laptops to coreboot, thanks to the fruitful collaboration between our coreboot developer Youness “KaKaRoTo” Alaoui and Matt “Mr. Chromebox” DeVillier (to whom we sent a prototype unit). Our coreboot port is now working for both the Librem 13 v2 and the Librem 15 v3, with all the test cases passing.

We are now pretty confident that we should be able to have coreboot firmware ready in time for factory preloading of the new inventory we’ll be shipping from in June. As we receive the first “production” units, we will ship some of those across the border, so that Youness can re-test and finalize the port on those machines (the results should be the same, but we want to make sure everything is top-notch). I will also seize the opportunity to take good reference images in our photo studio.

In the meantime, Youness is currently busy preparing his code contributions to be upstreamed officially to the coreboot project, after which he will be attending the 2017 edition of the coreboot conference in Denver. You will also soon be able to read his latest technical findings as part of the current round of coreboot ports.

The only model that will remain to be ported to coreboot afterwards will be the Librem 15 v2 (it turns out that the “v1” was an early demonstration unit that was sent out to some reviewers but never made it into large-scale production, so it does not actually need to be ported), thus reaching a milestone and honouring a promise that many of you have been eagerly looking forward to. That remaining port should be fairly straightforward to do, now that Youness has gained a lot of experience with other models. Then, depending on how the timing plays out this summer, our reverse engineering work is expected to resume from where we left off.

How Purism Avoids Critical Intel Security Exploit

Intel dropped a fairly large bombshell on the world May 1st, 2017, when they published a security advisory that explains how nearly every single Intel chip since 2008 is now vulnerable to a remote exploit through AMT, even when powered off.

Purism, which uses Intel chips, happens to be immune to this very nasty threat. Purism happens to also be the only manufacturer where all products are designed specifically to be immune to this very substantial threat. Purism is able to accomplish this thanks to its strict belief in digital rights for users and adherence to its social purpose; it is this philosophy that brings Purism to systematically remove exploitable firmware from the computers it makes, and users are all the better for it.

We already published a lengthy article on the potential of this type of threat, which you can find at How Purism Avoids Intel AMT, but in case you wanted the shorter version:

  1. We choose Intel CPUs that do not have the hardware enabled to be exploitable (no vPro/AMT)
  2. We avoid Intel networking, to remove this exact threat (no Intel networking, no remote exploit from exploitable firmware)
  3. We neutralize the exploitable firmware

The larger message rings true; if you can’t control the computer, the computer controls you. This turn of events highlights that fact clearly; this exploitable Intel firmware is a binary at the lowest level of the CPU, outside the view of the user, allowing for anybody to use it to gain full control of the computer, even when the device is powered off. This represents the worst of all possible security vulnerabilities, and we are very proud to have a philosophy that makes our products the only high-end current hardware offering that can safely avoid this Intel security exploit.

Security Researcher Trammell Hudson and Device Maker Purism Join Forces to Set a New Standard for Security-Focused Laptops

Hudson’s security firmware Heads will be built into Purism Librem hardware to further protect users from cybersecurity threats, privacy invasion, identity theft, and more.

SAN FRANCISCO, CA — APRIL 12, 2017 — One of the foremost security researchers in the infosec community, Trammell Hudson, is working with secure device maker Purism to integrate his free and open-source “Heads” firmware into the company’s Librem laptop line. Purism will be the first hardware company to integrate Heads into its products, and the partnership will push the industry standard with unprecedented protection for end-user devices. Testing has already begun for the integration of the two platforms.

Bringing Librem 13 v2 and Librem 15 v3 prototypes back from LibrePlanet for further coreboot porting work

A few days ago we gave you a very quick sneak peek of the Librem 15 v3’s anodized black finish as we were doing final preparations for our LibrePlanet 2017 attendance. We were very happy to support the Free Software Foundation by sponsoring LibrePlanet! On Saturday morning, we started setting up our booth slowly, thinking there would not be much activity going on at the beginning of the day. We were proved wrong:

There was a crowd around our booth at pretty much all times (except lunchtime) throughout the day Saturday, during which it was revealed that Todd is possibly a cyborg, as he stood there answering questions for eight hours straight, without needing to eat, drink, or sit:

Great discussions were had. James was also present, attending talks and officially winning our photobomber of the year award, as you can see him in the lower-right corner of this photo:

New passions bloomed among attendees:

People who saw and touched the Librems found them to be quite impressive. For instance:

Some of the frequent comments we heard were “Wow. They’re even better than on the photos!”, “When can I buy one?” and “I was a Purism skeptic, but I see you are delivering on your promises and making the impossible possible.”

Really encouraging!

Upcoming coreboot work

While we were hard at work answering thousands of questions at LibrePlanet, our coreboot developer Youness was on vacation while waiting for some more testing hardware. This week he will be resuming his work on preparing/packaging coreboot for release, and with the two new prototype units I brought back from Boston he will also be able to begin the coreboot port for these devices. We hope to do that in time to factory-flash them for the next batch of deliveries in May-June, but we’ll see how the development work pans out. If it’s not ready within that short timespan, we will provide coreboot as an update that you can flash yourself.

Youness has also made some additional progress on the Intel ME, thanks to information and data that Igor Skochinsky was able to share with us. Stay tuned for Youness’ next report!

Todd’s Purism Librem 13 experience with coreboot and a neutralized ME

A few days ago, I got to experience the efforts of a culmination of free software supporters; from Purism team members, ME hackers, coreboot developers, and a lot of other individuals. I am very pleased to run a Librem 13 with coreboot, running a neutralized Intel Management Engine, and no microcode update. I used that setup to type this blog post!

Neutralizing the Intel Management Engine on Librem Laptops

In my last blog post, I have spoken of the completion of the Purism coreboot port for the Librem 13 v1 and mentioned that I had some good news about the Intel Management Engine disablement efforts (to go further than our existing quarantine) and to “stay tuned” for more information. Since then I got a little side-tracked with some more work on coreboot (more below), but now it’s time to share with you the good news!