You first learn about the importance of the supply chain as a child. You discover a shiny object on the ground and as you reach down to pick it up your parent says “Don’t touch that! You don’t know where it’s been!” But why does it matter whether you know where it’s been? When your parents know where something came from, they can trust that it’s clean and safe for you to play with. When they don’t, their imagination runs wild with all of the disgusting bacteria and viruses that might taint it.
The food supply chain is important. Food is sealed not just so that it will keep longer, but also so that you can trust that no one has tampered with it between the time it left the supplier to the time it goes in your grocery bag. Some food goes even further and provides a tamper-evident seal that makes it obvious if someone else opened it before you. Again, the concern isn’t just about food freshness, or even someone stealing food from a package, it’s about the supplier protecting you from a malicious person who might go as far as poisoning the food.
The supply chain ultimately comes down to trust and your ability to audit that trust. You trust the grocery and the supplier to protect the food you buy, but you still check the expiry date and whether it’s been opened before you buy it. The grocery then trusts and audits their suppliers and so on down the line until you get to a farm that produces the raw materials that go into your food. Of course it doesn’t stop there. In the case of organic farming, the farmer is also audited for the processes they use to fertilize and remove pests in their crops, and in the case of livestock this even extends to the supply chain behind the food the livestock eats.
You deserve to know where things have been whether it’s the food that sustains your physical life or the devices and software that protect your digital life. Tainted food can make you sick or even kill you, and tainted devices can steal your data and take over your device to infect others. In this post I’ll describe some of the steps that Purism takes to protect the digital supply chain in our own products.
A lot has been written recently about threats to the hardware supply chain in light of Bloomberg’s allegations about hardware implants that intercepted the BMC remote management features in certain SuperMicro server hardware. While all of the vendors have denied these allegations (and Bloomberg stands by its story), everyone acknowledges that whether this particular incident happened, this kind of implant is certainly possible.
A crucial point that many are missing, and one that leads me personally to doubt the Bloomberg story, is that while a hardware implant is possible, it’s unnecessary–the BMC firmware and IPMI protocol have a long history of vulnerabilities and it would be a lot easier (and stealthier) for an attacker either to take advantage of existing vulnerabilities or flash a malicious firmware, than risk a hardware implant. An attacker who is sophisticated enough to deploy a hardware implant is sophisticated enough to pick a safer approach.
Why is attacking the firmware safer than implanting hardware? First, firmware hacking is easier. Firmware used to be something that was flashed onto hardware once and could never be overwritten. In those days it might have been just as easy to add a malicious chip onto the motherboard. Now most firmware is loaded onto chips that can be written and overwritten multiple times to allow updates in the field, so anyone along the hardware supply chain could overwrite trusted firmware with their own.
Second, firmware attacks are harder to detect. Hardware attacks risk detection all along the supply chain whenever someone physically inspects the hardware. Motherboards have published diagrams you can compare hardware against, and if a chip is on the board that isn’t in a diagram, that raises alarms. Since so much firmware is closed, it’s more difficult to detect if someone added malicious code and it’s certainly something you can’t detect by visual inspection.
Finally, firmware attacks offer deniability. It’s hard for someone to explain away a malicious chip that’s added onto hardware unannounced. If firmware vulnerabilities are detected, they can almost always be explained away as a security bug or a developer mistake.
Purism has a number of strategies it uses to protect the firmware supply chain. The first strategy is to limit the overall threat by reducing the amount of proprietary firmware on our hardware as much as possible. We select the hardware components in our laptops such as the graphics chip and WiFi card so that we can run them with free software drivers that anyone can audit. Like a dairy that only packages milk from antibiotic-free cows, we can avoid a lot of other audit worries by starting with a clean source.
The next area we focus on is the Intel Management Engine (ME). Like all modern Intel-based hardware, our laptops include the Intel Management Engine, but we intentionally exclude Intel’s Active Management Technology (AMT) to avoid the risk posed by that proprietary out-of-band management software. We then neutralize and disable the ME so that only a small percentage of the firmware remains on the chip, further reducing the avenues for attack. Whether a dairy gets antibiotic-free milk or not, it still pasteurizes it to kill any unseen microbes in the raw milk.
The other important piece of firmware on a laptop is the BIOS. Since it runs before the operating system, it’s a tempting piece of code to attack because such a compromise can easily hide from the OS in a regular system and survive reboots. We protect the BIOS firmware from supply chain attacks both upstream and downstream from us and next I will describe our approaches.
The motherboards’ BIOS chip arrives to us with a proprietary BIOS from the supplier. To protect against any upstream attempts to replace that default BIOS with something malicious we overwrite it with our own coreboot BIOS. This further reduces the amount of proprietary firmware in the BIOS since with coreboot the bulk of the BIOS is free software. Even though the Intel Firmware Support Package (FSP) proprietary blob still remains we still greatly reduce the risk (and aim to liberate or replace the FSP as well). It’s like repackaging food in BPA-free plastic when you aren’t sure about the make-up of the original packaging.
That leaves how we protect you from attacks on the BIOS that might occur either during shipping or after you have the computer in your possession. For this we are working to offer the combination of the Heads tamper-evident BIOS that sits on top of coreboot and our Librem Key USB security token and we are starting a private beta program right now to get feedback before a wider release. With Heads combined with the Librem Key, we can configure a shared secret between the computer and the Librem Key at the factory and ship the devices separately. If someone tampers with your computer during shipping or at any point after you receive it, you will then be able to detect it with an easy “green is good, red is bad” blinking light on the Librem Key. Think of it like a pop-up tamper-evident seal on a jar of food.
While the hardware and firmware supply chain attacks get a lot of focus due to their exciting “spy versus spy” nature, software supply chain attacks are a much greater and more present threat today. While many of the hardware and firmware attacks still exist in the realm of the hypothetical, software attacks are much more real. Vendors have been caught installing spyware on their laptops, in some cases multiple times, to collect data to sell to advertisers or to pop up ads of their own. When you can’t audit the code, even a computer direct from the factory might be suspect.
With proprietary operating systems, there’s the risk that comes from not being able to audit the programs you run. A malicious developer or a developer hired by a state actor could add backdoors into the code with no easy way to detect it. This isn’t just a hypothetical risk as the NSA is suspected in a back door found in Juniper’s ScreenOS.
If you decide that you can trust your OS vendor you might be comfortable relying on the fact that OS vendors sign their software updates these days so the OS can be sure that the software came directly from the vendor and wasn’t tampered with while it was being downloaded. Yet applications on proprietary operating systems come from multiple sources, not just the OS vendor, and in many cases software you download and install from a website has no way to verify that it hasn’t been tampered with along the way.
Even if you only use software signed by a vendor you still aren’t safe from supply chain attacks. Since you don’t have access to the source code, there’s no way to prove that the signed software that you download from a vendor matches the source code that created it. When developers update software, their code generally goes to a build system that converts it into a binary and performs tests on it before it packages it, signs it, and makes it available to the public. An attacker with access to the build system could implant a back door at some point in the build process after source code has been checked in. With this kind of attack, the malicious code might go unnoticed for quite some time since it isn’t present in the source code itself yet the resulting software would still get signed with the vendor’s signature.
Purism has a great advantage over proprietary software vendors when it comes to protecting the software supply chain because we can offer a 100% free software operating system, PureOS, on our laptops. By only installing free software on our laptops, all of the source code in the operating system can be audited by anyone for backdoors or other malicious code. For processed food to be labeled as organic, it must be made only from organic sources, and having our operating system certified as 100% free software means you can trust the software supply chain all the way to the source. Beyond that, all of the software within PureOS is signed and those signatures are verified every time you install new software or update existing software.
Unlike proprietary software, we can also address the risk from an attacker who can inject malicious code somewhere in the build process before it’s signed. With Reproducible Builds you can download the source code used to build your software, build it yourself, and compare your output with the output you get from a vendor. If the output matches, you can be assured that no malicious code was injected somewhere in the software supply chain and it 100% matches the public code that can be audited for back doors. Think of it like the combination of a food safety inspector and an independent lab that verifies the nutrition claims on a box of cereal all rolled into one. We are working to ensure all of the software within PureOS can be reproducibly built and to provide you tools to audit our work. Stay tuned for more details on that.
The supply chain comes down to trust and your ability to audit that trust. Unfortunately all too often a company’s economic incentives run counter to your trust. This is why Purism is registered as a Social Purpose Corporation (SPC) so we can put our ethics and principles above economic incentives. We also continue to improve our own ability to audit the supply chain and isolate (and ultimately eliminate) any proprietary code that remains. Beyond that we are also working to provide you the tools to audit the supply chain (and audit us) yourself, because while we feel you should trust us, your security shouldn’t have to depend on that trust alone.