Librem 14 firmware security

I’m not sure if this is the right place to discuss this. But since Librem 14 is supposed to be the most secure laptop, while I found that it may lack some common firmware security features, I think it may be worth mentioning these issues so that users know to mitigate these risks. And eventually, I hope the issues will get fixed or improved.

First I think Pureboot does a good job at detecting tampering against the operating system. But attacks against the firmware may render its protection useless. The following is based on my understanding of how things work. Please correct me if I am wrong.

  1. Unimplemented SPI write protection:
    Based on how EC and Pureboot are updated, it’s possible to modify the firmware from the operating system. As a result, malwares in operating system can infect the firmware. Measured boot can also be bypassed because the code for measured boot resides on SPI flash too.

  2. Some firmware security feature is not enabled
    For example, Early Boot DMA Protection is available from coreboot but is not enabled. There’s an option to enable this in Dasharo. I think it’s worth mentioning the users what features are enabled.

  3. Documents on security features and security tests:
    Without these documents, users are not aware of what is not protected and the risks. For example, based on 1), booting a malicious operating system bears the risk of infecting the firmware with malwares. It would be greate if Purism can also provide test results from security testing tools, for example Chipsec.


In short, Pureboot is as secure as the root account in the operating system. Once malware gains root access, it can get higher privilege and persistency by infecting the Pureboot firmware.

1 Like

Even malware with root privileges can’t infect the Pureboot firmware if you flip the BIOS and EC write protection switch on the motherboard.

Edit: apparently this switch doesn’t work, and needs to be implemented in the firmware? Ouch.


At the moment, PureBoot is used for tamper protection. It is assumed that you already have formulated a plan if there is a successful sophisticated attack against it.

Love this laptop, but Purism promised and implemented an EC/BIOS write protection switch explicitly to protect against this kind of attack. I don’t think it’s too much to ask that they follow through with making the switch work!



What do you think about these points?


Does the scope of that tamper detection include the detection of tampering with the firmware?

1 Like

Yes, see these resources for further details:

Note that I assume your definition of firmware in this case refers to Coreboot + Heads, which is the two-step boot firmware.

1 Like

Looks like you do need a librem key for this though right?

1 Like

Yes, at least in PureBoot’s current implementation, as it indicates firmware tampering using either a green or red LED from the Librem Key. Alternatively, a six digit pin can also be displayed using TOTP, but PureBoot does not utilize it.

1 Like

Can Heads be used instead?

1 Like

PureBoot is based off Heads, with various changes made by Purism.

1 Like