Maybe manufacturers aren't sure what they should be building in order to genuinely and honestly be able to market as 'Respects Your Privacy'. It sounds simple but when you look at the ultimate level of privacy protection then you are talking about open source hardware, software and manufacturing processes and proper auditing of all of these. For a company to manufacture and market a device under these conditions is likely to be hideously expensive and have a very small customer base who are willing to pay such a large price in cash terms.

What might be a good idea is for a community such as this one to create some sort of scale which describes the methods, materials and processes to achieve some sort of scoring which would range from 'NSA Spying Device' (0 out of 10) to 'Complete Privacy Protection' (10 out of 10). This would then allow manufacturers to work to a specific score and advertise as such.

cheers,
oshwm.

On 14/09/15 17:09, Blibbet wrote:
Librem isn't perfect, and its BIOS isn't fully free. But it's free-er than almost any other laptop being sold that's worth owning, and it even comes with a hardware switch for some key sensors. If a product markets itself as 'privacy respecting' (is the Librem *actually* marketed this way?) then it had better back up its claims. Regardless of the way the marketing team is spinning things, they supposedly have 3 firmware developers trying to make a difference. Outside Bunnie Studios, I don't know of another OEM that is trying to help with this niche market with new hardware (not including refurbished Thinkpads). So I respect that effort. Not sure they'll fully succeed in this model, but perhaps a few models later they will have some decent boxes.
It sounds like they have a source license to Intel's Firmware Support Package (FSP), and are modifying it to disable some silicon/firmware features. The results will still be closed-source.
Today, nearly all Intel systems are 100% closed-source firmware, via IBVs (Phoenix, AMI, Insyde, and OEMs). Some AMD and ARM systems could provide blob-free firmware. If used in conjunction with fully open source OS/app stack, then you might be able to trust it.
Today, I don't see how you can trust any keys/certs in any of the Trusted/Verified/Measured/etc. boots; most of the solutions don't seem to have any way for the owner/user to verify, e.g., no CRL/OCSP keys. My reading of NIST SP80-147 seems to imply that sysadmins need to be able to verify things, but that doesn't seem viable today.
While Purism's marketing may be a bit overboard, I'm hopeful that they're trying. Maybe their next model will use the new RISC-V Raven3 chip, with U-Boot Verified Boot, and ship with full source to CPU/firmware/enclosure, firmware, OS, and apps. To get to that point, we'll probably need to help them fund this current Intel model, to keep Purism alive....
I am not sure why they need to create yet-another privacy-centric OS, PureOS, and focus on improving and using Qubes/TAILs/Trisquel/Mempo/etc.
They're apparently working on a Free Software fork of FSP. I wish this was a shared effort with many more free software developers, perhaps managed by FSF or Linux Foundation, not just a single OEM. More than one Linux OEM could benefit from such an effort, most of them still use COTS 100% closed-source IBVs.
Can the current Intel-based solution get certified by the FSF RespectYourFreedom program? I'm not sure.
Whatever happens with what they do to the FSP and Intel silicon, if the result is less secure to attackers, that'll be an issue. Many who care about personal freedom and detest blobs seem to ignore security. But Purism cares about privacy and security, so they have to try and deal with both issues. Disabling BootGuard in updated FSP may make it more configurable, but less secure, it seems. Their web site has fancy graphics and tables. I hope they create a list of FSP modifications so we can see what security holes the system may have.
I like the kill switch. I'd go further: since many firmware attacks come through suspend/resume, I'd rather just disable that at the HW/FW/OS levels. I'd like to have a fully-lockable enclosure in a laptop, which can cover exposed ports, with a good quality lock, in a metal enclosure. Of course, it wouldn't be able to make it through TSA customs, so probably not commercially viable. :-(
If I worked there, I'd tone down the marketing a bit (they have blobs in their firmware, and they're based on an Intel system, they'll never satisfy some of their potential market), perhaps focus on hardware that can be built with blob-free firmware for their next model. And I'd hire LegbaCore to evaluate the hardware before they ship it, for security issues. :-)
Looking forward to their next model!