Thanks for sharing. One question, does the use of Clevo as an ODM vs. custom or in-house design/developed like Purism does, have significance for you?
I have used qubes on my desktop and have been searching for a laptop that can handle qubes reasonably well. I distilled my search down to Purism, NovaCustom, NitroKey and StarLabs. I realized novacustom and nitrokey both use clevo. where as Purism and StarLabs design and build in-house (or at least don’t rely on clevo). In my mind, the fact that they are designed and built in-house seems better. But, I can’t honestly say why I think that. I just tend to have more concern with mass-produced, or companies that focus on mass-production as it could be a potential vector for introducing vulnerabilities.
Along these lines I thought of going with starlabs, but they seem to be in the process of redesigning their Star Fighter laptop, so I’m waiting to see what they come up with.
No, because my main concern for hardware is strictly focused on boot firmware root of trust. This means Coreboot with Heads is the bare minimum criteria for any potential x86 product consideration, therefore Star Labs is excluded due to only using Coreboot with TianoCore.
While Purism (likely) doesn’t use clevo, they still have/use a Chinese ODM. Purism has not revealed who that ODM is. Clearly that ODM allows (and/or helps with?) more customization (e.g. the Hardware Kill Switches).
I thought you and FranklyFlawless were discussing laptops. That was the topic of my comment. For other devices:
Laptops. They have a Chinese ODM and Purism does small customizations (HKSs, etc.).
Mini and Librem 11. They have a Chinese ODM and don’t do any HW customizations (except possibly the choice of Wifi modem on assembly).
Librem 5. The mainboard and case design is completely custom. The standard Librem 5’s mainboard is assembled + soldered in China and there is some assembly (antenna, cellular modem installed, etc.) in the US. For the Librem 5 USA or Liberty, the mainboard is assembled + soldered in the US.
My apologies. You are right. I was conflating a couple of thoughts going through my mind as I responded to your post.
Thanks for your info though.
To bring this back to the topic of this thread, I approach my support of Purism, this forum, etc from my interests in privacy. But, privacy is not derived from any one single act. As many of mentioned every person’s situation is different so you really need to look at your own threat model or vulnerabilities. Simply buying a particular piece of hardware won’t bring desired privacy.
So, as I anxiously await the release of Crimson, and what i can or cannot do to help, I also focus on things such as firmware, supply chains, laws in countries that companies might have to comply with, operating systems, lifestyle habits, evolving trends in software and hardware, corporate relationships that evolve daily, hardware specs, the ever advancing state of technology, etc.
Needless to say that list can be very long, and as I keep trying to educate myself on the different aspects I should be thinking of, I can see how it can be overwhelming for people. And they just stay with a status quo, of hardware, software, lifestyle, and habits that is compromising their privacy and security.
I wish I had more skills to help deliver Crimson directly. I also, know this will just be one very small piece of a large complex set of challenges. So, I appreciate everyone’s input into this discussion and effort.
I think it is important to figure out if Purism laptops fit your Qubes OS criteria, as that could potentially lead to a future purchase to indirectly fund Crimson. Here is the latest HCL report for my Librem 14:
Thanks, I was leaning towards the larger screen size of the L16. That is why I was looking at the StarFighter, NovaCustom v56 or NitroPad v56. I learned something about the whole coreboot + heads from you @FranklyFlawless, so thanks. It is easy to get confused when all the companies tout ME disabling, coreboot, etc. I didn’t understand the subtle distinction of EDKII (tianocore) in the StarFigher vs Heads. I assumed if it was coreboot it was using Heads?!
so, now I am leaning towards L16 or NovaCustom v56 as you mentioned. and since the coreboot+heads is still in work at NovaCustom, I can give it time to see how that plays out. Who knows, maybe StarLabs will come through with coreboot+heads also. Or a new player appears
TianoCore is a payload for an open-source UEFI-compatible implementation, whereas Coreboot is the first-stage bootloader that passes responsibly to a payload after hardware initialization. You can contact Star Labs about using Coreboot with Heads on their products:
I have two laptops from starlabs, running their coreboot version. I always asked myself how they manage to make the battery last much longer than dasharo coreboot version, on their github page you don’t find the code and on LVFS it’s classifed as proprietary: LVFS: StarLite MkV coreboot
I have asked them directly about it being proprietary and they say it’s open source, but as they created they are the owners of the code. It’s very strange to me. Then the fact that the battery lasts much longer, something like 14 hours on last devices, compared to 8 hours on novacustom last devices is very odd. If starlabs coreboot if really fully open source then why dasharo would not be copying them to have 6h more on battery life?
Anyway I am just a freedom tech enthusiast, not an expert in anything.
Maybe ask them for the source code and build instructions and make sure you can built it yourself and flash it, try making tyour own modifications and make sure you really can build and use your modified version?
The fact that there are binary blobs is why, when they bundle the whole thing for distribution by LVFS it is classified as proprietary.
From your description, it’s hard to know what the exact interaction is. What you mentioned above has no contradictions. Some facts that might help:
All code has a copyright owner (or “owner”).
Copyright owners can license their code for others to use. There are tons of different FOSS (Free or Open Source Software) licenses. There are also proprietary licenses.
Most of coreboot is licensed as GPLv2 which requires that contributed code to be offered with the GPLv2 license. That said coreboot can be distributed with proprietary binary firmware payloads (blobs) that coreboot loads at boot time.
If Starlabs incorporates a modified coreboot into their laptop, they are distributing that when they sell it … and, since, coreboot has a GPLv2 license they must make their modifications available (see 3). It think they do make that available (see the above link). Do you have any reason to believe they don’t?
Thak you, you clarify a lot of things to me that they could not. I have another question tough, do you know if the dasharo coreboot version has fwer blobs than the starlabs one?
