Librem key for phone?

What is the bootloader/BIOS/firmware of Librem 5?
Could the phone support anti-tampering like the laptop and use the Librem Key for verification?
If there is a USB to USB-C adapter, will it work?

3 Likes

I believe that the Librem 5 is supposed to have USB-C OTG support, so if you have an adapter I don’t see why it wouldn’t work since the OS is essentially the same underneath and only has visual differences.

TL;DR: Librem 5 most likely will support Librem Key.

You can install PureOS on a non-Librem laptop, but that doesn’t mean it supports the tamper-evident features provided by HEADS. If I’m not mistaken, HEADS runs in the BIOS, which is very specific to the motherboard and processor in question. Since Librem 5 doesn’t even share processor architecture with the laptops, this answer is unfortunately insufficient for the first two questions.

Furthermore, if I understand correctly, HEADS relies on the TPM component of the laptops. So the question becomes two questions: “Will the Librem 5 have a TPM?” and “Will the Librem 5 have a free/libre BIOS?” The answer to those questions can be either true or false. If I understand correctly, Librem 5’s support of Librem Key is possible if and only if they are both true.

Suppose Librem 5 does not have libre BIOS. That would be in violation of their social purpose, in particular:

  • The Corporation will prioritize privacy, security, and freedom for its customers. The Corporation will place respecting users’ rights to privacy, security, and freedom at the forefront of its mission.

If Purism can build a phone with libre/free BIOS then it will because that maximizes the users’ rights to privacy, security, and freedom.

Suppose Librem does not have TPM. In what scenario would that be a violation of the social purpose?

  • The Corporation will source, and manufacture the highest quality hardware. The Corporation will endeavor to source the best component parts that operate using free/libre and open source software. When considering the selection of parts, The Corporation will weigh such issues as privacy, security, freedom, ethical working conditions, environmental impact, and performance, among other factors.

Including TPM would increase privacy, security, and freedom. If including TPM was a major impediment on ethical working conditions, environmental impact, or performance, Purism would not include it in their laptops. So if TPM can work with Librem 5, it will most likely be included.

My inductive conclusion based completely on public knowledge is that Librem 5 will most likely support Librem Key if you have an adapter. The only reason I can think of for not including support in the phone’s firmware at manufacture time is the lack of USB type A ports, which as @johan-bjareholt pointed out can be provided with an adapter. Purism can also make Librem Keys with USB type C instead of type A.

If I am incorrect in any of this, I welcome a friendly correction.

1 Like

A bit of reading revealed that Librem 5’s bootloader is U-Boot, which is split between two processors to fit the “Respects Your Freedom” standard.

As for the mission statement, the first two versions of the Librem laptop are using a proprietary BIOS. It only states that it will prioritize free software, not necessarily deliver it, so this is not violating the mission statement. However, I can see Purism is going toward free software, so I could accept a proprietary BIOS for the first generation of the phone. After all, a proprietary BIOS is always the norm. But the free operating system and isolation of the baseband do increase privacy somewhat.

After some reading and your comment, I can see that the only hardware factor for this to work is to have a TPM on the phone. Other than that, it is a software problem, i.e. porting HEADS to U-Boot. QubesOS’s anti evil maid module could possibly work, but I am not sure if it could work with a system without a keyboard.

That is actually addressed in the mission statement.

The Corporation will design and manufacture hardware that respects users’ rights to privacy, security, and freedom. The Corporation will use hardware and software that respects users’ rights. Non-free, or proprietary, chipsets that require installable firmware binaries into the kernel will be strictly prohibited within the Corporation. If a suitable component part that fully respects these rights is not available in the marketplace, the Corporation may use a part in its products that does not meet this standard if it is necessary for the product to be fit for purpose, in which case the Corporation will: (1) provide purchasers of the product, in writing, with strong evidence that a free version of the part with equivalent specifications is not available and that developing a free version of such would not be feasible at that point in time; and (2) actively pursue the development of a free version of the part for its future products. (emphasis added)

Intel, AMD, and ARM are all very secretive about their firmware. coreboot for the laptops isn’t free software according to the FSF standard because it uses blobs. Yet Purism aims to make Librem 5 RYF certified, which requires a libre BIOS. Do the devkits have a libre BIOS?

You posted a link earlier which contains the answer to your question:
https://puri.sm/posts/librem5-solving-the-first-fsf-ryf-hurdle/

Yes, the BIOS is U-Boot and the firmware will be loaded by a secondary Cortex-M4 processor on the i.MX8 which is isolated from the rest of the system which is why it is able to be RYF certified.

I wish to avoid confusing bootloader and BIOS. The post I linked references this page, which explains the boot process for embedded systems. My understanding is the “ROM code” is the BIOS, whereas U-Boot is the bootloader, and the SPL is in this case the bootstrap for U-Boot.

The boot model referenced is not necessarily the exact model used in Librem 5. The FSF explains that BIOS can be either “burned into ROM” as the model indicates and thus be considered hardware by FSF for certification purposes, or loaded from non-volatile memory as is common in modern computers.

This brings us back to the issue of whether HEADS is supported on Librem 5. I am not familiar enough with how HEADS works to answer this question, but I suppose it can be included in U-Boot. Now for the other question: will Librem 5 include a TPM?