Sourced components and manufacturing security


#1

Hi! A colleague of mine wondered that if you have a contract with an outside manufacturer instead of manufacturing everything yourselves on site in CA, what exactly is the process for making sure that the manufacturer doesn’t add anything evil to the system, “chip by chip”. I tried to find an exact page to refer them to, but couldn’t. Could you help? Thanks!


#3
Hi! A colleague of mine wondered that if you have a contract with an outside manufacturer instead of manufacturing everything yourselves on site in CA, what exactly is the process for making sure that the manufacturer doesn’t add anything evil to the system, “chip by chip”. I tried to find an exact page to refer them to, but couldn’t. Could you help? Thanks!

While this is a fair question, it’s very difficult to lock down the entire supply chain in a meaningful way. Even if you did the assembly in the US, the US government could mandate Purism to backdoor the hardware or interdict the computer via UPS. But hardware backdoors are a very expensive attack vector and any realistic threat analysis would prioritize traditional attacks such as software backdoors. These more pedestrian attacks are what hardware kill switches and end-to-end free software are designed to mitigate.

That’s not to say that there aren’t things Purism can do to mitigate this and I would love to see them take this on. But even the processors themselves can be backdoored and it’s really expensive to set up a split manufacturing process to ensure that everything coming in is stock.


#4

This is a tremendous concern for us, and is the reason we do the final assembly of Librems from our facility in the San Francisco Bay Area. This is a trustworthy, secure facility. (In other words, you could not enter it easily because it’s a small team, like family, and everyone knows everyone there.) The CEO of Purism has a long, trusted relationship with this facility – going back to previous companies he has worked with.

We source components Internationally and inspect the firmware (which is open source) for any “binary blobs” or “mystery code.”

We manufacture our own motherboard.

Shipping happens almost immediately after assembly, as we’re located literally next to San Francisco International Airport.

We cannot vouch for what could possibly happen DURING shipping, and for that reason if you are very security conscious, we can arrange “anti-Interdiction service” by request.

Also, we recommend that you ship your Librem to your office or a place where you will be there to pick up the package–not where it will just be dropped on the doorstep.


#5

What would this look like? @zlatan-todoric mentions it too: https://puri.sm/posts/purism-store/


#6

Specifically what firmware are you referring to?

A modern computer has a LOT of firmware in a LOT of components. More than even most technical people realize. Everything from drives to usb controllers have firmware that is outside of and invisible to even the firmware recognized as the ‘BIOS’ covered by Coreboot (which is itself not blob-free of course).


#7

I’m surprised this link was not pasted here before, but this might answer the original question : https://puri.sm/about/manufacturing-and-sourcing/

@M12321: I believe gisele was referring to all the drivers and firmware in the Linux kernel needed to make the system work, making sure they are not using any binary blobs. For example, the wifi card uses an open source firmware, but it’s a wifi+bluetooth combo card and the bluetooth portion of it requires a binary blob, which is why bluetooth is not supported in PureOS and not promoted either as a feature of the hardware, since it depends on a binary firmware.
Anything else that is an ASIC does not count as a “binary firmware”.
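
The kind of check the two posts above are describing (which loaded kernel modules request a firmware file, whether that file is actually on disk, and which requests the kernel reported as failed, as with the Bluetooth half of a combo card) can be scripted. The following is an added example, not Purism’s or PureOS’s own tooling. It reads `lsmod`, `modinfo -F firmware <module>` and `dmesg`, and the sample inventory it ships with (module names `wifi_drv`/`bt_drv`, paths under `vendor/`) is constructed for illustration, not taken from a real machine.

```python
#!/usr/bin/env python3
"""Audit the firmware files that loaded kernel modules request.

Added example (not Purism/PureOS code). Sources used on a live system:
  lsmod                   -> which modules are loaded
  modinfo -F firmware M   -> which firmware paths module M may request
  dmesg                   -> "Direct firmware load for X failed" messages
"""
import os
import re
import subprocess

FIRMWARE_DIR = "/lib/firmware"
COMPRESSED_SUFFIXES = ("", ".xz", ".zst")   # kernel loader also accepts these
FAILED_LOAD_RE = re.compile(r"Direct firmware load for (\S+) failed")


def parse_lsmod(text: str) -> list[str]:
    """Module names from `lsmod` output (first column, header line skipped)."""
    return [line.split()[0] for line in text.splitlines()[1:] if line.strip()]


def parse_modinfo_firmware(text: str) -> list[str]:
    """Firmware paths from `modinfo -F firmware <module>`, one per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_dmesg_failures(text: str) -> set[str]:
    """Firmware paths the kernel reported it could not load."""
    return {m.group(1) for m in FAILED_LOAD_RE.finditer(text)}


def firmware_present(path: str, fw_dir: str = FIRMWARE_DIR) -> bool:
    """True if the blob (plain or compressed) exists under the firmware dir."""
    return any(os.path.isfile(os.path.join(fw_dir, path + s)) for s in COMPRESSED_SUFFIXES)


def audit(requests: dict[str, list[str]], present, failed: set[str]) -> dict[str, list[tuple[str, str]]]:
    """Classify every requested firmware path as present, missing or failed.

    `requests` maps module -> requested paths; `present` is a path -> bool
    callable so the same logic runs against a constructed inventory or the
    real /lib/firmware. A module that requests nothing maps to [].
    """
    report = {}
    for module, paths in requests.items():
        rows = []
        for path in paths:
            if path in failed:
                status = "failed"      # requested at runtime, loader could not find it
            elif present(path):
                status = "present"     # a blob is installed and will run on the device
            else:
                status = "missing"     # declared by the driver, not installed
            rows.append((path, status))
        report[module] = rows
    return report


def blob_free(report: dict[str, list[tuple[str, str]]]) -> bool:
    """True only if no loaded module requests any firmware file at all."""
    return all(not rows for rows in report.values())


def live_report() -> dict[str, list[tuple[str, str]]]:
    """Run the audit on this machine (needs lsmod/modinfo; dmesg may need root)."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    modules = parse_lsmod(run("lsmod"))
    requests = {m: parse_modinfo_firmware(run("modinfo", "-F", "firmware", m)) for m in modules}
    return audit(requests, firmware_present, parse_dmesg_failures(run("dmesg")))


# Constructed sample (not captured from a real machine): a Wi-Fi driver whose
# blob is installed, a Bluetooth driver whose blob is absent and failed to
# load, and a driver that requests no firmware.
SAMPLE_LSMOD = """Module                  Size  Used by
wifi_drv              102400  0
bt_drv                 40960  0
nvme                   53248  2
"""
SAMPLE_MODINFO = {"wifi_drv": "vendor/wifi-fw.bin\n", "bt_drv": "vendor/bt-fw.bin\n", "nvme": ""}
SAMPLE_DMESG = ("[    3.210] bt_drv 0000:02:00.0: Direct firmware load for "
                "vendor/bt-fw.bin failed with error -2\n")
SAMPLE_INVENTORY = {"vendor/wifi-fw.bin"}


def sample_report() -> dict[str, list[tuple[str, str]]]:
    """Audit the constructed sample; used as the worked result below."""
    modules = parse_lsmod(SAMPLE_LSMOD)
    requests = {m: parse_modinfo_firmware(SAMPLE_MODINFO.get(m, "")) for m in modules}
    return audit(requests, SAMPLE_INVENTORY.__contains__, parse_dmesg_failures(SAMPLE_DMESG))


if __name__ == "__main__":
    for module, rows in sample_report().items():
        print(module, rows or "(no firmware requested)")
```

Note that “present” is not the same as “free”: a blob that is installed still runs on the device, and firmware embedded in an ASIC or in the drive’s own controller never shows up in `modinfo` at all, which is the point made in #6 about components invisible to the host.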


#8

@ArloJamesBarnes let’s not resurrect super old threads all over the place please :slight_smile: I think that in this case here, one could consider the “Preventing shipment interception, providing hardware integrity verification” thread to be the better-suited successor.

Anyway, for “anti-interdiction”, the idea back then is that we would provide an optional service where customers could request (for an additional fee) to get a photo of the motherboard before it gets shipped out to them. But we haven’t implemented that yet (as of mid-2017), and if people actually expect x-ray photos (instead of regular photos) then that’s a whole other game, we don’t currently have that (ridiculously expensive) equipment.

@M12321: sorry about that, I think that statement about firmware was inaccurate; Giselle, who was the press relations person back then, had very little technical understanding of these things, so back then (this post is over a year old) she probably meant something closer to the OS-level drivers as @kakaroto points out… I don’t imagine it was referring to the super-deep hardware-side things like the FSP, or SSD firmware (when applicable), which are still on the roadmap but not currently freed at the time I’m writing this.


#9

Apologies, I keep forgetting not to reply when going through old threads I have not yet read. I know it often warns you but I missed it this time. Maybe I should disconnect my keyboard while forumming…:stuck_out_tongue:


#10

Wow Jeff… perhaps time you go get another job as you obviously don’t like this one. I have been polite and respectful from my first post to now, but this is ridiculous. So you DON’T want us (clients who give you money) to re-ask questions that were NOT completely resolved to our satisfaction? Was there any German tone in your voice as you typed this? The short of it is you claim to be offering a secure computer and when we try to politely clarify, you tell us to stop asking the questions. Don’t worry about cancelling my user account, I won’t be coming back here anymore as I no longer take Purism seriously… Missed opportunity :frowning:


#11

No, I was just politely pointing out that there was a newer and (I thought) more relevant thread for the shipping “anti-interdiction” question, and that I didn’t see much point in posting onto an old thread that hadn’t seen activity in well over a year which would lead to spreading the focus that was so interesting with the other, newer thread. I never said to stop asking questions (notice how I never closed the discussion thread, because I don’t believe in such things?), I asked to be careful about resurrecting super ancient threads, and I actually answered the new questions.

I don’t think I’ve been offensive by doing so—and certainly not to you. Your reply just now, however, depicting me as somehow “german” and unfit for the job, is pretty close to offensive. I don’t understand why you’d suddenly be reacting like that. I wouldn’t consider the act of making occasional suggestions on forums best practices to be fascism.


#12

@bit first of all, why are you getting offended, considering that jeff’s message was not directed to you? You hadn’t even posted anything in this thread so far. Secondly, @jeff has been very polite too, and I can’t find any way to stretch my imagination thin enough to see his post as anything offensive, so I don’t know where you’ve found offense in it!

Also, I find it extremely offensive of you to be telling him that he should get another job—for you to judge him on his job, his skills, or his motivation to work for Purism—but what takes the crown is how you’re somehow attributing a “German tone” to his sentence? Besides being snarky, it’s racist and extremely offensive to Germans.

As for him supposedly saying to stop asking questions, I don’t see where you’ve ever seen him say something like that. What he said is to stop necroposting, which @ArloJamesBarnes has been doing a lot of recently (if not him, someone else, but I’ve noticed it a lot recently in the forums, multiple 1 or 2 years old threads being resurrected every day).

If you want to know, then maybe read this stack exchange thread which explains why necroposting (which means resurrecting old threads) is frowned upon and is quite often prohibited (I’ve seen some forums with ban warnings if you ever do it). Nobody is saying “don’t post the question” but the concept of no-necroposting is “create a new thread for your question if the existing thread is too old”.

From an innocent and polite reminder from @jeff, you interpreted it as some sort of vendetta against users and decided to personally attack @jeff. You became the aggressor in this, you’ve become the “nazi” that you were depicting. Even if you didn’t understand the concept of necroposting, you could have asked something like “Why are you telling us not to post questions?” instead of personally attacking @jeff and criticizing his work ethics.

Personal attacks, as well as racist comments are not allowed in this forum, and this is your only warning.


#13

I believe the point is now made that there was no malice intended, and further discussion (if any) should be kept civil and courteous.

I have now moved this topic to the newly created “general security and privacy discussions” category, because it’s not a technical support or hardware question specifically about the Librem, but is really a more general discussion on how the world works.

  • Let us put this topic to rest for now (and set emotions aside to restore Dalmascan peace).
  • I’m keeping this discussion topic open in case new constructive and on-topic ideas come, as this discussion here is really about the “manufacturing and sourcing”, vs the other thread being more about shipping interception prevention.

So for those reading this: if you have to post here and resurrect this thread, do so with new (and realistic) ideas concerning sourcing & manufacturing security.*

*: I don’t foresee us being in a position to make everything down to the last transistor and creating our own silicon from sand buckets on the beach! Nor can we just buy an island and create a secluded anarcho-syndicalist commune


#14

I noticed that the default manufacturer for SSDs, both M.2 (NVMe) and 2.5" (SATA3), is Samsung.
Just write an email to Samsung and ask them to publish the schematics and to open up the firmware code. Will they say no quickly or will they offer a longer explanation?


#15

Vasilios Mavroudis and Dan Cvrcek published some work last year on a methodology for device manufacturers to reduce the risk of this happening undetectably. See their talk from DEF CON 25, Trojan-tolerant Hardware + Supply Chain Security in Practice (2017).


#16

Hi guys, first post.

After reading that China has been implanting imperceptible chips onto Apple and Amazon’s motherboards, designed to give the PLAN a hardware backdoor into servers, I’m more conscious than ever about Chinese manufacturing.

I’ve heard that 90% of all electronics are at least partially built in Shenzhen. Curious to know how attacks like this are overcome by Purism and how much of the supply chain in general passes through China?