Discussion on Purism

Not having Intel Boot Guard isn’t that big of a deal, lots of system don’t use Boot Guard

Boot Guard is the industry standard. The vast majority of laptops have it, even consumer laptops.

I don’t think it’s unreasonable to claim that a Linux laptop with Heads firmware is a secure laptop, even if Fortune 500 companies don’t use it

Purism claims high security while being worse than the industry standard. They are selling a security product at a premium while having poorer security properties than the standard computers produced by Dell and Lenovo which you can buy for much cheaper. It is unreasonable to recommend it as a security solution over Dell Latitutde/Precision and Lenovo Thinkpad.

Purism doesn’t promise you the world’s most secure laptop

They do: The Most Secure Laptop: Librem 14 – Purism. This is right in their marketing material. They went out of their way to be worse than the standard then claim that they are the most secure.

They even claim it protects against firmware tampering when it does not:

They say that the key will warn you even after an attacker has flashed malicious firmware that will lie to you on the screen, conveniently ignoring the part where the firmware can also lie to the TPM to fool the key. They also pretended like other vendors did not already have protections against this.

They crossed every ethical line there is to be crossed.

2 Likes

I came up with a quick heuristic for figuring out how secure a piece of hardware/software is without having to dig into its technical details, and I want to get some feedback

The ultra-short version: Find out how much value it’s protecting.

Based on that approach, the most secure combination is Windows running on proprietary hardware. That’s what I see on every computer in every bank :slight_smile:

BTW, what is the goal of the current thread? Is there an actual question to be answered?

1 Like

Honestly I think it might be good to show how Purism is a scam even at the technical level and not just the whole “not shipping stuff people ordered” issue.

People keep being like “Oh they sucks at delivering but I still believe in their mission and their product actually works” all the time which is very sad :slightly_frowning_face:. They are less secure than commodity hardware they rail against.

2 Likes

Honestly I think it might be good to show how Purism is a scam even at the technical level and not just the whole “not shipping stuff people ordered” issue.

Does it actually work? Some say “there is no such thing as bad publicity”, so the effect may be the opposite.

1 Like

What compelled you to order a Librem 14?

I was young and stupid and got scammed :sweat_smile:

This was way back when it was in preorder and I thought I was getting a secure product. I did get the product like a year after it was supposed to be shipped but it turned out that the $2000 was completely wasted on something way less secure than what I could get on eBay for less than $1000. Sooo yeah :sob:

I sure don’t want other people to waste their money like I did. Even if you do get the product, it doesn’t do what they tell you it does. In hindsight, I should have read through the Heads documentation before making my purchase decision and realize it was complete theatre from the beginning. But instead I just browsed this very forum and saw people shilling Purism, so I fell for it.

2 Likes

Do you still have the Librem 14?

I gave it to my friend as a novelty item :sweat_smile:

1 Like

Yes, it is absolutely true that free software only allows for the potential for these things to happen. We still have to follow up on it as a society. With proprietary software, not even the potential exists.

Defending against this problem is described in this paper. I’ll admit that I don’t know how widely this solution has been deployed, but that’s how security research works: people find problems and describe them, industry takes some time to catch up. Most of the time it works out because newly described problems are generally expensive to exploit and once they become cheap industry has generally caught up.

Yes, they can do that. This is why I replaced the GPG key on my librem key with my own and reflashed the firmware I downloaded using a different device.

The librem key checks a HOTP with the TPM before the key is used. The PGP key is used only for files on the boot partition, not for checking the firmware.

I agree that the attitude that the FSF has towards firmware is unhelpful. I do want my firmware to be free software but that’s not something that we can fix at the level of package management. We need to manufacture Wifi cards that are supported with free software. I am hopeful that Purism will do this at some point because they have already demonstrated a willingness to work with hardware manufacturers with their work on the librem key. Personally, I keep the bluetooth/wifi hardware kill switch on “off” unless I absolutely need to turn it on for some reason - which has only happened once since I started using it.

No, you’re misunderstanding how it works. The librem key only checks a HOTP with the TPM during boot. It also happens to operate as a smart card, so it is common to use it to sign the boot file hashes which are checked by the firmware which is verified by the TPM. But you could sign the hashes with a YubiKey just as easily.

1 Like

Yes, it is absolutely true that free software only allows for the potential for these things to happen. We still have to follow up on it as a society. With proprietary software, not even the potential exists.

No, this is not how anything remotely works. People can still do security research on proprietary firmware as usual. What do you think Binarly does?

Defending against this problem is described in this paper. I’ll admit that I don’t know how widely this solution has been deployed, but that’s how security research works: people find problems and describe them, industry takes some time to catch up.

No, this is not how anything works. You are misrepresenting what it is saying. You cannot fix the problem without Boot Guard. SRTM relies on having an immutable root of trust, and Boot Guard provides that.

The research paper explicitly spelled it out for you: TPM is a passive chip, it receives measurements given to it - it doesn’t do measurements on its own.

The solution to the problem outlined in there is literally Boot Guard. And yes, it is widely deployed.

I do want my firmware to be free software but that’s not something that we can fix at the level of package management.

Why not? Just load the firmware in with the linux-firmware package.

Personally, I keep the bluetooth/wifi hardware kill switch on “off” unless I absolutely need to turn it on for some reason - which has only happened once since I started using it.

This doesn’t achieve anything.

No, you’re misunderstanding how it works. The librem key only checks a HOTP with the TPM during boot. It also happens to operate as a smart card, so it is common to use it to sign the boot file hashes which are checked by the firmware which is verified by the TPM. But you could sign the hashes with a YubiKey just as easily.

The key doesn’t do verification. This is not how Heads even work. A piece of malicious firmware can just lie about the PGP verification. Himeno understood this correctly - this cannot be achieve with a TPM and a USB connected device. It’s impossible.

1 Like