In pursuit of Purism

For GNU/Linux users wanting a laptop, it’s almost always easier to find the hardware you want and then install the distro of your choice – perhaps with some muttering about the ‘Windows tax’, or even making a stand and getting the Microsoft licence portion of the price refunded.

However, as Purism puts it: “The model of ‘buy hardware, install free software’ is ageing, due primarily to the fact that there is a growing cryptographic bond between proprietary non-free signed binaries and the hardware that they run on.”

There are one or two laptops available from manufacturers with Ubuntu pre-installed, although Dell doesn’t always make it easy to find them, and a few resellers who’ll do the install for you, such as System76 – but the sad truth is that most laptop manufacturers do not care about software freedom, at least not enough to take a risk in standing out from the herd.

If they don’t care, that’s probably because the public don’t exercise themselves much over the issue – although awareness of free and open source software is slowly growing, and the Raspberry Pi has put GNU/Linux into the hands of a new generation.

But privacy and security is an area where public perception has radically changed in the last few years, against a backdrop of ransomware, leaks about surveillance and concerns over the pervasiveness of corporate data gathering. More recently, the extent of malicious code in numerous apps has been exposed. ZDNet reported that “over 500 Android apps with a combined 100 million downloads [were] found to secretly contain spyware,” and Ars Technica observed that researchers had discovered more than 4,000 apps that secretly record audio and steal logs – including a few that made it into Google’s official Play Store.

Anyone offering a quality product with a credible approach to privacy and data security will – if they combine it with real usability – find a ready and growing market. Enter Purism, maker of the Librem laptops: computers that tackle privacy concerns head on with hardware kill switches (HKS) on the camera and microphone, eschewing kernel blobs and binary firmware to offer an entirely free software stack.

Librem laptops run PureOS, a GNOME 3 desktop on a Debian-based distro, with security enhancements and a Firefox-based Pure Browser with all of the privacy and security plug-ins installed and enabled by default. GNOME 3’s move towards effective containerisation with Flatpak also adds to security, isolating any buggy app from being exploited to escalate privileges and to compromise the system.

PureOS is not just a nice-to-use version of Debian and GNOME; it is endorsed by the Free Software Foundation (FSF). Further down the stack, the Linux kernel is free of proprietary binary drivers – using GNU’s Linux-libre project – and the bootloader is free. Then, in the hardware itself, the CPU and motherboard have the Field Programmable Fuses (FPFs) set to allow unsigned binaries, and run coreboot.

The Librem 15 is billed as the first 15.6-inch laptop designed to protect your digital life

Full stack freedom

Purism has put a lot of developer time into being able to replace proprietary BIOS with coreboot, as featured in the Librem 13 v2 and Librem 15 v3 laptops. They are close to having it ready for download to those who have older Purism hardware – it’s undergoing QA testing at the time of writing.

Given the successful proof by Security Research Labs – a Berlin-based hacking research collective and consulting think tank – that a USB flash drive’s firmware can be used to take control of a laptop, Purism has been looking at freeing SSD firmware, as well as moving towards the superior NVMe specification.

Privacy by default and by kill switch

Whether you’re specifically after a GNU/Linux laptop or not, the USP of Librem laptops is privacy by default, and it’s implemented in both the hardware and the software – with the latter set to prevent tracking. If you have a compromised PC or phone, hackers can, for various nefarious reasons, switch on your camera or microphone remotely to snoop on you.

While Librem’s software stack gives you a great deal of protection from this, the simple act of flipping a hardware kill switch (HKS), and physically cutting the power to the microphone and camera, guarantees that they cannot be misused. For the upcoming Librem 11 tablet, and just-announced Librem 5 phone, there should be an HKS for the SIM card slot and one for the GPS.

Perhaps the firm’s most important work – given that Open ISC is not yet ready for this sort of laptop – is in neutralising Intel’s Management Engine (ME). In the words of Purism’s Intel ME-less petition: “ME is a threat to users’ digital rights. It is an unreadable binary file that is cryptographically signed by Intel, requiring users to compromise their security, privacy and freedom because users must execute unknown and unverifiable code on the CPU.”

So far Purism has removed the kernel, network stack and about 92% of the Intel ME binary – and is committed to neutralising or replacing all of it. Security is a game of depth, and there’s a large section of the Vault 7 leaks regarding attacks against EFI/UEFI (modern BIOS replacement) firmware.

The launch of Purism’s crowdfunding campaign for the Librem 5 – dubbed the “world’s first encrypted, open smartphone ecosystem giving users complete device control” – is a big step for the small hardware startup and social enterprise (Purism is incorporated as a Social Purpose Corporation).

The Librem laptops, and their single-minded journey to free up the entire stack, show that Purism has the potential to succeed where other phone offerings have failed to materialise.

Intrigued by the laptops, and what lies behind them, we spoke to Purism founder and CEO Todd Weaver at this year’s GUADEC (GNOME Conference), and started by asking him: Why does it matter?

“Digital rights should mirror physical rights,” Weaver told us. “The trend is to more data gathering and more corporate surveillance, especially on mobile devices. It’s trending in the wrong direction. We needed a product which protects the digital rights of the consumer – and hardware crafted to work with the software.”

He emphasised the depth of credibility from giving the user control and leveraging the Free Software Foundation principles into hardware, but believes in taking it one stage further, with ease of use. “Convenience, control,” says Weaver, are “two words that matter.”

So why use GNOME 3? Weaver sees it generally as a great free software product that bundles together great apps and looks great – but particularly singled out its “great security story with app isolation giving privacy for individuals, security by default, and respecting digital rights (as it’s free software).”

Purism’s GNOME 3 PureOS will also make it onto the phone with the Librem 5, so while many end users will buy it for “end-to-end encrypted decentralised communication”, or even to escape the existing duopoly’s walled gardens, many users will be anticipating a convergence device to be docked at home with a large screen and keyboard – and just such a package is one of the most popular options on the crowdfunding page.