While our phone team is of course busy with the Librem 5, we happen to have other employees and engineers here (like me!) that work on other products! In this case we’ve been approached by enterprise customers over the years to provide a server product. So while it’s been available behind the scenes for enterprise customers for some time, today Librem Server is public: https://puri.sm/posts/librem-server/
One feature in particular that people have been interested in is the combination of a rackmount server with our PureBoot tamper-evident firmware. If you happen to own our original Librem Key as well as the Made in USA version, you might notice that the new Librem Keys have a more translucent case. One reason for this was to make the green and red LEDs glow brighter so you could see them from a distance–in particular so that they would be visible from a security camera in a data center aimed at a rack full of Librem Servers. This way you can test for tampering remotely.
As some people have already started commenting on this announcement (they are highlighting that since it's impossible to disable the ME completely, all your neutralizing efforts are just marketing), it would be beneficial to launch, in parallel, an awareness campaign of what exactly is disabled and what the remaining attack vectors are (and how those could be mitigated). Just to remain translucent.
We’ve written a lot on the subject already. This page has links to much deeper dives: https://puri.sm/learn/intel-me/ and has been on our site for a very long time. I usually link to it whenever I write a post that mentions the ME.
The perfect is the enemy of the good here. We already bypass most of the issues people would have by starting with an ME that doesn’t have AMT. In some cases people who talk about disabling the ME only trigger that HAP bit that tells it to disable itself. In our case the reason we discuss disabling and neutralizing is that we go a step further to zero out as much of the ME as we can and still boot. This leaves the following modules:
KERNEL: The ME kernel
RBE: The equivalent of the “bootloader” for the ME, verifies the signature of the KERNEL, SYSLIB, and BUP modules and loads them into RAM
SYSLIB: The basic memcpy, strcmp and other essential library functions for the kernel
BUP: The “bring up” module which initializes the hardware
So then you are left with people arguing (without evidence, of course) that the above four modules are a place where there are additional remote administration backdoors, among other conspiracies. Technically possible? Maybe? Is that what they are doing? Unlikely. The problem is that paranoia alone does not make for good security. I've often found that paranoid folks come up with the most convoluted and overly complex security measures, and complexity is the enemy of good security. So while it would be great to completely remove/replace the ME, in the meantime I think what we have is much safer than the default and a large step in the right direction.
Also, with PureBoot, this section of firmware is something that gets measured at each boot so there’s no opportunity to store additional state in this code at a later date.
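The measurement point above, as an added illustration that is not part of the original post and not PureBoot's own code: a toy model of the kind of hash-chain (TPM-style PCR extend) a measured-boot firmware builds over flash regions. The region names, module contents and zeroed filler are constructed for the example and are not a real ME image layout; the property it shows is that any later write into the zeroed ME area, even in bytes the ME will never execute, changes the final measurement and is pinned to the region it landed in.

```python
import hashlib

# Constructed sample regions (not a real ME image): each remaining module is
# a short byte string, and everything else in the ME region has been zeroed,
# as a neutralized ME would be.  Names are only labels for the event log.
ME_MODULES = [
    ("RBE",    b"rbe-bootloader-v1"),
    ("KERNEL", b"me-kernel-v1"),
    ("SYSLIB", b"syslib-memcpy-strcmp"),
    ("BUP",    b"bring-up-init"),
]
ZEROED_FILL = bytes(4096)          # space left over after neutralizing


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || measurement).

    The chain is order-dependent and one-way, so a region cannot be
    'un-measured' later, and two regions cannot be swapped unnoticed.
    """
    return sha256(pcr + measurement)


def build_me_region(modules, fill: bytes) -> bytes:
    """Concatenate the kept modules and the zeroed remainder into one blob."""
    return b"".join(data for _, data in modules) + fill


def measure_regions(regions):
    """Measure a list of (name, bytes) regions into a fresh 32-byte PCR.

    Returns (final_pcr, event_log); the log keeps each region's digest so a
    verifier can see which region changed when the final PCR mismatches.
    """
    pcr = bytes(32)
    log = []
    for name, data in regions:
        digest = sha256(data)
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def verify(expected_pcr: bytes, regions) -> bool:
    """Recompute the chain and compare with the value recorded at enrollment."""
    pcr, _ = measure_regions(regions)
    return pcr == expected_pcr


def baseline_regions():
    """Firmware as it was when the owner enrolled it (constructed sample)."""
    return [
        ("ME", build_me_region(ME_MODULES, ZEROED_FILL)),
        ("BIOS", b"coreboot-payload-sample"),
    ]


def tampered_regions():
    """Same image, but one byte was written into the zeroed ME area later."""
    fill = bytearray(ZEROED_FILL)
    fill[100] = 0x42
    return [
        ("ME", build_me_region(ME_MODULES, bytes(fill))),
        ("BIOS", b"coreboot-payload-sample"),
    ]


def first_mismatch(expected_log, actual_log):
    """Name the first region whose digest differs, or None if all match."""
    for (name, d1), (_, d2) in zip(expected_log, actual_log):
        if d1 != d2:
            return name
    return None


if __name__ == "__main__":
    enrolled_pcr, enrolled_log = measure_regions(baseline_regions())
    print("enrolled PCR:", enrolled_pcr.hex())
    print("clean boot verifies:", verify(enrolled_pcr, baseline_regions()))
    _, tampered_log = measure_regions(tampered_regions())
    print("tampered boot verifies:", verify(enrolled_pcr, tampered_regions()))
    print("first changed region:", first_mismatch(enrolled_log, tampered_log))
```

The event log is what makes the mismatch actionable: the final PCR only says "something changed", while the per-region digests say where. A real TPM does the extend in hardware and the firmware can only append, never rewrite, which is why state added to the zeroed area after enrollment cannot hide from the next boot's measurement.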
Yeah, it's an enterprise product, so for now you get to talk to our enterprise sales team to help figure out what solution works best, but we also want to have a self-service option on the store soon.
I figured that. At a quick read, a customer would need to know what additional parts are needed to be supplied by the customer, known compatible parts, what config options are available at order time from Purism, more detailed info on some of the specs, … so actually talking to someone is good.
If you are adding dimensions, you might want to add in the weight too, particularly for international customers. I understand that the weight will increase as parts are added but at least the starting weight.
Yeah, my 1U server has 8 of the noctua fans in it and you can only hear the CPU fan when it ramps up so I’m not worried about that. My question on dimensions, is primarily about depth since the 1U height is pretty well defined, and rack width is also pretty standard. The enclosure I use is a short depth enclosure so I am very limited on server options. BTW do calculate your specific thermal requirements before switching out the fans in your server as insufficient airflow can cause major problems.
I am curious where you got that it is a blade server as I didn’t read anything about that nor does it look like a blade server. Everything I’ve seen is that it is a 1U rackmount and I’ve not yet encountered a 1U blade as blades are normally mounted in a special chassis and have a fairly unique IO setup.
As far as the sound goes, I would expect it to be capable of getting loud but spend most of its time at a more general thrum, since the fans should support variable speeds and spend the majority of their time at the lower RPM.
Of course sound is typically the least of my worries in a data center/server room.
@Kyle_Rankin,
What does the Purism Manufacturer Warranty cover and for how long?
Aside from the Xeon CPU, are binary blobs needed for any of the other hardware components?
For the moment, we'll be shipping with the BMC (and thus IPMI) disabled. We hope to offer these with OpenBMC or u-BMC eventually.
The only binary components in the firmware are the ME firmware (neutered and disabled) and the Intel FSP blob. There's CPU microcode as well, but I don't consider that a blob (it's not executable code).
I would buy a Purism home NAS with RYF and a robust file system (mdraid1, zfs, btrfs, …) to protect my massive audio and video collection, as well as an email and document archive. Secure boot with a Librem key would also be a great selling factor.
It would be the ultimate way to de-google my life. Laptop, phone, and my-cloud.
Would you have a solution to control the fan speed of my Librem Server (bought in July 2021)? It is only working at full speed… Because of that I am not using it at the moment. Through coreboot, the coretemp driver, updating the EC, the BIOS?