Flashing From/Interacting With Non-Free Hardware

I think you’ve got the wrong end of the stick here.

There are many places that peripheral firmware could be stored:

• embedded within the peripheral that needs it itself - and no action by the operating system is required at boot time (the peripheral firmware is already where it needs to be)
• on a separate, dedicated flash chip that exists largely or solely for the purposes of holding firmware (aka firmware jail) - and the peripheral firmware is copied by the operating system from the flash chip to the peripheral at boot time
• on the operating system disk - and the peripheral firmware is copied by the operating system from the disk to the peripheral at boot time

The primary goal of Purism’s design is to avoid specifically the third of those options i.e. no peripheral firmware on the disk.

It is also noted that for peripheral firmware that relates to the boot disk, it is difficult or impossible to have the firmware on the disk anyway (chicken and egg problem). So most storage devices opt for the first of those options.

The approach taken will differ from peripheral to peripheral, and from product to product.

Also note that, regarding the first option, it may or may not be possible to update the firmware at all. It is assumed that there is some way of updating the firmware with the second option. It is obvious that the firmware can be updated with the third option.

That’s definitely not right. In any modern computer, there are a heap of blobs, although some of them may be invisible and some of them may not in practice be able to be updated (for a variety of reasons).

At a minimum, the WiFi card has a blob (but the source of the blob differs between the original WiFi card - blob is embedded - and the more recent WiFi card - blob is in firmware jail) - but also the power delivery controller has firmware, the touchscreen controller has firmware, the GPS module has firmware, the smartcard reader has firmware, and of course the cellular modem has firmware. And as discussed the eMMC drive would have firmware. Maybe I missed some.

With all these blobs, and all these potentially hostile peripherals, different strategies are employed to manage that. One of the main strategies is that the peripheral does not have direct access to memory - a communication bus can only be used where the host can only ever be the bus master etc.

Another strategy, as used with WiFi, is that ideally all traffic is encrypted by the host (so even if the hostile blob is snooping, the content is meaningless). The same strategy, as used with disk storage, is that ideally all content is encrypted by the host (so even if the hostile blob is snooping, the content is meaningless). In either case, ideally content is also integrity protected (so even if the hostile blob is maliciously altering content, the host can detect that). By default that does not occur with disk storage although theoretically LUKS has an option for the brave for that.

My understanding is that uboot resides on the eMMC drive. So it is more in the nature of a primary bootloader than firmware. Being on the disk, it can of course be written to.

The terms “flash” and “reflash” are confusing here - because noone ever talks about reflashing a USB flash drive, we just talking about writing to it - even though all of the following are in fact flash storage: NVMe disk, SATA SSD, USB flash drive, USB portable SSD, eMMC drive, SD card, flash chip. There are great differences in how they are accessed but ultimately they are all flash storage.

This is getting to be a very interesting conversation!

Part of my issue here is, Im a software person, the firmware, the chips, etc. to some extent are a scary black box too me. To an extent I dont know the limits, or how really to evaluate their capabilities. I have been able to piece together most of your information here, but it is very helpful that you have laid it all out and explained that its normal to have a combination of these things, thank you.

Does this mean its on the blob is still on the perhipheral in the most recent version? Im not really familiar with firmware jails.

So perphirals with propreitary firmware hosted on them (or with just proprietary firmware) on the Librem 5 dont have direct access to memory? Thats so cool actually.

That’s actually awesome.

Thank you for explaining, but there is a bootloader on ROM to load u-boot?

One thing I dont understand about the verified boot here, is it all self signed? What am I confirming the integrity of exactly or comparing it too (last boot? what about after flashing?)?

Suppose the u-boot on disk was an evil maid, how would I know? Is there a way to detect if the u-boot I would write to disk I flashed the phone is “tampered” with respect to the u-boot that was on there before?

Also, if I wanted too, is there a way to sign an image such that it can be checked using the pgp card?

It is a bit vague too me, does any firmware (from the first two types you mentioned) actually get written when we “flash” with jumpdrive (is it even really possible on the L5?)? Or are we just writing files to disk? Also since the USB controller has a proprietary blob, does that mean that it does not have direct access to memory? If so, in turn, does that mean a connected computer does not have direct memory access?

From what your saying it seems: so long as the integrity of the OS image and bootloader are secured, even if there are malicious blobs on (or sent too) the L5, they cant really do anything because of the steps taken to frustrate anything evil they might do?

Also is all the free firmware contained in the OS image? Or is it also on a flash chip (or ROM)?

My understanding is “no”. The blob is in the firmware jail with the most recent (second) WiFi card.

I guess though even peripherals that operate like that must have some mini-blob embedded in the peripheral and the mini-blob is capable of handling the blob that is sent by the operating system to the peripheral.

It does of course come at a performance cost. That probably doesn’t matter on the Librem 5 where shifting GB of data 24x7 isn’t a goal.

That is my understanding.

This is a major area that Librem 5 (right now) departs from the bigger Purism devices. What is your reason to believe that that functionality exists?? Documentation link?

One reason that it is less critical as far as the Evil Maid goes is that you can keep a phone on your person for much more of the time than you can keep a laptop.

You wouldn’t normally (re)flash with Jumpdrive. You might image the disk with dd using Jumpdrive and then later on therefore you might restore the entire disk with dd using Jumpdrive, if you stuffed something up badly - which is a kind of reflash.

But let’s rewrite the question as: does any firmware get written when we reflash a Librem 5? My answer would be ‘no’. It just rewrites the contents of the disk. So it’s more like a wipe-and-reinstall-the-operating-system.

Most of the peripherals have embedded firmware - except the 2nd kind of WiFi card where the firmware is in the firmware jail. So reflashing won’t change any firmware either way - which is a good thing and a bad thing i.e. a design trade-off.

A connected computer most definitely does not have direct memory access. All it can do is send and receive packets over USB. However, were you to put your phone in serial download mode (in preparation for using Jumpdrive or reflashing or other things), the effect of sending and receiving packets might well be to alter the contents of memory (as well as to alter the contents of the disk). So I guess you shouldn’t connect your phone, when the phone is in serial download mode, to an untrusted host computer.

I don’t know. There isn’t a lot of free firmware around though for mainstream peripherals - and even less that would be relevant to the Librem 5. All I can say is that if the firmware is open source then it is within Purism’s principles to include it within the operating system disk image.

Thank you for the reply!

Interesting okay, so the “firmware jail” is that second flash chip I mentioned earlier (so this is effectively the “second kind” of firmware from your list)?

Figured as much, but the L5 is more about privacy/security and less about raw computational power. Wortwhile tradoff as far as Im concerned.

For some reason I thought it did and that was part of cryptsetup, also posts like this discuses secure boot related topics and how the pgp card is an alternative to a secure enclave/tpm. The post specifically mentions firmware and software verification, and discuses using the pgp card for disk unlocking as well (which in my mind is related). I think I took this to mean that the smart card was used as purism’s version of a tpm for verified boot, but your right, it never actually that it is used for secure boot specifically. Though that would be cool (and a feature I really would want)!

Yes. I think I mentioned it however thinking that the bootloader did verified boot, so it could load a malicious OS if you can just write the bootloader to disk (assuming its out after the OS loads and doesn’t do anything malicious beyond that point).

It would be nice if I could do something like: create a key pair and extract the public key, then sign the desired OS image with it, write it to disk using a computer (or SD card or USB stick as previously discussed), then unplug it and verify the image once its actually on the device before booting from the image. Or if purism pre-installed a key I could optionally use to verify their images. Or even store a hash for a checksum.

But what your saying is: there is no way to verify the image once its on the device (except by perhapse using another image on an SD card, or using the booting image and having it check itself on disk)?

Thats good to know, so basically a zero-day (or something very advanced, which was my guess) would be required to attack most of the peripheral firmware from the computer? We have already discussed the L5’s resilience to malicious firmware. Though if both the on-disk bootloader, OS and the firmware can be compromised that would be an issue

Thank you. It would be nice to be able to verify the full disk image (nothing hidden in the OS). I suppose you could verify that only what you wanted written was written by monitoring the current/voltage in the USB cable

Okay, so is this is what is required to “flash” the OS to the disk using uuu right?

Thanks for answering that.

P.s do you happen to know if using an x86 computer with jump-drive is a hard requirement? And if so why?

Jumpdrive is not a hard requirement at all. I certainly would recommend it as a good tool to have though. Jumpdrive is the easiest way of doing backup and restore in a reliable way and almost all computers should have some kind of backup strategy - and the onus is on you to decide whether to have a backup strategy, what that strategy is, and to execute that strategy.

I would say that being able to reflash the phone is (close to) a hard requirement.

Reportedly you can reflash from an ARM computer - so x86 is not a hard requirement. Reflash from ARM (e.g. Raspberry Pi or another phone) is not something that I have done though.

The key requirements for reflashing are a computer that has available: a working git command, a working uuu command, working Python3, and obviously an internet connection. It is unlikely that many people would want to attempt to achieve that on any computer that does not run Linux.

The exact boundaries of how adventurous you can get in trying to meet those requirements are unknown. I’m happy for someone to use WSL under Windows combined with brute force and hackery - and demonstrate that you can reflash under Windows.

Do you want your life to be simple? Do you want to be able to focus on more productive challenges?

The actual files that get downloaded and then written onto the phone can basically be treated as opaque data.

If you can’t reflash your phone then you have to guarantee that you will not break your phone (it has happened e.g. through tinkering) and you have to guarantee that a Purism update will not break your phone (that has happened too although I would say that as the product matures that will become less likely).

If you can’t reflash your phone then you will find it more difficult or even impossible to perform a major version update (e.g. amber → byzantium → crimson). Again, as the product matures it is likely that in-place major version updates will become more straightforward.

Yes, serial download mode on the phone is necessary in order to reflash the phone and is necessary in order to boot Jumpdrive on the phone and is necessary for some other low level operations.

Fair enough. I can see why that text could be confusing. It’s not wrong. You can certainly use the OpenPGP card for verification and authentication - but not for the boot path, not for the operating system itself - because it would be too late. The Librem 5 simply does not work the same as the bigger computers at the current time as far as Evil Maid goes.

Reportedly it is possible to use the OpenPGP card to unlock the LUKS container, although that is not something that I am currently doing.

However it is important to note that the default LUKS configuration (on any Linux computer) does not contain integrity functionality, regardless of whether a card or a passphrase will be used to unlock. So someone with physical access to your computer could alter your encrypted file system. There is a high likelihood that they would just corrupt some file or corrupt the file system and the alteration would likely be being done blind. However only the corruption would alert you to the alteration. The alteration would not itself trigger any failure.

I can understand from the phrasing of the question and the context, why you thought if I was asking if jumpdrive itself was a hard requirment, I meant only to ask if it was a hard requirement to use an x86 computer with jumpdrive. You answered that as well so thank you.

The answer to the last is yes haha

Is this the normal update mechanism

So it is required for all operations concerning jump-drive?

I struggle when reading this to shake free of the notion that even on the Librem 5, at some low technological level, humanity loses.

After Purism announced the Firmware Jail coming to Librem 14 (Intel AX200 Wi-Fi/Bluetooth Shipping for New Orders – Purism) they endorsed the idea that it’s a good thing if the user is “free” to replace the firmware of their WiFi with a new blob, even though none of us users have the source code of these firmware blobs.

So, everyone is free to replace their firmware, but some people are more free than others if they are government 3-letter agencies with the blob sourcecode.

The Librem 5 is fun because it usually philosophically tries to be better than the grotesque of Android and iOS that we are all jedi mind tricked into thinking we should use.

But at the end of the day, it’s unlikely for users who want the privacy necessary to sleep at night to win the information war against governments who make it their active goal to secretly treat every living human like a criminal in case they might become one.

What makes you think you can win? I learned enough software to believe that at the hardware level I probably already lost, so all I can really do is take solace in winning the imaginary battles in the simulated software space that I was trained to understand. How can we verify hardware? How do we know it’s not all calling home to its creators in China? It’s fun to use a Liberty Phone and aspire to believe that maybe the mostly-for-show made “mostly” in USA branding will protect me. But whenever I open the back, it says Zhonshan manufacturing because the batteries are cheap China junk. If I were China, I would probably but some cellular call home machine into there. Why not? There are so many possible vectors.

At the current time, yes.

There’s no intrinsic reason for that. Booting Jumpdrive on the phone is just booting something other than the normal operating system. However

• Jumpdrive wants to expose the disks as USB mass storage class devices, therefore however you boot Jumpdrive, the running software must have completely finished using the disks. An advanced user might well be able to package up Jumpdrive to boot from the eMMC drive or boot from the µSD drive.
• Users might not want Jumpdrive occupying space on the eMMC drive if they aren’t using it.
• Booting via uuu covers cases where you have more comprehensively borked your phone.

Whether the blob is in the firmware jail or the blob is in the WiFi card … the blob is still there, the blob is still blackbox, and the blob may still be able to be replaced. And in the case of being in the WiFi card, three-letter agencies may have a better shot at that than you do. (Whereas in the firmware jail you have the same shot at replacing the firmware - it’s just that you can’t get new firmware to use as the replacement, whereas the manufacturer and the government may be able to do so.)

That’s why you need: hardware kill switch, isolation and encrypted traffic only (regardless of where the blob is).

Personally, I don’t buy the “it’s a good thing” argument. I buy the “it’s a necessary thing” argument. The old WiFi card simply didn’t work ideally, and getting further behind as WiFi standards move onwards and upwards. (You can argue that on a phone you may not need the fastest possible WiFi and you aren’t going to get it anyway - but on a laptop where you can shift serious amounts of data it becomes harder to support the idea of using older WiFi standards.)

jail it is nothing and moreover wlan controller may have microcode too.

this is ridiculous, as the slave it depend on master so high speed wireless no make sense either where freedom and security it mandatory via Gnu System.

Digressing onto future hypothetical possibilities … because the boot disk is eMMC, it could be possible for the boot path to be fully secured against the Evil Maid … using the RPMB area of the eMMC drive. This area is protected by a one-time programmable, write-only secret key, which key is used to sign any content that is written to that area - and you simply can’t write the RPMB without possessing the secret key. So if uboot were written to the RPMB area (it does appear to fit comfortably) then it could not be altered by the maid - and then because uboot has integrity it could in principle verify the integrity of the /boot partition using more conventional verification.

Note that in that case, the eMMC drive ought to arrive from the supplier with the secret key not programmed - and you must then generate a random secret key and arrange the above. So it’s self-signed, which is exactly what you want (rather than Big Tech-signed or Purism-signed). However that means that Anti-Interdiction would require some other mechanism.

There are no doubt gaps in this but it’s food for thought.

Thanks for the response!

That is so cool, a whole new thing to learn about! Thanks for bringing this up! Its so interesting hardware devices literally have spaces in them we just have no idea about (for better or worse) or are more or less invisible too us even as programmers.

I wonder what a good channel for learning this kind of thing about hardware is, or how it might be discovered by your OS.

I like the idea of self signing in particular also if I can verify the software from the vendor. I actually would like the ability to (perhaps optionally) store additional keys in there say from purism or I have noticed purism seems to have some support for Quobes OS. Self signing would at least confirm however that data-integrity was preserved after write, and would help detect tampering.

That would require some work

A couple I things that came to mind:

• I did read this uses symmetric encryption which may be a bit tricker because this would be a highly sensitive key , but at the same time if its long enough that makes it quantum resistant (not that I am that concerned about a relevant quantum computer at present, but good to plan for the future).
• Weather the encryption is symmetric or a public key (which in theory could be extracted given encrypted data) you would not want to use the key with an un-trusted device, when it has the key, it can flash whatever it wants, this may be a good reason to be able to use vendor keys, perhaps with the hashes encrypted by the vendor (but that would require public key-cryptography)
• I think there is some marginal benefit to using public key cryptography: the public key is less sensitive and be safely exported/viewed (for example, I guess private keys generally cant [unless perhaps you have a lab where you dissect it or something] be exported), and the boot part of the disk is read proof (if the private key never leaves the device for instance)

ls -l /dev

on your phone would reveal the 4 distinct areas of the eMMC drive (only one of which, the normal data area, is currently being used). NB: I am using the term ‘area’ here as distinct from ‘partition’. The normal data area is itself split into two partitions but that is different and more vanilla.

Ah, well, being quantum resistant may go beyond the scope of this topic. The key is 32 bytes (256 bits). It’s not an encryption key though. It’s a signing key. The readable content of the RPMB is in plaintext (unless of course the actual original content that you wrote to the RPMB were first encrypted).

The goal of the RPMB is integrity, not confidentiality.

Yes, you must protect this key (keep it secret) for this functionality to be useful. However you don’t need the key to reside anywhere on the phone except when you are actually updating e.g. uboot, which would be infrequent. (So you could e.g. keep it on a flash drive and just plug the flash drive in on the rare occasions that you would use it. Of course it is also essential to keep some kind of backup copy of the key if you intend to use the key.)

I think I am right in saying that Jumpdrive does not (yet) support the RPMB area. The area is not exposed and probably the necessary specialised read and write commands are not supported. So this would mean that you can’t delegate maintenance of the RPMB area to the host computer.

As a hypothetical, you could make the RPMB completely and irrevocably read-only by generating the key, sending the key to the eMMC drive, writing the RPMB area once, and then throwing away the key. For some threat models that would be good.

Vendor keys are, well perhaps I won’t say anathema but, not a good thing. It opens you up to having to trust the vendor. It opens you up to situations where the vendor gets taken over, goes out of business, obsoletes the product. It opens you and the vendor up to situations where the vendor is compromised, either by a hacker or by government coercion.

I lately have limited options for immediately available devices, so I wondered whether it would be possible for me to upgrade to Crimson with an SD card.

I started by looking at the contents of librem5-flash-image script that the reflashing guide in the wiki refers to. The script uses a hardcoded URL for the images repository at https://storage.puri.sm/librem5/images/. After inspecting the repository, I downloaded the latest image with wget and unarchived it. Having the image, I powered off Librem 5 to insert a spare SD card, unmounted it after booting, and copied the uncompressed image to it. It is similar to creating a bootable USB flash drive for desktop distribution. To boot from the SD card, hold the volume down button, press the power button, and then release the volume down button when the LED glows green. The green LED indicates that the U-Boot is booting. The partition is resized automatically during the first boot to occupy the free space available on the media, which is the SD card here.

Now, when operating from that SD card, I expect to be able to repeat the same trick and write an image to the eMMC. That is something I am going to try when Crimson is declared stable.

I would have to learn to interpret it a bit more but its interesting, ty

Yes your right, I think I misread and article and I thought it encrypted the volume

That works if you only plug it the key into the phone and update the phone from the phone (perhpase using the sd card, or from the flash drive itself). In such a case it could be some sort of trusted flash drive like what you mentioned before that comes with the larger purism devices. Maybe the pgp card on the phone could be used to confirm its integrity, or decrypy RPMB key (using a Key Encryption Key) on it. That way you could load signed images onto it and boot off it without risking the RPMB key.

Not exposed via hardware or just software?

A decent option. Especially if you could some how detect tampering. I think the “trusted flash drive” option might eliminate its necessity though.

To be clear, I don’t necessarily mean the root key (or something like that, the one that generates all the other keys in a typical TPM say from micro$oft).

In the manner I propose, the key is revocable and optional, and perhaps you could have multiple (multiboot for instance), and I propose from either (or both) an OS vendor or a hardware vendor. You can purge it from the pgp card if you feel the need (you no longer trust the vendor), and or re sign your image with another key (so you can boot an old trusted version of the OS but not a new version).

If I wanted to, say, load postmarketOS or Qubes instead of pure os, I could get a key from postmarketOS or Qubes and install it and use it to verify what I am booting.

One probably should trust the key at least as much as the OS you are loading from that vendor. They key may require an additional level of trust, and I understand what your saying there (which is where the optional/revokable part comes in). I think it might be the best way to ensure the software your running on the device is actually from the vendor (who’s software you choose to use) you want it to be from. It helps ensures integrity, not trusting the vendor. Sort of like, how I could have a pgp encrypted chat with someone I dont trust, but pgp helps to ensure that I am actually chatting with who I think I am chatting with (though cryptographic mutation is possible its difficult so to some extent I can affirm that they are saying what I think they said).

Not exposed by software.

In other words, if you boot normal PureOS on the Librem 5, you can see that the specialised areas exist on the eMMC drive but when you boot Jumpdrive on the Librem 5, the Librem 5 does not make those areas accessible to the host computer.

So it could be exposed in the future, thats good news.

I can attest to this working, I have done it several times and it is a lot easier than having to do all the ‘flashing procedure’ with a compatible device.
It even works if there is no image on the eMMC. So if one has a bricked L5, you can just boot from an SD and, voila.

It’s not clear to me what “repeat the same trick” means.

Is it scp an uncompressed image to the eMMC of a Librem 5 booted from its SD card, copying a compressed image to the bootable file system on the SD card and uncompress that to the eMMC while booted from the SD card, or something else?

Yes, you can use the booted SD card to flash an image to the eMMC