IIUC there’s no GPS on that tablet? Isn’t that odd?
Purism does not put any effort into neutralizing/disabling Intel ME, to be honest; Purism just used Russian technologies for that.
What reverse-engineering? Can you tell me one?
I am really nervous about Purism, why? It seems that Purism is falling into the Evil-Opensource, why? opensource it use at user commercially, why? Money, why? Evil
See post 16 above.
Interesting to note that they just announced a significant price drop for Evergreen. (I don’t know what that might do for expectations regarding the price of Fir.)
As much as I appreciate your taking the time to copy that info into the forum … I really think Purism should be providing this information on the product page and/or the shop page and/or the FAQ.
One reason why I asked what the capacity of the built-in battery is.
That’s a question that I asked also.
Due to the absence of a cellular modem in the Librem 11, I can imagine using the Librem 11 in conjunction with the Librem 5 (via hotspot). So now I just need a “(local) network GPS” service. At an admittedly quick look, that doesn’t seem to be an option in geoclue. This is probably a niche idea.
No, they do put in effort, as explained in this post and the Librem 11’s disabled Intel ME status.
The post above hints at various articles, but if you want to feel overwhelmed like I did many years ago, here is a technical post from Youness Alaoui/kakaroto, who no longer works at Purism. Note that the article I am linking is from the Wayback Machine, because soon after it was posted, Intel politely contacted Purism to remove it.
If you read the article you linked, the “neutralization of the IME” was attributed to the me_cleaner project and that it was disabled via the HAP bit (which is not a big deal and, these days, is the least you can do). I hope you’re aware that, despite early announcements, Purism was actually not able to neutralize the IME in the Librem 14 (it’s only disabled via that HAP bit). You should also be aware that ever since Matt DeVillier quit, Purism does not have a firmware expert. Also, in regard to coreboot on the Jasper Lake chipset (in the Librem 11), you should thank Intel as the primary contributor, not anyone from Purism AFAIK.
To be clear, almost all employees who work for Purism don’t work at Purism. They are almost all employed as independent contractors (Form 990) who work remotely.
I also want to note that a lot of the issues with the Librem 14 have been due to the fact that EC firmware is tricky. Should they be applauded for developing their own EC firmware (from a base begun by System76)? Maybe. But one could argue that they are using customers as beta testers ([librem 14] how to update EC firmware to ec-2021-06-04_ef9fd3c - #3 by NineX)… and now that Matt is gone they are struggling to support that choice. Update on Librem-EC 1.12 – Purism.
P.S. Did anyone else note that Purism has deprecated their “Core Team” page??? The Core Team – Purism
Yes, although I argue it is still a big deal considering the lack of other modern examples outside of Purism; I do agree it is the least Purism can do.
I was aware when I purchased mine a few years ago: my justification then was that it uses a relatively modern CPU; better quality control of the hinges (compared to reviews of the Librem 13v4/15v4); revised hardware kill switches design; and liberated EC firmware (as you mentioned) in spite of some regression with the boot firmware status.
That depends on your definition of a firmware expert: I am grateful for @jonathon.hall continuing work on Coreboot, PureBoot, and the EC firmware.
Do you have a citation for that? I would love to read about what Intel has done for Coreboot on Jasper Lake.
I will reflect that change into my dialogue next time - thank you for pointing it out.
@NineX chose to attempt to flash the EC firmware on their own when there was no official procedure set; Purism did not ask them to become a beta tester.
That being said, I have no issues with those outside of Purism who have interest in contributing to test out firmware, such as the recent PureBoot “Restricted Boot” hotfix.
Yes, I made a very recent post about it, among other deprecated pages.
Assuming it will be done through a USB A female to USB C male adapter.
Possibly, but I prefer not to assume or speculate anything; when it comes to security, especially regarding root of trust, I want clarity.
Lack of other modern examples outside Purism? I thought that all of the Linux HW vendors offer to disable the IME via the HAP bit. On some systems it’s not default because it limits some of the power savings features … but the vendor supplies the tools for their users along with the appropriate warning.
I thought you would have known after reading the link from Youness Alaoui since it was about FSP == Intel’s Firmware Support Package … which is exactly the infrastructure needed for coreboot. In any case, in regard to Jasper Lake in particular you can see this Coreboot Seeing Tigerlake + Jasperlake Activity, Experimental Razer Icelake Laptop Support - Phoronix (there’s also a 2021 article) … or simply look at the coreboot contributions like https://review.coreboot.org/c/coreboot/+/42471 from Intel devs. Also, here is an early video of a talk from System76 devs about their work with Intel on Coreboot on Icelake (https://www.youtube.com/watch?v=YbKSkPVz89o) … which was what Intel continued for their work on Jasper Lake. Also, here’s an article about the Intel engineers’ work for coreboot on Alder Lake.
My intent was to show that everyone who bought a Librem 14 was a beta tester. i.e. The links were there to show that the original EC firmware had lots of issues and that fixes were necessary for even basic functioning of the fan, etc.
It’s why it’s hard to even know who Jonathon Hall is and what job he’s contracted for.
I should be more specific: Intel 10th generation and later. I do know the Dasharo FidelisGuard Z690, NovaCustom NV41 series, and NitroPC Pro have options to disable the Intel ME with HAP and/or HECI, but I have not thoroughly researched any of the other Linux vendors outside of Qubes-certified devices, let alone other manufacturers.
Thank you for the links, I did happily read them all except for the YouTube one, since I no longer use it anymore; it also looks like you meant to share an article about Intel’s contributions to Coreboot on Alder Lake, do you still have the reference?
I did not have any issues with my Librem 14 ever since I got it, so at the very minimum my experience is an exception to your broad claim. I even mention my (hardly notable) experience on the Qubes OS Forum with my own HCL report.
With the Wayback Machine, you can learn that they are a Firmware Developer, but you can always look at their GitLab contributions and/or ask/verify them yourself in the Matrix chat rooms; I was made aware of them from their forum and blog posts regarding firmware support/development.
Yeah, I do not have any issue with my Librem 14 either. Librem 14 is amazing!
Thank you, Purism, for making the best Gnu+Lnx laptop to date; however, there is one laptop on the horizon that could replace the L14. I will not say the name, but it is coming.
Purism HKS & GNU
The Librem 16, of course.
One should not have any problem with the HAP bit on the low power chipsets of 10th generation and later. I think System76 has a Raptor Lake laptop with coreboot and the HAP bit set. System76's Coreboot Open Firmware Manages To Disable Intel ME For Raptor Lake - Phoronix (from the article it looks like System76’s HAP bit works for Alder Lake and possibly earlier chipsets). All the Linux vendors are doing this because Intel is enabling this on their low power line. The speculation is that the reason Intel is doing this for the low power line is because this is the Chromebook space. Intel Prepares Raptor Lake Code For Coreboot - Phoronix.
In addition to getting Intel’s Alder Lake hybrid processors ready for the Linux kernel and other areas of the operating system stack, Intel’s open-source engineers have continued their trend in recent weeks of upstreaming more Alder Lake work into Coreboot.
Here’s a non-YouTube link to the talk I linked in. System76 + Intel - A Production Laptop for Open Firmware Hacking - OSFC
Nice find, here is the relevant blog article from System76. All of their Intel 10th and 13th generation laptops have disabled Intel ME, but not any of their other generations in between, based on this firmware matrix.
Fascinating. I am also very confident in that line of reasoning too, since there has been very little economic incentive to work on Coreboot otherwise.
Perfect, thank you for that; I will review it on my own time.
I think that matrix is out of date. Everything they sell with coreboot can set the HAP bit. The issue is that on some setups, it breaks the suspend, so setting the HAP bit isn’t supported. See What is the Intel Management Engine? - System76 Support
For Open Firmware systems, the IME is typically disabled by default unless doing so would break functionality (such as suspend/resume). System76 maintains a list of machines that ship with Open Firmware in this article.
The matrix you had must be a bit old because they fixed the HAP bit + suspend in Alder Lake (12th gen) in June: Major Updates for System76 Open Firmware! - System76 Blog. I guess it’s still an issue for the Tiger Lake (11th gen) … but, again, if you don’t want to suspend and are capable of turning off automatic system suspends, you can set the HAP bit yourself (one command; nvramtool) on the Tiger Lake systems.
We prefer to disable the Intel Management Engine wherever possible to reduce the amount of closed firmware running on System76 hardware. We’ve resolved a coreboot bug that allows the Intel ME (Management Engine) to once again be disabled.
This bug was a buffer overflow which caused coreboot firmware memory to be overwritten by the TPM measurement log, keeping the S3 suspend method from working properly. As a result of this, we had to switch from S3 to S0ix suspend, which required use of the Intel ME in order for OS-level drivers to function.
By fixing this bug, we were able to move back to S3 and re-disable the Intel ME on most platforms. (However, S3 suspend is not functional in the silicon we received for 11th Gen (Tiger Lake) U-class CPUs.) This fix was submitted upstream to coreboot as well.
Frankly, I was surprised by how many of the systems they have that run coreboot and openEC: System76 Open Firmware Models - System76 Support
Your link is old and see:
As a plus, System76 is working on a GPL x86 laptop.
So yeah, Purism needs to put in all the manpower now to survive; a good strategy is to stick with free software, why? It is Purely and real Libertad!
To be honest, I don’t have strong confidence in Purism’s future because their reputation is really bad right now. They might have a customer base that trusts them for now but convincing potential new customers appears nearly impossible based on what people are saying in other areas. This L11 might be dead on arrival because it doesn’t offer enough competitive differences for the price.
A recent Linux news video briefly mentions the Librem 11: ANOTHER Linux tablet, HDR gaming & GNOME 45 RC: Linux & Open Source News - Invidious
I am not concerned about the future of Purism; we will learn how the perception of the Librem 11 will be once it reaches the hands of consumers and reviewers.
Despite my comment, I am still considering a Librem 11. I want to believe in Purism’s stated mission. We will see how this and the upcoming Librem 16(?) will pan out.