Librem 5 schematics - kill switches do not "kill", but "ask"?

Recently I took a glance at the L5 schematics and was a bit surprised to see how the kill switches are implemented. I don’t have any questions about the microphone switch - it seems to be a pretty straightforward solution. However, I was surprised by the WWAN implementation: the kill switch works essentially by driving the W_DISABLE pin low instead of cutting the power from the wireless module. By the mPCIe specification,

In normal operation, the card should disassociate with the wireless network and cease any further operations (transmit/receive) as soon as possible after the W_DISABLE# signal is asserted. Given that a graceful disassociation with the wireless network fails to complete in a timely manner, the Mini Card shall discontinue any communications with the network and assure that its radio operation has ceased no later than 30 seconds following the initial assertion of the W_DISABLE# signal.

So, even if the card respects the specification, it may stay active up to 30 seconds, which is probably not what is expected by the end user from the “kill switch”. But if the card hardware/software is not trusted (i.e. it may violate the spec in some very special conditions like if (asked_to_spy_by_nsa) { ... } and stay active even when W_DISABLE is low), nothing prevents it physically from continuing its operation. It still stays powered and connected to the system.

WLAN seems to use the same approach.

So, the question is: why is it considered reliable to ask the wireless cards “could you please be so kind and stop working?” instead of just cutting the power from these cards or, at least, disconnecting the antennas from the cards in addition to lowering the W_DISABLE pins?

3 Likes

Caliga, please make a note about this in the delivered feature table;

Puri.sm, please comment on this.

1 Like

Simplest answer would be “it’s the devkit”.
Interested to know.

1 Like

Yes. @licryco, I am assuming that you looked at the schematics of the devkit, considering that we have not yet released the final schematics of the Librem 5.

The Hardware Kill Switches in the Librem 5 work in a different way from the devkit. The HKS do cut the power to the wifi and other items in the Librem 5. So it’s not just “asking kindly”.

We will release the schematics of the Librem 5 as well.

16 Likes

@joao.azevedo, correct, that was the schematics for the devkit. Glad to know that my question is irrelevant for the real device! :slight_smile:

3 Likes

There is an issue related to this for the devkit:

2 Likes

If it has to ask, quote the phrase “Killlll meeee …” from Alien Resurrection.

4 Likes

And this has happened:

10 Likes

I have a question about kill switches: using PureOS, a Debian derivative that we can manage/check/modify “easily” through source code, why implement physical switches (that raise the price of the L5) instead of SW switches that’d have the same effect?
The L5 doesn’t use closed software like Android or Apple.
I hope my question makes sense to you :sweat_smile:

For the cell modem the reason is that the firmware is proprietary and thus we can’t be sure what it does when told nicely to turn off. For example the modem may still maintain a connection to the cell towers allowing the cell provider to track your location.

I believe wifi/bluetooth cards may also have a similar problem.

These also allow greater certainty that even if the phone is hacked into, these pieces still can’t stealthily be on. The main concern there being the mic/camera.

Whether you consider those worth the extra protection is up to you and your individual threat profile.

6 Likes

Essentially Steve is saying a software switch can lie to you.

2 Likes

Consider malware that transmits your audio/video to some interested party. Just because your OS is OSS, that does not mean there can never be malicious software on your phone. And that is not to speak about the trust in the hardware components that live a life of their own in your device. Yes, modem, I am looking at you!

1 Like