San Francisco (May 17, 2018) – Purism, the social purpose corporation which designs and produces security focused hardware and software, has announced today that they are partnering with Nitrokey, maker of Free Software and Open Hardware USB OpenPGP security tokens and Hardware Security Modules (HSMs) to create Purekey, Purism’s own OpenPGP security token designed to integrate with its hardware and software. Purekey embodies Purism’s mission to make security and cryptography accessible where its customers hold the keys to their own security and follows on the heels of their announcement of a partnership with cryptography pioneer and GnuPG maintainer Werner Koch.
Purism customers will be able to purchase a Purekey by itself or as an add-on with a laptop order. For add-on orders, Purism can pre-configure the Purekey at the factory to act as an easy-to-use disk decryption key and ship laptops that are pre-encrypted. Customers will be able to insert their Purekey at boot and decrypt their drive automatically without having to type in a long passphrase. Customers will also be able to replace the factory-generated keys with their own at any time.
Purekey will also be a critical component in Purism’s tamper-evident boot protection. Purism will tightly integrate Purekey into their tamper-evident boot software so that customers will be able to detect tampering on their hardware from the moment it leaves the factory.
Enterprise customers have long used security tokens for easy and secure key management from everything from email encryption to code signing and multi-factor authentication. With Purekey, IT departments will have an integrated solution out of the box for disk and email encryption, authentication, and tamper-evident boot security that’s easy to use.
“Often security comes at the expense of convenience but Purekey provides a rare exception. By keeping your encryption keys on a Purekey instead of on a hard drive, your keys never leave the tamper-proof hardware. This not only makes your keys more secure from attackers, it makes using your keys on multiple devices more convenient. When your system needs to encrypt, decrypt, or sign something, just insert your Purekey; when you are done, remove it and put it back in your pocket.” — Purism CSO Kyle Rankin
“We’re pleased to be working with the Purism team, who are very aligned with our commitment to open hardware and free software. The possibilities of this partnership are exciting, especially given the growing importance of secure key storage on hardware smart cards and Purism’s important work on tamper-evident protection.” — Nitrokey CEO Jan Suhr
“We are long-time fans of Nitrokey as they are the only smart card vendor that shares our commitment to open hardware and free software. Their company and security products are a perfect complement to Purism’s belief that ethical computing means privacy and security without sacrificing personal control over your devices.” — Purism CEO Todd Weaver
About Nitrokey UG
Founded as an open source project in 2008 and turned into a full corporate entity in 2015, Nitrokey develops and produces highly secure open-source hardware and software USB keys that provide cryptographic functions for protecting; emails, files, hard drives, server certificates, online accounts and data at rest, preventing against identity theft and data loss.
About Purism
Purism is a Social Purpose Corporation devoted to bringing security, privacy, software freedom, and digital independence to everyone’s personal computing experience. With operations based in San Francisco (California) and around the world, Purism manufactures premium-quality laptops, tablets and phones, creating beautiful and powerful devices meant to protect users’ digital lives without requiring a compromise on ease of use. Purism designs and assembles its hardware in the United States, carefully selecting internationally sourced components to be privacy-respecting and fully Free-Software-compliant. Security and privacy-centric features come built-in with every product Purism makes, making security and privacy the simpler, logical choice for individuals and businesses.
We are excited about the future of Heads on Librem laptops and the extra level of protection it can give customers. As a result we’ve both been writing about it a lot publicly and working on it a lot privately. What I’ve realized when I’ve talked to people about Heads and given demos, is that many people have never seen a tamper-evident boot process before. All of the concepts around tamper-evident boot are pretty abstract and it can be difficult to fully grasp how it protects you if you’ve never seen it work.
We have created a short demo that walks through a normal Heads boot process and demonstrates tamper detection. In the interest of keeping the demo short I only briefly described what was happening. In this post I will elaborate on what you are seeing in the video.
Step One: Normal Boot
The normal boot process for a computer that uses Heads is much like with any other computer, at least from a user experience standpoint. Like with other computers, you can bring up a full menu of different items to boot, but you can also pick one to set as your default. Once you set a boot option as a default, at boot time you can just press Enter and it will boot into your operating system just like with any other system.
Default Heads Boot Menu
Unlike with other systems, Heads is providing extra levels of security during the boot process. At that default boot screen, you will see a 6-digit number above the menu options. That is a TOTP (Time-based One Time Password) code that Heads uses to prove to you that it hasn’t been tampered with and can be trusted. If you’ve ever used a TOTP code in the past, normally it’s so you can authenticate yourself to a website using Two-Factor Authentication. In this case it’s the reverse: the computer (specifically Heads) is authenticating itself to you! If that code matches the code on your phone, you know it’s safe to proceed.
Once you hit Enter during a normal boot, Heads then verifies the signatures of all of its configuration files stored in /boot based on the copy of your public GPG key it has within it. These configuration files include a file that contains sha256 checksums for the rest of the files in /boot. Once it verifies your signature for that file, Heads can trust it hasn’t been modified so it uses it to make sure the rest of the files in /boot haven’t changed. Since all of them match, they weren’t tampered with so Heads proceeds with the boot process.
Step Two: Hack The Computer
Hacking grub.cfg
Once the computer boots, I put my black hat on and “hack” my computer by defacing my /boot/grub/grub.cfg file with a comment. This is a benign hack for demonstration purposes, but the attacker could have just as easily modified grub.cfg to boot from an older kernel on your system that has a known security vulnerability, added a single user mode, or otherwise altered the boot process to make it easier to launch another attack.
An attack that changes a plain text configuration file leaves a trail that might be easier for a user to detect if they happened to edit the file themselves. A more sophisticated hacker would put a back door into your default initrd file (the initial file system your kernel uses when it boots) or even replace your kernel with a compromised version. Both of these kinds of attacks are almost impossible to detect without a system like Heads. Because all of these files are stored in /boot, and Heads checks all of them, it is able to detect all of these types of tampering.
Step Three: Detect Tampering
When the system reboots, it returns back to the main Heads boot screen. First I hit Enter to select the default boot option but this time when Heads scans all of the files in /boot, it detects that grub.cfg has been changed! Along with the warning, I also get the option to re-sign all of the files in /boot. This option exists because there are a number of perfectly legitimate reasons why your grub.cfg, initrd, kernel, or other /boot files might change either because you edited them yourself or you updated software that changed them. Otherwise if you don’t want to re-sign files you can return to the main menu.
Tampering detected!
If you choose to re-sign all of the files, you will get an additional warning screen that explains what Heads is about to do and another chance to exit out to the main menu. If you did choose to re-sign all of the files you would then insert a USB GPG smart card that held your private keys so you could re-sign the Heads configuration files in /boot.
Since I knew that I didn’t want to keep that “hacked” grub.cfg file, instead of signing the files I returned to the main menu. By default Heads used to error out to a recovery shell if it detected a file was tampered with. The assumption is that the expert user could then investigate and remedy the problem from within that shell. If you aren’t an expert user in this situation you might not know how to recover and would end up being locked out of your computer!
We understand that there are a number of situations where a user might legitimately or accidentally change files in /boot and while it’s not advisable to boot into a system that is actually tampered with by an attacker (because among other reasons, an attacker might be able to get your disk encryption or login passwords), we also don’t want to lock you out. We’ve added an “insecure boot mode” to Heads for these circumstances. When you select that option, Heads will ignore any tamper warnings and present you with a GRUB-style menu of boot options. You can then select a boot option and Heads will boot into your system. To make sure you know that this is an unsafe option, in addition to the warnings in the user interface, we also disable the splash screen and change the console to have a red background.
Insecure boot mode
Step Four: (Optionally) Investigate Tampering
So what should you do if Heads alerts you to tampering? Exactly how you respond to a potentially legitimate tampering alert depends on a number of factors including what kind of user you are. I’ll step through three of the most common categories of Heads user and describe how they might respond to a legitimate tampering alert.
Category 1: Enterprise User
In the event of tampering, enterprise users would just hand the laptop over to their IT team and pick up a replacement while the IT team investigates. Some organizations might want to go a step further and work with us to customize their Heads image with branded and customized warning messages with their custom policies or direct the employee to an internal wiki or other resources. Some enterprises may even want to go even further and remove the ability to boot a machine that sets off tampering alerts. This would also be useful for employees who take their machine overseas to ensure the machine is in a safe state before they reconnect it to the corporate network.
Once the IT team receives the laptop, they can then inspect the laptop for tampering using their in-house tools and procedures, and then reflash the system back to their secure, internal image. For smaller organizations who may not have those capabilities, Purism also provides support services to bring the laptop back to a clean factory state.
Category 2: Expert-level End User
The expert level user will likely want to inspect the system themselves in the event of a legitimate tamper alert. While I demonstrate the insecure forced boot mode in the demo, the expert user would likely use the Heads recovery shell or boot into a USB recovery disk instead (like the PureOS live install disk) to investigate from there. Otherwise, when they boot their compromised system, they will be prompted for their disk decryption passphrase and login password and risk turning those secrets over to the attacker.
While the Heads recovery shell is limited to a small subset of Linux command-line tools, it has enough tools for the expert user to inspect files in /boot including a text editor to inspect grub.cfg and tools to mount the encrypted root file system from a trusted environment. Provided you trust Heads itself hasn’t been tampered with, you could inspect quite a bit just from this recovery shell alone.
If the Heads recovery shell didn’t provide enough tools, the expert user could also boot from a USB disk, mount the /boot partition and inspect the changed files. In the case of a modified grub.cfg they would just use a text editor for this. In the case of a modified initrd they would need to extract the file and inspect the extracted file system. From there they could also decide to mount the root file system and inspect it for rootkits as well. For users who may suspect Heads itself was tampered with, they would be able to use flashrom to pull down a copy of the version of Heads on the system and inspect it directly.
Category 3: Everyone Else
The average user is unlikely to put on their forensics hat and inspect a compromised system. While for the most part any alerts an average user will see will likely be a direct result of package updates or other changes they know they made, there’s a possibility that sometimes they might get an alert they weren’t expecting. For instance, if you took your laptop overseas on a trip and didn’t update it or otherwise change it during the trip, a tampering alert when you got home would be much more suspicious.
So what’s the average user to do? No matter what, you can always fall back to the insecure boot mode so you won’t lose access to their system or files. In that case even if you couldn’t inspect or fix the errors yourself, you could at least backup your personal files and reinstall the OS to get back to a safe state. Alternatively like with enterprise users you could also take advantage of Purism support services to reflash your system to a factory state.
Conclusion
Hopefully watching Heads in action has helped make it a bit more clear just how it will protect you from tampering. In future posts I will walk through other Heads features and workflows including registering a new TOTP code and completely resetting the TPM.
Heads is cutting edge software and provides a level of security beyond what you would find in a regular computer. Up to this point though, its main user base are expert-level users who are willing to hardware flash their BIOS. The current user interface is also geared more toward those expert users with command-line scripts that make the assumption that you know a fair amount about how Heads works under the hood.
We want all our customers to benefit from the extra security in Heads so we intend to include it by default in all of our laptops in the future. For that to work though, Heads needs to be accessible for people of all experience levels. Most users don’t want to drop to a recovery shell with an odd error message so they can type some commands if they happen to update their BIOS, and they don’t want to be locked out of their system if they forgot to update their file signatures in /boot after a kernel update.
When we announced that we were partnering with Trammell Hudson to use Heads on our laptops, we didn’t just mean “thanks for the Free Software, see you later!” Instead, we are putting our own internal engineering efforts to the task of not just porting Heads to our hardware, but also improving it–and sharing those improvements upstream.
The Delicious GUI Center
The first of our improvements is focused on making the boot screen more accessible. We started by added whiptail (software that lets you display GUI menus in a console) to Heads so that we can display a boot menu that more closely resembles GRUB. We then duplicated the features of the existing Heads boot menu so that instead of this:
Heads booting on a Librem 13v2
you now see this:
Initial Heads GUI Menu
If you hit enter, you boot straight into your OS just like with GRUB, only behind the scenes Heads is checking all the files in /boot for tampering. If you hadn’t already configured a default boot option, instead of dumping you back to a main menu with no explanation or existing out to a shell, we decided to provide a GUI so you can decide what to do next:
No Default Boot Set
If you decide to load a menu of boot options from the main menu or from this dialog, we also wrapped a GUI around the Heads boot menu that parses your GRUB config file:
Heads Boot Selection Menu
In each of the most common workflows, we’ve replaced the console output with an easier-to-use menu that also provides a bit more explanation on what’s happening if something goes wrong. For the most part the average user will just verify the TOTP code and then hit Enter to boot their system so in that way it’s not much different from a standard GRUB boot screen. These extra menus come in only if the user ever needs to deviate from the default and select a different kernel, generate a new TOTP code, or do other maintenance within Heads.
What’s Next
We now have these GUI menus working well in our internal Heads prototypes and we’ve also pushed our changes upstream, where most of them have already been pulled into the Heads project. That said, having a GUI boot menu is only part of what you need to make tamper-evident boot usable. Now that the boot menu is in a good place, our next focus is on making the overall Heads bootstrap and update process, key management, and signature generation easy (if only we had a GPG expert to help us with smart card integration, that would sure make things easier). Keep an eye out for more updates along all these lines soon.
Koch’s GnuPG and Smartcard encryption innovations popularized by Edward Snowden to be implemented in Purism’s Librem 5 smartphone and Librem laptop devices.
SAN FRANCISCO, California — March 8th, 2018 — Purism, maker of security-focused laptops has announced today that they have joined forces with leading cryptography pioneer, Werner Koch, to integrate hardware encryption into the company’s Librem laptops and forthcoming Librem 5 phone. By manufacturing hardware with its own software and services, Purism will include cryptography by default pushing the industry forward with unprecedented protection for end-user devices. Read more
Librem devices add tamper-evident features to further protect users from cybersecurity threats by offering users the full control that no mainstream computer manufacturer ever has before
SAN FRANCISCO, Calif., February 27, 2018 — Purism, maker of security-focused laptops has announced today that they have successfully tested integration of Trammel Hudson’s Heads security firmware into their Trusted Platform Module (TPM)-enabled coreboot-running Librem laptops. This integration allows Librem laptop users to freely inspect the code, build and install it (and customize it) themselves, and own control of the secure boot process as Heads uses the TPM on the system to provide tamper-evidence. Read more
Protecting customer privacy, security and freedom is so fundamental to Purism’s mission that we codified it in our Social Purpose Corporation charter. We believe that these three concepts of privacy, security, and freedom are not just important by themselves but are also dependent on each other. For example, it’s obvious that by improving your security, we help protect your privacy. What might be less obvious is how dependent your privacy is on your freedom. True privacy means your computer and data are under your control, not controlled by unethical big-tech corporations. When your digital life is under your control you have the freedom to share your data only when you want to. So as we consider ways to improve your security, it can’t be at the cost of privacy or freedom.
As part of our goal to improve security we are excited to announce that we have successfully integrated Heads into our TPM-enabled coreboot-running Librem laptops. This integration effort began in April 2017 with the partnership of Purism and Trammell Hudson’s Heads project, which required hardware design changes, coreboot modifications, and operating system updates to reach where we are with this announcement today. We now have a tamper-evident boot process starting with the BIOS all the way through verifying that the kernel, initrd, and boot configuration files haven’t been changed in any way. Soon Heads will be enabled by default on all our laptops and this critical piece combined with the rest of our security features will make Librem laptops the most secure laptop you can buy where you hold the keys.
In this post we will describe why Heads is such an integral part of our security and how it combines with the rest of our features to create a unique combination of security, privacy and freedom that don’t exist in any other laptop you can buy today.
Heads booting on a Librem 13 with TPM
Why Tamper-Evident Software Matters
For your computer to be secure, you need to be able to trust that your software hasn’t been modified to run malicious code instead. This is one of many reasons why it’s so important that you can see the source code for all of the software on your system from your web browser to your hardware drivers to the kernel and up to your BIOS. We’ve gone to great lengths to choose hardware that can run with free software drivers, load our laptops with the FSF-endorsedPureOS, use coreboot as our Free/Libre and Open Source BIOS, and have neutralized and disabled the Intel Management Engine.
Unfortunately being able to see the source code isn’t enough. All of the software you run trusts the kernel, and the kernel trusts the BIOS. Without tamper-evident features that start the moment the computer turns on, an attacker can inject malicious code into your BIOS or kernel with no way to detect it. Once started, that malicious software could capture your encrypted disk or login passwords along with any other secrets or other personal information on your computer. By running tamper-evident software at boot, you get peace of mind that your system can be trusted before you start using it. With Purism’s combined approach the first bit loaded into the CPU is measured and signed by the user to prove nothing has been tampered with.
Heads Above the Rest
There are a number of different technologies we could have chosen to protect the boot process, but unfortunately very few of them are Free/Libre and Open Source and almost all of them work by taking control away from you and putting it into a vendor that owns the keys that determine what software you can run at boot. We have witnessed first-hand unethical laptops that ship with “Secure Boot” enabled (a technology that only allows software signed with pre-approved (e.g. paid-for) corporate controlled keys to run at boot). The very limited BIOS on this machine offered no way to disable Secure Boot so it is impossible to install Debian, PureOS or any other distribution that hadn’t gotten the BIOS vendor and Microsoft’s (paid) approval.
Heads has a lot of advantages over all of the other boot verification technologies that make it perfect for Librem laptops. First, it is Free Software that works with the Open Source coreboot BIOS so you don’t have to take our word for it that it is backdoor-free–anybody is free to inspect the code and build and install it (and customize it) themselves.
Second, the way it uses the TPM on your system to provide tamper-evidence puts the keys under your control, not ours. The fact that you retain control over the keys that secure your system is incredibly important. While we intend to make the secure boot process painless, we also don’t think you should have to trust us for it to work–you can change your keys any time.
Enterprise Level Security, Easily
If you manage a fleet of machines, this means with Purism Librem laptops that include TPM and Heads, you now have the ideal platform that you can tailor for your specific enterprise needs with custom features and your own trusted company keys. You can provide a trusted boot environment that protects your users from persistent malware and detects tampering while they travel, while still integrating with your custom in-house laptop images. And you can do this without having to ask us to sign your software.
The IT Security department’s dream of self-signed, tamper-evident, persistent-malware-detecting, laptop computer is now a reality with Purism Librem laptops.
Part of a Bigger Story
Having a secure boot process is the foundation of security on a modern laptop but it’s only part of the reason why Librem laptops are so secure. Here we will review some of the other security features that when combined with Heads puts Librem laptops in a totally different league.
Snitches get Switches
One of the first security features that set us apart was our hardware kill switches. Unlike a software switch that asks the hardware to turn off politely and hopes it listens, our hardware kill switches sever the circuit at the hardware level. This means you don’t have to worry about Remote Access Trojan malware that can disable your webcam LED to spy on you more easily. When you hit the radio kill switch, your WiFi is completely off, and when you hit the webcam/mic kill switch, the webcam is truly powered off–no webcam stickers needed.
Extra Security with Qubes
Our laptops default to PureOS because we feel it provides the best overall desktop experience for every type of user while still protecting your privacy, security and freedom. For customers who want an even higher level of security, Qubes uses virtualization features to provide extra security through compartmentalization. In 2015, our Librem 13 (version 1) was the first (and currently only) hardware to have received Qubes certification. Our current line of laptops remains compatible, and we recently announced that our current generation of Librem 13 and 15 laptops now fully work with Qubes 4.0.
We are also investigating ways to incorporate some of the compartmentalization features of Qubes into PureOS so you can still have good security but with an easier learning curve. Disposable web browsers and protected USB ports are just some of the features we are considering.
We Won’t Stop There
When you combine tamper-evident secure booting with Heads, an Open Source coreboot BIOS, a neutered and disabled Intel Management Engine, hardware kill switches, and the advanced security features of Qubes, Librem laptops have a security advantage over any other laptop you can buy. Equally important, they have extra security without sacrificing your privacy, freedom, or control. While we are excited to hit this major milestone, and can’t wait to have Heads on by default for all our laptops, we aren’t stopping there.
A secured boot process opens the possibility for even stronger tamper-evidence that extends further into the file system. From there you can move past tamper-evidence into tamper-resistance or even tamper-proofing in some advanced applications. We are also investigating better ways to incorporate hardware tokens with our products to provide more convenient authentication and encryption while still leaving the keys in your hands.
Ultimately, our goal is to provide you with the most secure computer you can buy that protects your privacy while also respecting your freedom. Since these values are inter-dependent, each milestone that improves one ultimately strengthens them all, and we will continue to work to raise the bar on all of them.
Hey everyone, I’m happy to announce the release of an update to our coreboot images for Librem 13 v2 and Librem 15 v3 machines.
All new laptops will come pre-loaded with this new update, and everyone else can update their machines using our existing build script which was updated to build the newest image. Some important remarks:
Please read the instructions below to make sure the image gets built properly and make sure to select the correct machine type in the menu for the build script.
The build script was initially written as a tool for internal use, and therefore isn’t as polished as it could be, so if you want something that just quickly applies updates without building/compiling the whole thing, we hope to provide such a (simpler) script in the future.
What’s new?
This is a follow up from Kyle’s previous blog post, and now that the image has been fully tested, you can all enjoy it and get one of our most requested feature : VT-d support for Qubes 4.0 to work.
The new version is “4.7-Purism-1” and here is the ChangeLog:
Update to coreboot 4.7
Update to FSP 2.0
Add IOMMU support
Enable TPM support
Fixed ATA errors at 6Gbps
While coreboot 4.7 has not been officially released, it was “tagged” on October 31st in coreboot’s git repository, and this release is based on that tag with the IOMMU (VT-d) and TPM support added on top of it.
If your laptop came with the TPM chip installed, you need to update your coreboot image to this version in order to use the TPM hardware.
How to build it?
To build the latest coreboot image :
Download the build script mkdir building-coreboot && cd building-coreboot && wget https://code.puri.sm/kakaroto/coreboot-files/raw/master/build_coreboot.sh
Run the script on your Librem machine: chmod +x build_coreboot.sh && ./build_coreboot.sh
Follow the instructions on the screen, be sure to select your correct Librem laptop revision (Librem 13v2 or Librem 15v3), and give it time to build the image.
Once done, if everything went according to plan, it will ask you if you want to flash the newly built image
Make sure you are not running on low battery and select Yes
Reboot your machine once the flashing process is done.
For matters specifically related to this build script (not related to how to use a TPM per se), you may also want to check out the main forum thread about our coreboot build script, where discussion and testing has been going on over the past few months.
Verifying the presence of a TPM
If you are unsure whether or not you have a TPM installed on your system, install the tpm_tools package and then run sudo tpm_version to confirm that a TPM is detected on your system.
In November, we announced the availability of our Trusted Platform Module as a $99 add-on for early adopters, something that would allow us to cover the additional parts & labor costs, as well as test the waters to see how much demand there might be for this feature. We thought there would be “some” interest in that as an option, but we were not sure how much, especially since it was clearly presented as an “early preview” and offered at extra cost.
Well, it turns out that a lot of people want this. We were pleasantly surprised to see that, with orders placed since that time, 98% of customers chose to have a TPM even at extra cost. This proved there is very strong market demand for the level of security this hardware add-on can provide.
2018’s first new batch is in stock—with TPM
Thanks to the investment of those early TPM adopters who voted with their wallets and gave us the necessary “business case” and resources to work it out, we are extremely proud to announce that we now include the TPM chip in all new Librem 13 and Librem 15 orders by default, as a standard feature of our newest hardware revision shipping out this month.
All the rest of the chip specifications remain the same.
It is still costing us money to add the TPM feature, but we decided to eat the cost, as the greater public benefit is more important than profits (and that is in line with our social purpose status and mission). Adding a TPM by default without increasing the base price is a major accomplishment toward having security by default, and paves the way for convenient security and privacy protection for everyone. In addition to the previous announcement, you can read Kyle’s post to understand the security implications.
Wait, there’s more!
We are now offering Free International Shipping on all orders. This is essentially a permanent rebate of approximately 100 USD to all new international customers! As we have grown we have been able to leverage more standardized shipping options, and are now in a position to pass on that savings to Purism customers. Please note, however, that shipping insurance, local taxes, customs fees and import duties are still your responsibility as customers.
Thanks to popular demand, we are now offering Librem 13 and Librem 15 laptops with the backlit German keyboard layout. They are available for purchase in our store now, and will begin rolling out in mid-March.
Only a few non-TPM laptops remain in stock with the UK keyboard layout, so we are making a sale today to clear out that portion of the inventory. If you were looking for a Librem 13 with the UK physical key layout and no TPM, you can grab one of the few remaining ones and get an additional $99 off the previous no-TPM base price. In other words, instead of paying $1,478 “plus shipping” for the base configuration of the Librem 13 UK, you now pay $1,379 with free shipping!
We would like to thank all our users of Librem laptops and FSF endorsedPureOS, as well as all those that have backed the Librem 5 phone, and of course all those people who support us by feedback, kind words, and spreading the word. It is with this unified education approach that we can change the future of computing and digital rights for the better.
We have more great news in the pipeline. Next month, we hope to announce another major milestone in our inventory management & shipping operations. Stay tuned!
It’s easy to take things for granted when your computer runs a non-free proprietary BIOS. While the BIOS that comes with your computer is usually configured to match its features that’s not always the case. You end up with a sort of binary arrangement: if your BIOS supports a feature or allows you to change a setting, great, but if it doesn’t, you are generally out of luck. One example is with some of the new UEFI computers that ship with stripped-down BIOS options. One example we ran across recently had legacy boot disabled, secure boot enabled, and no way to change either setting, which is a terrible restriction for users wanting a free software distribution like PureOS or any another distribution that avoids the misnamed “secure boot” UEFI option.
From the beginning our goal has been to ship ethical computers without any proprietary code and the BIOS was one of our first targets. Starting last summer, all our computers come with the Free/Libre and Open Source coreboot BIOS. In addition to the many ethical and security advantages behind shipping an ethical BIOS/firmware, another advantage we have is that if our coreboot image doesn’t support a feature today, that doesn’t mean it won’t tomorrow.
We are happy to announce that due to the hard work of Youness “KaKaRoTo” Alaoui and Matt “Mr. Chromebox” DeVillier we have added IOMMU and TPM support to our new coreboot 4.7 BIOS. I’ve tested this personally on a Librem 13v2 with the latest Qubes 4.0-rc4 installer and the install completes with no warnings and reboots into a functional Qubes 4 desktop with working sys-net and sys-usb HVM VMs. In this blog post I’ll go over these different features, what they are, and why they are important. Read more
Lately, news headlines have been packed with discussions about critical CPU bugs which are not only found in Intel CPUs, but also partially in AMD CPUs and some ARM cores. At the same time, some of our backers have voiced concerns about the future of NXP in light of a potential acquisition by Qualcomm. Therefore you might be wondering, “Will the Librem 5 be affected by these bugs too?” and “will the Purism team get the i.MX 8 chips as planned?”, so let’s address those questions now.
Not affected by Spectre/Meltdown
At the moment we are pretty confident that we will be using one of NXP’s new i.MX 8 family of CPUs/SOCs for the Librem 5 phone. More specifically we are looking at the i.MX 8M which features four ARM Cortex A53 cores. According to ARM, these cores are not affected by the issues now known as Spectre or Meltdown, which ARM’s announcement summarizes in their security update bulletin.
So for the moment we are pretty sure that the Librem 5 phone will not be affected, however we will continue to keep an eye on the situation since more information about these bugs is surfacing regularly. In this respect we can also happily report that we have a new consultant assisting our team in security questions concerning hardware-aided security as well as questions like “is the phone’s CPU affected by Spectre/Meltdown or not”.
Qualcomm possibly buying NXP: not a concern
For quite some time there have been rumors that Qualcomm might have an interest in acquiring NXP. Since we will be using an NXP chip as the main CPU, specifically one of the i.MX 8 family, we are well aware of this development and are watching it closely.
Qualcomm is an industry leader for high volume consumer electronics whereas NXP targets lower volume industrial customers. This results in pretty different approaches concerning support, especially for free software. Where NXP traditionally is pretty open with specifications, Qualcomm is rather hard to get information from. This is very well reflected by the Linux kernel support for the respective chips. The question is how would it affect continued free software support and availability of information on NXP SOCs if Qualcomm acquires NXP?
First, it is unlikely that this deal will happen at all. Qualcomm had a pretty bad financial year in 2017 so they might not be in the financial position to buy another company. Second, there is a rumor that Broadcom might acquire Qualcomm first. Third, international monopoly control organizations are still investigating if they can allow such a merger at all. Just a few days ago the EU monopoly control agreed to allow the merge but with substantial constraints, for example Qualcomm would have to license several patents free of charge, etc. Finally, there are industry obligations that NXP cannot drop easily: the way NXP works with small and medium sized customers is a cornerstone of many products and customers; changing this would severely hamper all of those businesses involved, and these changes might cause bad reputation, bad marketing and loss of market share.
So all in all, this merger is not really likely to happen soon and there would probably not be changes for existing products like the i.MX 8 family. If the merger happens it might affect future/unreleased products.
Development outreach
In addition to working on obtaining i.MX6QuadPlus development boards to be able to work properly, the phone team is also intensively researching and evaluating software that we will base our development efforts on during the next few months. We are well aware of the huge amount of work ahead of us and the great responsibility that we have committed to. As part of this research, we reached out to the GNOME human interface design team with whom we began discussions on design as well as implementation. For example, we started to implement a proof of concept widget that would make it much easier to adapt existing desktop applications to a phone or even other style of user interface. What we would like to achieve is a convergence of devices so that a single application can adapt to the user interface it is currently being used with. This is still a long way ahead of us, but we are working on it now. We will meet up also with some GNOME team members at FOSDEM to discuss possible development and design goals as well as collaboration possibilities.
The mobile development work for KDE/Plasma will primarily be performed by their own human interface teams. Purism will be supporting their efforts through supplying hardware and documentation about our phone development progress as it is happening. This will help ensure that that KDE/Plasma will function properly on the Librem 5 right from the factory. To understand better where we’re headed with GNOME and KDE together, take a look at this blog post.
We also reviewed and evaluated compositing managers and desktop shells that we could use for a phone UI. We aim to use only Wayland, trying to get rid of as much X11 legacy as we possibly can, for performance issues and for better security. From our discussions with GNOME maintainers of existing compositors and shells, we may be better off igniting a new compositor (upstreamed and backed by GNOME) in order to avoid the X11 baggage.
On the application and middleware side of things, we have generated an impressive list of applications we could start to modify for the phone to reach the campaign goals and we have further narrowed down middleware stacks. We are still evaluating so I do not want to go into too much detail here, in order not set any expectation. We will of course talk about this in more detail in some later blog posts.
Meeting with Chip Makers
As the CPU choice is pretty clear lately, we are going to have a meeting with NXP and some other chip makers at Embedded World in Nürnberg, Germany, at the end of the month. This is very encouraging since we worked for months on getting a direct contact to NXP, which we now finally have and who we will meet in person at the conference. The search for design and manufacturing partners is taking longer than expected though. Our own hardware engineering team together with the software team, especially our low level and kernel engineers, started to create a hardware BOM (bill of material) and also a “floor plan” for a potential PCB (printed circuit board) layout, but it turns out that many manufacturers are reluctant to work with the i.MX 8M since it is a new CPU/SOC. We have, however, some promising leads and good contacts so we will work on that.
Purism Librem 5 team members attending FOSDEM
By the way, many Purism staff members will be at FOSDEM this week-end, on the 3rd and 4th of February. In addition to the design and marketing team, PureOS and Librem 5 team members will be there and we would love to get in touch with you! Purism representatives dedicated to answering your questions will be wearing this polo shirt so you can easily recognize them:
