As we have said a few times already, we set out to build our dream laptop with the Librem 14. We approached our flagship Librem 13 laptop with a wishlist of features to fit into the reimagined Librem 14. As we have been able to confirm certain features with a strong degree of confidence (like having 2 SO-DIMM slots to double the max RAM to 64Gb) we have updated our specs and made new posts and today I’m excited to announce another item from our wishlist that we will be able to fit into the first generation Librem 14: BIOS and EC flash chip write protection with a hardware switch!
We have been focused on BIOS security at Purism since the beginning, starting with our initiative to replace the proprietary BIOS on our first generation laptops with the open source coreboot project. This was a great first step as it not only meant customers could avoid proprietary code in line with Purism’s social purpose, it also meant the BIOS on Purism laptops could be audited for security bugs and possible backdoors to help avoid problems like the privilege escalation bug in Lenovo’s AMI firmware.
Our next goal in BIOS security was to eliminate, replace or otherwise bypass the proprietary Intel Management Engine (ME) in our firmware. We have made massive progress on this front and our Librem laptops, Librem Mini, and Librem Server all ship with an ME that’s been disabled and neutralized.
After that we shifted focus to protecting the BIOS against tampering. We started by adding TPM chips to our laptops and began work on integrating the Heads tamper-evident firmware project into our overall boot security package we call PureBoot. Now customers can choose between our default coreboot BIOS or our “PureBoot Bundle” when they place an order. The PureBoot Bundle also enabled us to enhance our anti-interdiction services and change it from a secret menu option to a drop-down choice both for customers facing stronger threats and those who just want more peace of mind.
On the Librem 14 we will further improve BIOS (technically AP) and EC firmware security with the addition of a write-protect dip switch on the motherboard. For regular coreboot users this means you can flip the switch and know that your BIOS is safe from remote tampering without installing PureBoot. You would also get additional protection from in-person attackers who would now need to remove the bottom of the laptop to modify the firmware.
For PureBoot users this provides even more security on top of the tamper-detection you already have in place. With write protection on, you can rest assured that PureBoot will only change when you open the case and flip the switch and if PureBoot does report BIOS tampering when you have enabled write protection, you know to physically inspect your motherboard for tampering.
In combination with anti-interdiction tamper-detection measures like painting screws with glitter nail polish, write-protect switches dramatically increase the difficulty for even a sophisticated attacker to modify your BIOS undetected during shipping. This protection extends to whenever the laptop is out of your possession provided you inspect the case screws.
The Librem 14 is our most powerful and most secure laptop yet. If you want full control over your own BIOS security with cutting-edge, powerful hardware, the Librem 14 is the best (some would say the only) choice. Be sure to pre-order the Librem 14 before our $300 off early bird discount expires on August 7th!