[Testannounce] Librem 14 Updates

[testannounce at announce.puri.sm]

Librem 14 Updates


  Librem 14 Updates

*Early bird pricing is ending on August 7, 2020.* Be sure to order your
Librem 14 by then to receive the $300 off pricing!

Pre-Order Librem 14 <https://shop.puri.sm/shop/librem-14/>
------------------------------------------------------------------------


    Librem 14 Features BIOS and EC Write Protection

As we have said a few times already, we set out to build our dream
laptop
<https://puri.sm/posts/librem-14-thoughts-from-a-librem-13-early-adopter/>
with the Librem 14 <https://puri.sm/products/librem-14/>. We approached
our flagship Librem 13 laptop with a wishlist of features to fit into
the reimagined Librem 14. As we have been able to confirm certain
features with a strong degree of confidence (like having 2 SO-DIMM slots
to double the max RAM to 64Gb
<https://puri.sm/posts/librem-14-launch-faq/>) we have updated our specs
and made new posts and today I’m excited to announce another item from
our wishlist that we will be able to fit into the first generation
Librem 14: *BIOS and EC flash chip write protection with a hardware switch*!

Librem 14


      Purism's History with BIOS Security

We have been focused on BIOS security at Purism since the beginning,
starting with our initiative to replace the proprietary BIOS on our
first generation laptops with the open source coreboot project
<https://puri.sm/coreboot/timeline/>. This was a great first step as it
not only meant customers could avoid proprietary code in line with
Purism’s social purpose <https://puri.sm/about/social-purpose/>, it also
meant the BIOS on Purism laptops could be audited for security bugs and
possible backdoors to help avoid problems like the privilege escalation
bug in Lenovo's AMI firmware
<https://www.cvedetails.com/cve/CVE-2017-3753/>.

Our next goal in BIOS security was to eliminate, replace or otherwise
bypass the proprietary Intel Management Engine (ME) in our firmware. We
have made massive progress on this front and our Librem laptops, Librem
Mini, and Librem Server <https://puri.sm/products/> all ship with an ME
that’s been disabled and neutralized
<https://puri.sm/posts/deep-dive-into-intel-me-disablement/>.

After that we shifted focus to protecting the BIOS against tampering. We
started by adding TPM chips to our laptops
<https://puri.sm/posts/tpm-by-default-and-free-international-shipping/>
and began work on integrating the Heads tamper-evident firmware project
<https://puri.sm/posts/purism-integrates-heads-security-firmware-with-tpm-giving-full-control-and-digital-privacy-to-laptop-users/>
into our overall boot security package we call PureBoot
<https://puri.sm/posts/pureboot-the-high-security-boot-process/>. Now
customers can choose between our default coreboot BIOS or our “PureBoot
Bundle
<https://puri.sm/posts/announcing-the-pureboot-bundle-tamper-evident-firmware-from-the-factory/>”
when they place an order. The PureBoot Bundle also enabled us to enhance
our anti-interdiction services
<https://puri.sm/posts/anti-interdiction-services/> and change it from a
secret menu option to a drop-down choice both for customers facing
stronger threats and those who just want more peace of mind
<https://puri.sm/posts/anti-interdiction-update-six-month-retrospective/>.


      Write Protection Adds Even Stronger BIOS Security

On the Librem 14 we will further improve BIOS (technically AP) and EC
firmware security with the addition of a *write-protect dip switch on
the motherboard*. For regular coreboot users this means you can flip the
switch and know that your BIOS is safe from remote tampering without
installing PureBoot. You would also get additional protection from
in-person attackers who would now need to remove the bottom of the
laptop to modify the firmware.

For PureBoot users this provides even more security on top of the
tamper-detection you already have in place. With write protection on,
you can rest assured that PureBoot will only change when you open the
case and flip the switch and if PureBoot does report BIOS tampering when
you have enabled write protection, you know to physically inspect your
motherboard for tampering.


      Enhanced Anti-Interdiction

A close-up of the unique pattern of blue glitter nail polish on the
center screw.

In combination with anti-interdiction tamper-detection measures like
painting screws with glitter nail polish, write-protect switches
dramatically increase the difficulty for even a sophisticated attacker
to modify your BIOS undetected during shipping. This protection extends
to whenever the laptop is out of your possession provided you inspect
the case screws.


    Librem 14 Adds Microphone Kill Switch Enhancements

Last week I announced that the Librem 14
<https://puri.sm/products/librem-14/> would feature a special "kill
switch" of sorts on the motherboard that would write-protect the BIOS
and EC chips
<https://puri.sm/posts/librem-14-features-bios-and-ec-write-protection/>.
I’m pleased to announce another enhancement that will be in the Librem
14: *the microphone kill switch will also kill microphones connected
through the headphone jack*.

Our camera/microphone hardware kill switch
<https://puri.sm/learn/hardware-kill-switches/> has long been a unique
feature on our laptops. While covering your webcams with tape is better
than nothing (even if Apple has no tolerance for webcam covers
<https://puri.sm/posts/apple-has-no-tolerance-for-webcam-covers/>), that
only solves half of your privacy issues. Even if a snoop can’t watch you
through a webcam cover, *they could still listen to you* so we’ve made
sure our camera/microphone kill switch disables the webcam at the top of
the laptop screen /and/ the embedded microphone.

With the Librem 14 we have enhanced this kill switch so that it also
disables the microphone in the headphone jack while leaving audio out
unaffected. That way if you happen to leave a headset plugged in–which
is common in the age of quarantined video chats–you can use the hardware
kill switch to *disable all microphones*, even ones connected through
the headphone jack.


      Our Most Secure Librem Laptop Yet

The Librem 14 is our most powerful and most secure laptop
<https://puri.sm/products/librem-14/> yet. If you want full control over
your BIOS security, microphone, and camera with cutting-edge, powerful
hardware, the Librem 14 is the best (some would say the only) choice. Be
sure to pre-order the Librem 14 <https://shop.puri.sm/shop/librem-14/>
before our $300 off early bird discount expires on August 7th!

Pre-Order Librem 14 <https://shop.puri.sm/shop/librem-14/>
------------------------------------------------------------------------
Purism

Thanking you for your support,
— the Purism team (feedback at puri.sm)

------------------------------------------------------------------------

Note: contents of this email are CC-by-SA; feel free to forward it to
friends!

/To remove yourself from our announcements list, simply email
announce-leave at announce.puri.sm <mailto:announce-leave at announce.puri.sm>
and you will automatically be instructed how to unsubscribe./

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://announce.puri.sm/pipermail/testannounce/attachments/20200728/0e82b6b1/attachment.html>