I’m not sure if this is the right place to discuss this. But since Librem 14 is supposed to be the most secure laptop, while I found that it may lack some common firmware security features, I think it may be worth mentioning these issues so that users know to mitigate these risks. And eventually, I hope the issues will get fixed or improved.
First I think Pureboot does a good job at detecting tampering against the operating system. But attacks against the firmware may render its protection useless. The following is based on my understanding of how things work. Please correct me if I am wrong.
-
Unimplemented SPI write protection:
Based on how EC and Pureboot are updated, it’s possible to modify the firmware from the operating system. As a result, malwares in operating system can infect the firmware. Measured boot can also be bypassed because the code for measured boot resides on SPI flash too. -
Some firmware security feature is not enabled
For example, Early Boot DMA Protection is available from coreboot but is not enabled. There’s an option to enable this in Dasharo. I think it’s worth mentioning the users what features are enabled. -
Documents on security features and security tests:
Without these documents, users are not aware of what is not protected and the risks. For example, based on 1), booting a malicious operating system bears the risk of infecting the firmware with malwares. It would be greate if Purism can also provide test results from security testing tools, for example Chipsec.