I know these questions have been asked and answered in various places all over the internet, but for some reason half the answers I have found just contradict the other half and I just end up more confused than when I started.
I would really appreciate some clarification on these questions, and if the answers I have found below are correct or not…
What are the differences between a Librem laptop and a Libreboot laptop, in terms of privacy and security?
From what I understand after reading several very long flamewars, there are two differences:
First, the Librem has the ME “neutralized”, but not removed, while the libreboot laptops have it completely removed. This means the ME is still capable of executing code, but the code is removed before bootup. (edit: Not exactly. It’s not entirely removed in either system, since both require the ME to startup. In the Libreboot the code comes from the internal ROM on the chip, in the Librem it’s externally stored)
Second, the FSP is still present on the Librem but is not present on the Libreboot. I couldn’t find the FSP mentioned in the Coreboot wiki so I don’t know how important that is or what the FSP is used for. The only resource I have found describing what the FSP does comes from the Intel website. (Edit: Now that the ME is disabled, the FSP is next)
Third, the Librem has an IOMMU (edit #3: incorrect, does not have an IOMMU… Thank you kakaroto)
I don’t know if the VBIOS or EC are freed or not. I would assume the EC at least would be rather easy, because it’s just a microcontroller that Purism would need to program from scratch anyway, but I could be mistaken.
(edit: VBIOS is freed for Broadwell-era CPUs, Skylake is still in-progress. EC non-free but has low security/privacy implications)
Why isn’t the Librem RYF-certified?
- Never seen this explained anywhere, but I’m guessing it’s because of the FSP, unless the VBIOS and EC are closed as well.
(edit: The Librem probably won’t get certified in the near future at least because of the ME issue. Although the ME is currently both “neutralized” [meaning that about 85% of the code is removed] and “disabled” [meaning that the remaining code has the “HAP” flag set which causes it to deactivate itself], this doesn’t change the fact that the ME core still runs some binary blobs at bootup)
Why isn’t the Librem Qubes-certified?
- I think it’s because Qubes demanded excessive royalties.
(edit: Yes, sadly. Also Qubes 4.x requires the IOMMU to be enabled, but this can be done by the end-user on a Librem)
Although I have read The Purism FAQ, it doesn’t give any overview of the differences between Purism and your “competitors” in the privacy market. I’ve personally been looking for a long time to find a private/secure laptop, and I haven’t bought one yet simply because I am still trying to find an unbiased list of differences between the options. For example, what are the remaining binaries in the Librem? What do they do?
The Freedom Roadmap says in one spot that you still need to liberate the VBIOS, FSP and EC, but in another spot says "Purism laptops are completely free from the BIOS (see the history of our coreboot involvement) to the bootloader through the kernel (with no mystery code, binary blobs, or firmware blobs), including the operating system and all software." Which is it?
So, I apologize for asking these questions yet again, as I’m sure the Purism staff is tired of them… But then, could you maybe add these sorts of questions to your FAQ?
I know I’m not the only one with these questions, and I’m sure there are others continually discovering the different privacy options available who would appreciate such a comparison.
Thank you again Purism for your dedication to privacy and security, and Happy Thanksgiving if you happen to be in the US!
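On the IOMMU point raised above (Qubes 4.x needs it active, and on a Librem the user has to enable it): as an added example, not code from the poster or from Purism, here is a POSIX sh check of whether the kernel was asked for an IOMMU on its command line and whether it actually registered one. It assumes the usual Linux sysfs layout, where /sys/class/iommu holds one entry per active remapping unit (e.g. dmar0); the cmdline and directory used in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report IOMMU state so a user can confirm the platform is
# ready for Qubes-style VM isolation before relying on it.
# Assumption: /sys/class/iommu lists one entry per IOMMU unit the kernel
# brought up; an empty or missing directory means no unit is active.

# iommu_requested CMDLINE -> "yes" if an enabling parameter is present.
iommu_requested() {
    case " $1 " in
        *" intel_iommu=on "*|*" amd_iommu=on "*) echo yes ;;
        *) echo no ;;
    esac
}

# iommu_units DIR -> number of IOMMU units registered under DIR.
iommu_units() {
    n=0
    for u in "$1"/*; do
        [ -e "$u" ] && n=$((n + 1))
    done
    echo "$n"
}

# iommu_status CMDLINE DIR -> one word summarising the combination:
#   active                  kernel has remapping units (usable by Qubes)
#   requested-but-inactive  parameter set but no unit: VT-d/AMD-Vi likely
#                           off in firmware, or unsupported by the board
#   off                     neither requested nor active
iommu_status() {
    req=$(iommu_requested "$1")
    units=$(iommu_units "$2")
    if [ "$units" -gt 0 ]; then
        echo active
    elif [ "$req" = yes ]; then
        echo requested-but-inactive
    else
        echo off
    fi
}

# Live check against the running system (needs Linux with sysfs mounted).
iommu_live() {
    iommu_status "$(cat /proc/cmdline)" /sys/class/iommu
}

# Demo on a constructed cmdline and a constructed sysfs-like directory.
demo() {
    d=$(mktemp -d)
    mkdir "$d/dmar0"
    iommu_status "BOOT_IMAGE=/vmlinuz root=/dev/sda2 intel_iommu=on" "$d"
    rm -rf "$d"
}

if [ "${1:-}" = "--live" ]; then iommu_live; fi
```

Run with `--live` on the machine in question; a result other than `active` means Qubes' IOMMU-based isolation would not be available as the system is configured.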