Discussion on Purism

As I pointed out before @TommyTran732 and to anyone thinking compromising measured boot is trivial, I laid down the tooling for anyone wanting to further protection / prove measured boot is not enough, to understand and break it once and for all, under WiP: introspection - replicate TPM PCRs measurements directly from measured content (TCPA/TPM Event log) by tlaurion · Pull Request #1568 · linuxboot/heads · GitHub

Just use it for bad to speed up the development of something good/better.

Until then, it was proven non-trivial. You are refusing to read it, test it, or prove you understand how TPM extend/seal/unseal/quote ops work; extracting/replaying/tampering with bootblock-anchored measured boot is yet to be proven flawed beyond a merely theoretical attack by anyone, to everyone. Please just do it and, like I said: you’ll get the world’s attention. Until then, you are in denial. And this echo chamber is not the place (not my place) to discuss this further.


EDIT: added repro notes directly at WiP: introspection - replicate TPM PCRs measurements directly from measured content (TCPA/TPM Event log) by tlaurion · Pull Request #1568 · linuxboot/heads · GitHub to entice an Evil Maid PoC by anyone willing to take that challenge to move a theoretical vuln into a practical, reproducible PoC. Up for the challenge with more than words, but code? PLEASE DO IT.

2 Likes
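The post above talks about replicating TPM PCR values from the measured content recorded in the event log. The following is an added example (not code from the linked pull request, Heads, or the poster) showing the core of that check: replaying an event log through the PCR extend operation, PCR_new = SHA-256(PCR_old || digest), and comparing the result with what the TPM reports. The event log, the reported PCR values and the measured blobs are all constructed inline for illustration; the function names are this example's own.

```python
import hashlib

# SHA-256 PCR banks start as 32 zero bytes after reset (TPM 2.0, PCRs 0-16).
PCR_INIT = bytes(32)


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for a SHA-256 bank: hash(old || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()


def measure(blob: bytes) -> bytes:
    """Digest of a measured component, as firmware would record it in the event log."""
    return hashlib.sha256(blob).digest()


def replay_event_log(events):
    """Fold an ordered list of (pcr_index, digest) events into per-PCR values.

    Order matters: the same digests extended in a different order give a
    different PCR, which is exactly why the log must be replayed, not summed.
    """
    pcrs = {}
    for pcr_index, digest in events:
        pcrs[pcr_index] = extend(pcrs.get(pcr_index, PCR_INIT), digest)
    return pcrs


def verify_log_against_pcrs(events, reported_pcrs):
    """Return the list of PCR indexes whose replayed value disagrees with the TPM.

    An empty list means the event log is consistent with the reported PCRs.
    A non-empty list means the log was edited, an event was dropped or
    reordered, or a measured component differs from what the log claims.
    """
    expected = replay_event_log(events)
    return sorted(i for i in expected if expected[i] != reported_pcrs.get(i))


# Constructed sample event log: three components measured into two PCRs.
# Real logs carry event types and descriptive data too; only the digests
# and PCR indexes matter for replay.
SAMPLE_EVENTS = [
    (0, measure(b"constructed bootblock image")),
    (0, measure(b"constructed romstage image")),
    (2, measure(b"constructed kernel image")),
]


def tampered_log(events, pcr_index, new_blob):
    """Constructed scenario: rewrite the first event of one PCR to a different digest."""
    out = list(events)
    for n, (idx, _) in enumerate(out):
        if idx == pcr_index:
            out[n] = (idx, measure(new_blob))
            break
    return out


if __name__ == "__main__":
    # PCRs as the TPM would report them for the genuine boot.
    reported = replay_event_log(SAMPLE_EVENTS)
    print("genuine log mismatches:", verify_log_against_pcrs(SAMPLE_EVENTS, reported))
    # An edited log no longer replays to the TPM's PCR 0.
    edited = tampered_log(SAMPLE_EVENTS, 0, b"constructed modified bootblock")
    print("edited log mismatches:", verify_log_against_pcrs(edited, reported))
```

The check only proves that the log and the PCRs agree; it says nothing about whether the firmware that produced both was genuine. That is why the poster insists on the bootblock anchoring the chain: whatever runs first decides what gets measured, so a consistent log from a replaced bootblock is exactly the scenario a PoC would have to demonstrate.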

And again, for the sake of this thread, I already replied extensively with my own learnings and criticisms at "Maybe I messed up my qubes installation?" related support questions involving "some" Heads subtleties, aka "How to disable autostarting of service qubes at boot without Grub interface" - #8 by Insurgo

(tags: firmware, testing, security, Purism, Qubes OS certification process, OEM disk installation, salt, kick-start what should be the next steps, where collaboration is needed, etc etc etc)

2 Likes

Do you have the corresponding video?

2 Likes
2 Likes

Direct video link:

2 Likes
I moved this topic to the #all-around-qubes category due to these posts:

If @moderators and/or trust level 3/Regular users would prefer the topic go back into the General Discussion category, simply move it again.

access to category

Isn’t “All around Qubes” somehow access-restricted?
[After checking] → yes it is:

2 Likes
Moved back to `General Discussion`.

It doesn’t seem appropriate to move this mega-thread after all these years. As @fsflover outlined: this is hardware specifically marketed towards Qubes OS users, and their experiences and impressions with the vendor are on-topic.

2 Likes

Sure, although Purism primarily targets PureOS, not Qubes OS.

How can I know if the glitter nail polish is acrylic or gel?
I’ve had a very bad experience trying to ask questions about glitter nail polish at local stores that sell glitter nail polish. They always answer “don’t know”.

1 Like

At a glance, thickness of the applied polish is a giveaway. Gel is thicker while acrylic is thinner.

2 Likes

Gel is thicker while acrylic is thinner.

As a straight guy, I wouldn’t know :man_shrugging: :nail_care: :laughing:

1 Like

Trammel recommended this brand. Shipped all Privacy Beasts with it. Worked awesome.

3 Likes

Why are the Purism computers (for example Librem 14) still not certified for Qubes?
Do they not meet its requirements?

1 Like

I assume nobody (from Librem) started an active cert process together with the Qubes OS staff, because none of the certifications for Qubes OS were an “easy going” thing. Maybe it will happen one day, but I guess it must first be done through an active inquiry/request from the Librem team to Qubes…

I assume also that the Dasharo devices/hardware are very close to the Librem hardware, so nobody really bothers about it yet. Librem sells their products more in the US than overseas…

1 Like

You can search the forum, there are random posts talking about what happened with Purism.

I think they used to be certified, but they tried to sell models that weren’t certified as certified, so certification was removed from all their models.

Edit:
This post mentions the issue
https://forum.qubes-os.org/t/discussion-on-purism/2627/21

5 Likes

In my opinion, this is completely unfair and harmful to Qubes, but:

They did.

Here’s a relevant post: Discussion on Purism - #26 by michael

3 Likes

So, Purism’s business interests beat the certification interests? It is sad…

Are there any similar claims against PureOS?
For example, instead of Debian, which unfortunately uses blobs in the kernel and firmware, use PureOS.

1 Like

we have a news page that announced the certification of the Purism Librem 13 in 2015, it was the first Qubes-certified device:

it’s strange to say that us not partnering with Purism is harming Qubes, since the business relationship was… harming Qubes? consumers buying certified laptops with different hardware than what was advertised & certified – confusion, needing to troubleshoot, broken functionality… what is the benefit of a certification program that users can’t trust?

in 2021 when Purism offered again their interest in partnering, we discussed it internally and decided not to re-engage with them. our energies instead have gone towards building a more diverse ecosystem of certified hardware providers.

maybe this should be merged with the other thread? was merged :white_check_mark:

2 Likes

You’re contradicting yourself:

In other words, your earlier experience with Purism allowed you to understand that a fixed configuration was important for the Qubes certification – which is perfectly reasonable and fair:

Now, are you saying that Purism refuses to accept this new, reasonable requirement for their next certified product? I don’t understand.

So is this about the non-fixed hardware configuration, or unwritten “ethical requirements”, or maybe because they

? (i.e., they intentionally design their hardware to work with Qubes – is this not a good thing?)

Are bad Internet reviews from haters influencing your decision on who should be certified? I read them all, and most of them are mistaken concerning the intentions of the company and the consequences for the users (saying this as a user).

So you decided to exclude some hardware providers in order to diversify the ecosystem? This doesn’t sound reasonable at all.

1 Like