Questions and concerns about hardware, firmware, and supply chains (Librem 14)

I apologize in advance if some of these questions have already been asked or if they seem silly. I skimmed through the forums and Purism’s blog posts which answered some of my questions, but I still want clarification on a few things.

  1. How vulnerable is Purism to a hardware supply chain attack? Are there any steps they take to mitigate that threat? I ask because (as many have pointed out before) a company like Purism likely has a target on their back. I’m not too concerned with my specific laptop being tampered with, but rather I’m concerned that Purism’s supply chain (or even just supply chains in general) might be compromised on a hardware level. Before someone points it out, I know it would be expensive and difficult to do. But when we’re dealing with agencies who have billions of dollars, legal authority over manufacturers, and the most skilled technologists, I think it could be a plausible threat.

  2. Would I receive security updates including any proprietary code if I’m using Pureboot? I’ve heard Libreboot and Linux-libre distributions miss out on security updates because some of the code is proprietary, and I assume this is the case with PureOS. Does Purism take the same approach when it comes to firmware? If so, is there any way to opt-in to receive all security updates (be it microcode, firmware, whatever) even if they are proprietary?

  3. Would Heads alert me if the firmware or boot sector had been infected? If so, shouldn’t it be safe for me to dual boot Linux and Qubes without much fear of my Linux OS compromising my entire machine?

  4. I’ve heard rumours that Heads and Anti Evil Maid can be bypassed. To what extent is this true? Does Heads have any known vulnerabilities or weaknesses? Has it ever been audited?

  5. Would dual booting Qubes and Linux affect Heads or require me to set something up manually? Or would it work completely independent of the operating systems I use?

  6. Do the components in Librem laptops only use free software drivers? Or is it just optional? For example, if I replace PureOS with Qubes and Linux, would I have to make sure they’re only using the free software drivers in case they try to use some proprietary alternative by default?

  7. Realistically, what threat could proprietary microcode and proprietary firmware blobs in Pureboot/Coreboot pose? I know there isn’t really any way around this yet so I’m still planning on getting a Librem 14, I just want to know about the weak links we’ve been unable to mitigate.

1 Like

Potentially, it can compromise the whole system:


Intel ME is disabled in Librem 14, but who knows…

Yes, all software in the OS is free, with free drivers and firmware. Qubes OS is an open-source OS based on Fedora. It should have the necessary drivers as well. It already works out of the box on Librem 14.

Perhaps this could be helpful:

Never heard that. Qubes OS community does not seem to have any knowledge about such weaknesses.

Yes, it will alert you (but it won’t fix the problem if it appears). Yes, it should be safe to dual boot with Anti Evil Maid.

There are no proprietary blobs in the Linux kernel which are necessary to run Librem 14. Linux-libre may miss them, but it does not matter. Microcode updates depend on Intel and AFAIK Purism introduces them quickly into their Coreboot/Pureboot updates.

3 Likes
1 Like

You have to ask how many heads of state, terrorists, drug lords, business tycoons, etc. are using Librem laptops, that an agency like the NSA (or the equivalent in the Chinese government) wants to spy on. My guess is that not that many high value targets are using Librem laptops, and an agency that wants to spy on key people is going to target the supply chain of companies like Apple and Lenovo, before it wastes time on a laptop maker that only sells a couple thousand laptops per year where there is a high probability of its spying efforts being discovered and publicly reported.

At any rate, the L14 is being built by a new OEM, so if some agency had compromised the supply chain and figured out how to insert spy chips in the L13 or L15, it will have to start over from scratch with the L14. It has never been reported exactly how the inserted spy chips work, but it took the Chinese government years to target the Supermicro servers, and they had strategic value (if we can believe the veracity of Bloomberg’s Supermicro story).

The L14 has a hardware switch on its motherboard that prevents any changes to the firmware or BIOS/UEFI. (I doubt that this switch would prevent firmware changes to isolated components, like the M.2 Atheros ATH9K WiFi/Bluetooth card or the SSD.)

You can detect whether anyone has opened the case (and potentially flipped that hardware switch) by painting glitter nail polish over the screws in the case and taking photos of the glitter patterns on the screws. If the nail polish is broken or the glitter patterns have changed, someone has opened the case.

If you fear tampering in transit from Purism to you, you should pay for anti-interdiction services. The NSA reportedly tampered with Cisco routing equipment when it was shipped from Cisco to customers.

Purism selects components that have free software drivers, and most Linux distros will automatically install the free driver instead of a proprietary driver, if a free driver is available. (By the way, proprietary firmware is far more likely than proprietary drivers.)

You can always run vrms to find out if you have any proprietary blobs on your system. For example, it is installed on Debian-based systems with this command:
sudo apt install vrms

There was a problem with linux-libre kernels not getting security updates, but the Debian kernels used by PureOS have never been linux-libre kernels and they get the standard Linux kernel security updates. Librem laptops are based on Coreboot, and unlike Libreboot, Coreboot is incorporating Intel’s recent security updates. (Google has a strong interest in keeping Coreboot up-to-date and secure since it is used in Chromebooks and Intel employees contribute to Coreboot.)

The only proprietary bits in PureBoot+Heads and Coreboot+SeaBIOS for the L14 are the Intel Management Engine (which is disabled), FSP (Firmware Support Package) and Intel’s microcode. (The proprietary VGA BIOS has been eliminated.)
I don’t know what Purism’s policy is regarding security updates to those blobs, but I do know that Librem laptops get the latest Coreboot images very quickly after they are released by Coreboot, and Coreboot releases come with the most recent blobs from Intel, so as long as you keep updating PureBoot/Coreboot, you should have the recent blobs from Intel. For info on updating PureBoot/Coreboot, see:
https://docs.puri.sm/PureBoot/GettingStarted.html#updating-pureboot-firmware

The hardware switch on the L14 motherboard should stop unauthorized changes to the firmware.

If you have PureBoot + the Librem Key, then if the Librem Key flashes green while booting, then the TPM and BIOS haven’t been changed. If it flashes red, then something has been changed, and they have potentially been “infected”. These articles provide a good overview of how Heads and the Librem Key work:
https://www.linuxjournal.com/content/tamper-evident-boot-heads
https://www.linuxjournal.com/content/purism-librem-key

4 Likes

I don’t get this argument. Purism specifically advertises to people for whom security is important/critical. This automatically makes them high-value targets for interested parties. You can say that it’s just 2k laptops a year, but it’s 2k people who are the most interesting to target. Why would you compromise 100k laptops of which 1% are your target (and lose 99% of resources in vain) instead of 2k laptops of which ~100% are your target?

1 Like

Because that figure (~100%) is wildly wrong?

Purism may well attract customers for whom security is important/critical, but Purism also attracts customers for whom privacy is important/critical (while still being profoundly uninteresting to the NSA or any other TLA, or similar), and Purism also attracts customers for whom (software) freedom is important/critical (while ditto).

Your line of reasoning starts to look like the old “if you have nothing to hide, …” when in fact “I have nothing to share”.

1 Like

That figure is certainly wrong, but it’s not the point. Purism is the only company I know which offers anti-interdiction services. If you are sensitive to targeting then you, with a very high probability, will order from them. Therefore, the percentage of interesting targets will be very high (although probably not 100%, it was just an exaggeration). Note that the typical public hasn’t even heard of Purism. You probably know it because you are interested in security/privacy.

1 Like

I know it because I have a Librem 5.

I am interested in all of: security, privacy, freedom.

If a malicious entity could target only the anti-interdiction customers then your percentage might be much closer to reality.

As soon as your percentage of the total number of Purism laptops drops below 50% then the payoff in “number of target laptops compromised” is better if the malicious entity goes after the mainstream.

You may find that Purism customers are “more boring” than you think. :wink:

  1. Any examples of hardware supply chain attacks that are backed by evidence to this point have been targeted at individuals or entities under surveillance (I’m referring to things revealed in Snowden disclosures; so far the Bloomberg implant stories don’t seem to be backed by physical evidence, but hearsay). Performing hardware supply chain attacks across an entire product line is certainly possible but also unlikely, due to the larger threat of being discovered. These same well-resourced entities that would be able to do such a thing also are intelligent enough to know that the far safer way to achieve the same goal as a hardware implant is through software implants, as they are much easier to explain away as a mistaken debug mode left in firmware. There are also plenty of examples in the wild of this exact type of backdoor, compared to hardware implants. I talk more about that here.

  2. We try to reduce the amount of proprietary code in our products to a minimum, however there are still some blobs left in PureBoot including CPU microcode updates (although we’ve been able to reduce the number of blobs over time with a goal to reduce it to zero). We supply a firmware update tool that provides you with the latest version of either PureBoot or coreboot depending on what you use.

  3. Yes Heads is specifically designed to alert you to that kind of tampering. That would make it safer to dual boot Qubes with something else but it’s still not ideal because you would be relying on the strength of your LUKS password protecting dom0 at that point (as a remote attacker who could compromise your other OS could start attempting to attack your encrypted Qubes file system, even if their attempts to attack the kernel in /boot would be detected).

  4. So far anything along those lines (that I’m aware of) is in the realm of the hypothetical without a functional proof of concept.

  5. If you do choose to dual boot (which I don’t recommend if you use Qubes) you would end up sharing the /boot partition between Qubes and PureOS. Ideally if you do it correctly, GRUB updates on either end would do the “right thing” when you get new kernels. I’ve done such a thing in the past based on a guide Micah Lee has published, but if you are concerned about the complexity of Qubes, maintaining a dual boot situation in my opinion would add to that complexity.

  6. If you were to use something other than PureOS, which had proprietary drivers, you might see it attempt to inject CPU microcode updates, which other OSes ship with. You may also see proprietary modules in place to extend the Intel graphics driver, and might see proprietary drivers that enable the Bluetooth device on the WiFi card.

  7. The problem with proprietary code is that you can’t see inside it to answer that question. So it’s all hypothetical conjecture. The best you can do is try to compartmentalize and reduce proprietary code as much as possible (ultimately to zero), which has been our approach.

4 Likes
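The two checks discussed in this thread, the Librem Key flashing green or red depending on whether the firmware measurements in the TPM still match (the earlier reply linking the Linux Journal articles) and Heads detecting a changed kernel in /boot (point 3 of the answer above), can be modelled in a few dozen lines. The following is an added example written for this thread, not Heads’ or Purism’s code: the `ToyTPM`, `ToyLibremKey`, `sign_boot` and `verify_boot` names are invented, the TPM is a dictionary that only releases a secret when the presented PCR matches, an HMAC stands in for the GPG signature Heads puts on the /boot hash list, and the firmware regions and boot files are constructed byte strings. What it does reproduce faithfully is the mechanism: firmware is measured into a PCR with the TPM extend operation, an HOTP secret (RFC 4226) is sealed to that PCR value, and a Librem Key holding the same secret can only be shown a valid code if the unseal succeeded.

```python
# Added example (not Heads' or Purism's code): toy model of Heads' measured boot,
# sealed HOTP secret, Librem Key check and signed /boot hash list. The TPM, key
# and "signature" are stand-ins so the flow runs offline; all data is constructed.
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional

PCR_SIZE = 32  # SHA-256 PCR bank

def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend: new = SHA256(old || SHA256(data)). One-way and order-dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_firmware(regions: List[bytes]) -> bytes:
    """Measure firmware regions in boot order into a fresh PCR (measured boot)."""
    pcr = bytes(PCR_SIZE)
    for region in regions:
        pcr = pcr_extend(pcr, region)
    return pcr

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class ToyTPM:
    """Releases a sealed secret only if the PCR presented at unseal time matches the policy."""
    def __init__(self) -> None:
        self._sealed: List[tuple] = []
        self.hotp_counter = 0  # stands in for the counter Heads keeps in TPM NVRAM

    def seal(self, secret: bytes, pcr_policy: bytes) -> None:
        self._sealed.append((pcr_policy, secret))

    def unseal(self, pcr_now: bytes) -> Optional[bytes]:
        for policy, secret in self._sealed:
            if hmac.compare_digest(policy, pcr_now):
                return secret
        return None  # PCR changed: the TPM will not hand out the secret

class ToyLibremKey:
    """Holds the same HOTP secret and its own counter; flashes green only on a matching code."""
    def __init__(self, secret: bytes) -> None:
        self._secret, self._counter = secret, 0

    def check(self, code: Optional[str]) -> str:
        expected = hotp(self._secret, self._counter)
        if code is not None and hmac.compare_digest(expected, code):
            self._counter += 1  # no lookahead window in this toy
            return "green"
        return "red"

def sign_boot(files: Dict[str, bytes], signing_key: bytes) -> dict:
    """Hash every /boot file and authenticate the list (HMAC stands in for the GPG signature)."""
    digests = {n: hashlib.sha256(d).hexdigest() for n, d in sorted(files.items())}
    blob = "\n".join(f"{d}  {n}" for n, d in digests.items()).encode()
    return {"digests": digests, "sig": hmac.new(signing_key, blob, hashlib.sha256).hexdigest()}

def verify_boot(files: Dict[str, bytes], manifest: dict, signing_key: bytes) -> List[str]:
    """Return names of added, removed or modified /boot files ([] means clean)."""
    blob = "\n".join(f"{d}  {n}" for n, d in manifest["digests"].items()).encode()
    if not hmac.compare_digest(manifest["sig"], hmac.new(signing_key, blob, hashlib.sha256).hexdigest()):
        return ["<manifest signature invalid>"]
    actual = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    return [n for n in sorted(set(actual) | set(manifest["digests"]))
            if actual.get(n) != manifest["digests"].get(n)]

def boot(tpm: ToyTPM, key: ToyLibremKey, regions: List[bytes]) -> str:
    """One boot: measure firmware, try to unseal the secret, let the Librem Key judge the code."""
    secret = tpm.unseal(measure_firmware(regions))
    code = None
    if secret is not None:  # counter only advances when a code was actually generated
        code = hotp(secret, tpm.hotp_counter)
        tpm.hotp_counter += 1
    return key.check(code)

def scenario() -> dict:
    """Provision, then boot clean, boot with altered firmware, and check an altered /boot."""
    good_fw = [b"bootblock v1", b"coreboot romstage v1", b"heads payload v1"]  # constructed
    boot_files = {"vmlinuz": b"kernel image bytes", "initrd.img": b"initrd bytes"}  # constructed
    secret, signing_key = os.urandom(20), os.urandom(32)
    tpm, key = ToyTPM(), ToyLibremKey(secret)
    tpm.seal(secret, measure_firmware(good_fw))
    manifest = sign_boot(boot_files, signing_key)
    results = {"clean_boot": boot(tpm, key, good_fw)}
    evil_fw = good_fw[:2] + [b"heads payload v1 + implant"]  # evil-maid firmware change
    results["evil_firmware"] = boot(tpm, key, evil_fw)
    results["next_clean_boot"] = boot(tpm, key, good_fw)  # counters still in sync
    tampered = dict(boot_files, vmlinuz=b"kernel image bytes + backdoor")
    results["boot_tamper_files"] = verify_boot(tampered, manifest, signing_key)
    results["boot_clean_files"] = verify_boot(boot_files, manifest, signing_key)
    return results

if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` shows the point the thread makes: a firmware change alters the PCR, the secret is never released, and the key cannot be shown a valid code (red), while a swapped kernel with intact firmware leaves the key green and is caught only by the signed /boot hash list. Neither check protects data at rest, which is why the answer above still leans on the LUKS passphrase when dual booting.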

Are you suggesting that the percentage of interesting targets is higher for the mainstream producers? Did you consider that it’s harder to compromise them due to the amount of devices?

Just going off the numbers that you put up, which I understand were only for discussion and not intended to be accurate.

A good supply chain compromise (e.g. compromised chip on mobo) means that it really doesn’t matter whether it’s 1000 laptops or 100,000 laptops. They all get compromised.

Where the number of devices matters is in

  • risk of detection
  • management of noise

As we saw with the SolarWinds (software) supply chain compromise, the attacker went to some lengths to have the compromised software assess the level of interest in each site and, if uninteresting, to deactivate the compromise.