Uncategorized

Purism replies on CHIPSEC failures, adds TPM add-on, starts Heads work

Re: https://firmwaresecurity.com/2017/11/15/purism-librem15-fails-chipsec-security-tests/

Purism responds to the CHIPSEC failures here:

https://forums.puri.sm/t/user-flashable-coreboot-vs-chipsec-security-test-cases/1918

They also point out in that forum, and here:

https://puri.sm/posts/tpm-addon-for-librem-laptops/

that Purism is getting ready to start using Heads payload. They’ve been talking about it for months, maybe it’ll be a real option for upcoming Librem customers? I’m very excited to see a Heads system available by an OEM, instead of DIY and not an easy task.

And they’re adding a TPM as an ‘add-on’ to existing Librem laptops. Heads needs TPM for it’s measurements. (Hmm, I thought TPMs were an integral and tamper-resistant part of the system, and something that could be added on for trust was called a smartcard, but ok. I guess you have to solder the HW to the system. I presume attackers will be ordering spare add-ons so they can swap out units.)

In the above Purism forum, there was this user comment:

“I like the idea of putting a demo Librem notebook to a BlackHat conf where they try to break into the devices. Would be a nice test and a good commercial for you.”

They cannot do that with current Librem models. 🙂 This will need to wait for TPMs to be pre-installed and Heads as the payload.

This response from the above Purism forum seems a bit invalid:

“So there’s no way to access a BIOS menu to change the boot sequence (boot from USB) or set a machine password etc?”

“No, there is no such thing. The BIOS boots into your machine in roughly 450 milliseconds, there is no support for a menu, there is no time even for the user to press a key on the keyboard to enter a menu. The idea of coreboot is to do the minimum hardware initialization and then go to a payload. In our case, we use SeaBIOS which itself will initialize the video card and show the splash screen logo, and wait for 2 seconds for you to press ESC to show you the boot menu and let you choose your device (otherwise, it just boots to the default one). The boot choice isn’t saved, it’s just a boot override. If you want to change an option in coreboot, you need to change the config in the source and recompile coreboot then reflash it. If you want to change the boot order, you need to change the boot order in a file embeded in the flash, then reflash the BIOS.”

Yes, there is thing, which the reply says does not exist then a few sentences later explains that it does exist. The BIOS menu to change the boot order is available to anyone with physical access to the system, and presses the ESC key within 2 seconds of poweron. The unprotected BIOS and MBR-based hard drive can be quickly overwritten with malware on the attacker’s boot thumbdrive. Attendees of ‘a BlackHat conf’ will have such skills. 🙂

Purism is spending all their time undoing Intel’s features — Intel ME, Intel FSP, and now re-embracing older features — Intel TPM. Intel SMM is still an issue, STM is not being used by Purism. Intel ME may be disabled, but it’s a black-box device, who knows when attackers will start reactivating it and putting their malware-based version of Minix on that chip? You’re going to need tools to detect if ME is really disabled. I hope Purism’s roadmap has a RISC-V chip-based laptop in it, so they can stop fighting Intel features and have a fully-open stack. If they keep fighting the Intel stack, I hope they add the ‘stateless laptop’ that Joanna has proposed to their roadmap:

https://blog.invisiblethings.org/2015/12/23/state_harmful.html

It might be useful to add coreboot Verified Boot to help secure their SeaBIOS payload, but that could probably only secure PureOS, and distro hoppers will have no benefit. But I don’t think Heads and Verified Boot are compatible? SeaBIOS also has TPM support, that’d be nice to see those measurements used, if they are embracing a TPM. And now that they have a TPM, they can start using Intel TXT too. 🙂

I am a little perplexed about Purims customer audience, who is concerned about privacy, and yet has so little concern for security, in exchange for the convenience feature of being easy to distro-hop. Anyway, if you want security, wait for the TPM and Heads to be integrated with future Librems.

https://trmm.net/Installing_Heads
https://trustedcomputinggroup.org/
https://puri.sm/products/librem-15/

Standard
Uncategorized

Purism Librem15 fails CHIPSEC security tests

Current Purism Librem15 systems — based on Intel x64/coreboot/SeaBIOS tech — results in 3 FAILs and 1 WARNING from CHIPSEC:

The UEFI Forum recommends that OEMs pass CHIPSEC’s tests before shipping units to customers. I wish modern BIOS-based OEMs would also heed that advice… The default install is to use an MBR-based partition, so also be wary of all of the existing BIOS-centric, MBR-based rootkits. Adhere all ‘evil maid’ warning signs with this laptop. If you have corporate policies that require NIST 800-147/155/193 requirements, you might have to work hard to justify this device. I wish it were not true: configurable or secure, choose one.

In other computer review news: the trackpad did not work during initial install, had to be rebooted. I’m guessing trackpad drivers aren’t integrated? You’ll have to use external mouse if you need to click on something during install of Linux. Same with backlit key and display intensity features: only worked after OS setup. Firmware security pedantry aside, nice hardware. Fan rarely kicks in, unlike some OEMs. It is nice to see a Mac-style trackpad instead of a PC-style touchpad with 2 explicit button areas, I’ve grown to dislike those. Startup and poweroff are both very fast. Reminds me of what a modern non-UEFI system should be like. Great, except we’re no longer in a world where security can be ignored. If you want an insecure BIOS box, you’ll probably enjoy this system. If you care about security, this is a BIOS box….

Standard
Uncategorized

PureOS joins Debian derivatives census

PureOS is the Debian-based Linux distribution by Purism for their laptops.  Jonas Smedegaard has apparently joined Purism to help with PureOS:

“I am long time Debian developer with a special interest in Pure Blends (a.k.a. friendly assimilation of derivatives into Debian). Since about a month ago I am hired by Purism to help develop PureOS – a Debian derivative for which I will act as Derivatives Census contact.”

https://wiki.debian.org/Derivatives/Census/PureOS

Hector Oron of Debian, who invited PureOS into the Debian Derivative census, made a few interesting initial comments evaluating PureOS, some things that need I hope Purism addresses:

“The page says that PureOS modifies Debian binary packages. It is quite rare that distributions modify Debian binary packages instead of modifying source packages and rebuilding them. Does PureOS actually do this? If so could you describe what kind of modifications you are making? If not I guess the page needs to be fixed. The apt repository for PureOS does not contain source packages [for the contrib and non-free section], including for packages licensed under the GNU GPL. This may or may not be a copyright violation depending on whether or not you distribute those elsewhere. In any case, please add source packages to your repository so that Debian can automatically create patches to be presented to Debian package maintainers.”

For more info, read the thread on the debian-derivatives@lists.debian.org mailing list.

https://puri.sm/?s=Debian

Standard
Uncategorized

QubesOS, Invisible Things Lab, and Purism

Purism ships Debian-derived PureOS, and used to ship QubesOS. Now, Qubes is not really an option. I don’t know the full story, below posts give some background.

https://groups.google.com/forum/#!topic/qubes-users/2GfyEz0eYCE

https://puri.sm/posts/2017-07-shipping-update-for-qubes-orders/

https://forums.puri.sm/t/no-longer-listed-on-the-qubes-websites-certification-page/1050/5

https://www.qubes-os.org/news/2015/12/09/purism-partnership/

https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptops

https://www.qubes-os.org/doc/system-requirements/

https://www.qubes-os.org/hcl/

https://web.archive.org/web/20170506112157/https://www.qubes-os.org/doc/certified-laptops/

 

Standard
Uncategorized

Linux OEMs/VARs: use FwUpd

If you build a Linux-based system, you should be putting your firmware updates on fwupd. Dell is the only vendor currently doing this.

What about: System76, ThinkPenguin, Purism, HP, etc??

Hmm, it looks like System76 might be working on it!

 

Standard
Uncategorized

Reversing Intel ME’s ROMP module

Reverse-engineering the Intel Management Engine’s ROMP module
Youness Alaoui, Hardware enablement developer

Last month, while I was waiting for hardware to arrive and undergo troubleshooting, I had some spare time to begin some Intel ME reverse engineering work. First, I need to give some shout out to Igor Skochinsky, a Hex-Rays developer, who had been working on reverse engineering the Intel ME for a while, and who has been very generous in sharing his notes and research on the ME with us, which is going to be a huge help and cut down months of reverse engineering and guesswork. Igor was very helpful in getting me to understand the bits that didn’t make sense to me. The first thing I wanted to try and reverse was the ROMP module. It is one of the two modules that me_cleaner doesn’t remove, and given how small it is (less than 1KB of code+data), I thought it would be a good starting point. Turns out my hunch was right, as I finished reverse engineering that module after only a couple of days.[…]

https://puri.sm/posts/reverse-engineering-the-intel-management-engine-romp-module/

https://github.com/kakaroto/purism-playground

Standard
Uncategorized

Purism and Trammell Hudson partnership

It looks like Purism is going to use Heads now! I hope other OEMs consider some of the features Heads offers.

http://www.marketwired.com/press-release/security-researcher-trammell-hudson-device-maker-purism-join-forces-set-new-standard-2209477.htm

http://finance.yahoo.com/news/security-researcher-trammell-hudson-device-160000558.html

https://puri.sm/posts/purism-collaborates-with-heads-project-to-co-develop-security-focused-laptops/

Standard