New Inventory with TPM by Default, Free International Shipping

In November, we announced the availability of our Trusted Platform Module as a $99 add-on for early adopters, something that would allow us to cover the additional parts & labor costs, as well as test the waters to see how much demand there might be for this feature. We thought there would be “some” interest in that as an option, but we were not sure how much, especially since it was clearly presented as an “early preview” and offered at extra cost.

Well, it turns out that a lot of people want this. We were pleasantly surprised to see that, with orders placed since that time, 98% of customers chose to have a TPM even at extra cost. This proved there is very strong market demand for the level of security this hardware add-on can provide.

2018’s first new batch is in stock—with TPM

Thanks to the investment of those early TPM adopters who voted with their wallets and gave us the necessary “business case” and resources to work it out, we are extremely proud to announce that we now include the TPM chip in all new Librem 13 and Librem 15 orders by default, as a standard feature of our newest hardware revision shipping out this month.

All the rest of the chip specifications remain the same.

It is still costing us money to add the TPM feature, but we decided to eat the cost, as the greater public benefit is more important than profits (and that is in line with our social purpose status and mission). Adding a TPM by default without increasing the base price is a major accomplishment toward having security by default, and paves the way for convenient security and privacy protection for everyone. In addition to the previous announcement, you can read Kyle’s post to understand the security implications.

Wait, there’s more!

  • We are now offering Free International Shipping on all orders. This is essentially a permanent rebate of approximately 100 USD to all new international customers! As we have grown we have been able to leverage more standardized shipping options, and are now in a position to pass on that savings to Purism customers. Please note, however, that shipping insurance, local taxes, customs fees and import duties are still your responsibility as customers.
  • Thanks to popular demand, we are now offering Librem 13 and Librem 15 laptops with the backlit German keyboard layout. They are available for purchase in our store now, and will begin rolling out in mid-March.

Only a few non-TPM laptops remain in stock with the UK keyboard layout, so we are making a sale today to clear out that portion of the inventory. If you were looking for a Librem 13 with the UK physical key layout and no TPM, you can grab one of the few remaining ones and get an additional $99 off the previous no-TPM base price. In other words, instead of paying $1,478 “plus shipping” for the base configuration of the Librem 13 UK, you now pay $1,379 with free shipping!

We would like to thank all our users of Librem laptops and FSF endorsed PureOS, as well as all those that have backed the Librem 5 phone, and of course all those people who support us by feedback, kind words, and spreading the word. It is with this unified education approach that we can change the future of computing and digital rights for the better.

We have more great news in the pipeline. Next month, we hope to announce another major milestone in our inventory management & shipping operations. Stay tuned!

Librem 5 Phone Progress Report

Back from FOSDEM

Being at FOSDEM 2018 was a blast! We received a lot of great feedback about what we have accomplished and what we aim to achieve.  These sorts of constructive critiques from our community are how we grow and thrive so thank you so much for this! It helps us to focus our development. Moreover, I was very impressed by the appreciation that we received from the free software community. I know that relationships between companies, even Social Purpose Corporations—like Purism, and the free software communities are a delicate balance. You need to find a good balance between being transparent, open, and free on one side but also having revenue to sustain the development on the other side. The positive feedback we received at FOSDEM and the appreciation that was expressed for our projects was great to hear.

We are working really hard on making ethical products, based on free/libre and open source software a reality. This is not “just a job” for anybody on the Purism staff, we all love what we do and deeply believe in the good cause we are working so hard to achieve. Your appreciation and feedback is the fuel that drives us to work on it even harder. Thank you so much!

Software Work

As I mentioned before, we have the i.MX 6 QuadPlus test hardware on hand, so here are some photos of our development board actually running something:

On the right, you can see the Nitrogen board with the modem card installed. On the left is our display running a browser displaying the Purism web-page and below it a terminal window in which I started the browser. To put the resolution of the display into perspective I put a Micro SD card on the display:

Click to enlarge

The terminal window is about as big as three Micro SD cards! This makes it very clear that a lot of work has to be put into making applications usable on a high resolution screen and to make them finger friendly since the only input system we have is the touch screen. In the next picture I put an Euro coin on the screen and switched back to text console:

Click to enlarge

Concerning the software, we are working on getting the basic framework to work with the hardware we have at hand. One essential piece is the middleware that handles the mobile modem that deals with making phone calls and sending and receiving SMS text messages. For this we want to bring up oFono since it is also used by KDE Plasma mobile. We have a first success to share:

This is the first SMS sent through oFono from the iMX board and the attached modem to a regular mobile smartphone where the screenshot was taken. So we are on the right track here and have a solution that is starting to work that suits multiple possible systems, like Plasma mobile or a future GNOME/GTK+ based mobile environment.

The SMS was sent with a python script using the native oFono DBus API. First the kernel drivers for the modem had to be enabled followed by running ofonod which autodetects the modem. Next the modem must be enabled and brought online (online-modem). Once this was done sending an SMS was as simple as:

purism@pureos:~/ofono/test$ sudo ./send-sms 07XXXXXXXXX "Sent from my Librem 5 i.MX6 dev board!"

The script itself is very simple and instructive. Simulating the reception of a text message can also be done, with a command such as this one:

purism@pureos:~/ofono/test$ sudo ./receive-smsb 'Sent to my Librem 5 i.MX6 dev board!' LocalSentTime = 2018-02-07T10:26:19+0000 SentTime = 2018-02-07T10:26:19+0000 Sender = +447XXXXXXXXX

The evolution of mobile hardware manufacturing

We are building a phone, so hardware is an important part of the process. In our last blog post we talked a bit about researching hardware manufacturing partners. Since we are not building yet-another Qualcomm SOC based phone, but starting from scratch, we are working to narrow down all the design choices and fabrication partners in the coming months. This additional research phase has everything to do with how the mobile phone hardware market has evolved in the past years and I want to share how this all works with you.

In the early days of smartphones, a common case was that the main CPU was separated from the cellular baseband modem and that the cellular modem would run its own firmware when implementing all of the necessary protocols that operate the radio interface—at first it was GSM, then UMTS (3G) and finally LTE (4G). These protocols and the handling of the radio interface have become so complex that the necessary computational power for handling this as well as the firmware sizes have grown over time. Current 3G/4G modems include a firmware of 60 or more megabytes are becoming more common. It did not take long before storing this firmware became an issue as well as at run time since this requires significant increases of RAM usage.

Smartphones usually have a second CPU core for the main operating system which also runs the phone applications and interacts with the users. This means that your device must have two RAM systems as well, one for the baseband and one for the host CPU. This also means you need two storages for firmware, one for the host CPU and one for the baseband. As you may imagine, getting all of these components working together in a form factor small enough to fit into someone’s hand takes a lot of development and manufacturing resources.

The advent of cheap smartphones

There is extreme pressure about the cost of smartphones. In today’s commodity market, we see simple smartphones starting at prices less than $100 USD.

The introduction of combined chips, with radio baseband plus host CPU on one silicon die inside one chip, massively reduced costs. This allows the host CPU and baseband to share RAM and storage. Since the radio can be made in the same silicon process as the host CPU, and both can be placed in a single chip package, we see substantial cost reduction in the semiconductor manufacturing as well as the cost of manufacturing the device. This saves you from having to use a second large chip for the radio itself, an extra flash chip for its firmware, and possibly an extra RAM chip for its operation. This does not only reduce the Bill of Materials (BOM), but also PCB space, and it enables the creation of even smaller and thinner devices. Today we see many big companies offer these types of combined chipsets—such as Qualcomm, Broadcom, and Mediatek to name a few.

These chips caused a big shift in the mobile baseband modem market. Formerly it was common to find discrete baseband modems on the market that were applicable for mobile battery powered handsets like the one we are developing. But since the rise of the combined chipsets, the need for separated modems has dropped to a level that does not justify their development as much. You can still find modem modules and cards but these modules are usually targeted for M2M (machine to machine) communication with only limited data rates and most of them do not have audio/voice functions. They usually come in pretty large cards, such as the miniPCIe or M.2. For us this means that our choice of separated baseband modems suitable for a phone is narrowed.

What this means for OEM, ODM or Build it Yourself

All of this consolidation has an impact on hardware manufacturers and our choices. Pretty much all current smartphone designs by OEM/ODM manufacturers are based on the combined chipset types; this is all they know and it is where they have expertise. Almost no one is making phones with separated basebands anymore, and the ones who do are not OEMs nor ODMs. The options are further limited by our requirement not to include any proprietary firmware on our host CPU (which we wrote about before): most fabricators are unfamiliar with i.MX 6 or i.MX 8 and do not want to risk a development based on it, which narrows our hardware design and manufacturing partners to a much smaller list.

However, we have some promising partners that we will continue to evaluate, and we are confident that we are going to be able to design and manufacture the Librem 5 as we originally specified. We just wanted to share with you why making this particular hardware is so challenging and why our team is the best one to execute on this design. To continue to discuss with some of the manufacturers and providers, Purism will visit Embedded World, one of the world’s largest embedded electronics trade shows, in Nürnberg (Germany) in the beginning of March. And, as usual, we will continue to keep you updated on our progress!

Good news with our existing evaluation boards

We have been patiently waiting for the i.MX 8M to become available, all according to the forecast timeline from NXP. In the meantime, we have started developing software using the i.MX 6 QuadPlus board from Boundary Devices, specifically the NITROGEN6_MAX (Nit6Qp_MAX) since it is the closest we get to production devices before NXP releases the i.MX 8M. We have a Debian Testing based image running as a testbed on these boards while the PureOS team is preparing to build PureOS for ARM and ARM64 in special.

On these evaluation boards we have all the interfaces that we need for software development:

  1. Wi-Fi
  2. Video input and output
  3. USB for input devices
  4. Serial console and a miniPCIe socket with SIM card connected for attaching a mobile modem
  5. At the moment, we are using a Sierra Wireless MC7455 LTE miniPCIe modem card for development, which uses a Qualcomm MDM9230 baseband modem chip. This card is basically a USB device in a mPCIe form factor, i.e. we do not actually use the PCIe interface.
  6. An extremely nice display to our kits using an HDMI-to-MIPI adapter board. The display is a 5.5″ AMOLED display with full-HD resolution with the native orientation as portrait mode.

This hardware setup allows us to start a lot of the software development work now to ensure our development continues in parallel until we have the i.MX 8M based hardware in hand.

Next on our to-do list: phone calls!

Qubes 4.0 fully working on Librem laptops, coreboot added IOMMU and TPM

It’s easy to take things for granted when your computer runs a non-free proprietary BIOS. While the BIOS that comes with your computer is usually configured to match its features that’s not always the case. You end up with a sort of binary arrangement: if your BIOS supports a feature or allows you to change a setting, great, but if it doesn’t, you are generally out of luck. One example is with some of the new UEFI computers that ship with stripped-down BIOS options. One example we ran across recently had legacy boot disabled, secure boot enabled, and no way to change either setting, which is a terrible restriction for users wanting a free software distribution like PureOS or any another distribution that avoids the misnamed “secure boot” UEFI option.

From the beginning our goal has been to ship ethical computers without any proprietary code and the BIOS was one of our first targets. Starting last summer, all our computers come with the Free/Libre and Open Source coreboot BIOS. In addition to the many ethical and security advantages behind shipping an ethical BIOS/firmware, another advantage we have is that if our coreboot image doesn’t support a feature today, that doesn’t mean it won’t tomorrow.

We are happy to announce that due to the hard work of Youness “KaKaRoTo” Alaoui and Matt “Mr. Chromebox” DeVillier we have added IOMMU and TPM support to our new coreboot 4.7 BIOS. I’ve tested this personally on a Librem 13v2 with the latest Qubes 4.0-rc4 installer and the install completes with no warnings and reboots into a functional Qubes 4 desktop with working sys-net and sys-usb HVM VMs. In this blog post I’ll go over these different features, what they are, and why they are important. Read more

Designing the Mobile Experience with Convergence in Mind

It is always great to have the opportunity to discuss face to face with community members to get the pulse of what their thoughts are and suggestions they might have for the Librem 5 project. As such, I was happy to spend time discussing at length with people attending FOSDEM this week-end. Comments from the many supporters made me realize that there are some points regarding goals and vision, in terms of design for the entire Librem line, that needed to be expanded upon and clarified. Keep in mind that although the vision for our short and long-term design goals for the Librem 5 is becoming increasingly clearer, it is of course still “work in progress” from a design perspective; things are not set in stone and therefore we are listening (and responding) to the community’s feedback.

Convergence, for Purism, is a long-term goal to unify the human experience across different devices.

  • A user interface is made of a layout and interactive elements. Different devices using different input and output technologies will have different requirements for layout and interaction. In this case, our approach will consist in designing “responsive” (adaptative) layouts and interaction patterns that will allow modern apps to adapt themselves to the device that it is running on. We don’t have to port/adapt every single existing desktop app under the sun to achieve that goal though, and our partners in the GNU+Linux community have aligned goals with this direction.
  • That approach of convergence is also about the simplicity of accessing the same data and services between different devices, transparently.
  • Part of our plan for convergence is about helping define some consistent Human Interface Guidelines and optimizing the development tools & documentation, in order to help developers create a great experience across devices.

The implementation of our design involves the use of existing technologies, and the UI+UX design itself is not made with a specific technology in mind. Our design work is an attempt to define a set of Human Interface Guidelines that rely on the Ethical Design manifesto and our requirements for security and privacy. The technical details of its implementation are out of the scope of this design report and should be discussed with the development team.

Designing a Mobile Experience

Over the last two weeks, we have been thinking about general human interaction principles for the Librem 5. Our idea is to define the best possible mobile interaction design principles and combine it with an “optimal” mobile shell experience. While what you will see below is simply a high-level overview of work in progress that may change before final public versions, it is setting the stage, and is a good starting point for our upcoming work, such as the communications features that I’ll soon write about in a separate blog post.

Some Basic Principles

We think that a good mobile experience should define convenience and comfort when using the device. It should take into account the hardware in all its aspects along with the many different use cases. In that regard, it is important to define principles that are adapted to the physical device. One of these principles is that one-handed usage of a phone is frequent, and so our interaction design should take this fact into account.

One should be able to easily access the most important features of the phone when holding it with one hand; it supposes touching the screen with the thumb only. That doesn’t necessarily mean that all the screen surface and features must be accessible by the thumb (given the planned 5.5″ screen size, that would not be physically possible), but that the lower area is preferable to access the most useful phone features by default. Those features would include answering an audio or video call, reviewing notifications, unlocking the phone, accessing the home screen, requesting a search or launching the most frequently used applications.

To remain useful for both right and left-handed persons, the optimal area should favor the bottom half of the screen while also avoiding going too far towards the edges (that may be more difficult to access).

The size of the touch (tap) area is also something to take into account in order to give the user the best precision when interacting with the user interface.

Action targets like links, buttons, sliders and other interactive UI elements should take into consideration a sufficient surface size to be used with comfort and precision.

A First Look at the Shell

Peter K., our lead UI/UX designer, has been working on adapting these basic principles to the overall UI shell experience :

The main navigation happens at the bottom half of the screen, and similarly the majority of the interaction with the Lock Screen would happen in the lower half of the screen. When unlocked, the phone would reveal the Home Screen and show the most frequently used applications (or features) of the phone by default. Some useful widgets may use the remaining space (our example is showing music controls and web search widgets). Swiping up the frequently used applications icons reveals the full list of applications as well as the “main” search field, that is also accessible at the bottom of the screen. Less recurrent gestures, like accessing the settings or the detailed list of notifications, are available in the upper part of the screen.

More to Come

This was a quick appetizer regarding the ongoing design effort. Upcoming work will be about finalizing the shell experience and designing privacy-respecting communication features, so stay tuned!

Librem 5 Phone Progress Report

The Librem 5 and recent industry news

Lately, news headlines have been packed with discussions about critical CPU bugs which are not only found in Intel CPUs, but also partially in AMD CPUs and some ARM cores. At the same time, some of our backers have voiced concerns about the future of NXP in light of a potential acquisition by Qualcomm. Therefore you might be wondering, “Will the Librem 5 be affected by these bugs too?” and “will the Purism team get the i.MX 8 chips as planned?”, so let’s address those questions now.

Not affected by Spectre/Meltdown

At the moment we are pretty confident that we will be using one of NXP’s new i.MX 8 family of CPUs/SOCs for the Librem 5 phone. More specifically we are looking at the i.MX 8M which features four ARM Cortex A53 cores. According to ARM, these cores are not affected by the issues now known as Spectre or Meltdown, which ARM’s announcement summarizes in their security update bulletin.

So for the moment we are pretty sure that the Librem 5 phone will not be affected, however we will continue to keep an eye on the situation since more information about these bugs is surfacing regularly. In this respect we can also happily report that we have a new consultant assisting our team in security questions concerning hardware-aided security as well as questions like “is the phone’s CPU affected by Spectre/Meltdown or not”.

Qualcomm possibly buying NXP: not a concern

For quite some time there have been rumors that Qualcomm might have an interest in acquiring NXP. Since we will be using an NXP chip as the main CPU, specifically one of the i.MX 8 family, we are well aware of this development and are watching it closely.

Qualcomm is an industry leader for high volume consumer electronics whereas NXP targets lower volume industrial customers. This results in pretty different approaches concerning support, especially for free software. Where NXP traditionally is pretty open with specifications, Qualcomm is rather hard to get information from. This is very well reflected by the Linux kernel support for the respective chips. The question is how would it affect continued free software support and availability of information on NXP SOCs if Qualcomm acquires NXP?

First, it is unlikely that this deal will happen at all. Qualcomm had a pretty bad financial year in 2017 so they might not be in the financial position to buy another company. Second, there is a rumor that Broadcom might acquire Qualcomm first. Third, international monopoly control organizations are still investigating if they can allow such a merger at all. Just a few days ago the EU monopoly control agreed to allow the merge but with substantial constraints, for example Qualcomm would have to license several patents free of charge, etc. Finally, there are industry obligations that NXP cannot drop easily: the way NXP works with small and medium sized customers is a cornerstone of many products and customers; changing this would severely hamper all of those businesses involved, and these changes might cause bad reputation, bad marketing and loss of market share.

So all in all, this merger is not really likely to happen soon and there would probably not be changes for existing products like the i.MX 8 family. If the merger happens it might affect future/unreleased products.

Development outreach

In addition to working on obtaining i.MX6QuadPlus development boards to be able to work properly, the phone team is also intensively researching and evaluating software that we will base our development efforts on during the next few months. We are well aware of the huge amount of work ahead of us and the great responsibility that we have committed to. As part of this research, we reached out to the GNOME human interface design team with whom we began discussions on design as well as implementation. For example, we started to implement a proof of concept widget that would make it much easier to adapt existing desktop applications to a phone or even other style of user interface. What we would like to achieve is a convergence of devices so that a single application can adapt to the user interface it is currently being used with. This is still a long way ahead of us, but we are working on it now. We will meet up also with some GNOME team members at FOSDEM to discuss possible development and design goals as well as collaboration possibilities.

The mobile development work for KDE/Plasma will primarily be performed by their own human interface teams. Purism will be supporting their efforts through supplying hardware and documentation about our phone development progress as it is happening. This will help ensure that that KDE/Plasma will function properly on the Librem 5 right from the factory. To understand better where we’re headed with GNOME and KDE together, take a look at this blog post.

We also reviewed and evaluated compositing managers and desktop shells that we could use for a phone UI. We aim to use only Wayland, trying to get rid of as much X11 legacy as we possibly can, for performance issues and for better security. From our discussions with GNOME maintainers of existing compositors and shells, we may be better off igniting a new compositor (upstreamed and backed by GNOME) in order to avoid the X11 baggage.

On the application and middleware side of things, we have generated an impressive list of applications we could start to modify for the phone to reach the campaign goals and we have further narrowed down middleware stacks. We are still evaluating so I do not want to go into too much detail here, in order not set any expectation. We will of course talk about this in more detail in some later blog posts.

Meeting with Chip Makers

As the CPU choice is pretty clear lately, we are going to have a meeting with NXP and some other chip makers at Embedded World in Nürnberg, Germany, at the end of the month. This is very encouraging since we worked for months on getting a direct contact to NXP, which we now finally have and who we will meet in person at the conference. The search for design and manufacturing partners is taking longer than expected though. Our own hardware engineering team together with the software team, especially our low level and kernel engineers, started to create a hardware BOM (bill of material) and also a “floor plan” for a potential PCB (printed circuit board) layout, but it turns out that many manufacturers are reluctant to work with the i.MX 8M since it is a new CPU/SOC. We have, however, some promising leads and good contacts so we will work on that.

Purism Librem 5 team members attending FOSDEM

By the way, many Purism staff members will be at FOSDEM this week-end, on the 3rd and 4th of February. In addition to the design and marketing team, PureOS and Librem 5 team members will be there and we would love to get in touch with you! Purism representatives dedicated to answering your questions will be wearing this polo shirt so you can easily recognize them:

GNOME and KDE in PureOS: diversity across devices

PureOS, a Free Software Foundation endorsed GNU distribution, is what Purism pre-installs on all Librem laptops (in addition to it being freely available for the public to run on their own compatible hardware or virtual machines). It comes with a GNOME desktop environment by default, and of course, since we love free ethical software, users can use KDE that is also available within PureOS. This is the future we will continue to advance across all our devices: a PureOS GNOME-first strategy, with other Desktop Environments (DEs), such as KDE, available and supported by Purism.

At Purism we want a unified default desktop environment, and considering that we have chosen GNOME to be the default on laptops, we hope to extend GNOME to also be the default on phones. The ability for users to switch is also very powerful, and having a strong, usable, and supported alternative—that is, KDE/Plasma—for the Librem 5 offers the best of the “unified default” world and the “usable user choice” worlds.

Symbiotic GNOME and KDE partnerships

Purism has partnered with both GNOME and KDE for the Librem 5; what this means simply is that users running PureOS on their Librem 5 will get the choice of a GNOME environment or a KDE/Plasma environment, and the user could always switch between the two, like what is already the case on computers running PureOS. Will there be other partnerships in the future? We imagine so, since we will be happy to support any and all ethical OSes, GNU distributions, and want to make sure that the future is bright for a non-Android-non-iOS world.

While the initial GNOME and KDE partnerships mean uplifting diversity at the top level (and greater choice for users), each have a slightly different developmental and support roadmap. The reason for this is pragmatic, since KDE is very far along with their “Plasma” mobile desktop environment, while GNOME is farther behind currently. Investing time and efforts to advance the status of mobile GNOME/GTK+, aligns with our longer-term goals of a unified default desktop environment for PureOS, offering a convenient default for users. Diversity is why we are supporting and developing both GNOME/GTK+ and KDE/Plasma.


  • KDE: Purism is investing in hardware design, development kits, and supporting the KDE/Plasma community, and will be sharing all early documentation, hardware designs, and kernel development progress with the core KDE/Plasma developers and community.
  • GNOME: Purism is investing the same in hardware design, development kits, and supporting the GNOME/GTK+ community as we are with the KDE/Plasma community. In addition, Purism is needing to lead some of the development within the GNOME community, since there is not a large community around an upstream-first GNOME/GTK+ for mobile yet.

Choice is good, redundancy is good, but those are ideal when there is minimal additional investment required to accomplish technological parity. Since Purism uses GNOME as the default desktop environment within PureOS on our laptops, we figured we are going to invest some direct development efforts in GNOME/GTK+ for mobile to stay consistent across our default platforms. Adding KDE as a second desktop environment is directly aligned with our beliefs, and we are very excited to support KDE/Plasma on our Librem 5 phone as well as within PureOS for all our hardware. We will support additional efforts, if they align with our strict beliefs.

Why not just use KDE/Plasma and call it a day?

If we were doing short-term planning it would be easy to “just use Plasma” for the Librem 5, but that would undermine our long-term vision of having a consistent look/feel across all our devices, where GNOME/GTK+ is already the default and what we’ve invested in. Supporting both communities, while advancing GNOME/GTK+ on mobile to allow it to catch up, aligns perfectly with our short-term goals (offering Plasma on our Librem 5 hardware for early adopters who prefer this option), while meeting our long-term vision (offering a unified GNOME stack as our primary technological stack across all our hardware). It is also a good way to give back to a project that needs our help.

Why not just push GNOME and GTK+ and forward?

Because having an amazingly built Plasma offering available early to test and ship to users is a superb plan in many ways—not just for redundancy, but also because KDE/Plasma also aligns so well with our beliefs. The product readiness across these two desktop environments are so different it is not easy to compare side-by-side.

Empowering both communities is possible

Overall, Purism is investing the same amount across hardware, boot loader, kernel, drivers and UI/UX. These are shared resources. The deviation boils down to:

  • GTK+ and the GNOME “shell” development, that Purism is planning to be directly invested in, in close collaboration with upstream
  • Community support: by being involved in both communities, we are effectively doubling our efforts on supporting those communities, but that is a small cost for the greater benefit of users.

Supporting both KDE/Plasma and GNOME means we will continue to build, support, and release software that works well for users across Purism hardware and within PureOS. Purism fully acknowledges that each platform is in different release states, and will be working with each community in the areas required—be that software development, hardware development kits donated, community outreach, conference sponsorship, speaking engagements, and offering product for key personnel.

Meet us at FOSDEM 2018!

Are you attending FOSDEM next week-end? So are we! Join us in this massive Free Software event in Brussels on February 3rd and 4th and ask us anything!

Members of the Purism design team, Librem 5 development team, and PureOS developers will be meeting up and walking around the event, namely: François, Predrag (Peter), Jeff, Nicole, Dorota, Guido, Adrien, Matthias and Zlatan will all be on-site. You can check out what they look like on our team page. Come and say hi!

Jeff and François will be dedicated to answering your questions (in English or French!) and will be walking around the venue wearing clearly identifiable polo shirts, like this:

They will also be carrying our all new information booklet summarizing our approaches to security, freedom, and the goals behind our products such as the Librem 5. Feel free to take one!

Librem 5 Phone Progress Report – A Design Team Assembles

We have spent the last two months building our design team for the Librem 5 Phone project. We have been studying the current state of mobile design within the free software community as well as large companies that have shown success in mobile. We have been in the planning phases of development attempting to produce an ethically designed device and now that we have a working prototype we have shifted to the process of designing User Interfaces (UI) and User eXperience (UX) for the Librem 5.

New members on the design team

Peter K’s Concept Art

Upon successful completion of our funding campaign, we started to look for a Designer to take care of the user experience for the Librem 5, and a web developer to help us improve the look & feel (and more technical parts) of our website in general. Today, I’m glad to finally welcome them publicly!

  • Our new UI & UX Designer is Peter Kolaković, who is very talented and had already gotten involved during the campaign by creating amazing concept art (that we ended up displaying on the campaign page and that became the basis for our potential look and feel of the Librem 5).
  • Our new Web Designer is Eugen Rochko, the web development wizard who already proved his skills by creating Mastodon.

We had a huge amount of talented and motivated applicants who were perfectly aligned with our philosophy of digital ethics, and so picking only two was a very difficult decision to make. Thank you to all of those who applied! We appreciate your interest, motivation, and ideas!

Unified look for PureOS devices

Peter has also been working on the look and feel of PureOS in an effort to make our systems convergent across devices: phone, tablet and laptop.

Our approach to convergence is that mobile is the motivating factor for all other platforms. We are aware that usability is different from a small touchscreen to a laptop monitor with a mouse and keyboard. We want to improve the user experience through ease of use, by creating a graphical environment that doesn’t require a steep learning curve when switching between devices. This approach is also helpful to developers who don’t want to maintain too many different outputs. Mobile design brings efficiency and simplicity first.

The general appearance of the user interface we’ll be designing is expected to follow current visual design approaches in the mobile industry. We expect our design to have a minimalistic aesthetic by default.

We are starting work on a dark theme (a “light” one will be designed as well). Here are a few mockups that we are working on (click to enlarge):

Community involvement approach

We want any of our Librem 5 UI/UX design and development work to be a direct contribution back to the parent projects that they are based on. You may be aware that we have partnered with both the KDE and GNOME projects, and so we wish to make the Librem 5 a mobile platform where the user can have a choice of Desktop Environments. Of course, KDE and GNOME are currently at fairly different levels of development with regards to mobile user experience:

KDE Mobile UI Example
  • KDE already has a beautiful and full-featured mobile interface (that our dev team is busy on making work on the Librem 5 hardware). Whatsmore, from a design standpoint, the KDE design team has done a great job developing a set of clean, touch driven user interfaces that make it a pleasant and functional mobile environment already; there is not much to add to KDE except for a graphical touch interface specific to PureOS. Purism’s contribution to KDE may be generally focused on hardware integration and testing, rather than design.
  • GNOME developers’ resources have not been focused on mobile user experience per se, so there is more work required to make GNOME production ready for a convergent Librem 5. In an effort to bring convergence across our devices which already run PureOS with GNOME, we are hoping to contribute design and software development efforts to the GNOME project. Our teams will develop and design the missing mobile components and improve the existing ones.

This is what free software is all about—not just taking existing work “as is” but adjusting and improving things that we send back for everyone to benefit from. We’re looking forward to giving development back to these two free software giants!


As I said in a previous post, we are working on producing an “ethical design” that:

  • Respects Human Rights by using free/libre technologies and contributing to them for the profit of everyone.
  • Respects Human Effort by unifying the user experience, making convergent designs based on a “Mobile First” approach that favors efficiency and simplicity.
  • Respects Human Experience by designing a modern, clean and efficient look for PureOS.

Dark Caracal: State-Sponsored Spyware for Rent

Spyware has long been a privacy and security risk for personal computers and has been used by a number of groups—ranging from creeps who spy on and blackmail people through Remote Access Trojans, to marketers who want ever more data about you for targeted ads (such as through the Superfish malware we’ve seen preinstalled on some “big brands” computers), to government intelligence agencies.

The Register recently reported on an investigation by the EFF and Lookout into the “Dark Caracal” spyware network. According to the EFF, this spyware has already captured hundreds of gigabytes of data. More troubling, this spyware network is being rented out to nation states that may not be able to develop this capability in-house. Who knew government spies had their own international app store?

The Dark Caracal toolkit contains malware that targets Windows and Android platforms. In particular, Lookout discovered that Dark Caracal uses a particular piece of Android malware called Pallas that disguises itself as a legitimate Signal or WhatsApp app and tricks the unsuspecting user into installing it. Instead of relying on a rootkit, it just uses the fact that chat apps usually have access to a wide variety of permissions on your phone, so most people don’t question all the permissions the malware wants. Once installed, it uses those permissions to get audio, text messages, files, and other data via completely legitimate means and uses the network connection to send it back to the attacker.

Purism, Post-Its and Personal Privacy

Dark Caracal relies on Windows and Android malware, so you might wonder why I’m writing about it at Purism given not only is our Librem 5 phone not out yet, but PureOS is a completely different platform and isn’t vulnerable to this spyware toolkit. What makes spyware like this relevant is that we have focused on protecting customer privacy from the beginning (it’s even part of our corporate charter). Stories like this give us an opportunity to audit the privacy and security protections we put in our products to see how they’d fare if we had been a target.

By performing a tabletop thought exercise against spyware in the wild even if we aren’t vulnerable ourselves, we can rate the protections we have in place against a real-world attack and proactively harden things further based on any gaps we might find. It’s always easier if you start with security as a focus from the beginning instead of tacking it on at the end, so this exercise is not just useful for our existing Librem laptops but is particularly helpful as we develop the Librem 5.

Software Delivery

The first thing to examine is the software delivery mechanism. Malicious lookalike applications are a constant problem in mobile app stores, even more so if you add third party stores into the mix. One advantage GNU/Linux distributions have long had against other operating systems is that all of a particular distribution’s applications come from its own official repository and are signed by its developers. It’s much more difficult for a malicious application to end up in the official repository and pass the signature check, so when you use your distribution’s tool to install LibreOffice, you can be assured you are getting the real thing.

We get an additional advantage due to our dedication to Free Software. Like with other GNU/Linux distributions, all applications in PureOS come from a central PureOS repository and are signed with official PureOS keys. Unlike many GNU/Linux distributions, PureOS is a FSF-endorsed distribution so all of the software in PureOS must be Free Software. PureOS doesn’t include packages that download proprietary codecs, unsigned Flash plugins or any other binary-only code from elsewhere on the Internet. This means you can examine the source for every package in PureOS to check for malware or backdoors.

This is why it’s important to be extra careful when adding third-party repositories or installing software with curl | sh because you bypass trusted code signing and lose many of the protections built into a GNU/Linux distribution’s native packages. Fortunately, because PureOS is derived in part from Debian, it can take advantage of the vast number of packages available in Debian’s free repository, so you are much less likely to need to install software from a third party.

Hardware Privacy Protections

For most vendors you would focus only on software protections against spying because that’s your only option. Fortunately we can go one step further because we also build privacy protections into the hardware itself in the form of kill switches. Purism devices include hardware switches that allow you to cut power to radio hardware (WiFi) and to the webcam and microphone. Unlike a software hot key, these hardware switches disconnect power from the hardware so it can’t be bypassed by malicious software. Dark Caracal attacked both desktops and phones and so we should consider what effect our hardware privacy features would have on the spyware in both cases.

Desktop Protections

On a traditional laptop infected with Dark Caracal, the attacker would be able to stream video from the webcam. Depending on the sophistication of the spyware, it could possibly capture video with the LED light off, a phenomenon that has been demonstrated multiple times in recent years. Even if the victim added the high-tech spying countermeasure of covering the webcam with tape, the attacker could still capture audio off of the microphone and stream it along with the rest of the data over the WiFi connection.

On Librem laptops, the radio kill switch disables WiFi and the webcam/mic kill switch—you guessed it—disables the webcam and microphone together. We recommend users take advantage of the kill switches, in particular the webcam/mic switch, to disable the hardware when you aren’t using it. With the webcam/mic kill switch, even if spyware found its way on your machine, the attacker wouldn’t be able to capture any video or audio from the machine as long as the switch was off.

Customers especially concerned about their privacy or in a high-risk environment could take the additional precaution of using the radio kill switch to keep WiFi powered off and only turning it on briefly when they needed a network connection. In that case the attacker would have to wait until a network connection showed up and use that limited window to upload the data.

Phone Protections

Like with the Librem laptops, the Librem 5 phone will have kill switches, but as you’ll see, they impact a phone’s privacy even more dramatically than on a laptop. For example, the webcam/mic kill switch will protect you in much the same way as in a laptop, but unlike with a laptop, it gives you spyware protection you just wouldn’t have with a traditional phone because most phones just don’t have a good way to disable the microphone (in fact they rely on it being always on for voice commands). While you could tape over the camera like in a laptop, almost no one does. With a kill switch, you can leave your camera and mic off and conveniently turn it on when you need to take a selfie or make a call.

The radio kill switch would protect you in a similar way as on a laptop, but the Librem 5 also has an additional baseband kill switch. This switch powers off the cellular radio completely, not using software like in traditional airplane mode but using hardware so you know for sure it’s off. With the baseband off, you also prevent spyware from using your cellular beacon to track your location or your cellular network to send out your personal data and rack up a large cellphone bill.


It’s hard to add security and privacy protections after the fact—even harder if your company relies on customer data for its revenue. Because we value customer privacy, we continually work to increase privacy protections in our products not just in a reactive way based on a specific threat but in a proactive and general-purpose way that applies to all kinds of threats. Even though Purism products weren’t vulnerable to Dark Caracal, you can see how some of the additional protections we put in place would help keep you safer even if they were.

While this government-sponsored spyware was interesting because of its scope and because it was rented out to other governments, spyware like it is sadly not unique. Everyone from governments to tech companies to hackers to creepy stalkers all want a piece of your personal data and they all use different kinds of spyware to get it. Some of the greatest minds in our generation are focused on the problem of how to capture and store more and more of your data. At Purism we recognize that this data is your data, and we work every day to protect it.