I apologize in advance if some of these questions have already been asked or if they seem silly. I skimmed through the forums and Purism’s blog posts which answered some of my questions, but I still want clarification on a few things.
-
How vulnerable is Purism to a hardware supply chain attack? Are there any steps they take to mitigate that threat? I ask because (as many have pointed out before) a company like Purism likely has a target on their back. I’m not too concerned with my specific laptop being tampered with, but rather I’m concerned that Purism’s supply chain (or even just supply chains in general) might be compromised on a hardware level. Before someone points it out, I know it would be expensive and difficult to do. But when we’re dealing with agencies who have billions of dollars, legal authority over manufacturers, and the most skilled technologists, I think it could be a plausible threat.
-
Would I receive security updates including any proprietary code if I’m using Pureboot? I’ve heard Libreboot and Linux-libre distributions miss out on security updates because some of the code is proprietary, and I assume this is the case with PureOS. Does Purism take the same approach when it comes to firmware? If so, is there any way to opt-in to receive all security updates (be it microcode, firmware, whatever) even if they are proprietary?
-
Would Heads alert me if the firmware or boot sector had been infected? If so, shouldn’t it be safe for me to dual boot Linux and Qubes without much fear of my Linux OS compromising my entire machine?
-
I’ve heard rumours that Heads and Anti Evil Maid can be bypassed. To what extent is this true? Does Heads have any known vulnerabilities or weaknesses? Has it ever been audited?
-
Would dual booting Qubes and Linux affect Heads or require me to set something up manually? Or would it work completely independently of the operating systems I use?
-
Do the components in Librem laptops only use free software drivers? Or is it just optional? For example, if I replace PureOS with Qubes and Linux, would I have to make sure they’re only using the free software drivers in case they try to use some proprietary alternative by default?
-
Realistically, what threat could proprietary microcode and proprietary firmware blobs in Pureboot/Coreboot pose? I know there isn’t really any way around this yet, so I’m still planning on getting a Librem 14; I just want to know about the weak links we’ve been unable to mitigate.
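The questions about whether Heads would notice a modified /boot, and what adding a second operating system's kernels does to that check, both come down to one mechanism: the owner records a digest of every file in /boot, and at each boot the firmware recomputes the digests and reports anything changed, missing or new. The script below is an added illustration of that idea, written for this thread; it is not Heads or PureBoot code. It deliberately omits the two things the real implementation adds on top: the GPG signature over the digest list (so an attacker who edits /boot cannot simply re-record the hashes) and the TPM measurements of the firmware itself. The /boot tree, file names and contents are all constructed inline for the demo.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large kernels and initrds are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify_manifest(root, expected):
    """Compare the tree under root with a previously recorded manifest.

    Returns a dict whose "ok" is True only when no recorded file changed,
    none went missing, and nothing appeared that was not recorded.
    """
    current = build_manifest(root)
    changed = sorted(p for p in expected if p in current and current[p] != expected[p])
    missing = sorted(p for p in expected if p not in current)
    added = sorted(p for p in current if p not in expected)
    return {
        "ok": not (changed or missing or added),
        "changed": changed,
        "missing": missing,
        "added": added,
    }


def _write(root, rel, data):
    """Helper for the demo: create a file (and parent directories) under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed /boot tree: record a manifest, verify clean, alter the tree, verify again."""
    with tempfile.TemporaryDirectory() as boot:
        # Constructed sample contents; these are placeholders, not real kernel images.
        _write(boot, "vmlinuz", b"constructed kernel image v1")
        _write(boot, "initrd.img", b"constructed initramfs v1")
        _write(boot, "grub/grub.cfg", b"menuentry 'PureOS' { linux /vmlinuz }\n")

        recorded = build_manifest(boot)          # what the owner would sign at install time
        clean = verify_manifest(boot, recorded)  # nothing touched, so ok is True

        # Two kinds of drift the check must surface: a modified kernel, and a new
        # file such as a second distribution's boot entry that was never recorded.
        _write(boot, "vmlinuz", b"constructed kernel image v1 with one byte changed")
        _write(boot, "grub/custom.cfg", b"menuentry 'Other' { linux /other }\n")
        tampered = verify_manifest(boot, recorded)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean tree ok:", before["ok"])
    print("after changes ok:", after["ok"],
          "changed:", after["changed"], "added:", after["added"])
```

The second verification fails on both the altered kernel and the extra GRUB fragment, which is the point of the question about dual booting: anything that writes new kernels or boot entries into /boot will show up as "added" until the owner re-records and re-signs the manifest, so that step is part of the routine, not a sign of compromise. Because the record here is just a dictionary, whoever can write /boot can also rewrite it; the signature that Heads puts over its digest list is what turns this from a change detector into a tamper check.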