Supply chain attacks


#1

Hi everyone,

I’ve recently read about Chinese supply chain attack practices and find the topic quite worrying.

The article has been mentioned on other threads, but I have not seen any replies regarding this topic from the Purism team. Hence the dedicated topic…

I’d like to know what Purism thinks about the topic and if they are doing (or planning to do) something to mitigate such risks (design validation on random samples which were produced in China, etc.).

After all, although I admire what Purism is doing, I still think that if the final product deviates from the original design, it defeats the “purpose” of designing hardware with privacy in mind.

Then again, a “supply chain bugged” Librem laptop would still be more privacy-respecting than a standard laptop (which would also be “bugged” and ME-enabled) with a non-free operating system running on it. Therefore the topic did not stop me from ordering a Librem 15. I just hope that the laptop is as “pure” as it is designed to be.


#2

Purism has commented that, at least as far as the Librem 5 goes, they are inspecting all components to verify the boards match the schematics. I think the boards (for the devkit at least?) were actually manufactured in the US even.


#3

I wrote at length on this subject back in November: https://puri.sm/posts/protecting-the-digital-supply-chain/

Keep an eye out for another blog post on the topic from me in the next week or two…


#4

Thank you guys for your answers.

I’ve just read the article. I agree it is indeed much easier and cheaper to attack via firmware. Looking forward to the next post about the topic…