Kyle Rankin

Chief Security Officer
PGP ID: 0xB9EF770D6EFE360F
Fingerprint: 0DFE 2A03 7FEF B6BF C56F73C5 B9EF 770D 6EFE 360F

Strong security

The boot process, in computer hardware, forms the foundation for the security of the rest of the system. Security, in this context, means a “defense in depth” approach, where each layer not only provides an additional barrier to attack, but also builds on the strength of the previous one. Attackers do know that if they can compromise the boot process, they can hide malicious software that will not be detected by the rest of the system. Unfortunately, most of the existing approaches to protect the boot process also conveniently (conveniently for the vendor, of course) remove your control over your own system. How? By using software signing keys that only let you run the boot software that the vendor approves on your hardware. Your only practical choices, under these systems, are either to run OSes that get approval from the vendor, or to disable boot security altogether. In Purism, we believe that you deserve security without sacrificing control or convenience: today we are happy to announce PureBoot, our collection of software and security measures designed for you to protect the boot process, while still holding all the keys.

Why “PureBoot”?

PureBoot comprises a number of different technologies, and together they secure the boot process in a convenient way. Why are we combining all of these different technologies under a single name? Because they all work together to secure the boot process, because it’s easier to talk about our boot security overall calling it by a single name, instead of by the names of its (currently) six individual components:

  1. Neutralized and Disabled Intel Management Engine
  2. The coreboot free software BIOS replacement
  3. A Trusted Platform Module (TPM) chip
  4. Heads, our tamper-evident boot software that loads from within coreboot
  5. Librem Key, our USB security token
  6. Multi-factor authentication that unlocks disk encryption using the Librem Key

How PureBoot Protects You

There are lots of different threats and attacks that focus on the boot process. It’s easier to understand how PureBoot protects you if you understand what some of the threats are, so this section will describe how some very specific attacks work, and how PureBoot stops them.

Theft

One of the most common security threats you face is exposing sensitive data, if and when your laptop is lost or stolen. Disk encryption is a simple, highly efficient way of protecting your data from loss or theft, for it requires a passphrase, without which no one can read the data on your disk. With PureBoot, we ensure that all systems we ship are encrypted by default, with keys you set up on first boot. Many vendors use disk encryption with a passphrase; but we’ve decided to go a step further, and unlock the disk with multi-factor authentication.

Today we’re happy to announce something we’ve only hinted at before: the integration of our Librem Key with LUKS disk encryption. Once set up, you just need to boot with your Librem Key inserted, and when prompted enter the same Librem Key PIN you use for GPG encryption or signing. This means that, in order to unlock your disk, attackers need “something you have” (the Librem Key) and “something you know” (your Librem Key PIN). If you lose your Librem Key you can always fall back to a recovery mode that prompts you for your old passphrase; you can set a strong fallback passphrase and store it somewhere safe, but use the Librem Key for convenience. For even more security, you can delete the recovery passphrase and only use the multi-factor authentication to unlock your disk.

We are working on adding this solution into upstream projects, so it will be available and pre-installed by default. If you want to try it out today, just follow the steps in our documentation, and download a script that automates the process of setting up LUKS to use your Librem Key.

BIOS Malware and Kernel Rootkits

Once attackers do have access to your system, they will want to keep that access and hide themselves from you. One of the best ways for them to hide – and make sure they still have access between reboots — is compromising your OS’s kernel software, so that it filters out any requests to the system that might reveal the attacker’s software. Of course, you could still thwart an attacker by reinstalling or upgrading your operating system, even if you can’t see any evidence of an attack… but the attacker may also have compromised your BIOS (the first code the system runs) so that it re-infects your system after every reinstall, successfully hiding themselves even from a live OS — booted from USB. BIOS malware allows attackers to intercept, and capture, your disk encryption password as you type it in.

With PureBoot you only need to insert your Librem Key and turn the computer on to know: if your BIOS has been tampered with, the Librem Key will flash red to warn you. If your computer is safe, the Librem Key flashes green. When you boot into your OS, it will use your own private keys to test whether any boot files (including your kernel, initrd, and other config files) have changed. You can use your Librem Key to re-sign these files at any time, using keys completely under your control.

PureBoot starts by loading a free software BIOS, coreboot, so that you can audit your BIOS for security bugs or backdoors. Since attackers generally focus on more mainstream proprietary BIOSes for their malware, this alone will protect you from a number of common attacks.

Of course, coreboot is only the beginning.

The next step happens as coreboot loads the Heads tamper-evident boot loader, and uses the TPM chip. TPM chips have traditionally been used to restrict what code you can run at boot, and/or for Digital Rights Management (DRM); but we put the TPM in your control. When Heads is set up for the first time, it stores known-good measurements of all executed boot code into the TPM chip on the system — along with a special secret. You can reset the TPM, set a new TPM passphrase and store new measurements at any time; it doesn’t require Purism’s approval.

Heads authenticates itself to you, not the other way around, by turning that shared secret in the TPM into a 6-digit code it then sends to your Librem Key. If the BIOS changes, or if an attacker resets the TPM, the TPM won’t release the shared secret to Heads, Heads won’t be able to generate the code that matches what the Librem Key generates, and the Librem Key will flash red to warn you.

PureBoot protects against kernel rootkits using your own GPG keys, the ones stored on your Librem Key. When you first set up Heads, it signs all of the files in your /boot directory with your own GPG keys; whenever you boot your OS, it scans all the files in your /boot directory and warns you if anything has changed. It does all this without locking you out of your system or removing control: even in the event of modified files, you always have the possibility of booting into a failsafe mode and get back into your system.

Up to this point, Heads had only been available to a small group of people, in a private Beta program. This program was a success and led to a number of UI and documentation improvements; we are so pleased to announce that, starting today, Heads is an open Beta for anyone who wants to try it out. If you would like to test Heads on your Librem laptop, just visit our official documentation page for details on how to build, install and set it up.

Intel Management Engine Risks

The Intel Management Engine (ME) is a special piece of software from Intel that runs on all modern Intel computers, and is required to initialize the hardware. In some computers, the ME includes Advanced Management Technology (AMT) software, allowing IT to remotely access a computer over the network, see what’s on the screen and control the hardware. Many security experts are very worried about the ME’s complete and fundamental access to your computer’s hardware, because its source code is proprietary and therefore it can’t be audited for security bugs, or for backdoors that might be planted by the vendor or by a sophisticated adversary. These worries aren’t completely unfounded: Positive Technologies has found a number of concerning security vulnerabilities in the ME over the years.

We now know PureBoot protects against ME vulnerabilities in a number of ways, we start by choosing an ME chip that does not contain AMT features to begin with, and then we disable the ME by setting the “disable” bit within the ME. Since we don’t really want to rely on trusting the ME to disable itself, we also neutralize the ME by erasing most of the code within it, leaving only a minimal set of modules, essentially for initializing the hardware. Additionally, we also protect the system – from attacks that might modify the ME code itself — with our TPM chip, and with Heads tamper-evident boot software. You can read more specifics about our process here and here.

Interdiction

Ever since the Snowden revelations about how NSA programs to interdict computer hardware during shipment and modify it with backdoors, the security community has been much more focused on attacks along the supply chain. We have already written about our own approaches to protect the digital supply chain, and have also offered anti-interdiction services to customers who wanted additional assurances that their laptop hasn’t been tampered with in transit.

In the past, most of our anti-interdiction protection was focused on hardware solutions; but with PureBoot we can add even more sophisticated measures, measures that integrate hardware with software. By using PureBoot’s protections against BIOS malware and rootkit tampering combined with a Librem Key, we can ship the laptop and Librem Key separately (and, potentially, to separate locations) to frustrate interdiction attacks. Once you receive both your Librem Key and your laptop, you will have at your disposal an extra tool: one that detects any tampering during shipping.

Convenient Boot Security Under Your Control

Having a secure boot process, you have a stable foundation you can base the rest of your system security on. Having that process under your control, you have the assurance that you truly own your system, that you won’t be locked out of it, or prevented from running any OS you want. We are making this whole process simple and convenient so that you can get stronger security features — without being tempted to disable security that is getting in your way. PureBoot accomplishes all of these goals using free software, that you can audit and change.

We’ll soon include it in every laptop we ship. We also have something in the works for existing users of Librem laptops and Librem keys to upgrade to PureBoot — and expect to have general availability in the second quarter of 2019.

That’s all from us, for now. For more information about PureBoot, check out our official PureBoot documentation page.