finofafish:
Realistically, what threat could proprietary microcode and proprietary firmware blobs in Pureboot/Coreboot pose? I know there isn’t really any way around this yet so I’m still planning on getting a Librem 14, I just want to know about the weak links we’ve been unable to mitigate.
Potentially, it can compromise the whole system:
The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. This issue can be mitigated with the deployment of a hardware device which is able to disconnect all con...
Intel ME is disabled in Librem 14, but who knows…
finofafish:
Do the components in Librem laptops only use free software drivers? Or is it just optional? For example, if I replace PureOS with Qubes and Linux, would I have to make sure they’re only using the free software drivers in case they try to use some proprietary alternative by default?
Yes, all software in the OS is free, with free drivers and firmware. Qubes OS is an open-source OS based on Fedora. It should have the necessary drivers as well. It already works out of the box on Librem 14.
finofafish:
Would dual booting Qubes and Linux affect Heads or require me to set something up manually? Or would it work completely independent of the operating systems I use?
Perhaps this could be helpful:
I am interested in the functionality of the Librem key, especially the auto LUKS unlock. However, I don’t think these features work with Qubes (except the boot checking).
Am I understanding this correctly? Do you have any options for alternatives or ideas?
Thanks
finofafish:
I’ve heard rumours that Heads and Anti Evil Maid can be bypassed. To what extent is this true? Does Heads have any known vulnerabilities or weaknesses? Has it ever been audited?
Never heard that. The Qubes OS community does not seem to have any knowledge about such weaknesses.
finofafish:
Would Heads alert me if the firmware or boot sector had been infected? If so, shouldn’t it be safe for me to dual boot Linux and Qubes without much fear of my Linux OS compromising my entire machine?
Yes, it will alert you (but it won’t fix the problem if it appears). Yes, it should be safe to dual boot with Anti-Evil-Maid.
finofafish:
Would I receive security updates including any proprietary code if I’m using Pureboot? I’ve heard Libreboot and Linux-libre distributions miss out on security updates because some of the code is proprietary, and I assume this is the case with PureOS. Does Purism take the same approach when it comes to firmware? If so, is there any way to opt-in to receive all security updates (be it microcode, firmware, whatever) even if they are proprietary?
There are no proprietary blobs in the Linux kernel which are necessary to run Librem 14. Linux-libre may miss them, but it does not matter. Microcode updates depend on Intel and AFAIK Purism introduces them quickly into their Coreboot/Pureboot updates.