I’ve generally thought of the Librem 5 as the same as a laptop from a security standpoint. I’m wondering if that’s valid. What are the attack vectors against this phone that differ from a laptop, and what can we do (or is Purism doing) to mitigate those attack vectors?
One, it has a cell modem, but also the USB-C thing seems to offer more functionality than my laptop’s offers. For example, being able to flash the main drive over it. Which I suppose puts the /boot partition at risk of getting a malicious kernel/initrd should someone get a few minutes alone with the device.
There is no simple answer to your bigger picture question. Some attacks will be in common. Some won’t.
More precisely, you can boot the phone over USB-C and then the booted code can do basically anything.
However you have to ask yourself what parts of that would be different if you wanted to boot a laptop from USB-C?
(Technologically, this process is, I think, quite different. In the former case the phone goes into a mode where it expects to use the USB-C port for serial downloading of a boot program, whereas in the latter case the laptop expects just a vanilla USB mass storage class device. The result is the same though.)
Linux typically doesn’t use trusted boot path. So that doesn’t save you in either case.
On the laptop, Purism offers boot tamper detection (via PureBoot and a Librem Key) - but that isn’t available for the phone … yet.
Along the same lines, the WiFi cards are different. So if there are vulnerabilities that are specific to the WiFi then those vulnerabilities may be specific to the platform.
At the moment, the Librem 5 does not even support basic encryption.
That means, at the moment, not even LUKS is available.
I assume it will come (sooner or) later.
So this is a very academic and future question at the moment.
At the moment the Librem 5 is much less secure than an average Laptop.
I suspect it does support encryption but maybe not out-of-the-box and maybe not on the root file system.
I believe that full support for LUKS is in the pipeline.
On the plus side, you can grab your Librem 5 and put it in your pocket when you walk away - so it is less hassle with the Librem 5 than with a laptop to avoid “someone get a few minutes alone with the device”. That of course doesn’t help if your threat model includes thuggish governments but at least you will know that you have lost custody of the device and hence that it is compromised.
It’s advertised as a feature of Byzantium for encrypting the OS partition. Currently it’s supposed to support it for things like the SD card.
I mentioned the modem, as it has functionality the wi-fi card does not. Simple as that. The simple fact that the cell providers can track your location when it’s on is something new to consider.
For the USB-C thing, I could put a password lock on the bootloader for the BIOS, to protect against someone booting off of USB. Can you even access the BIOS on the Librem 5? I also didn’t know it supported booting over USB.
I don’t know. A question before that is: are there any BIOS settings and if so is some kind of boot password one of them? (where the term BIOS is being used very loosely here)
Even so, there is usually some means of resetting or bypassing the BIOS password because otherwise you may permanently, irrevocably lock yourself out of your device. Is that what you would want? So an unbreakable BIOS password has a cost and a benefit (and a breakable one is more security theatre than much else).
I think Purism would look dimly on the idea of a bypass of the BIOS password. Some kind of backdoor password - such as exists on some x86 computers - is exactly what you don’t want.
I expect that rather than stop you booting random code Purism would look at the same kind of approach as with the laptops i.e. 1. detect tampering with /boot partition and 2. encryption of root file system (effectively tamper resistant since you are overwhelmingly likely just to corrupt it if you try to write to it and taking a copy of it is basically pointless).
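The first of those two approaches, detecting tampering with /boot, comes down to recording a known-good measurement of every file there and comparing against it at each boot. The script below is an added illustration of that comparison step and is not Purism’s or PureBoot’s code (PureBoot signs /boot with a key held on the Librem Key and measures firmware into the TPM; nothing here reproduces that). It assumes a directory path standing in for /boot and a JSON manifest; the sample tree it builds is constructed for the demo. The design point a practitioner should take from it: a manifest stored on the same eMMC as /boot can be rewritten by the same attacker who rewrote the kernel, so the manifest (or a signature over it) has to live somewhere the boot-over-USB path cannot touch.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large initrds do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(boot_dir) -> dict:
    """Map every regular file under boot_dir (relative POSIX path) to its SHA-256.

    Symlinks are skipped: measuring the link target, not the link, is what matters,
    and the target is measured under its own path.
    """
    boot_dir = Path(boot_dir)
    manifest = {}
    for p in sorted(boot_dir.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(boot_dir).as_posix()] = hash_file(p)
    return manifest


def save_manifest(manifest: dict, manifest_path) -> None:
    # Hypothetical storage location; in a real deployment this belongs off the
    # writable boot medium (or is signed with a key that is not on the device).
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path) -> dict:
    return json.loads(Path(manifest_path).read_text())


def compare_manifest(expected: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed relative to the recorded state."""
    added = sorted(set(current) - set(expected))
    removed = sorted(set(expected) - set(current))
    modified = sorted(k for k in expected.keys() & current.keys() if expected[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def check_boot(boot_dir, expected: dict) -> dict:
    """Measure boot_dir now and diff it against the recorded manifest."""
    return compare_manifest(expected, build_manifest(boot_dir))


def demo() -> dict:
    """Constructed scenario: record a fake /boot, then change it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp)
        (boot / "vmlinuz").write_bytes(b"kernel image (constructed sample)")
        (boot / "initrd.img").write_bytes(b"initramfs (constructed sample)")
        (boot / "boot.scr").write_bytes(b"u-boot script (constructed sample)")

        expected = build_manifest(boot)
        save_manifest(expected, boot / ".." / "manifest.json")
        recorded = load_manifest(boot / ".." / "manifest.json")

        # Simulate what a check at next boot should catch: one file rewritten,
        # one file that was not there before.
        (boot / "initrd.img").write_bytes(b"initramfs (rewritten sample)")
        (boot / "extra.scr").write_bytes(b"unexpected file (constructed sample)")

        return check_boot(boot, recorded)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Usage in practice would be `build_manifest("/boot")` once on a known-good system, `save_manifest` to a location the on-device attacker cannot reach, and `check_boot("/boot", load_manifest(...))` early in the boot sequence, refusing to continue (or at least warning the user) whenever any of the three lists is non-empty. Because the script itself runs from the eMMC, it is only as trustworthy as the code that loads it, which is why the thread’s comparison with PureBoot’s firmware-level verification is the right frame.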
It definitely works. I’ve booted over USB for two different purposes (upgrade USB-C PD firmware, boot Jumpdrive to make reliable image of eMMC drive).
You can replace it, so… I guess? Not sure what you mean.
U-boot supports scripting. The script is generated by flash-kernel from a template that can be modified. A password won’t help here, because the USB boot is the same interface as factory reset and acts in hardware directly on the CPU.
The CPU does support something like secure boot, but you only get to change the key 4 times, until it’s locked permanently. We decided not to put work into that, but work on PureBoot instead.
Basically I’m thinking of the options you get when booting a system and pressing F1 or whatever button it is for your system for BIOS configuration. Being able to access and modify the configuration of the BIOS (assuming it has any).
That implies some kind of non-volatile storage. Otherwise configuration is stored in the firmware itself.
Apart from a boot password, or some other means of restricting boot, what config changes did you want to make? (Boot order is a related issue but right now, AIUI, it can’t boot from uSD card anyway. So your boot choices are serial downloader via USB-C or eMMC - and there is already a “button” for that choice.)
You can do that from a booted OS. As I mentioned, u-boot is scriptable. Or modify u-boot itself. You can conceivably build a menu-based boot loader.
Strictly speaking, there’s no BIOS (I think that’s an x86 term). The startup goes roughly like this: CPU→u-boot→OS. All storage is on the eMMC chip, including u-boot and OS.
How secure is a BIOS password on an x86 motherboard/computer?
You take the small pancake-shaped battery out of its receptacle on the motherboard and voila, as soon as the BIOS/firmware chip that is used to store the settings/password is not powered on anymore (if the PC is also disconnected from OTHER power sources) you basically get a ‘blank-slate’ BIOS on the next boot.
This means that you have effectively ‘pwned’ whoever the original ‘enforcer’ of the BIOS password was in the first place, because you can now go through all the init phases in the boot sequence (the so-called ‘start-up’) without being prompted for the original password. That is because the original password NO longer exists. It has been made ‘void’ by the absence of any electrical charge for a number of seconds.
We used to play pranks on each other when we were younger by taking out the battery just to see what would happen to the settings. We weren’t computer geniuses. We were just CURIOUS.