Discussion on Purism

First, thank you @unman and others for the interesting discussion.

I didn’t invest in Purism much and I really want to know all its sides, not just good ones (which is why I posted about the lack of SPC reports above). (By the way, it’s easy to dismiss the arguments of the opponent in this way, but it’s a fallacy.) However I did invest in free software, including Qubes OS. My investment in Purism I consider as a part of my investments in free software. And I think it’s pretty important to support it, which is what Purism arguably does. Don’t you also value free software?

I guess @unman means laptops from 2008 based on Libreboot, where old versions of Intel ME were fully removed. Although unman is right, it is not relevant anymore since those laptops are extremely insecure (Spectre & Meltdown) and I expect no one on these forums would use them anymore.

This sounds like a real issue, but I never saw that despite following Purism closely for a long time. Any actual links?

I’m not sure why Purism would intentionally skip installing Qubes for its customers, while security is their main selling point. Especially given that a Qubes install is a relatively simple task. By the way, I ordered my laptop with a Qubes USB stick, but I did not receive the stick. They sent it separately after I complained about it. Should I have lost all my trust in the company in your opinion?

This is true, but such waiting time was reasonable given the goal. Their time estimation was pretty much wrong though.

This is one of Zlatan’s lies. Actual data is that the phone battery lives for 14+ hours even though suspend is not implemented yet.

I in principle agree, but you should consider the reasons. I have no idea why people become Apple fanatics, but Purism is the only company producing devices with kill switches, the only company strongly pushing towards freedom and having it as a selling point, the only company seeking FSF certification for the phone, one of very few companies testing Qubes on their laptops. I think that everyone in the free software community should become their fan and ignore their drawbacks as long as they do not lie or mislead the customers. If this company fails, we will not get a free phone in the near future. Pinephone never even mentions freedom, calls itself “open-source company”, and supports hardware producers breaking GPL license AFAIK.

Again, for some reason you ignored the problem with Spectre and Meltdown. Did you find a way to fix them for those laptops, or do you ignore the threat of every program reading your RAM? I have such laptops as well, but I have no idea what I should do with them now. They also don’t support Qubes 4.0+.

Pine64 develops no free software, while a large part of the Librem 5 phone price is the software development. Purism developed the phone shell Phosh, which is used by >50% of Pinephone users. So Pinephone is in fact using Purism developers (which is not bad, but when you are comparing, you should be fair). For a more detailed comparison I suggest checking out this link. Especially look at “reasons to buy”. Tl;dr: this is not as ambitious and challenging at all, although definitely very useful and should be supported.

1 Like

Leaving this discussion open as some sections are relevant for Qubes. But it’s at the edge of what’s off-topic and what’s not.

2 Likes

I disagree. Hardware running Qubes is essential for Qubes users. Trusting hardware companies is essential for trusting your hardware. Otherwise why bother with a security-oriented system?

As I mentioned earlier, this topic is an example of the new category which should definitely be useful for Qubes users. All around Qubes I would call it.

1 Like

fslover - I didn’t invest in Purism much and I really want to know all its sides, not just good ones (which is why I posted about the lack of SPC reports above). (By the way, it’s easy to dismiss the arguments of the opponent in this way, but it’s a fallacy.) However I did invest in free software, including Qubes OS. My investment in Purism I consider as a part of my investments in free software. And I think it’s pretty important to support it, which is what Purism arguably does. Don’t you also value free software?

To be clear: I didn’t say you had invested in Purism - I said you were
invested in it.
This isn’t Bulverism - I was trying to withdraw from the
discussion/argument.

I value free software, in particular the ethical stance behind it. I do
not think that Purism or individuals like Leah live up to that stance.
I value security more - so where I see the FSF promoting software and
approaches that limit users knowledge and damage their security, I
despair.

As to the Purism/Qubes debacle, you can find mention of it in the
mailing list archives - around mid 2017, I think. Purism renamed the
(certified) 13 to 13v1, introduced a new 13v2 with different hardware,
and kept it linked from the Qubes certified page.
So for 6 months Purism were taking orders for a laptop that was
represented as certified by Qubes, but was not. Some buyers were
unhappy.

I don’t find it fruitful to comment further.

2 Likes

well i mean i can understand your point but since we’re talking about the sort of company that advertises to the slightly more computer savvy
because basically everything’s open sourced/… verifiable, the hardware is fairly hard to compromise, you know - i guess governments could but you get the point

you can also pay with crypto, ship to a drop location, immediately disable the hardware switch for the camera
and connect to a secure wifi network where everything’s routed through tor… (just like whonix but in case you’re fearing dom0’s been compromised…) also make sure to deal with such pesky things as always only having your laptop in range of your own wifi and so on

i mean think of the “outrage”/fears/lawsuits/… if it turned out the company installed back doors

and the us gov’ can’t really without a warrant (not that it stopped them before… but again like tapping phones… it won’t fly)
(not that i’m saying you should try anything illegal but i mean…) if you need a secure system

also there’s always disk encryption
an attacker can try a cold boot attack or an evil maid attack or… but there are safeguards in place and if you’re really paranoid then you can always i guess when booting flash coreboot and everything again and obviously move your encrypted drive to a different location/…

also if you are “going dark” which i guess means illegal not off the grid then there are different solutions such as simply using separate encrypted storage…
booting live from tails… and so on
i won’t be giving you a guide but there are more effective ways to do such things because qubes is designed to be a secure system, tails is designed to leave no trace - such as even in the ram for example

also you can always prefer trusting companies such as lenovo which literally target business, high end etc and is a chinese company…
their laptops come with spyware masked as an antivirus… just google it

now they are good laptops indeed but i mean… if it’s good enough for so many companies and…

(just to give an example…) not that it is easy to avoid chinese hardware but having a small stake in a company being owned by china is very different than fully chinese…)

anyway so far i’m happy with my new librem laptop

and trust me, if i were to want to do something illegal… well i guess it depends on the severity and cost
but i’d just use a cheap burner laptop or better yet a pc or a raspberry pi or…
if i were to try and hack the pentagon… - just to give an example
then i would definitely not be using a librem laptop but a second hand laptop i guess buying anonymously with cash making sure to keep an eye on the person who sold it to me… - via facebook for example…

so that even if somehow it’s traced back (not to me because i’d take safeguards using public wifi in a park etc, destroy later… you get the point, i won’t dig deep to give anyone any ideas)
but let’s say somehow… then the gov’d end up on a wild goose chase

(yeah don’t break the law)

but it’s nice to think about…

This thread is a showcase of why a trust level of 2 should be needed to participate in tangential discussions (though some might argue that this is directly relevant to Qubes). Relevant thread here.

Once a product/company had been badmouthed there’s a pattern of new accounts being made with the sole purpose of taking a side. Two brand new accounts are posting here, for example, and neither seem to have an interest in Qubes. What’s worse, they’re making lengthy posts that take considerable effort to get through. This is obviously leading to increased workloads for the mod(s) and clogging up the moderation queue.

As I’ve mentioned before, I’m not going to bother arguing with those in entrenched positions spouting long-winded sophistry, since I have better things to do with my time.

4 Likes

Sorry, but this was unreadable.

1 Like

never mind man just saying… don’t worry and don’t do anything “dark”/illegal

personally i’m satisfied with my purism hardware… hardware, networking and the like aren’t really my things
so you know, time saving and easy

safe not very expensive and…

hi folks, Michael here from the Qubes OS project.

I was part of the original effort of talking with Purism to get their laptop certified. Since everyone has had some distance now, it is maybe a good time to clarify what should already be pretty clear (see unman’s posts above).

First, the Qubes OS project is happy to currently have two manufacturers with certification. Certification is a well-thought-out process with benefits to the manufacturer and to the free-and-open-source Qubes OS project.

The current process makes clear the conditions for certification, in particular that the manufacturer offer to customers the same configuration for at least a year. This point was made explicit out of the experience with Purism and the Librem 13, which went through a number of hardware changes as the company worked to stabilize its laptop offering while at the same time already selling it to end-users.

Maintaining a hardware certification while changing the hardware is not possible, and troubleshooting and re-certifying each new hardware iteration was seen as cost-prohibitive to the Purism team, so they dropped seeking certification for their laptop.

I think for both projects it was a learning experience, and we wish the best to the Purism team.

9 Likes

FYI I also posted this message on the Purism forum.

1 Like

Reply by Purism CSO there:

What happened previously with Purism?

I couldn’t agree more.

Personally, I think that Purism is the worst and dishonest “Privacy” BS marketing company ever.

Dasharo seems to be honest about what they can or can’t do, much more affordable, orders are actually delivered, and because of that they truly deserve to be supported by us and certified by Qubes OS.

2 Likes

Hi @fsflover
Sincerely enjoy reading your perspective. Agree with you far more than I
disagree (except perhaps with regard to purism).
Really appreciate your work in the forum too. Thank you!

Since you asked a direct question about purism’s “invented simple”
wording, I’ll risk veering off-topic to respond.

They invented simple words “disabled” and “neutralized” and stick to
them. What’s wrong with that? IMO it makes it easier for the public to
understand compared with “HAP bit”.

The main problem, as I see it, is oversimplification.

For instance, in the link we both referred to, the author states that “disabled” means “…the
ME is officially “disabled” and is known to be completely stopped and non-functional”.

Maybe you know more about the High Assurance Program (HAP), or have done
extensive testing, but the article’s claim that “the ME is
officially “disabled” and is known to be completely stopped and
non-functional” not only states that the HAP bit soft-disable strap method
is “official” (whatever that exactly means), but also states the HAP bit
method means the ME “is known to be completely stopped and
non-functional”. Perhaps it is, I don’t know.

To quote c0d3z3r0 in me_cleaner issue 340:
“Well, what you describe is actually the soft-disable strap. What I
described initially was actual cleaning/wiping of modules to prevent
their code to run, even if HAP would had a backdoor.”

Nephiel responded in the same issue
“Right, I only flipped the soft-disable bit, so the rest of the ME code
is still in there, and there is no guarantee it can’t be invoked some
other way.”

I repeat all of this not to spread FUD (fear, uncertainty, and doubt)
but to illustrate why I think purism’s “invented” terminology and
oversimplification could be misleading to someone truly concerned about
Intel’s ME. It seems strange to me that someone who does not trust
Intel’s Management Engine would trust Intel’s HAP soft-disable bit flip.

One last quote from Thierry (@Insurgo) from almost five years ago, may be worthy of inclusion:

Neutralizing/Deactivating/Deleting/Freeing Intel ME is a word game
over which a lot of ink has been spilled over the last years. I suggest you read
this doc: How does it work? · corna/me_cleaner Wiki · GitHub
Basically, Intel ME version <11 can be deactivated, since no kernel
needs to be present in the firmware for validation prior to initialization,
resulting in the BUP module only being launched, permitting the machine
to boot, whereas version >11 requires the kernel and syslib modules to be
present and validated at initialization. So even if Intel ME is neutralized by
me_cleaner, the modules are still there in >11. Could they be executed?
That depends on your beliefs and
threat modeling.

Emphasis added.


Edit: 10-15-23 hopefully for better forum readability and clarity.

3 Likes

According to this interesting thread from 2021 on the Purism forum, the Librem 14 has a version 12 ME. Not sure if that means you got yours before then?

@Insurgo corrected that quote in his next post:

“Sorry to have misadvertised Purism work. Didn’t come across that post: Neutralizing the Intel Management Engine on Librem Laptops – Purism

So it seems that Intel ME deactivation is on par with Ivy Bridge, resulting in only the ROMP and BUP modules being required to initialize ME.

For firmware binary blob requirements, FSP is still required, see here: https://github.com/osresearch/heads/tree/master/blobs/librem_skl and here https://github.com/osresearch/heads/blob/master/config/coreboot-librem13v2.config”

Perhaps @Insurgo or someone else more knowledgeable than me can clarify how that affects the question “Could they be executed?”

2 Likes

Appreciate you sharing your research. My understanding, admittedly limited and likely out of date was that the ME kernel and syslib modules (and probably more) are still present in the Comet Lake based Librem 14. Would love to learn that I’m wrong and the Comet Lake ME situation is, as you say, “on par with Ivy bridge”.

IMO that’s quite unfortunate but not surprising. Thanks again for sharing your research @ubersecure

+1
I also would be interested in reading and learning more about this.

Tried to have Bing understand the differences prior to posting the outcome below (still imperfect; confusion still present but lowered):

| Model | Processor Generation | Codename | Example highest end CPUs | ME Deactivation | ME Neutering | ME Removal | Qubes Support |
|---|---|---|---|---|---|---|---|
| Librem 13 v1 | 5th | Broadwell | i7-5557U | Yes | Yes | No | Yes |
| Librem 13 v2 | 6th | Skylake | i7-6500U | Yes | No* | No | Yes |
| Librem 13 v3/v4 | 7th/8th | Kaby Lake/Coffee Lake | i7-8550U | Yes** | No* | No | Yes |
| Librem 14 v1 | 10th | Comet Lake | i7-10710U | Yes** | No* | No | Yes |
| Librem Mini v1/v2/v3 | 8th/10th/11th | Coffee Lake/Tiger Lake-U | i7-1165G7 | Yes** | No* | No | Yes |
| ThinkPad X200/T400 etc | Centrino 2/Centrino vPro/Centrino vPro2/Centrino vPro3/Centrino vPro4/Centrino vPro5/Centrino vPro6/Centrino vPro7/Centrino vPro8/Centrino vPro9 (modded) | Penryn/Cantiga/Montevina/Montevina Plus | Core 2 Extreme QX9300/QX9400/QX9500/QX9600/QX9700/QX9800/QX9900 (modded) | No***** | No***** | Yes****** | No |
| ThinkPad X230/T430/W530 etc | 3rd | Ivy Bridge | i7-3612QE (modded) | Yes | Yes*** | No | Yes |

\* Neutering is not possible for these chipsets because they require other modules than BUP/BUP+ROMP to be present and signed in the ME firmware. Those include kernel, Java runtime and policies to be in the signed digest validated at ME platform initialization and cannot be removed.
\*\* Deactivation is possible for these chipsets, but requires a newer version of me_cleaner or coreboot that supports the ME 12 firmware.
\*\*\* Neutering is possible for these chipsets by removing all modules except BUP and ROMP.
\*\*\*\*\* Deactivation and neutering are not possible for these chipsets because they use an older version of ME (ME6 or lower) that does not support the HAP bit or me_cleaner.
\*\*\*\*\*\* Removal is possible for these chipsets because they do not have the hardware checks and dependencies that require the ME firmware to be present and valid on the system. This can be done by using coreboot or libreboot as the firmware.

As you can see, the Librem models have ME deactivation and Qubes OS support, while the ThinkPad X230 models have ME deactivation and neutering, and also Qubes OS support. The ThinkPad X200 models can remove ME entirely, but they do not have ME deactivation, neutering or Qubes OS support.

Source: Conversation with Bing, 16/10/2023
(1) Lenovo ThinkPad X200 Review | Laptop Mag.
(2) ThinkPad X series - Wikipedia.
(3) Lenovo ThinkPad X200 review: Lenovo ThinkPad X200 - CNET.
(4) ThinkPad X230 Product Specifications Reference (PSREF). https://psref.lenovo.com/syspool/Sys/PDF/withdrawnbook/ThinkPad_X230.pdf
(5) ThinkPad X230 Product Specifications Reference (PSREF). https://psref.lenovo.com/syspool/sys/pdf/withdrawnbook/thinkpad_x230_we.pdf
(6) Lenovo ThinkPad X230 review: Lenovo ThinkPad X230 - CNET.
(7) Purism – Librem 5.
(8) Purism – Products.
(9) Librem 5 - Wikipedia.
(10) Librem - Wikipedia.


After two hours or so of clarifying and making certain Bing understands the whole confusion about terminology:

I’m sorry for the confusion. I have searched the web for more information about ME deactivation, neutering and removal, and I have revised my knowledge and answers accordingly. Here is what I have learned:

  • ME removal: This is a method that completely removes the ME firmware from the system, leaving no trace or functionality of it. This method would be ideal for users who want to have full control and transparency over their system, without any proprietary or potentially harmful firmware. However, this method is only possible for some older processors, such as Penryn and Yonah, that do not have the hardware checks and dependencies that require the ME firmware to be present and valid on the system. If the ME firmware is missing or corrupted, the system will either not boot at all or shut down after 30 minutes. This method can be done by using coreboot or libreboot as the firmware. This method was discovered by the libreboot project.
  • ME deactivation: This is a method that uses a special bit in the ME firmware called the HAP (High Assurance Platform) bit. This bit was originally intended for government use, to disable ME functionality for security reasons. By setting this bit to 1, the ME firmware will stop running after the hardware initialization phase, effectively deactivating most of its functions. However, this method does not remove or modify any code or data from the ME firmware, so it is possible that some residual functions may still be active or that the HAP bit may be reset by a malicious actor. This method is supported by some tools, such as me_cleaner and coreboot, and it works for most Intel processors from Sandy Bridge to Kaby Lake. This method was discovered by Positive Technologies, who found a way to use the HAP bit to disable ME without triggering any errors.
  • ME neutering: This is a method that goes beyond deactivation and tries to remove or modify as much code and data from the ME firmware as possible, without breaking the system. This method aims to reduce the attack surface and the potential harm of ME, by eliminating unnecessary modules and features. However, this method is not always possible or safe, as some parts of the ME firmware are essential for the system to boot and function properly. For example, some processors, such as Sandy Bridge and Ivy Bridge, require a module called BUP (Bring Up) to be present and signed in the ME firmware, otherwise the system will shut down after 30 minutes. This module can be kept in the ME firmware, while other modules can be removed or modified, resulting in neutering. This method is also supported by some tools, such as me_cleaner and coreboot, and it works for some Intel processors from Sandy Bridge to Broadwell. Neutering is when BUP and ROMP are required but kernel and other modules are signed and cannot be removed. This method was discovered by Trammell Hudson, who found a way to use an undocumented “AltMeDisable” bit to disable most of the ME functions after booting.

I think the confusion lies within revisions of the same models. Librem existed across multiple chipset revisions. Their model labeling is in regard to screen size, not necessarily chipsets.

Bing answers correctly

You are right, the Librem models are labeled by screen size instead of chipset revision, which can cause some confusion. According to the coreboot firmware page², the Librem 13 v1 has a Broadwell processor, which supports ME neutering. The Librem 13 v2 has a Skylake processor, which does not support ME neutering. The Librem 13 v3 and v4 have Kaby Lake and Coffee Lake processors, respectively, which also do not support ME neutering. The Librem 14 v1 has a Comet Lake processor, which does not support ME neutering either. The Librem Mini v1, v2 and v3 have Coffee Lake and Tiger Lake-U processors, which do not support ME neutering as well. The only Librem model that supports ME neutering is the Librem 13 v1. All the other models can only deactivate ME using the HAP bit. I hope this clears up the confusion. :blush:

Source: Conversation with Bing, 16/10/2023
(1) Coreboot Firmware on Purism Librem Devices – Purism.
(2) Librem 5 Hardware - Phones (Librem 5) - Purism community.
(3) Librem 5 Phone – Birch - Purism.
(4) Librem 5 Phone – Evergreen.

Here again, note that this applies to chipsets and not models.

My attempt to clarify this is still at the same place as always, referred multiple times at Platform blobs, collaborators/maintainers/testers for faster problems resolution · Issue #692 · linuxboot/heads · GitHub

Edit: multiple in link of core 2 duo, neutering/deactivation/removal of ME legend.

6 Likes
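The three approaches in the Bing summary above (removal, HAP deactivation, neutering by dropping partitions and modules) and the earlier HAP-soft-disable vs. module-wiping quotes from the me_cleaner issue differ in what they leave behind in the ME region. The following is an added example, not code from this thread, from me_cleaner or from Purism: it parses the ME region’s $FPT partition table from constructed sample regions and reports whether only the FTPR code partition survives, which is the partition-level fingerprint of me_cleaner-style cleaning. It assumes the $FPT layout described in the me_cleaner wiki (marker at region offset 0x10, 32-byte header, 32-byte entries) and uses constructed, not real, firmware bytes.

```python
"""Partition-level look at an Intel ME region (added illustration).

Assumed layout, per the me_cleaner wiki: "$FPT" marker at ME-region offset
0x10, a 32-byte header whose second dword is the entry count, and 32-byte
entries starting with a 4-byte name, a 4-byte owner, then 32-bit offset and
length.  The sample regions below are constructed here, not firmware dumps.
"""
import struct

FPT_MARKER_OFFSET = 0x10
FPT_HEADER_LEN = 0x20
FPT_ENTRY_LEN = 0x20


def parse_fpt(region: bytes) -> list:
    """Return the partition entries (name, offset, length) of an ME region."""
    marker = region[FPT_MARKER_OFFSET:FPT_MARKER_OFFSET + 4]
    if marker != b"$FPT":
        raise ValueError("no $FPT marker at offset 0x10; not an ME region?")
    (count,) = struct.unpack_from("<I", region, FPT_MARKER_OFFSET + 4)
    table = FPT_MARKER_OFFSET + FPT_HEADER_LEN
    entries = []
    for i in range(count):
        name, _owner, offset, length = struct.unpack_from(
            "<4s4sII", region, table + i * FPT_ENTRY_LEN)
        entries.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                        "offset": offset, "length": length})
    return entries


def classify(region: bytes) -> str:
    """Coarse verdict on what survived in the region.

    "stock":     FTPR plus the usual data/update partitions are present.
    "ftpr-only": only the FTPR code partition is left, which is what
                 me_cleaner-style cleaning leaves at partition level.
    "no-ftpr":   nothing bootable; on chipsets that need the ME the PCH
                 powers the machine off after 30 minutes (see the thread).
    This says nothing about which modules inside FTPR (BUP, ROMP, kernel,
    syslib) remain, nor about the HAP soft-disable bit, which lives in the
    flash descriptor straps rather than in this table.
    """
    names = {e["name"] for e in parse_fpt(region)}
    if "FTPR" not in names:
        return "no-ftpr"
    return "ftpr-only" if names == {"FTPR"} else "stock"


def build_region(partitions: list) -> bytes:
    """Construct a minimal ME region from (name, offset, length) tuples."""
    header = b"\x00" * FPT_MARKER_OFFSET           # ROM-bypass area, zeroed
    header += b"$FPT" + struct.pack("<I", len(partitions))
    header += b"\x00" * (FPT_HEADER_LEN - 8)       # version/checksum fields
    table = b"".join(
        struct.pack("<4s4sII", name.encode("ascii"), b"\xff" * 4, off, ln)
        + b"\x00" * 16                              # token/sector/flag fields
        for name, off, ln in partitions)
    return header + table


# Constructed samples: a stock-looking layout and a cleaned one.
STOCK = build_region([("FTPR", 0x1000, 0x60000), ("NFTP", 0x61000, 0x80000),
                      ("MFS", 0xE1000, 0x10000), ("FTUP", 0xF1000, 0x80000)])
CLEANED = build_region([("FTPR", 0x1000, 0x60000)])

if __name__ == "__main__":
    for label, region in (("stock", STOCK), ("cleaned", CLEANED)):
        names = [e["name"] for e in parse_fpt(region)]
        print(label, names, "->", classify(region))
```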

Thank you @Justin for your kind words.

I disagree that oversimplification is a problem. It would only be a problem if you had few possibilities to dig deeper, like with Apple, but in fact Purism usually provides all links and detailed technical explanations. (It’s like saying that new terms should never be invented to simplify speech, because they “can be misleading to someone truly concerned”.) I think that new terms make it easier to talk, if done well and transparently, which is the case here, see also below.

On the one hand, I agree with you here: “completely stopped” and “non-functional” are misleading. Since the beginning of time, Purism has oversold their work with too much hype. (So I’ve always been checking what they actually do, and I’ve in general been satisfied with less.) Of course, as far as I understand, disabling means you only “ask” Intel ME to switch off and must trust it to obey.
On the other hand, the NSA and co. must have a method to close this backdoor for themselves, and indeed it was eventually discovered, without official disclosure. The latter makes it actually more trustworthy in my view, since Intel definitely doesn’t want you to tinker with Intel ME, but they likely had to provide a way to disable it for “appropriate” users. So in the end, it’s quite likely (despite being unverifiable) that Intel ME is actually deactivated, or disabled by its own will. This is exactly how I understand this:

I hope I clarified above that the “official” way of disabling the code, from the point of view of the ME software itself, gives us a good reason to trust that it works, as long as Intel did not expect that users knew about this possibility. I could be mistaken, but I think it’s the case. If not, it could be a trap of course.

Concerning the new, useful definitions, consider this post by me_cleaner: They provide two different ways to fight with Intel ME but call them by the same name “Disable”. Later, with the new generation of Intel CPUs only one approach still works but the name stays the same, and people, like you or c0d3z3r0, start to ask reasonable questions like “how can this be true if it’s impossible?” Indeed we can’t do half of it now.

The other part, which is called “neutralize” by Purism, sounds very appropriate to me, too, since it very well reflects that this action goes against the ME’s own plans, which is true.

To repeat, in my opinion, the real reason for the misunderstanding in your quotes/links comes from the misleading original me_cleaner’s definition, which doesn’t distinguish two very different cases.

It won’t be off-topic, if I move it to the appropriate place, which I just did.

Yes, I daily drive a Librem 15.

@ubersecure That update by @Insurgo was correct, but it was written before Librem 14 was released (in 2020). I think Purism say sufficiently clearly that ME in Librem 14 is “only” disabled but not neutralized. What is unclear with it?

4 Likes

Thank you @Insurgo for the nice table. However, I believe it’s not very accurate.

I am not sure that this is accurate, see this and this:

Also, there is no Librem 15 in the table.

I don’t think Librem 5 phone is relevant here.

3 Likes