Kyle Rankin

Kyle Rankin

Chief Security Officer
PGP ID: 0xB9EF770D6EFE360F
Fingerprint: 0DFE 2A03 7FEF B6BF C56F73C5 B9EF 770D 6EFE 360F
Librem Social
Kyle Rankin

The Librem 14 was designed based on a long wishlist we made to build our dream laptop. When we first announced the Librem 14 we stuck to the features we knew for sure would be part of the first revision. Over the next few months as we worked through prototypes we were able to announce new features such as dual RAM slots and a number of exciting security features. While these features are mentioned on the Librem 14 product page, I thought it would be useful to collect all of the security features of the Librem 14 into a single place.

Hardware

Our previous Librem laptop lines touted a number of unique hardware security features and we have learned many lessons over the years as we use the hardware ourselves and get feedback from security-minded customers. With the Librem 14 we have been able to improve hardware security across the board.

Hardware Kill Switches

Our most famous hardware security feature is our hardware kill switches (HKS), a set of physical switches that disables the webcam and microphone, or WiFi, in hardware. Placing a sticker over a webcam is a nice start, but with HKS you can be sure that your computer isn’t spying on you and can conveniently enable the camera and microphone only when you need it.

We got feedback from a number of customers that having HKS on the side meant you had to crane your neck to see the current state and find the right switch. We also heard that some customers were flipping HKS when inserting their laptops into a case. With the Librem 14 we have moved the HKS back above the keyboard and have added LEDs to make the current state of the hardware obvious at a glance. We have also extended the webcam/microphone hardware kill switch so that it also disables the microphone in the headphone jack.

Ethernet Port

A physical Ethernet port might not seem like a security feature to some people, but for people facing particular threats it’s a critical security feature. The ability to remove the WiFi card completely, or at least keep it disabled with a HKS, and access the network over a physical Ethernet port, means you can completely avoid entire classes of attacks on WiFi cards and protocols.

Firmware Write Protection Switches

Another security feature that’s completely new to the Librem 14 is a set of switches on the motherboard that will allow you to write protect the BIOS and EC firmware. Currently the physical switches are implemented, but we still need to complete some software and configuration work so that they actually trigger write protection.

Librem 14 Firmware Write Protect Switch in the Off Position
Librem 14 Firmware Write Protect Switches in the Off Position

Firmware

After the hardware, the next area to focus on for security is the firmware–code that runs on discrete chips on your hardware that straddles the fence between hardware and software. Supply-chain attacks on firmware continue to be a growing concern in the security community so we take a number of additional steps on the Librem 14 to help secure its firmware.

Intel Management Engine

Perhaps one of the most famous bits of firmware on a modern Intel computer is the firmware for the Intel Management Engine (ME)–a chip that initializes Intel hardware and that is required for it to boot. Because the ME has core access to your hardware, because the code is proprietary so it can’t be audited, and because some versions of the ME include Active Management Technology (AMT) that enable IT administrators to control machines remotely over the network, there have been some concerns that the ME might contain secret backdoors. Also, as the features of the ME expand, there have also been concerns that the increased attack surface might allow attackers to exploit flaws in ME firmware and take remote control over a computer.

Like in past Librem laptops we select the simplest version of ME firmware available, without AMT, so that we begin with the smallest possible attack surface. Next we disable the ME by setting what is known as the HAP bit so that after the hardware is initialized the ME is disabled. In the past we have also performed an additional step of “neutralizing” the ME (overwriting most of the ME firmware with zeros, leaving only the bits critical to booting). As the Librem 14 is newer hardware running a newer version of the Intel ME, we haven’t yet been able to neutralize it, but hope to be able to add that in a future firmware release.

PureBoot

PureBoot is the name we give for a suite of technologies we use to secure the boot process. It starts with our boot firmware based on free software projects coreboot and Heads that help you detect firmware tampering when paired with a Librem Key. When you order a Librem 14 with the PureBoot Bundle, we pair the laptop with a Librem Key at our facility so that when you boot the laptop with the Librem Key inserted, the key will blink green if the system is safe, and blink red indefinitely if it detects firmware tampering.

PureBoot also extends into the operating system itself and will detect any tampering in the kernel or boot configuration files and alert you to them before it boots. Finally, PureBoot can even be configured to use your Librem Key to unlock disk encryption.

Embedded Controller

In addition to the Intel ME, another area of concern for firmware security is the embedded controller (EC). This chip manages the keyboard in addition to many other things:

With more tasks assigned to the EC, the software and its capabilities grew which makes it a pretty essential piece these days, especially for laptops. So the first thing the EC needs to do is to control the power up and power down of the machine, which means to enable or disable certain voltage domains, doing that in a controlled fashion honoring dependencies (often some power rails are derived from others), and also taking into account the power supply constraints of the main CPU in certain power modes. This is especially important for low power states like suspend to RAM where you just want to power what is needed. There are also other very interesting peripherals attached to the EC. Of course the EC controls the keyboard matrix, i.e. it assigns keypresses in that matrix to key scan codes sent to the main CPU.

Normally the EC runs proprietary firmware, and like with the ME, due to the level of access the EC has (such as the fact that it controls the keyboard), there is concern over what an attacker could do with backdoored or hacked EC firmware.

Starting with the Librem 14 we are freeing the EC firmware which will not only allow you to audit the firmware for backdoors and security flaws, but also give a Librem 14 owner much more control over their hardware. The blog post I linked above goes into much detail about the EC overall as well as our plans for it.

Software

By default the Librem 14 will ship with PureOS Byzantium–our latest and greatest release of PureOS featuring many security and feature updates while being accessible and convenient for the average user to use. For users who want even more security, perhaps at the expense of some convenience, we also offer Qubes as an operating system option on the Librem 14.

We have a long history of Qubes support on our hardware and treat Qubes as a first class operating system at Purism. Because Qubes makes heavy use of hardware virtualization, the average Qubes users finds themselves running ten or more virtual machines simultaneously, with some users running many more than that. With the 6 core, 12 thread tenth generation Intel i7 CPU, fast NVMe storage, and dual SO-DIMM slots allowing a maximum of 64GB RAM, we believe the Librem 14 is the best laptop for Qubes.

Anti-Interdiction

Finally, some customers face security threats such that having their laptop tampered with during shipment is a real concern. Other customers simply want the peace of mind that their laptop hasn’t been tampered with. Regardless of the reasons, Purism offers a premium anti-interdiction service where we work with a customer over encrypted email to model their particular threats and custom-tailor our anti-interdiction measures both on the hardware itself with glitter nail polish and tamper-evident seals, and on the software with an integrated PureBoot Bundle using customer-supplied secrets.

A close-up of the unique pattern of blue glitter nail polish on the center screw.
A close-up of the unique pattern of blue glitter nail polish on the center screw.

Conclusion

We are very proud of the Librem 14 and believe that its combination of hardware, firmware, software, and anti-interdiction features make it one of the most secure laptops you can buy.

Librem 14

Discover the Librem 14

The first 14″ laptop designed to protect your digital life. Ultra-portable workstation laptop that was designed chip-by-chip, line-by-line, to respect your rights to privacy, security, & freedom.

Pre-Order Now

Recent Posts

Related Content

Tags