Purism BIOS efforts

Purism mentioned in a Tweet that they have 3 developers working on Intel Management Engine:

They have one document, from the summer, talking about how they’re trying to free the BIOS:

https://puri.sm/posts/freeing-the-bios-the-memory-init-stage/

And another more recently-updated status page:

https://puri.sm/road-to-fsf-ryf-endorsement-and-beyond/

Purism offers the first high-end privacy and freedom-respecting laptops by manufacturing the motherboard and sourcing daughter cards, where all chips are designed to run free software. Purism laptops are completely free from the bootloader through the kernel (with no mystery code, binary blobs, or firmware blobs), including the operating system and all software. We have yet to free the Intel FSP binary and ME binary from within the coreboot BIOS to move us toward FSF RYF endorsement. We are working diligently to free the BIOS, but our goal is to go further than that: Purism also intends to free the firmware within HDDs and SSDs.

I’m still unclear how this will result. I’m of two minds on this: I love the idea of having a system I can trust, so am happy to see projects like Novena and Purism. On the other hand, Purism is fighting Intel’s security mechanisms, and I’m a little concerned the result will remove some Intel defensive technology that makes the system more easily attackable.

Their current model has a kill switch, which is a nice feature. [I’d also like a case that closes access to the ports when closed, and has a LOCK, with a good quality lock, that can’t be easily picked. That’d be an issue for TSA checkpoints, though.] I might also consider getting rid of Suspend/Resume; a lot of attacks happen there, and systems are fast enough these days to live without this feature.

I wish other OEMs would compete with Purism; it would be nice to have more options than a handful of ancient refurbished Thinkpads and a handful of remaining Novenas. The current Purism model is nearly done with funding, only a few days left:

 

Open Hardware updates

One problem with being a small hardware vendor is keeping supply in stock. Bunnie Studios’s Novena, or Purism’s Librem, or Inverse Path’s USB Armory, all IMO 3 leaders of the Open Hardware movement, are all currently in stock, or are restocking, or have a few left. Novena has a handful of laptops remaining, Librem v2 has a few days remaining for current funding program, and USB Armory is getting restocked. To paraphrase an open source term, for open hardware use: “Buy early, buy often.” 🙂

Purism coreboot update

Purism is a new OEM trying to build hardware for consumers that care about personal privacy and security, and are concerned about any closed-source code that controls their systems, including OS-level and firmware-level “blobs”. They’ve chosen an Intel-based platform for their laptop, so they’re busy fighting to disable all of the silicon-level security protections that Intel has been adding to their products. This is more ambitious than other Intel-based “Linux OEMs”, which use stock BIOS, 100% firmware blobs. If Purism is able to accomplish what they want, I then wonder how insecure their new systems will be, from the pragmatic POV of an attacker (who cares less about if a system was built with closed-source blobs or not).

Read the update here:

http://blogs.coreboot.org/blog/2015/08/24/2015-08-21-librem-13-weekly-progress-update/

Excerpting from the summary of their blog post:

BIOS development is hard. One of the major challenges facing BIOS developers is a lack of accurate, comprehensive documentation for all the hardware coreboot interacts with. The “elephant in the room,” for an Intel-based laptop, is the Management Engine.

I’m willing to bet a buck that Purism’s 3rd model will not be based on Intel, but on ARM or AMD systems, where they can more easily have zero firmware blobs, and have to fight fewer pink elephants, and can use U-Boot or Libreboot. Recent libreboot efforts with some Chromebook models are also very encouraging. I would almost rather focus on COTS Intel/ARM dev boards for the next few years, until RISC-V boards (like Raven3) are available for Purism to use. A thick laptop with room to fit a Beagle or Panda or Minnow or RPI — or two — would be nice to see.

It is nice to see Purism, like Bunnie’s Novena, trying to build a system that people want, not just a system that the industry trade groups want for enterprises. I hope they’re able to manage to deal with the various silicon and firmware issues that they face.

Purism laptops and FSP blobs

Purism is getting some flak about its firmware:

http://www.phoronix.com/scan.php?page=news_item&px=Purism-Librem-Still-Blobbed
https://www.phoronix.com/scan.php?page=news_item&px=Librem-15-Rev-2-Coreboot
http://www.phoronix.com/scan.php?page=news_item&px=coreboot-dev-purism
http://www.pcworld.com/article/2960524/laptop-computers/why-linux-enthusiasts-are-arguing-over-purisms-sleek-idealistic-librem-laptops.html
http://www.phoronix.com/forums/forum/software/mobile-linux/813274-purism-librem-laptops-remain-blobbed-up-less-than-interesting

The first one had a stock UEFI BIOS, the second one will apparently have a coreboot BIOS with a Purism-customized FSP.
It’s not too hard to fork a new Debian OS (PureOS), there’re many to emulate. But being a micro-sized OEM means you have to deal with COTS hardware, which has blobs.

You can’t build a modern computer w/o using its hardware. The firmware enables this. Open source projects like Tianocore or coreboot don’t have all the necessary firmware to enable this hardware. On Intel systems, they need the Intel Firmware Support Package (FSP), all the “blobs” needed to enable the hardware. OEMs and IBVs take Intel’s FSP blobs and combine them with the tianocore UEFI code or the coreboot code, and build a firmware image for their system. Some IBVs create their own firmware from spec, w/o FSP, but that is going to take a lot of work, and the NDA’ed material probably means no open source version.

http://www.intel.com/content/www/us/en/intelligent-systems/intel-firmware-support-package/intel-fsp-overview.html

Purism apparently is a licensee of the Intel FSP source code, so they can edit the FSP source and recompile them. I presume this means Purism is under NDA with Intel, and can’t give some details of what they’re doing.

There will always be blobs in current Intel systems. Purism may reduce the number of FSP blobs, but can’t eliminate them. Perhaps Purism should focus on AMD systems, if AGESA is open source? Perhaps Purism should focus on ARM systems, where — if sufficiently funded, they could build a chip with just the parts they want; still there are ARM Ltd NDAs. I don’t think Purism — or any similar Linux OEM — will be able to create anything useful until RISC-V is an alternative to the mainstream chips, in a few years. 😦

I hope Purism checks CHIPSEC results before they ship their product. 🙂
I wish Intel would open source FSP. I presume that can’t be done due to NDA issues. I wonder if the open source community would sponsor an FSP alternative, if they could accomplish it w/o the NDA’ed data?

RMS blesses Crowd Supply for Open Hardware OEM use

Crowd Supply, the crowdfunding platform for Open Hardware OEMs, was blessed this week by RMS and the FSF. Crowd Supply has helped new hardware startups and “Micro OEMs” like Bunnie Studios’ Novena, Purism’s Librem, and Inverse Path’s USB Armory.

“The FSF has selected Crowd Supply as its preferred crowdfunding platform, and will recommend Crowd Supply to hardware and software creators looking to crowdfund, sell or purchase products online. And third, Crowd Supply and the FSF will work together to promote and launch new software and hardware products that adhere to FSF’s guiding principles, with the first project to be announced soon.”

I am *VERY* eager to see more startups creating Open Hardware-based systems! I am looking forward to a few years from now when RISC-V-based devices start showing up on CrowdSupply…!

Going further, the FSF and Linux Foundation need to proactively start building the missing components, not waiting for Intel/ARM and OEMs to create Open Hardware, there’s little motivation for them to change their ways and their IP policies. The FSF needs to — first define, then… — fund Free Hardware, if they’re going in a separate direction from OSHWA’s Open Hardware. Personally, I wish the FSF would partner with OSHWA and focus on Open Hardware, instead of splintering the few non-closed hardware resources/efforts/funds.

More Information:
https://www.crowdsupply.com/free-software-foundation-endorses-crowd-supply-for-respecting-users-software-freedom
http://www.fsf.org/news/fsf-endorses-embedded-gnu-linux-distro-proteanos-as-fully-free
http://arstechnica.com/information-technology/2015/07/founder-of-gnu-bestows-blessing-upon-open-source-crowdfunding-site/