New Post: Hardware Encrypted COMSEC Bundle by Purism

Given that PureBoot (and the related use of the Librem Key) is not available on the Librem 5 - unless I missed the big announcement - lines may be getting crossed here.

That’s true - I think there is room for improvement as to how this works.

Again though

not applicable to the Librem 5.

This is more complex. The normal apt interface allows updates to be signed and in certain cases will complain if updates are not signed (or are signed but the signature does not validate) but the security guarantees are different.

If a user just wants authentic updates then the user should not use PureBoot / Librem Key.

The Librem Key is a smart card adapter, with a smart card inside, is not different than a Smart Card in a Librem 5. While PureBoot is not support on the Librem 5 as a bootloarder, you can still use the smart card to do encryption.

@Kyle_Rankin did mention about PureBoot on the Librem 5:

@jonathon.hall

Is there a need for this? From my understanding, there is no CPU microcode or TPM (PCRs) on the Librem 5.

I do think there is a use case for tamper evidence on Librem 5 just as there is on Librem 14 and our other products.

How exactly we provide that tamper evidence is still an open question though.

@jonathon.hall

Any ETA for Purism Librem 14 EC driver mainlined in LNX?

Thank you of advance.

Is the openPGP card from Purism needed (to be used in the L5)?
Or will a third party openPGP card also do the trick, as long as it is a compatible ISO/IEC 7816-4, -8 card?

@carlosgonz Thanks for bringing this to my attention, I hadn’t looked into this as the EC driver has not needed any work from me yet. I don’t have an ETA yet but it is on my TODO list to check out.

Compatible third party cards should work; bottom line if it works with gpg from the terminal it should work.

Thank you.