Librem Laptop Questions

Some various questions:

  1. What development stage is the PureBoot Bundle in (will there be more GUI/usability changes, doc changes, etc. coming)?

  2. This is my understanding of the process that should take place upon receipt:

     - First boot: set passphrase, etc.
     - Reboot, re-sign
     - Change User and Admin Librem Key PIN
     - Change TPM Admin PIN; reset HOTP token
     - Replace GPG keys; reflash, reset HOTP token
     - Re-sign

Is that the correct info and order?

  3. From reading the forum, it seems PureBoot works with Qubes. Is the intention to try to maintain that?

  4. Last I checked, you can’t decrypt a LUKS-encrypted drive with a Librem Key on Fedora/Qubes - has there been any update on this?

  5. For supported OSes, is there an option to require the Librem Key and the passphrase to unlock?

  6. The Librem Key and Librem 5 USA now have a more secure supply chain. Are there plans to have an option to assemble the laptop in the US?

  7. I know there’s been lots of great work on freeing components (VGA BIOS, Intel ME, etc.). System76’s laptops have the Embedded Controller freed as well. Can parts of that be reproduced in this project?

Thanks for all your work!

3 Likes

Bump

@Kyle_Rankin please/thank you!

Hi Robert!

  1. Currently a lot of the focus on PureBoot has been redirected to supporting new hardware like the Librem 14 and Librem Mini v2 instead of usability.

  2. This is better described in detail in our PureBoot Getting Started Guide: https://docs.puri.sm/PureBoot/GettingStarted.html

  3. Yes, we treat Qubes as a first-class citizen and test any new PureBoot or coreboot releases against it, as well as test any new hardware against it to ensure it runs. For instance, currently the “stable” Qubes release is a bit too old to support the newer CPU in the Librem 14 or Mini v2 but we have successfully gotten it working with their latest RC release.

  4. Yes, this is because we use Debian’s cryptsetup (specifically its openpgp-sc module), which integrates with generic OpenPGP smart cards. Fedora and Qubes use a different method to unlock LUKS volumes, so someone would need to port/mimic the work the Debian team did in cryptsetup smart card support to Fedora (which would eventually make its way to Qubes dom0).

  5. If you mean require both the Librem Key + PIN and the traditional passphrase, no, that is not currently an option. However, if you pick a strong PIN for the Librem Key, I would think that would be sufficient.

  6. It’s something we keep in mind and if you track our progression (Librem Key, Librem 5 devkit, Librem 5 USA) we are slowly increasing the complexity of the projects we are bringing to the US.

  7. We definitely would like a freed EC and that’s something we are looking into for the Librem 14.

2 Likes

Thanks so much for your time!

Or, alternatively, the Qubes team could replace Fedora with Debian in dom0.

1 Like