Discussion on Purism

It doesn’t help that Purism can be compared to Pine64, which has had much more success with far less sliminess and drama (that I know of). But it should be noted that Pine64 isn’t attempting something as ambitious and challenging as Purism.

Hi, I’m not a Qubes user, so sorry to intrude on this forum. However, I noticed this thread (since it is linked to on the Purism forum). Given the amount of controversy that Purism seems to generate, I think it is important to be accurate about what the company has and hasn’t done.

According to Wikipedia, Purism was the first company to sell computers with a neutralized Intel Management Engine. The first code commit for the me_cleaner utility was on 2016-11-16. Purism first posted that it had used me_cleaner to neutralize the ME on 2017-03-09. Purism announced that it would start selling laptops with a neutralized ME on 2017-10-19. Purism’s example pressured System76 to announce on 2017-11-30 that it would also neutralize the ME. Dell started selling some laptops with a neutralized ME in Dec. 2017. Then ThinkPenguin and TUXEDO computers announced that they would neutralize the ME.

As far as I know, Purism is the only company that sells PCs with 90%-92% of the ME’s code replaced with zeros, whereas the other companies just change the HAP bit to disable the ME after booting.

Purism has a history of making announcements which will take years to fulfill, but Purism does work on fulfilling those promises.

In November 2014, when Purism started crowdfunding its first laptop, it claimed that the laptop would have a free BIOS. Purism did eventually port Coreboot to that laptop in summer 2017 and started selling new laptops with Coreboot preinstalled in late August 2017. Its example pushed System76 to work on Coreboot ports for their laptops, which they started shipping in January 2020. Now Slimbook and TUXEDO Computers have announced that they too are working on Coreboot ports. Without Purism pushing the Linux PC industry, the only option to get new hardware with Coreboot would be Google Chromebooks.

In addition, Purism has removed the proprietary VGA BIOS, so the only blobs that remain are the microcode, Firmware Support Package and 10%-12% of the ME. Purism has gotten very close to fulfilling its original promise.

More importantly, Purism has spent the last 3.5 years working on making i.MX 8M a viable platform for Respects Your Freedom devices.

On the question of Qubes, Purism’s Chief Technical Officer runs Qubes on his Librem laptops and Purism’s Coreboot developer Matt DeVillier says that he makes sure that Qubes is compatible with every Librem PC. As far as I know, none of the other companies that sell new Linux laptops have the same level of commitment to Qubes, so basically you are telling people to not buy from the one company that attempts to support Qubes on new laptops and mini-PCs.

Zlatan was not truthful in this part of the interview:

the [Librem 5] campaign was going bad (as most of us predict) but then [Klumpp] and I talked about getting KDE community involved as they had Plasma Mobile which was pragmatic way to look at as phone OS base and Todd agreed that we contact them and make deal with them. There needs to be noted that Todd was for Plasma Mobile at that time, but then maybe and then seemingly not in the end. Anyway, this was a good decision and we gained traction, and on wings of that Todd went getting more PR momentum with GNOME, later also Matrix and Monero. THE MOAR THE BETTER! :slight_smile: [emphasis mine]

Zlatan had a disagreement with Todd Weaver about whether the Librem 5 should use KDE Plasma Mobile or create a new interface based on GTK/GNOME. By the time that Purism started its crowdfunding campaign for the Librem 5 on 2017-08-24, the company had decided to make a new mobile interface based on GTK/GNOME, as is seen in its original crowdfunding web page. However, as a compromise, Purism decided that it would also support Plasma Mobile, because it received a lot of feedback from KDE users who wanted to use Plasma Mobile on the Librem 5. Purism always made it clear from the first day of the crowdfunding that it was developing a new interface based on GTK/GNOME, which would be the default interface. On 2017-09-14, Purism and KDE announced an agreement to work on porting Plasma Mobile to the Librem 5.

The question is why did Zlatan say that Todd was for Plasma Mobile when the crowdfunding started, when Todd was clearly for a GTK/GNOME interface at the time? Maybe Zlatan misremembered or maybe he was lying, but he isn’t a very reliable witness and he wasn’t on the team working on the Librem 5.

The second questionable claim that Zlatan made in that interview was this part:

That said, the Librems are heavily overpriced but that is because Purism seemingly never tried to get better deal and the South San Francisco partner abused this so that is why Purism Librems are double the price they should be. [emphasis mine]

Claiming that Librems cost double because of a middleman is ridiculous. Most of Purism’s higher prices are due to the higher cost of doing small-scale custom hardware manufacturing and paying for software developers.

PS: I had lots of links in my post but your forum software prohibits me from posting more than two links since I am a new user. This configuration option ought to be changed.

2 Likes

First, thank you @unman and others for the interesting discussion.

I didn’t invest in Purism much and I really want to know all its sides, not just good ones (which is why I posted about the lack of SPC reports above). (By the way, it’s easy to dismiss the arguments of the opponent in this way, but it’s a fallacy.) However I did invest in free software, including Qubes OS. My investment in Purism I consider as a part of my investments in free software. And I think it’s pretty important to support it, which is what Purism arguably does. Don’t you also value free software?

I guess @unman means laptops from 2008 based on Libreboot, where old versions of Intel ME were fully removed. Although unman is right, it is not relevant anymore since those laptops are extremely insecure (Spectre & Meltdown) and I expect no one on these forums would use them anymore.

This sounds like a real issue, but I never saw that despite following Purism closely for a long time. Any actual links?

I’m not sure why Purism would intentionally skip installing Qubes for its customers, while security is their main selling point. Especially given that a Qubes install is a relatively simple task. By the way, I ordered my laptop with a Qubes USB stick, but I did not receive the stick. They sent it separately after I complained about it. Should I have lost all my trust in the company in your opinion?

This is true, but such waiting time was reasonable given the goal. Their time estimation was pretty much wrong though.

This is one of Zlatan’s lies. Actual data is that the phone battery lives for 14+ hours even though suspend is not implemented yet.

I in principle agree, but you should consider the reasons. I have no idea why people become Apple fanatics, but Purism is the only company producing devices with kill switches, the only company strongly pushing towards freedom and having it as a selling point, the only company seeking FSF certification for the phone, one of very few companies testing Qubes on their laptops. I think that everyone in the free software community should become their fan and ignore their drawbacks as long as they do not lie or mislead the customers. If this company fails, we will not get a free phone in the near future. Pinephone never even mentions freedom, calls itself “open-source company”, and supports hardware producers breaking GPL license AFAIK.

Again, for some reason you ignored the problem with Spectre and Meltdown. Did you find a way to fix them for those laptops, or do you ignore the threat of every program reading your RAM? I have such laptops as well, but I have no idea what I should do with them now. They also don’t support Qubes 4.0+.

Pine64 develops no free software, while a large part of the Librem 5 phone price is the software development. Purism developed the phone shell Phosh, which is used by >50% of Pinephone users. So Pinephone is in fact using Purism developers (which is not bad, but when you are comparing, you should be fair). For a more detailed comparison I suggest checking out this link. Especially look at “reasons to buy”. Tl;dr: this is not as ambitious and challenging at all, although definitely very useful and should be supported.

1 Like

Leaving this discussion open as some sections are relevant for Qubes. But it’s at the edge of what’s off-topic and what’s not.

2 Likes

I disagree. Hardware running Qubes is essential for Qubes users. Trusting hardware companies is essential for trusting your hardware. Otherwise why bother with a security-oriented system?

As I mentioned earlier, this topic is an example of the new category which should definitely be useful for Qubes users. All around Qubes I would call it.

1 Like

fslover - I didn’t invest in Purism much and I really want to know all its sides, not just good ones (which is why I posted about the lack of SPC reports above). (By the way, it’s easy to dismiss the arguments of the opponent in this way, but it’s a fallacy.) However I did invest in free software, including Qubes OS. My investment in Purism I consider as a part of my investments in free software. And I think it’s pretty important to support it, which is what Purism arguably does. Don’t you also value free software?

To be clear: I didn’t say you had invested in Purism - I said you were
invested in it.
This isn’t Bulverism - I was trying to withdraw from the
discussion/argument.

I value free software, in particular the ethical stance behind it. I do
not think that Purism or individuals like Leah live up to that stance.
I value security more - so where I see the FSF promoting software and
approaches that limit users knowledge and damage their security, I
despair.

As to the Purism/Qubes debacle, you can find mention of it in the
mailing list archives - around mid 2017, I think. Purism renamed the
(certified) 13 to 13v1, introduced a new 13v2 with different hardware,
and kept it linked from the Qubes certified page.
So for 6 months Purism were taking orders for a laptop that was
represented as certified by Qubes, but was not. Some buyers were
unhappy.

I don’t find it fruitful to comment further.

2 Likes

Well, I mean I can understand your point, but since we’re talking about the sort of company that advertises to the slightly more computer savvy,
because basically everything’s open sourced/… verifiable, the hardware is fairly hard to compromise, you know - I guess governments could, but you get the point.

You can also pay with crypto, ship to a drop location, immediately disable the hardware switch for the camera
and connect to a secure wifi network where everything’s routed by Tor… (just like Whonix, but in case you’re fearing dom0’s been compromised…). Also make sure to deal with such pesky things as always only having your laptop in range of your own wifi, and so on.

I mean, think of the “outrage”/fears/lawsuits/… if it turned out the company installed back doors,

and the US gov’t can’t really without a warrant (not that it stopped them before… but again, like tapping phones… it won’t fly)
(not that I’m saying you should try anything illegal, but I mean…) if you need a secure system.

Also there’s always disk encryption.
An attacker can try a cold boot attack or an evil maid attack or… but there are safeguards in place, and if you’re really paranoid then you can always, I guess, when booting, flash coreboot and everything again, and obviously move your encrypted drive to a different location/…

Also, if you are “going dark”, which I guess means illegal, not off the grid, then there are different solutions such as simply using separate encrypted storage…
booting live from Tails… and so on.
I won’t be giving you a guide, but there are more effective ways to do such things, because Qubes is designed to be a secure system; Tails is designed to leave no trace - such as even in the RAM, for example.

Also you can always prefer trusting companies such as Lenovo, which literally targets business, high end, etc. and is a Chinese company…
Their laptops come with spyware masked as an antivirus… just google it.

Now they are good laptops indeed, but I mean… if it’s good enough for so many companies and…

(just to give an example…) Not that it is easy to avoid Chinese hardware, but having a small stake in a company being owned by China is very different than fully Chinese…)

Anyway, so far I’m happy with my new Librem laptop.

And trust me, if I were to want to do something illegal… well, I guess it depends on the severity and cost,
but I’d just use a cheap burner laptop, or better yet a PC or a Raspberry Pi or…
If I were to try and hack the Pentagon… - just to give an example -
then I would definitely not be using a Librem laptop but a second hand laptop, I guess, buying anonymously with cash, making sure to keep an eye on the person who sold it to me… - via Facebook, for example…

so that even if somehow it’s traced back (not to me, because I’d take safeguards, using public wifi in a park, etc., destroy it later… you get the point, I won’t dig deep to give anyone any ideas),
but let’s say somehow… then the gov’t would end up on a wild goose chase.

(Yeah, don’t break the law.)

But it’s nice to think about…

This thread is a showcase of why a trust level of 2 should be needed to participate in tangential discussions (though some might argue that this is directly relevant to Qubes). Relevant thread here.

Once a product/company has been badmouthed, there’s a pattern of new accounts being made with the sole purpose of taking a side. Two brand new accounts are posting here, for example, and neither seem to have an interest in Qubes. What’s worse, they’re making lengthy posts that take considerable effort to get through. This is obviously leading to increased workloads for the mod(s) and clogging up the moderation queue.

As I’ve mentioned before, I’m not going to bother arguing with those in entrenched positions spouting long-winded sophistry, since I have better things to do with my time.

4 Likes

Sorry, but this was unreadable.

1 Like

Never mind man, just saying… don’t worry and don’t do anything “dark”/illegal.

Personally I’m satisfied with my Purism hardware… hardware, networking and the like aren’t really my things,
so you know, time saving and easy,

safe, not very expensive and…

hi folks, Michael here from the Qubes OS project.

I was part of the original effort of talking with Purism to get their laptop certified. Since everyone has had some distance now, it is maybe a good time to clarify what should be already pretty clear (see unman’s posts above).

First, the Qubes OS project is happy to currently have two manufacturers with certification. Certification is a well-thought-out process with benefits to the manufacturer and to the free-and-open-source Qubes OS project.

The current process makes clear the conditions for certification, in particular that the manufacturer offer to customers the same configuration for at least a year. This point was made explicit out of the experience with Purism and the Librem 13, which went through a number of hardware changes as the company worked to stabilize its laptop offering while at the same time already selling it to end-users.

Maintaining a hardware certification while changing the hardware is not possible, and troubleshooting and re-certifying each new hardware iteration was seen as cost-prohibitive to the Purism team, so they dropped seeking certification for their laptop.

I think for both projects it was a learning experience, and we wish the best to the Purism team.

9 Likes

FYI I also posted this message on the Purism forum.

1 Like

Reply by Purism CSO there:

What happened previously with Purism?

I couldn’t agree more.

Personally, I think that Purism is the worst and most dishonest “Privacy” BS marketing company ever.

Dasharo seems to be honest about what they can or can’t do, much more affordable, orders are actually delivered, and because of that they truly deserve to be supported by us and certified by Qubes OS.

2 Likes

Hi @fsflover
Sincerely enjoy reading your perspective. Agree with you far more than I
disagree (except perhaps with regard to purism).
Really appreciate your work in the forum too. Thank you!

Since you asked a direct question about purism’s “invented simple”
wording, I’ll risk veering off-topic to respond.

They invented simple words “disabled” and “neutralized” and stick to
them. What’s wrong with that? IMO it makes it easier for the public to
understand compared with “HAP bit”.

The main problem, as I see it, is oversimplification.

For instance, in the link we both referred to, the author states that “disabled” is “…the
ME is officially “disabled” and is known to be completely stopped and non-functional”.

Maybe you know more about the High Assurance Program (HAP), or have done
extensive testing, but the article’s claim that “the ME is
officially “disabled” and is known to be completely stopped and non-
functional” not only states that the HAP bit soft-disable strap method
is “official” (whatever that exactly means), but also states the HAP bit
method means the ME “is known to be completely stopped and
non-functional”. Perhaps it is, I don’t know.

To quote c0d3z3r0 in me_cleaner issue 340:
“Well, what you describe is actually the soft-disable strap. What I
described initially was actual cleaning/wiping of modules to prevent
their code to run, even if HAP would had a backdoor.”

Nephiel responded in the same issue
“Right, I only flipped the soft-disable bit, so the rest of the ME code
is still in there, and there is no guarantee it can’t be invoked some
other way.”

I repeat all of this not to spread FUD (fear, uncertainty, and doubt)
but to illustrate why I think purism’s “invented” terminology and
oversimplification could be misleading to someone truly concerned about
Intel’s ME. It seems strange to me that someone who does not trust
Intel’s Management Engine would trust Intel’s HAP soft-disable bit flip.

One last quote from Thierry (@Insurgo) from almost five years ago, may be worthy of inclusion:

Neutralizing/Deactivating/Deleting/Freeing Intel ME is a word game
where a lot of ink has been spilled over the last years. I suggest you read
this doc: How does it work? · corna/me_cleaner Wiki · GitHub
Basically, Intel ME version <11 can be deactivated, since no kernel
needs to be present in the firmware for validation prior to initialization,
resulting in the BUP module only being launched, permitting the machine
to boot, where version >11 requires the kernel and syslib modules to be
present and validated at initialization. So even if Intel ME is neutralized by
me_cleaner, the modules are still there in >11. Could they be executed?
That depends on your beliefs and
threat modeling.

Emphasis added.


Edit: 10-15-23 hopefully for better forum readability and clarity.

3 Likes

According to this interesting thread from 2021 on the Purism forum, the Librem 14 has a version 12 ME. Not sure if that means you got yours before then?

@Insurgo corrected that quote in his next post:

“Sorry to have misadvertised Purism work. Didn’t come across that post: Neutralizing the Intel Management Engine on Librem Laptops – Purism

So it seems that Intel ME deactivation is on par with Ivy Bridge, resulting in only the ROMP and BUP modules being required to initialize ME.

For firmware binary blob requirements, FSP is still required, see here: https://github.com/osresearch/heads/tree/master/blobs/librem_skl and here https://github.com/osresearch/heads/blob/master/config/coreboot-librem13v2.config”

Perhaps @Insurgo or someone else more knowledgeable than me can clarify how that affects the question “Could they be executed?”

2 Likes

Appreciate you sharing your research. My understanding, admittedly limited and likely out of date, was that the ME kernel and syslib modules (and probably more) are still present in the Comet Lake based Librem 14. Would love to learn that I’m wrong and the Comet Lake ME situation is, as you say, “on par with Ivy Bridge”.

IMO that’s quite unfortunate but not surprising. Thanks again for sharing your research @ubersecure

+1
I also would be interested in reading and learning more about this.

Tried to have Bing understand the differences prior to posting the outcome below (still imperfect; confusion still present but lowered):

| Model | Processor Generation | Codename | Example highest end CPUs | ME Deactivation | ME Neutering | ME Removal | Qubes Support |
|---|---|---|---|---|---|---|---|
| Librem 13 v1 | 5th | Broadwell | i7-5557U | Yes | Yes | No | Yes |
| Librem 13 v2 | 6th | Skylake | i7-6500U | Yes | No* | No | Yes |
| Librem 13 v3/v4 | 7th/8th | Kaby Lake/Coffee Lake | i7-8550U | Yes** | No* | No | Yes |
| Librem 14 v1 | 10th | Comet Lake | i7-10710U | Yes** | No* | No | Yes |
| Librem Mini v1/v2/v3 | 8th/10th/11th | Coffee Lake/Tiger Lake-U | i7-1165G7 | Yes** | No* | No | Yes |
| ThinkPad X200/T400 etc | Centrino 2/Centrino vPro/Centrino vPro2/Centrino vPro3/Centrino vPro4/Centrino vPro5/Centrino vPro6/Centrino vPro7/Centrino vPro8/Centrino vPro9 (modded) | Penryn/Cantiga/Montevina/Montevina Plus | Core 2 Extreme QX9300/QX9400/QX9500/QX9600/QX9700/QX9800/QX9900 (modded) | No***** | No***** | Yes****** | No |
| ThinkPad X230/T430/W530 etc | 3rd | Ivy Bridge | i7-3612QE (modded) | Yes | Yes*** | No | Yes |

\* Neutering is not possible for these chipsets because they require other modules than BUP/BUP+ROMP to be present and signed in the ME firmware. Those include kernel, Java runtime and policies to be in the signed digest validated at ME platform initialization and cannot be removed.
\*\* Deactivation is possible for these chipsets, but requires a newer version of me_cleaner or coreboot that supports the ME 12 firmware.
\*\*\* Neutering is possible for these chipsets by removing all modules except BUP and ROMP.
\*\*\*\*\* Deactivation and neutering are not possible for these chipsets because they use an older version of ME (ME6 or lower) that does not support the HAP bit or me_cleaner.
\*\*\*\*\*\* Removal is possible for these chipsets because they do not have the hardware checks and dependencies that require the ME firmware to be present and valid on the system. This can be done by using coreboot or libreboot as the firmware.

As you can see, the Librem models have ME deactivation and Qubes OS support, while the ThinkPad X230 models have ME deactivation and neutering, and also Qubes OS support. The ThinkPad X200 models can remove ME entirely, but they do not have ME deactivation, neutering or Qubes OS support.

Source: Conversation with Bing, 16/10/2023


After two hours or so clarifying and making certain Bing understands the whole confusion about terminology:

I’m sorry for the confusion. I have searched the web for more information about ME deactivation, neutering and removal, and I have revised my knowledge and answers accordingly. Here is what I have learned:

  • ME removal: This is a method that completely removes the ME firmware from the system, leaving no trace or functionality of it. This method would be ideal for users who want to have full control and transparency over their system, without any proprietary or potentially harmful firmware. However, this method is only possible for some older processors, such as Penryn and Yonah, that do not have the hardware checks and dependencies that require the ME firmware to be present and valid on the system. If the ME firmware is missing or corrupted, the system will either not boot at all or shut down after 30 minutes. This method can be done by using coreboot or libreboot as the firmware. This method was discovered by the libreboot project.
  • ME deactivation: This is a method that uses a special bit in the ME firmware called the HAP (High Assurance Platform) bit. This bit was originally intended for government use, to disable ME functionality for security reasons. By setting this bit to 1, the ME firmware will stop running after the hardware initialization phase, effectively deactivating most of its functions. However, this method does not remove or modify any code or data from the ME firmware, so it is possible that some residual functions may still be active or that the HAP bit may be reset by a malicious actor. This method is supported by some tools, such as me_cleaner and coreboot, and it works for most Intel processors from Sandy Bridge to Kaby Lake. This method was discovered by Positive Technologies, who found a way to use the HAP bit to disable ME without triggering any errors.
  • ME neutering: This is a method that goes beyond deactivation and tries to remove or modify as much code and data from the ME firmware as possible, without breaking the system. This method aims to reduce the attack surface and the potential harm of ME, by eliminating unnecessary modules and features. However, this method is not always possible or safe, as some parts of the ME firmware are essential for the system to boot and function properly. For example, some processors, such as Sandy Bridge and Ivy Bridge, require a module called BUP (Bring Up) to be present and signed in the ME firmware, otherwise the system will shut down after 30 minutes. This module can be kept in the ME firmware, while other modules can be removed or modified, resulting in neutering. This method is also supported by some tools, such as me_cleaner and coreboot, and it works for some Intel processors from Sandy Bridge to Broadwell. Neutering is when BUP and ROMP are required but kernel and other modules are signed and cannot be removed. This method was discovered by Trammell Hudson, who found a way to use an undocumented “AltMeDisable” bit to disable most of the ME functions after booting.

I think the confusion lies within revisions of the same models. Librem existed across multiple chipset revisions. Their model labeling is in regard to screen size, not necessarily chipsets.

Bing answers correctly:

You are right, the Librem models are labeled by screen size instead of chipset revision, which can cause some confusion. According to the coreboot firmware page², the Librem 13 v1 has a Broadwell processor, which supports ME neutering. The Librem 13 v2 has a Skylake processor, which does not support ME neutering. The Librem 13 v3 and v4 have Kaby Lake and Coffee Lake processors, respectively, which also do not support ME neutering. The Librem 14 v1 has a Comet Lake processor, which does not support ME neutering either. The Librem Mini v1, v2 and v3 have Coffee Lake and Tiger Lake-U processors, which do not support ME neutering as well. The only Librem model that supports ME neutering is the Librem 13 v1. All the other models can only deactivate ME using the HAP bit. I hope this clears up the confusion. :blush:

Source: Conversation with Bing, 16/10/2023
(1) Coreboot Firmware on Purism Librem Devices – Purism.
(2) Librem 5 Hardware - Phones (Librem 5) - Purism community.
(3) Librem 5 Phone – Birch - Purism.
(4) Librem 5 Phone – Evergreen - Purism.

Here again, note that this applies to chipsets and not models.

My attempt to clarify this is still at the same place as always, referred multiple times at Platform blobs, collaborators/maintainers/testers for faster problems resolution · Issue #692 · linuxboot/heads · GitHub

Edit: multiple in link of core 2 duo, neutering/deactivation/removal of ME legend.

6 Likes
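Since the thread keeps circling the difference between “disabled” (the HAP or AltMeDisable soft-strap is set) and “neutralized” (partitions actually wiped), here is an added example, not from the thread, me_cleaner or Purism, that reads both facts from a flash image: the strap bit from the flash descriptor and the surviving partitions from the $FPT table. The descriptor and FPT offsets follow the public layout me_cleaner uses (FLMAP0/FLMAP1, FLREG2, PCHSTRP0 bit 16 for ME 11+, PCHSTRP10 bit 7 for older ME); the 16 KiB image is constructed, the “$CPD” check is only a version heuristic, and the module-level check inside FTPR (what decides the ME 11+ case Insurgo raised) is deliberately left out.

```python
import struct

DESC_SIG = 0x0FF0A55A  # flash descriptor signature at offset 0x10 of a full SPI image


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def me_region(image):
    """Return (me_start, me_end, pch_strap_base) read from the flash descriptor."""
    if _u32(image, 0x10) != DESC_SIG:
        raise ValueError("no flash descriptor signature at 0x10")
    flmap0, flmap1 = _u32(image, 0x14), _u32(image, 0x18)
    frba = ((flmap0 >> 16) & 0xFF) << 4   # flash region base address (FLREGs)
    fpsba = (flmap1 & 0xFF) << 4          # PCH soft-strap base address
    flreg2 = _u32(image, frba + 8)        # FLREG2 describes the ME region
    base = (flreg2 & 0x1FFF) << 12
    limit = (((flreg2 >> 16) & 0x1FFF) << 12) | 0xFFF
    return base, limit + 1, fpsba


def partitions(image, me_start):
    """Walk the $FPT table; a partition that is all 0xFF or all 0x00 counts as wiped."""
    if image[me_start + 0x10:me_start + 0x14] != b"$FPT":
        raise ValueError("no $FPT header in ME region")
    count = _u32(image, me_start + 0x14)
    found = []
    for i in range(count):
        entry = me_start + 0x30 + 0x20 * i   # 0x20-byte entries follow the 0x20-byte header
        name = image[entry:entry + 4].rstrip(b"\x00").decode("ascii", "replace")
        off, length = _u32(image, entry + 8), _u32(image, entry + 12)
        body = image[me_start + off:me_start + off + length]
        wiped = len(set(body)) == 1 and body[0] in (0x00, 0xFF)
        found.append((name, off, length, wiped))
    return found


def inspect(image):
    """Classify an image as stock, deactivated (strap only) or neutered (partitions gone)."""
    me_start, _, fpsba = me_region(image)
    parts = partitions(image, me_start)
    ftpr = next(p for p in parts if p[0] == "FTPR")
    me11 = image[me_start + ftpr[1]:me_start + ftpr[1] + 4] == b"$CPD"  # heuristic: ME 11+
    if me11:
        strap_set = bool(_u32(image, fpsba) & (1 << 16))         # HAP bit, PCHSTRP0 bit 16
    else:
        strap_set = bool(_u32(image, fpsba + 0x28) & (1 << 7))   # AltMeDisable, PCHSTRP10 bit 7
    surviving = [p[0] for p in parts if not p[3]]
    if surviving == ["FTPR"]:
        verdict = "neutered"     # only FTPR left; on ME 11+ kernel/syslib modules still live in it
    elif strap_set:
        verdict = "deactivated"  # every byte of code still present, only the strap stops the ME
    else:
        verdict = "stock"
    return {"me11": me11, "strap_set": strap_set, "surviving": surviving, "verdict": verdict}


def build_sample(me11, strap, wipe_extra):
    """Constructed 16 KiB image: descriptor plus a 12 KiB ME region with FTPR, NFTP and MFS."""
    img = bytearray(b"\xFF" * 0x4000)
    struct.pack_into("<I", img, 0x10, DESC_SIG)
    struct.pack_into("<I", img, 0x14, 0x04 << 16)          # FRBA  = 0x40
    struct.pack_into("<I", img, 0x18, 0x10)                # FPSBA = 0x100
    struct.pack_into("<I", img, 0x40 + 8, (3 << 16) | 1)   # ME region 0x1000..0x3FFF
    struct.pack_into("<I", img, 0x100, (1 << 16) if (strap and me11) else 0)     # PCHSTRP0
    struct.pack_into("<I", img, 0x128, (1 << 7) if (strap and not me11) else 0)  # PCHSTRP10
    me = 0x1000
    img[me + 0x10:me + 0x14] = b"$FPT"
    struct.pack_into("<I", img, me + 0x14, 3)
    layout = [(b"FTPR", 0x100, 0x800), (b"NFTP", 0x900, 0x800), (b"MFS\x00", 0x1100, 0x800)]
    for i, (name, off, length) in enumerate(layout):
        entry = me + 0x30 + 0x20 * i
        img[entry:entry + 4] = name
        struct.pack_into("<II", img, entry + 8, off, length)
        body = bytes((i * 37 + j) & 0xFF for j in range(length))  # arbitrary non-blank filler
        if name == b"FTPR":  # $CPD for ME 11+, otherwise a placeholder manifest header
            body = (b"$CPD" if me11 else b"\x04\x00\x00\x00") + body[4:]
        if wipe_extra and name != b"FTPR":
            body = b"\xFF" * length                                 # what neutering leaves behind
        img[me + off:me + off + length] = body
    return bytes(img)


if __name__ == "__main__":
    for args in ((True, False, False), (True, True, False), (False, True, True)):
        print(args, inspect(build_sample(*args)))
```

Run against a real dump (e.g. one read with flashrom), the verdict tells you which of the thread’s three words actually applies to that image, and “neutered” on an ME 11+ part still leaves the FTPR modules to inspect.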