These guys won't be able to get the binary blobs from either Intel or Nvidia released; this has been pointed out many times before from several places.
They are even kind enough to mention it themselves: https://puri.sm/posts/purism-software-freedom-deconstructed/
> Laptops with libre operating systems have existed for decades. The only real innovators in this area have been Google and GluGlug. Google ships partially free firmware, although insufficiently libre to be able to provide the “respect your privacy” guarantee. GluGlug can make this claim, and it ships laptops with fully libre firmware. The downside of GluGlug is that it’s an aftermarket add-on. GluGlug and Google have been in business far longer than Purism. So, what has Purism brought in that’s new and exciting and libre? Nothing.

> Purism is actively working on porting coreboot to Librem15 with some coreboot developer(s). @mrnuke is more than welcome to join the effort :) There, that's the truth about Purism.
Purism’s Librem 15 will ship with an Intel CPU fused to **run unsigned BIOS** code
Original claim here: https://puri.sm/posts/pioneering-cpu-efforts-to-liberate-lap...
Since there are Haswell Chromebooks, there are devices on the market that also provide this feature.
The limitation for libreboot devices using recent Intel chips is the ME firmware which is always signed, but not on the CPU and not BIOS code. So the statement is technically correct - through some _very_ careful choice of words.
Edit: to be clear this is most likely an awesome product put out by people who care about security and privacy. I'm not trying to call this product out specifically. Privacy / security are really bold claims and without any specific regulations in the area that I'm aware of I feel extra cautious around anything claiming to provide those things. Like I said, I'm probably just being paranoid, but I like to think strategically, and if I were to be a spy agency of any sort and thought I could get away with it, selling a not-so-private privacy product would definitely be a move of mine.
What regulations, issued by which authority, would you trust?
The Purism claims are relatively small (e.g. camera/microphone hardware switch can be verified by a motherboard inspection) and are an incremental move in a positive direction.
What we need are more competitors to Purism.
In contrast, on virtually every mainstream laptop with VT-d, you are forced to use a CPU which includes Intel ME/vPro support.
IMHO "support" has become a bit of a weasel-word today, meaning everything from "it's physically impossible because the hardware doesn't even have the circuitry" to "it's all there and functional, but we just don't want you to use it". In between are things like disabled via undocumented hardware jumpers or software settings (remember how certain AMD CPUs could have extra cores "unlocked"? Same principle.) The older models without ME are the former, but I'm almost willing to bet that the latter is the case of the newer CPUs and chipsets.
It will be good to run some tests against the Purism 15 motherboard, at least to evaluate the dormancy/presence of the Intel ME via publicly known interfaces.
It's still a step in the right direction to be able to buy a laptop with a CPU that "does not support" the Intel ME, because it will permit some testing of the Intel claim. It also helps that Purism is using non-Intel components for wired and wifi networks, since Intel ME/AMT/vPro requires Intel networking.
The ME is required to be able to boot contemporary Intel devices. It's required to do power management for years. There is no way they ship a device with Intel CPUs and no ME.
What they can do is ship a system without the AMT/vPro features that are implemented in ME firmware. The difference being if the firmware for that part of the chipset is 2MB or 6MB. If you want to know what Intel requires 2MB of firmware for a chip that isn't supposed to be very active, I have no idea either.
But given that the 6MB firmware supports intercepting USB (for keyboard and mouse) and the GPU to route them over the network interface for the soft-KVM feature, be aware that the chip has these capabilities in hardware, no matter the firmware. It just doesn't use them (or so Intel claims).
New (and also old) privacy focused companies remind me of homeopathic medicine.
EDIT: Can anyone explain how they manage to max the memory to 32GB when the intel ark page for that processor says that the maximum it supports is 16GB?
Somewhere on their blog, they noted that the new layouts "didn't take too long to get used to". In other words, they were changing things purely to satisfy some poor design sense, not to benefit customers.
I spent over 2 grand on the X201, yet a new X250 is about $1000 with a reasonable config. I wonder if they're leaving money on the table by not offering better options, or if people like me are just a strange anomaly that's worth ignoring.
> After our last update regarding Intel’s physical 16GB memory maximum for 5th Generation CPUs, we heard from a backer that Intelligent Memory can run 32GB even though the specification states 16GB! This was corroborated by both PCWorld (...) and our direct contact at Intelligent Memory this morning.
Doing anything extra, in low volume, will raise the price a lot.
It mainly offers privacy, I'd assume. Besides, target customers may be commercial intelligence agencies, those who can conduct "detective" work for commercial companies. It sometimes implies discrediting a competitor's work, enquiring about their products, etc. It's plain gray-zone job, but there are thousands of employees in this domain.
The only company I know of which sells considerably more open laptops than the competition is Minifree Ltd. They have the RYF certification from the FSF. Still, there is non-free code running in the devices as a system — think hdd firmware — but the advances they’ve made are substantial.
I'm not aware of any major commercial computer with a FOSS BIOS or a hardware RF killer for the wireless parts.
The Librem PCH X99 uses [the Intel Management Engine blob] and the board will not boot without the blob.
Fun fact: Purism even links to me.bios.io, which contains this little gem
> there is a little man inside your pc... and his thing is bigger than yours. Your wife knows this.
I dislike Purism in that they say things like "Purism OS" rather than Linux / Trisquel, but if they do ship a coreboot bios laptop running Trisquel (Trisquel is just Ubuntu stripped of non free kernel components) then I believe it will be the most free Intel laptop with a modern chipset available.
> it will be the most free Intel laptop with a modern chipset available.
Any modern Intel computer needs the Intel ME.
I remain with the conclusion that Purism's marketing is deceptive, borderline lying.
About the same time they also stopped releasing source code for hardware initialization.
So along that axis they're not significantly better or worse than Intel nowadays. (I guess you can get by with a smaller firmware, and they allow redistribution, which are both nice, but not very relevant for freedom or security purposes)
I would happily buy a laptop with a good hardware spec that came with Windows without the junkware and with physical switches to disable all the sensors and transmitters. That would be a significant improvement on the things available to me today, and I would be willing to pay a modest premium for it. (These devices do already look quite expensive given their specs.)
However, by taking this pure stance on the software side as well, it runs headlong into the same thing that keeps most people out of FSF world: you buy a computer for the software you can run on it, and the software you get that way simply isn't as good in many cases as what you can get on Windows or OS X.
Here's an obvious example. I can buy a new Windows PC and probably watch the Blu-Ray I bought while I was out by (a) inserting the disc, and (b) pressing play. In contrast, the site here explains in great detail how installing software on Linux to watch a DVD is likely to be illegal in many places and they aren't going to supply the software themselves for that reason. Which of these is going to give a better user experience?
I wish them luck, because their goal is a noble one even if I'm not personally willing to give up the useful capabilities of mainstream software to go as far as they do. I hope they at least inspire more hardware companies to install physical switches to prevent abuse of the ever-increasing numbers of sensors and transmitters on these mobile devices, and inspire the likes of Microsoft to provide better controls over what software running on their platform can do.
I've been running Linux for over fifteen years, and I beg to differ: free software is almost always preferable.
> In contrast, the site here explains in great detail how installing software on Linux to watch a DVD is likely to be illegal in many places
That's simply an unfortunate fact of living under repressive regimes which try to forbid one from playing the DVDs one has bought; it's certainly not their fault.
It depends what you're doing, but if it involves anything to do with gaming, professional/business software, or the creative/multimedia industries, I stand by my previous comment.
For example, arguing that LibreOffice is an acceptable professional substitute for MS Office is fine until your accountant can't open the spreadsheet you sent over because of some incompatibility in the macros, at which point the amount of money it's going to cost for the lost time on that one occasion will instantly cover the cost of buying the real thing.
For another example, despite the recent push by the likes of Valve, gaming on Linux is still a far cry from gaming on Windows or any recent console.
But most people aren't going to care, because they want to watch their movie, and this laptop won't let them unless they jump through hoops and, in many places, break the law along the way.
You mean, like the Steamboxes?
Those are due to be released later this year, but no-one really knows yet how they will work out in terms of performance or cost-effectiveness, or what range of games will be available for them. Even if Valve port all of their own big titles over, the major titles from others in the industry may or may not follow, and it will probably take time if they do.
So yes, Steam machines are what I was referring to, but yes, gaming on Linux is still a far cry from gaming on Windows or any recent console.
This is for people who want a laptop where all hardware is well supported by open and upstream drivers in linux.
If you're running Windows or OS X, most of the point of this is defeated. You can't tell much about privacy, security, etc. The hardware switches are nifty, but they're an add-on due to popular demand, not the main feature.
(It is a bit annoying that the marketing isn't clear that this is just a nice modern laptop which supports linux very well and avoids you supporting Apple or Microsoft with your purchase.)
But that's rather the point. I'm willing to trust a clean Windows 7 installation and well-known drivers not to be phoning home. Given a system that was never contaminated with junkware, I then have a reasonable chance of only getting stuff I choose on there afterwards and keeping control of what applies downloaded software updates and when, and that is my primary requirement in software terms for a system I'm willing to trust. The desire for a good spec is just because so many business laptops are overpriced junk here in the UK, and the physical switches are just safeguards to mitigate things like zero-day attacks or, frankly, embarrassing forgetfulness.
I don't really buy the theory that the source for everything you install theoretically being available somehow makes your privacy better protected. Given that I'm not going to personally audit the entire source code of the OS distro being installed -- and neither is anyone else who buys these laptops -- the benefit is largely illusory, and the reality is that I'm just trusting the distro and everyone contributing to it instead of trusting the likes of Microsoft. Either way you're also assuming the system is secure so any privacy you start with will stay that way.
> Purism’s Librem 15 will ship with an Intel CPU fused to run unsigned BIOS code, allowing a future where free software can replace the proprietary, digitally signed, BIOS binaries.
Now I don't have the freedom to modify the code or improved security. How is this making me better off?
If there's no way to get one without sacrificing the other, the better option for my privacy, security, and freedom is to take a static but non-free BIOS.
So the result is that you can't update your computer's firmware, but somebody else can (although probably not the average criminal).
The standard solution is to lock down the write access to the flash chip. While current era firmware requires writable flash for memory init (or you lose suspend to RAM capabilities), it can be locked down directly afterwards and before code from somewhere else is executed.
That works nicely without Boot Guard, but not so well with UEFI (which stores its persistent variables in the same flash memory part).
Or, of course, they could have been honest with the OS and browser they are using ...
Something built from the ground up, where you can build and (with inspection) trust every part of it.
And the hardware they do provide is not significantly more secure/libre than any run-of-the-mill laptop. I mean Intel, with Intel Management Engine? Surely, you're joking.
Providing a linux distro-spin-off as an OS?
To me, these guys sound like crooks, because they make a lot of claims, and they are nowhere near delivering on those promises. And they use a bullshit language with terms like ideology, but again with no real substance to back this up.
I'd much rather buy a Novena, if I was really concerned about this kind of things. Just my 2 cents.
Or do they target privacy curious Mac and Windows users? In which case: What happens when these users want to design and order a photo book? (Here in the Netherlands, nobody offers that on Linux and it is a big thing keeping me from switching my "please remove my browser toolbars once a month" mother in law to Linux.) Even more knowledgeable computer users don't simply switch to Linux, and this page does not even mention its OS, so what can you expect? I think the difference is way too big to just glance over it and say you have mac/windows compatible software. As a Windows user going to a Mac is a big step, many people I know hated it and moved back. Imagine them moving to Linux...
I'd buy one, if it would mean I'd get a System76 like machine that just works with in-kernel stuff for sure. The hardware switches, the lack of a windows key and the nice looks are very attractive extras.
> Bundled with the fully free/libre, no mystery software Trisquel GNU/Linux operating system, with free/libre professional quality web browser, email, graphics, drawing, word processing, presentation, spreadsheet, and media software, users can easily replace their existing computer. Since it is a GNU-based distribution, users can add hundreds of thousands of free/libre and open source applications easily.
It is annoying that the marketing is not clear on this fact. This is a nice, if pricey, laptop which supports any modern linux distro well. And when you buy it, you avoid your purchase supporting Apple or Microsoft. (I've purchased a couple Apple laptops over the years, begrudgingly, just to run linux on them. I'm excited to have an alternative.)
How does their hardware tackle privacy issues? What do they do exactly?
They also disabled signature verification on the chipset firmware, but it's not clear that solves any privacy issues, given that the only extant firmware is the closed-source one from Intel. (If anything, disabling signatures is a net negative for privacy, as the authors of a malicious replacement wouldn't even need access to Intel's signing key to create one.)
It is true that I do not trust Canonical or Dell, but why would I trust Purism instead? What proof of trustworthiness do they provide?
My Dell's very low spec is good enough for what most developers typically do: use a text editor to deal with source files and use the shell to ssh into a remote machine. The most taxing program that I use is firefox. The browser consumes more CPU cycles and memory than all other programs taken together.
The short story: I do not need a laptop that costs 1600+ USD, just for its nebulous, unproven claims of privacy, when I am perfectly happy with one that costs 250+ USD.
Also a "privacy" oriented laptop with Boot Guard disabled? hah? With how prevalent UEFI malware appears to be, why would anyone want to disable pretty much the only security measure against it?
Boot Guard allows you to perform block level or cryptographic verification of the BIOS and firmware.
And while a CPU fused to boot unsigned bios sounds nice and nifty, virtually every motherboard out there supports unlocking the signature validation using a hard or a soft jumper anyhow.
Disabling that is like disabling the file system integrity access checks on an encrypted hard drive; it can only lead to a disaster....
Even libre firmware can't guarantee my system won't be compromised and updated with malicious firmware.
So checking that your libre firmware locks down the flash as soon as it's done with its work can be a pretty strong guarantee.
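The two comments above about locking flash write access after memory init and then verifying that the firmware actually did so come down to reading a handful of PCH registers. The following is an added example, not code from Purism, coreboot or any commenter: it decodes the Intel PCH BIOS_CNTL, HSFS and PR0..PR4 registers (bit layouts as in the public PCH datasheets; the register values and the two sample machines are constructed) and reports whether the BIOS region is still writable from the OS, whether the protected-range configuration is frozen, and which flash ranges are write-protected. On real hardware the raw values would come from a tool with chipset access such as chipsec's bios_wp module; this block only shows the decoding and the decision logic.

```python
"""Decode the Intel PCH SPI-flash write-protect registers that decide whether
the host can still rewrite the firmware after boot. Added example, not code
from Purism or coreboot; bit layouts follow the public PCH datasheets
(BIOS_CNTL at LPC bridge config offset 0xDC, HSFS and PR0..PR4 in the SPI
BAR). All register values below are constructed for illustration."""

from dataclasses import dataclass

# BIOS_CNTL (LPC/eSPI bridge, PCI config offset 0xDC)
BIOSWE = 1 << 0    # BIOS Write Enable: host may write the BIOS region
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can veto it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only honoured from SMM

# HSFS (Hardware Sequencing Flash Status, SPI BAR)
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: PRx/FRAP frozen until reset

# PRx (Protected Range 0..4, SPI BAR)
PR_WPE = 1 << 31        # Write Protection Enable for the range
PR_FIELD_MASK = 0x1FFF  # base in bits 12:0, limit in bits 28:16, both in 4 KiB units
PR_LIMIT_SHIFT = 16


@dataclass(frozen=True)
class FlashRegs:
    bios_cntl: int
    hsfs: int
    prs: tuple  # PR0..PR4 raw 32-bit values


def protected_ranges(prs):
    """Return [(base, limit)] byte ranges that have write protection enabled."""
    ranges = []
    for pr in prs:
        if pr & PR_WPE:
            base = (pr & PR_FIELD_MASK) << 12
            limit = (((pr >> PR_LIMIT_SHIFT) & PR_FIELD_MASK) << 12) | 0xFFF
            ranges.append((base, limit))
    return ranges


def bios_region_locked(bios_cntl):
    """True when the BIOS region cannot be written from the OS: the lock bit
    must be set, and writes must be disabled or confined to SMM."""
    lock_set = bool(bios_cntl & BLE)
    writes_blocked = not (bios_cntl & BIOSWE) or bool(bios_cntl & SMM_BWP)
    return lock_set and writes_blocked


def assess(regs):
    """Return a list of findings; an empty list means the flash is locked the
    way firmware should leave it before handing control to the OS."""
    findings = []
    if not bios_region_locked(regs.bios_cntl):
        findings.append("BIOS region writable from the OS (check BLE/SMM_BWP/BIOSWE)")
    if not regs.hsfs & FLOCKDN:
        findings.append("FLOCKDN clear: protected ranges can be redefined at runtime")
    if not protected_ranges(regs.prs):
        findings.append("no PRx register write-protects any flash range")
    return findings


# Constructed samples: a firmware that locked everything after memory init,
# and one that left the flash wide open.
LOCKED = FlashRegs(bios_cntl=0x22, hsfs=0x8000, prs=(0x87FF0500, 0, 0, 0, 0))
OPEN = FlashRegs(bios_cntl=0x01, hsfs=0x0000, prs=(0, 0, 0, 0, 0))

if __name__ == "__main__":
    for name, regs in (("locked", LOCKED), ("open", OPEN)):
        print(name, assess(regs) or "flash locked down", protected_ranges(regs.prs))
```

The BIOS_CNTL rule is the one commonly applied by firmware-audit tools: BLE alone only makes re-enabling writes visible to an SMI handler, so a region counts as locked only when BLE is set and writes are either disabled outright or restricted to SMM. The UEFI caveat from the earlier comment shows up here as well: a firmware that must keep its variable store writable cannot protect the whole chip with PRx ranges, so the protected ranges reported by this check should be compared against the flash layout rather than just counted.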
But there's no way I'd ever give money to someone who has hired the execrable Jacob Applebaum. No way.
The company is free to associate itself with him, and I'm free not to purchase their otherwise-quite-interesting product.