ELI5 bios write protection

I’ve read the article on this feature, but i did not understood how does it work.
Could someone explain what is this and how does it work in a easy way?

The idea of Purism’s BIOS write protection is that changing the BIOS (so the computer’s startup code) can only be done after flipping a physical switch, that is inside the laptop.

Protecting the BIOS is important because backdoors in the BIOS code work no matter how secure your operating system is, and stick around when you completely reinstall it.

Because physical access is needed to do this, this means that malware and remote exploits cannot infect your BIOS. Additionally, it makes it harder for someone who has temporary access to your laptop to change the BIOS, as it takes extra time to open the device and close it again.

It does make legit BIOS upgrades (for bugfixes) more work, but that’s a trade-off. As I understand it it’s an optional feature, in that you can leave the switch in the on position.

I hope that’s clear enough if not just ask.


Very clear, thank you

1 Like

more exactly - the switch is located DIRECTLY on the laptop motherboard INSIDE the chasis so it is a separate thingy from the hardware killswitches that can be accessed from the OUTSIDE …
why was this not included on the Librem-Mini ?

Yes, exactly, if it was on the side of the laptop it would offer less protection in the case of physical tampering. And I guess there’s an upper limit on the number of kill switches that can be usefully fit on the side of a laptop :smile:

No idea! They introduced the concept for the first time for the most recent product. Hopefully in the next generation.

+1 for a double BIOS switch as well. in case the first one gets corrupted or something you can easily flip to the second as a back-up and/or restore the first to a know working state. even better if they are isolated from each other in case of some security/privacy vulnerability discovered in the current active one …

1 Like

Yes, that would be useful. There’s not really a good way to recover from a failed coreboot flash right now, for example.