Purism Librem15 fails CHIPSEC security tests

Current Purism Librem15 systems — based on Intel x64/coreboot/SeaBIOS tech — results in 3 FAILs and 1 WARNING from CHIPSEC:

The UEFI Forum recommends that OEMs pass CHIPSEC’s tests before shipping units to customers. I wish modern BIOS-based OEMs would also heed that advice… The default install is to use an MBR-based partition, so also be wary of all of the existing BIOS-centric, MBR-based rootkits. Adhere all ‘evil maid’ warning signs with this laptop. If you have corporate policies that require NIST 800-147/155/193 requirements, you might have to work hard to justify this device. I wish it were not true: configurable or secure, choose one.

In other computer review news: the trackpad did not work during initial install, had to be rebooted. I’m guessing trackpad drivers aren’t integrated? You’ll have to use external mouse if you need to click on something during install of Linux. Same with backlit key and display intensity features: only worked after OS setup. Firmware security pedantry aside, nice hardware. Fan rarely kicks in, unlike some OEMs. It is nice to see a Mac-style trackpad instead of a PC-style touchpad with 2 explicit button areas, I’ve grown to dislike those. Startup and poweroff are both very fast. Reminds me of what a modern non-UEFI system should be like. Great, except we’re no longer in a world where security can be ignored. If you want an insecure BIOS box, you’ll probably enjoy this system. If you care about security, this is a BIOS box….


European Coreboot Conference 2017: some presentations online

Multiple PDFs from the European Coreboot Conference 2017, are already online, linked off their individual event pages, eg:


And hopefully we can watch videos of the other presentations soon:

PS: The Coreboot event is happening in Europe nearly the same time the UEFI event is happening in Asia. I with those two firmware communities would sync their events and host them adjacently.


Agenda for ECC’17

The schedule for the European Coreboot Conference 2017 (ECC’17) is out:

* Keynote, Stefan Reinauer
* Run upstream coreboot on an ARM Chromebook. Paul Menzel
* DDR3 memory initialization basics on Intel Sandybrige platforms. Patrick Rudolph
* Booting UEFI-aware OS on coreboot enabled platform – “In God’s Name, Why?”. Piotr Król, Kamil Wcisło
* Reverse engineering MT8173 PCM firmwares and ISA for a fully free bootchain. Paul Kocialkowski
* Let’s move SMM out of firmware and into the kernel. Ron Minnich
* A Tale of six motherboards, two BSDs and coreboot. Piotr Kubaj
* Buying trustworthy hardware for federal agencies: How open source firmware saves the day. Carl-Daniel Hailfinger
* SINUMERIK 840D sl – step ahead with coreboot. Werner Zeh
* Enabling TPM 2.0 on coreboot based devices Piotr Król, Kamil Wcisło
* Reverse Engineering x86 Processor Microcode. Philipp Koppe, Benjamin Kollenda
* Porting coreboot to the HP ProLiant MicroServer Gen8. Alexander Couzens, Felix Held
* Implementing coreboot in a ground breaking secure system: ORWL. Wim Vervoorn , Gerard Duynisveld



European coreboot conference 2017: Call for Papers

Note the request for SECURITY talks!

We are particularly interested in advances in the application of technology in a particular discipline primarily around coreboot, hardware, firmware, and security. As a result, the conference will be structured around the following topics:
– Free and Open Source hardware and firmware.
– Attacks against current hardware and firmware, like side and covert channel attacks.
– Firmware and hardware reverse engineering.
– coreboot payloads, extensions, and features.
– Advances of coreboot and UEFI on the market.
– Applications of free and open source hardware/firmware in practice.
– State-of-the-art security in embedded devices.

Conference talks, lightning talks, and workshops will be video taped and published afterwards. If a recording is not desired by a speaker or workshop instructor, no recordings will be made (notification in advance of the talk / workshop requested)[…]



coreboot and Intel ME



A Life Without Vendors Binary Blobs, part1

This blogpost will be about my first steps with coreboot and libreboot and a life with as few proprietary firmware blobs as possible. My main motivation were the latest headlines about fancy firmware things like Intel ME, Computrace and UEFI backdoors. This post is not intended to be about a as much as possible hardened system or about coreboot/libreboot being more secure, but rather to be able to look into every part of software running on that system if you want to.[…]A followup will involve different payloads like SeaBios or Tiano Core (UEFI) to be tested, maybe I can get even more from this old piece of hardware! So look out for my next blog post about my journey into coreboot! -Jann