Librem 14 firmware security

I’m not sure if this is the right place to discuss this. But since Librem 14 is supposed to be the most secure laptop, while I found that it may lack some common firmware security features, I think it may be worth mentioning these issues so that users know to mitigate these risks. And eventually, I hope the issues will get fixed or improved.

First I think Pureboot does a good job at detecting tampering against the operating system. But attacks against the firmware may render its protection useless. The following is based on my understanding of how things work. Please correct me if I am wrong.

  1. Unimplemented SPI write protection:
    Based on how EC and Pureboot are updated, it’s possible to modify the firmware from the operating system. As a result, malwares in operating system can infect the firmware. Measured boot can also be bypassed because the code for measured boot resides on SPI flash too.

  2. Some firmware security feature is not enabled
    For example, Early Boot DMA Protection is available from coreboot but is not enabled. There’s an option to enable this in Dasharo. I think it’s worth mentioning the users what features are enabled.

  3. Documents on security features and security tests:
    Without these documents, users are not aware of what is not protected and the risks. For example, based on 1), booting a malicious operating system bears the risk of infecting the firmware with malwares. It would be greate if Purism can also provide test results from security testing tools, for example Chipsec.

In short, Pureboot is as secure as the root account in the operating system. Once malware gains root access, it can get higher privilege and persistency by infecting the Pureboot firmware.

Even malware with root privileges can’t infect the Pureboot firmware if you flip the BIOS and EC write protection switch on the motherboard.

Edit: apparently this switch doesn’t work, and needs to be implemented in the firmware? Ouch.

At the moment, PureBoot is used for tamper protection. It is assumed that you already have formulated a plan if there is a successful sophisticated attack against it.

Love this laptop, but Purism promised and implemented an EC/BIOS write protection switch explicitly to protect against this kind of attack. I don’t think it’s too much to ask that they follow through with making the switch work!

2 Likes