Kyle Rankin

Kyle Rankin

Chief Security Officer
PGP ID: 0xB9EF770D6EFE360F
Fingerprint: 0DFE 2A03 7FEF B6BF C56F73C5 B9EF 770D 6EFE 360F
Librem Social
Kyle Rankin

Latest posts by Kyle Rankin (see all)

While we default to our own PureOS on our hardware, we have also supported the high-security QubesOS on Purism hardware ever since the Librem 13 v1 became the first hardware officially supported by the Qubes project. Since then we have continued to treat Qubes as a first-class citizen and ensured that it works well on new iterations of our hardware, up to and including our current Librem Mini and Librem 14 which we feel is the best laptop for running Qubes. We are pleased to announce this support now extends to pre-installing Qubes on the Librem Mini and Librem 14, for any customer who selects it as their OS of choice.

Self-Install Option

Up to this point customers who have wanted to use Qubes would select a Qubes USB install disk in a drop-down menu when they place their order, and we would ship them a trusted Qubes install disk that was compatible with their hardware that they could install themselves. This was because Qubes did not include an “OEM install” mode like we have with PureOS, which allows us to pre-install the OS with a blank disk encryption key, allowing the customer to select their disk unlock passphrase at first boot in an easy-to-use wizard.

As a result, before now, if we pre-installed Qubes we would have had to ask the customer to select a passphrase and set it for them by hand, or set a weak default passphrase and walk each customer through the command line options to change it. These weren’t approaches we wanted to take, so up to now customers who wanted to run Qubes on Purism hardware needed to install it themselves.

What Changed?

So what changed? First, Nitrokey laid the groundwork by creating and publishing an “OEM install” version of Qubes for their own hardware. This automates the Qubes install using kickstart, so that once you boot from the install disk, it erases the disk and installs Qubes automatically. This worked well but unfortunately was still missing our key requirement to use it ourselves: allowing the user to change the disk unlock passphrase at first boot. Instead it simply set the disk unlock passphrase to a “changeme” style passphrase so the customer could change it via the cryptsetup command line tool later.

We created a downstream fork of Nitrokey’s project and set about adding the ability to change the disk unlock passphrase at first boot in the same wizard that Qubes already uses to set up system VMs and the user. Unfortunately due to the way that anaconda add-ons work, and the fact that the OEM project modifies the official installer in the post-install area of kickstart, we couldn’t do this by adding a new add-on. The anaconda installer simply ignores any add-ons you add in the post-install part of the install process. Instead we had to modify the existing user add-on on disk, and add additional fields for disk passphrases and internal handlers to change the default (blank) passphrase with what the user selects.

What Now?

Now that we have a functioning Qubes OEM install that meets our requirements, we are now offering Qubes as a pre-install option on Librem Mini and Librem 14. Customers who select this will receive a computer with Qubes installed, and will be able to set their own disk passphrase as part of the initial first boot wizard.

We have also submitted a pull request with the upstream Nitrokey project in case they would like to incorporate our changes in the short term. Modifying the user add-on directly was necessary given the circumstances, but not ideal for the long-term. The ideal long-term approach would be for this functionality to become a proper, separate add-on in Qubes itself instead of part of the user add-on.

In the mean time though, this tweak works well enough to allow us to ship Qubes pre-installed, so if you want to try out Qubes on your next Purism order, be sure to select it when you customize your computer. The combination of the Librem 14 hardware security features, firmware security via PureBoot, supply-chain security with anti-interdiction services, and OS security with Qubes makes it the most secure laptop you can buy.


Purism Products and Availability Chart

 ModelIn StockLead Time 
Most Secure PC Purism Librem Mini
Librem MiniIn Stock10 days
Most Secure Server Purism Librem ServersLibrem ServersIn Stock10 days
USB Security Token Purism Librem KeyLibrem KeyIn Stock10 days
Most Secure Laptop Purism Librem 14Librem 14In Stock60 days
Made in USA Phone Purism Librem 5 USALibrem 5 USAIn Stock60 days
Librem 5Rolling Manufacturing180 days
The current product and shipping chart of Purism Librem products

Recent Posts

Related Content

Tags