Librem Mini has no TPM, making its verified boot (Heads) less secure

Interesting article in a German online magazine about why the Librem Mini is less secure than other Librem products regarding the secure (against evil maid attacks), verified boot via Heads, because of the missing TPM chip:

Purism PCs with Pureboot are actually particularly secure, but the Librem Mini lacks an important part of the security chain.
https://www.golem.de/news/purism-sicherheit-zweiter-klasse-im-librem-mini-2103-155007.html

For everyone who cannot read German, it’s basically about this discussion:

Though I wonder about one question: Why doesn’t the Librem Mini even have a TPM in the first place? I really thought this would be standard nowadays…

2 Likes

The TPM is typically not under user control, while something TPM-like, such as the Librem Key, or Nitrokey, is. Also, as @Kyle_Rankin often mentions regarding benefits of the Librem Key, if the TPM fails, obtaining a replacement is not convenient and feasible for the customer, whereas having multiple backups of the Librem Key is.

A TPM isn’t necessarily a standard component, although for hardware that expects to run modern versions of Windows with SecureBoot enabled perhaps it is.

In any case it took a few revisions before we ended up including a TPM in the Librem 13 (which is why this TPM-less feature was created to begin with, so people using TPM-less Librem 13s could have some degree of additional security, even if it wasn’t as strong as with a TPM). We do want to have a TPM in the Mini in a future revision as well, the current versions just don’t have one, so you fall back to TPM-less mode if you choose PureBoot over the default coreboot firmware.

3 Likes

Can it be that I can’t consume some DRM media without TPM?

That would be new. To date, I’m unaware of any DRM protected media that requires a TPM to decrypt or to authenticate viewing of the media.

That said, I’m pretty sure that if media was being sold that had that requirement I’d probably steer clear of it.

And to add to this thread, I would say that the lack of a TPM in conjunction with heads and coreboot bundles seems a little misleading. Regardless, I would have bought a Mini if it had a TPM.

1 Like