
Qubes OS will ship pre-installed on Purism’s security-focused Librem 13 laptop - walterbell
http://arstechnica.com/gadgets/2015/12/qubes-os-will-ship-pre-installed-on-purisms-security-focused-librem-13-laptop/
======
INTPenis
Since I'm completely surprised by this project and very attracted to it I
thought it was best to google around for some perspective. Found this
[http://www.pcworld.com/article/2960524/laptop-computers/why-...](http://www.pcworld.com/article/2960524/laptop-computers/why-linux-enthusiasts-are-arguing-over-purisms-sleek-idealistic-librem-laptops.html)

Among other things. My first question was, is the hardware open? Couldn't find
an answer to that.

Edit: Apparently revision 2 of Purism will possibly have Coreboot.

~~~
creshal
The CPU uses proprietary, binary microcode blobs.

The graphics chip needs proprietary, binary firmware blobs.

The ethernet chip needs proprietary, binary firmware blobs.

The BIOS is a proprietary, binary firmware blob.

"Respects your freedom" my ass. The only difference to a whitebox laptop is
marketing. Dell's or Lenovo's linux offerings are just as "free".

(And chromebooks with Coreboot are, technically, more free than both.)

~~~
nextos
Actually, a RockChip based Chromebook like C201 is completely free except for
the 3D acceleration. Not even CPU microcode. And it's dirt cheap.

I wonder why Purism didn't simply commission such a machine with the right 3D
chip instead of going with a non-free and expensive option.

I would also love similar initiatives in the mobile space, but I reckon it is
more challenging. Neo900 and Pyra are kind of cool though. And I'm hoping
Jolla open sources Sailfish OS later this month or early new year.

~~~
creshal
> I wonder why Purism didn't simply commission such a machine with the right
> 3D chip instead of going with a non-free and expensive option.

Because they can sell the "expensive" option (which, for the OEM itself, isn't
even too expensive) at a much higher premium.

> I would also love similar initiatives in the mobile space, but I reckon it
> is more challenging.

In the mobile space it would be an even bigger exercise in futility: There is
no, and will never be, a baseband chip with a free firmware. The FCC made that
pretty clear back in the OpenMoko days – use our NSA-approved proprietary blob
or you'll never sell in the developed world.

~~~
rtpg
what's the story on OpenMoko? I have a hard time seeing the FCC directly
saying something like that, and google isn't showing anything...

~~~
ansible
That was an attempt at a Linux-based phone before Android. It is very old
(close to 10 years?).

~~~
rtpg
Was more wondering about the accusation that the FCC shot down the effort.
Google seems to show that it launched something, can't find any trace of
controversy.

~~~
creshal
The project itself didn't fail because of it – that was just due to Android
being more attractive by the time it was working – but they never managed to
open-source the baseband firmware for that reason.

------
Create
_"We've proposed the business case to Intel and they are evaluating it. I
don't think it's likely it's going to happen anytime soon"_

Doctorow's Law: "Anytime someone puts a lock on something you own, against
your wishes, and doesn't give you the key, they're not doing it for your
benefit."

Bull Mountain, Bullrun, Bullsh_

------
j_s
Does this laptop include the (hardware?) modifications required to protect
from Intel Management Engine or not? That would be something novel that might
justify the higher price.

~~~
chadzawistowski
The CPU is fused to allow running unsigned binaries, but they're "still
working on" creating FOSS firmware for the chip. They've done some good
breakdown and analysis of the different pieces, but nothing concrete has
shipped so far. [https://puri.sm/posts/bios-freedom-status/](https://puri.sm/posts/bios-freedom-status/)

Until Purism has actually shipped a working alternative to the management
engine firmware, their laptop is hardly any better than most commercial
components. If you buy the laptop, you're purchasing hope.

You would be better off getting a Libreboot.
[http://minifree.org/product/libreboot-x200/](http://minifree.org/product/libreboot-x200/)

~~~
yuhong
Part of the point is to run Qubes though, and I and others already discussed
why this is not a good idea if you want to run Qubes in another thread below.
Not to mention hardware kill switches too.

------
clebio
Is this running multiple, heterogeneous OS on one laptop, or multiple,
homogeneous OS (e.g. Linux à la Docker) on one laptop?

I've wanted for years to run Windows and Linux on one laptop simultaneously
via hypervisors -- not dual-booting, not not-OS-is-host, etc. -- but was of
the impression that hardware/IO would not be feasible.

~~~
transpute
This is made possible by a combination of Xen, laptops/desktops with CPU/BIOS
which support Intel VT-d, and software like Qubes which mediate among the
separated workloads. Non-interactive VMs are typically used to perform I/O,
e.g. NICs. If you don't need 3D graphics, guest VM graphics can be virtualized
into "windows" with colored borders. If you are on a desktop, discrete GPUs
can be dedicated to a VM via VT-d, which enables 3D graphics with near-native
performance.

With the right (supported) hardware and BIOS, it works. Hence the benefit of
this pre-validated bundle. Hopefully more OEMs move to support concurrent
Windows & Linux, since manufacturers can use the open-source software to
evaluate the compatibility of pre-release hardware like the upcoming Skylake
Xeon laptops.

Purism (and the vendors that preceded them) deserve credit for prioritizing
security and privacy, despite current opaqueness of Intel platform
implementations. Intel's customers are OEMs, not end-users. To influence
Intel's multi-year roadmaps, more OEMs will need to make similar
security/privacy requests to Intel. OEMs can benefit from upstream
contributions that integrate with their unique hardware improvements, like
kill switches for sensors.
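A practical check that follows from the VT-d point above: on a Linux host the kernel exposes the IOMMU's device groupings under `/sys/kernel/iommu_groups`, and a device can only be handed to one VM on its own if it is alone in its group (otherwise every peer in the group goes with it, and the isolation between them is lost). The script below is an added example, not code from the thread, Qubes or Xen; it reads that layout from a root path so it can be pointed at `/sys` on a real machine, but the tree it demonstrates on is constructed in `make_sample_tree()` with made-up PCI addresses.

```python
"""Inspect an IOMMU-group layout (sysfs style) and report which devices can be
isolated on their own.  Added example, not part of the thread; the sample tree
is constructed here rather than read from a real machine, so it runs anywhere."""
import tempfile
from pathlib import Path


def iommu_groups(sysfs_root):
    """Return {group_id: [pci_addr, ...]} from <root>/kernel/iommu_groups.
    On a real Linux host sysfs_root would be '/sys'."""
    base = Path(sysfs_root) / "kernel" / "iommu_groups"
    if not base.is_dir():
        # No groups at all: the IOMMU (VT-d / AMD-Vi) is disabled in firmware
        # or the kernel, so there is no device-level isolation to rely on.
        return {}
    groups = {}
    for grp in sorted(base.iterdir(), key=lambda p: int(p.name)):
        devices = sorted(d.name for d in (grp / "devices").iterdir())
        groups[int(grp.name)] = devices
    return groups


def isolation_report(groups):
    """Map each device to True if it is alone in its group (can be passed to
    a VM by itself) or False if it shares a group with other devices."""
    report = {}
    for devices in groups.values():
        for dev in devices:
            report[dev] = len(devices) == 1
    return report


def make_sample_tree(root):
    """Constructed layout (hypothetical addresses): a NIC alone in group 3,
    a GPU and its HDMI audio function sharing group 5."""
    layout = {3: ["0000:02:00.0"], 5: ["0000:01:00.0", "0000:01:00.1"]}
    for gid, devices in layout.items():
        for dev in devices:
            (Path(root) / "kernel" / "iommu_groups" / str(gid) / "devices" / dev).mkdir(parents=True)
    return layout


def demo():
    """Build the sample tree in a temporary directory and return (groups, report)."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        groups = iommu_groups(tmp)
        return groups, isolation_report(groups)


if __name__ == "__main__":
    groups, report = demo()
    for dev, alone in report.items():
        print(dev, "isolated" if alone else "shares a group")
```

Run it against a real host with `iommu_groups("/sys")`; an empty result means the platform offers no IOMMU isolation at all, which is the situation the thread describes for boards without VT-d.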

~~~
jmnicolas
> If you are on a desktop, discrete GPUs can be dedicated to a VM via VT-d,
> which enables 3D graphics with near-native performance.

Well, this is the theory. You'd better be a Unix guru if you want to make it
work; they have some questions about it on their Google group and it looks
shaky.

It widens the attack surface too.

~~~
transpute
Xen GPU passthrough works if the GPU vendor supports VT-d passthrough. Many
AMD discrete GPUs work in this configuration, from low end to high end
versions. Nvidia high end models may work, but low end models are unlikely to
work.

Yes, the attack surface is widened to include the GPU, with isolation
theoretically provided by the VT-d IOMMU. Some recent Intel CPUs support
hardware virtualization of the integrated GPU, which likely further widens the
attack surface, but enables multiple VMs to have hardware-accelerated
graphics. This supports KVM and Xen, but is not (yet?) supported by Qubes,
[https://01.org/igvt-g/blogs/wangbo85/2015/intel-gvt-g-xengt-...](https://01.org/igvt-g/blogs/wangbo85/2015/intel-gvt-g-xengt-public-release-q32015).
If the guest workload is OpenGL,
[http://www.virtualgl.org/About/Introduction](http://www.virtualgl.org/About/Introduction)
could be an alternative.

~~~
creshal
It "works", but have you ever deployed that in production? Kernel updates
frequently break it, and the setups tend to be extremely flimsy.

------
feld
How is Qubes immune to Xen security issues? Slimmed down, only using PVHVM?
I'm sure there have still been some CVEs that apply...

~~~
j_s
The reality appears to be as you have stated (_some CVEs that apply_).

[https://news.ycombinator.com/item?id=10471912](https://news.ycombinator.com/item?id=10471912)

[https://raw.githubusercontent.com/QubesOS/qubes-secpack/mast...](https://raw.githubusercontent.com/QubesOS/qubes-secpack/master/QSBs/qsb-022-2015.txt)

_Because there have been, of course, many more security bugs found in Xen
over the last years (as the numbering of this XSA suggests). True, majority of
these didn't affect Qubes OS, sometimes by pure luck, sometimes because of
the extra prudence we applied, many other times because of the architectural
decisions we made._

~~~
nickpsecurity
I warned them Xen was a bad foundation versus extended more secure microkernel
designs. Some already had Linux in user-mode. Joanna ranted a ton then to
defend her decision. Funny to see her ranting at Xen now on their mailing list
and writing crap like that about what bullets they dodged.

Fortunately, GenodeOS is improving nicely and follows right principles much
like what I suggested for Qubes.

------
lamby
Congratulations to the Qubes project - not sure if they had any input/contact
with Purism, but it's a coup either way.

~~~
woju
Oh yes, we had: [https://www.qubes-os.org/news/2015/12/09/purism-partnership/](https://www.qubes-os.org/news/2015/12/09/purism-partnership/)

------
jkot
> _Running a dozen VMs or more, as many Qubes users do, can be resource-
> intensive, so plenty of RAM and a fast processor are essential._

I hoped it would support 32GB RAM in 13" laptop, but maximum is 16GB RAM. Only
option seems to be Portege R30 Skylake version (not yet announced), which has
two DDR slots.

~~~
mtgx
I think that's mostly Intel's fault. They're keeping mainstream notebook chips
limited to 16GB of RAM so they can upsell you the (more expensive) "Xeon for
notebooks" chips.

~~~
analognoise
Is that bad? I mean how many people are willing to spring for 32GB of memory,
but won't spring for a more expensive processor?

I think the 32GB in a laptop is a power user type group, and that kind of
market segmentation makes sense.

~~~
nickpsecurity
I mostly agree, but there are flexibility, safety, and security benefits if
enough RAM is in the system. All kinds of tricks to use even if the target is
a casual user.

Most don't so your analysis fits majority of time. ;)

------
bechampion
The base model is 1600 USD? For an i5? It looks pretty neat but I feel like
it's overpriced, right?

~~~
TuringTest
Where else can you get a security-focused preinstalled laptop with higher
specs for less money?

~~~
dogma1138
This is security theater marketed for a steep markup.

Until they can get an OSS version of all the firmware it's just as secure
as any off-the-shelf laptop with a clean install of the OS of your choosing.

If you want more security, get an old Lenovo/IBM ThinkPad, mod the BIOS chip
and get Libreboot.

The CPU, graphics card, HDD, Ethernet and more have more lines of code in them
than your OS kernel most likely, and that code rarely gets audited even
internally.

~~~
throwaway7767
> If you want more security get an old Lenovo/IBM think pad mod the bios chip
> and get libreboot.

It's a tradeoff, it depends on what you're protecting against. AFAIK none of
the libreboot-supported boards have VT-d, so you lose a lot of qubes's
isolation features.

It'll be a great day when we can have a fully free machine (firmware-wise)
with IOMMU and some auditable form of DRTM. But we're a long way from that
still.

EDIT: I also doubt the markup is steep. Software people always underestimate
the cost of making hardware in small quantities. These guys don't have economy
of scale on their side. You could say it's expensive compared to the
competition, and you'd be right, but it's not because of greedy businessmen at
purism.

~~~
stcredzero
_It'll be a great day when we can have a fully free machine (firmware-wise)
with IOMMU and some auditable form of DRTM._

DRTM?

~~~
dogma1138
Dynamic Root of Trust Measurement. It's part of Intel's Trusted Execution
Technology:
[https://en.wikipedia.org/wiki/Trusted_Execution_Technology](https://en.wikipedia.org/wiki/Trusted_Execution_Technology)
This is basically what allows the hardware to verify that the OS which is
being booted is "trusted".

Intel's TXT framework is quite nifty but not fully utilized, and I'm still not
sure if it's as good as ARM's TrustZone approach. The problem is that this
is/will be a very important factor in any trusted computing in the future, and
currently it's utterly unaudited, at least publicly (and from hearsay it also
wasn't internally audited).

Intel is pretty much mandating AMI/AMT support within the UEFI, and support
for TXT/TPM/NGSCB will also be mandatory soon. Unless Intel open-sources all of
this, there will never be an open-source UEFI BIOS which will be functional
with Intel going forward. Coreboot is shipped with proprietary parts which
cover it; you can use Libre, but then you are stuck with decade-old hardware,
and there is very little hope for it to ever support modern hardware: the
skill set is way too demanding for an OSS project without major corporate
support, and without full cooperation with Intel this won't be supported. If
AMD was smart they would jump on this train, but as BIOS is quite a tricky
business these days (probably even more complicated than OS internals, with
the exception of maybe really low-level kernel stuff) I just don't think they
want to take that risk considering their financial state.
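The mechanism behind "the hardware verifies that the OS being booted is trusted" is a measurement chain: each boot component is hashed and folded into a TPM platform configuration register (PCR) with the extend rule PCR = H(PCR || H(component)), and a policy or remote verifier compares the final value against a known-good one. The same rule underlies both a static root of trust (chain starts at platform reset) and a dynamic one (TXT's late launch resets the dynamic PCRs and starts the chain from a CPU-initiated measured launch). The simulation below is an added example written for this thread, not Intel's or the TPM's code; the TPM is a plain value in memory and the bootloader, kernel and initrd are constructed byte strings.

```python
"""Simulate a measured-boot chain with the TPM extend rule.
Added example, not from the thread; components are constructed byte strings
and the 'TPM' is an in-memory value rather than real hardware."""
import hashlib

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32  # PCRs start at all zeros after a (late-)launch reset


def measure(component: bytes) -> bytes:
    """Digest of a boot component as it sits in memory before it runs."""
    return HASH(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: the new value depends on the old value and the measurement,
    so order matters and earlier measurements cannot be undone by later code."""
    return HASH(pcr + digest).digest()


def measured_boot(components):
    """Extend each (name, blob) into one PCR in boot order.
    Returns the final PCR and the event log of what was measured."""
    pcr = PCR_INIT
    log = []
    for name, blob in components:
        digest = measure(blob)
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log):
    """Recompute the PCR from an event log. A verifier compares this with the
    value the TPM itself reports; a log that does not replay to it was altered."""
    pcr = PCR_INIT
    for _name, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def policy_allows(pcr: bytes, known_good: bytes) -> bool:
    """A sealed secret (or an attestation check) is released only on a match."""
    return pcr == known_good


# Constructed stand-ins for real images (hypothetical contents).
GOOD_CHAIN = [
    ("bootloader", b"bootloader-image-v1"),
    ("kernel", b"kernel-image-v1"),
    ("initrd", b"initrd-image-v1"),
]
TAMPERED_CHAIN = [
    ("bootloader", b"bootloader-image-v1"),
    ("kernel", b"kernel-image-v1-modified"),  # one byte string changed
    ("initrd", b"initrd-image-v1"),
]

# The reference value an administrator would record from a known-good boot.
KNOWN_GOOD_PCR = measured_boot(GOOD_CHAIN)[0]


def demo():
    """Boot the good and the tampered chain and report what a policy sees."""
    good_pcr, good_log = measured_boot(GOOD_CHAIN)
    bad_pcr, _bad_log = measured_boot(TAMPERED_CHAIN)
    return {
        "good_matches_policy": policy_allows(good_pcr, KNOWN_GOOD_PCR),
        "tampered_matches_policy": policy_allows(bad_pcr, KNOWN_GOOD_PCR),
        "good_log_replays": replay_log(good_log) == good_pcr,
        # Same components in a different order give a different PCR.
        "reordered_log_replays": replay_log(list(reversed(good_log))) == good_pcr,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two properties are worth noticing: a single changed byte anywhere in the chain changes the final PCR, and reordering the same measurements also changes it, which is why the event log must be replayed rather than merely compared as a set.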

~~~
stcredzero
Yes. Trusted execution that's audited and worthy of the name ("trusted") is
sorely needed! This, despite the fact that people associate it with DRM and
knee-jerk against it.

~~~
dogma1138
Well, it can also serve as DRM: it can be made so it locks your OS to only the
one that your device came with out of the box, and any modification would be
impossible.

I wonder if MSFT would ever let OEMs lock the devices to their bloatware spec
and, if so, how long until we get laws similar to SIM unlocks passed to give us
customers some control back.

~~~
stcredzero
_Well it can also serve as DRM it can be made so it locks your OS to only the
one that your device came with out of the box and any modification would be
impossible._

Not the sort of behavior I would classify as "trustworthy".

