Trusted Platform Module now available as an add-on for Librem laptops

Over the past few months, we have been busy with a plethora of great projects being set afoot. We have been incrementally building a laptop inventory to ship from, we have been continuing the coreboot enablement work on our laptops, neutralizing—and then disabling—the Intel Management Engine, and launching our much awaited Librem phone campaign, which ended in a very motivating success—involving many great organizations part of the Free Software community, such as Matrix, KDE e.v., the GNOME Foundation, Nextcloud, and Monero.

It really has been a whirlwind of events, and this has been happening in parallel to us continuing our existing R&D and operations work, such as preparing a new batch of laptops—namely the much anticipated Librem 13 with i7 processor.

One particular security R&D project dear to our hearts has been the beginning of our collaboration with “Heads” developer Trammell Hudson, a project that has been quietly going on behind the scenes for the past few months. We are very pleased to announce today that we are making a positive step to make this effort within reach of early adopters, with the availability of a Trusted Platform Module (TPM) as an optional component for currently pending and near-future laptop orders.

What is a TPM? Is it for me?

A Trusted Platform Module is a specialized computer chip dedicated to enabling hardware-based (or, I would say, hardware-augmented) security, allowing you to secure your operating system and boot process at the hardware level, with your own cryptographic keys. It facilitates password protection (by storing keys in the dedicated hardware module and preventing “dictionary” attacks) and provides platform integrity verification (allows you to know whether your computer is behaving as intended or not, from a “deep security” standpoint).

The functionality provided by a TPM is useful if you care deeply about the security of your system, to the point where you want absolute certainty that your boot has not been compromised—by viruses, criminal activity, or some other hostile force trying to take over your system—allowing you to enforce a “trusted boot chain” through our coreboot firmware, signed and verified with your own encryption keys, using a special coreboot payload such as Heads, for example. You can read more about the implications in this article by Tom’s Hardware.

At the moment, we simply provide the hardware. We do not yet provide a turn-key “hardware+software” solution for this, so consider this an add-on for early adopters and security professionals, not a product for Joe Plumber.

This is amazing! How do I get one with my order?

If you already have a pending Librem 13 or Librem 15 order, please email ops@puri.sm to request this feature to be added to your order, which will ship out in the coming weeks. A $99 fee will apply (to cover parts and labor costs, as we are hand-soldering the TPMs on a case-by-case basis).

If you haven’t made an order yet, you can simply select it in the options available in the Librem 13 shop page and Librem 15 shop page.

What are your future plans?

As you can imagine, we are testing the market first by providing this as an optional component that we solder onto the motherboard on a case-by-case basis during final assembly. If there is enough demand, we plan to incorporate this as a standard feature into all our future motherboard designs.