Purism Librem 13 and Qubes


Fredrik Strömberg

Sep 21, 2015, 10:48:19 AM
to qubes...@googlegroups.com
Hi Qubes developers,

We're thinking of ordering "Librem 13" laptops for everyone at
Mullvad, but it's imperative that it works for Qubes. Otherwise the
laptops will be useless to us.

Do you think Librem 13 will work out of the box for Qubes?
If not, are you committed to making it work for Qubes?

As a sidenote: Thank you very much for your hard work! We are
incredibly grateful for what you have created - We rely on it daily.
We're very satisfied with Qubes and are definitely spreading the word
as well :)

Cheers,
Fredrik Strömberg

7v5w7go9ub0o

Sep 21, 2015, 1:28:31 PM
to qubes...@googlegroups.com
IIUC, there are ongoing discussions regarding an "ITL Qubes Certified"
designation: e.g. what does that certification mean; will the candidate
computer be used/test-driven by ITL; etc.

Perhaps you could help keep that ball rolling - plus get reasonable
assurance that your laptops will serve you well - if you wrote Purism
describing your need to outfit Mullvad with Qubes Laptops, and inquiring
about the estimated date for ITL Qubes certification.

( <https://www.mullvad.net/en/> )




Fredrik Strömberg

Sep 21, 2015, 4:48:39 PM
to qubes...@googlegroups.com
Thanks. I've already inquired with Purism on Twitter, and got a very
reassuring response:

"""
Our hardware was specified from QubesOS developers, and we have been
actively involved for over a year with Qubes https://t.co/4rcRXer3AW

Our hardware has not been certified by Qubes yet, but that is only
because we haven't shipped Qubes the Librem 13 units yet, we will be
doing that within the next two weeks. We have two units for them.

We are beginning the process of working with QubesOS and PureOS, so if
there is any support that is currently missing it will be added very
shortly.

Both ITL/Qubes and Purism are devoted to getting QubesOS certified on
Librem laptops. If you order now, you will be within our first bulk
order, so you will receive the units within 3 weeks.
"""

I wanted a confirmation from Qubes devs that they are still committed
to supporting it completely, since I was planning on ordering all the
laptops in one batch. However, we just decided to order one for
testing first, so not as big of a risk :)

I love the Purism initiative. I really hope they succeed.

Cheers,
Fredrik

Radoslaw Szkodzinski

Sep 25, 2015, 10:33:39 AM
to qubes...@googlegroups.com
On Mon, Sep 21, 2015 at 10:48 PM, Fredrik Strömberg
<stro...@mullvad.net> wrote:
> I love the Purism initiative. I really hope they succeed.

They cannot truly succeed until Intel opens Management Engine code,
SINIT blob, microcode, memory initialization code and more...
Coreboot on its own is not enough.
http://www.coreboot.org/Binary_situation

That would probably open a whole can of worms related to security
which then would have to be patched, of course.

For now, the best solution would be to try to get Librem to make an
AMD-based laptop and test Qubes on it.

Best regards,
R.

Jeremias E.

Sep 25, 2015, 1:32:08 PM
to qubes-devel


On Friday, 25 September 2015 16:33:39 UTC+2, Radosław Szkodziński wrote:
> On Mon, Sep 21, 2015 at 10:48 PM, Fredrik Strömberg
> <stro...@mullvad.net> wrote:
> > I love the Purism initiative. I really hope they succeed.
>
> They cannot truly succeed until Intel opens Management Engine code,
> SINIT blob, microcode, memory initialization code and more...
> Coreboot on its own is not enough.
> http://www.coreboot.org/Binary_situation

They can succeed starting a movement, which has an economical impact.
If Intel sees there is a market they want to be part of it, because they want to
make money.

A good example for such a movement is the Fairphone.
The first Fairphone was for enthusiasts, but not a real competitor on the mobile phone market.
The Fairphone 2 is a real competitor to other mobile phones.

> That would probably open a whole can of worms related to security
> which then would have to be patched, of course.
>
> For now, the best solution would be to try to get Librem to make an
> AMD-based laptop and test Qubes on it.

Is a nice technical and economical idea, because AMD will maybe help to
build such a platform.

> Best regards,
> R.

cprise

Sep 25, 2015, 2:45:11 PM
to Radoslaw Szkodzinski, qubes...@googlegroups.com
On 09/25/2015 10:32 AM, Radoslaw Szkodzinski wrote:
> On Mon, Sep 21, 2015 at 10:48 PM, Fredrik Strömberg
> <stro...@mullvad.net> wrote:
>> I love the Purism initiative. I really hope they succeed.
>
> They cannot truly succeed until Intel opens Management Engine code,
> SINIT blob, microcode, memory initialization code and more...
> Coreboot on its own is not enough.
> http://www.coreboot.org/Binary_situation

At some point the question becomes philosophical and less practical. The
firmware can be said to 'belong' to the CPU, and the CPU hardware itself
isn't open at all. The firmware and hardware both contain logic and I'm
not sure it means anything to be able to audit the firmware only. So the
CPU remains a 'black box' that must be trusted, whether you include
firmware in that definition or not.

There are probably many, many quirks in the hardware that could interact
in an 'unfortunate' way with perfectly tuned, innocent firmware or
software.

>
> That would probably open a whole can of worms related to security
> which then would have to be patched, of course.
>
> For now, the best solution would be to try to get Librem to make an
> AMD-based laptop and test Qubes on it.

I hear that AMD has mobile CPUs with IOMMU now. So that sounds like a
great idea to me, given the circumstances...
http://hardware.slashdot.org/comments.pl?sid=7271031&cid=49491993

>
> Best regards,
> R.
>


Radoslaw Szkodzinski

Sep 26, 2015, 8:02:39 PM
to qubes-devel
On Fri, Sep 25, 2015 at 7:32 PM, Jeremias E. <j.ep...@openmailbox.org> wrote:
>
>
> On Friday, 25 September 2015 16:33:39 UTC+2, Radosław Szkodziński wrote:
>>
>> On Mon, Sep 21, 2015 at 10:48 PM, Fredrik Strömberg
>> <stro...@mullvad.net> wrote:
>> > I love the Purism initiative. I really hope they succeed.
>>
>> They cannot truly succeed until Intel opens Management Engine code,
>> SINIT blob, microcode, memory initialization code and more...
>> Coreboot on its own is not enough.
>> http://www.coreboot.org/Binary_situation
>
>
> They can succeed starting a movement, which has an economical impact.
> If Intel sees there is a market they want to be part of it, because they
> want to
> make money.

Actually, this is not the first laptop based on open firmware and
software. Gluglug/Minifree did that quite a bit of time ago with
their Libreboot, even FSF certified. Nobody cares, sadly.
Librem likely will fail too for the same reasons - ideology is not
enough, and they are even worse at it technically-wise.

On the other hand, having a more secure laptop is a tangible benefit.
Without backdoors, with fewer bugs, audited firmware, perhaps even
partially audited hardware.

Maybe even make it easier on the designers, produce a server platform
matching those requirements - there's more of a market.
Google might even get in, as they are known to use a lot of customized
firmware and even hardware. I think they used to support Coreboot
itself.
They might have stopped caring about this though.

> A good example for such a movement is the Fairphone.
> The first Fairphone was for enthusiasts, but not a real competitor on the
> mobile phone market.
> The Fairphone 2 is a real competitor to other mobile phones.

Having competitive hardware or design is not the same as being a competitor.
Try this argument again when it's actually a competitor to, say, any
iPhone. At least in top 10.

By the way, Fairphone 2 is a nice story for uninformed people, about
on par with Librem.
I approve of their other efforts, but it's nowhere near enough or
close to what's necessary.

The critical component, Qualcomm 801 chipset, will be running a
proprietary microkernel with proprietary RF firmware, proprietary DSP
code and more.
Good luck getting Qualcomm to open that - they are quite hostile to
any of those efforts.

Again, poor choice of an architecture and a very tough nut to crack.
(For instance, Marvell is way more open and much less hostile.)

>> That would probably open a whole can of worms related to security
>> which then would have to be patched, of course.
>>
>> For now, the best solution would be to try to get Librem to make an
>> AMD-based laptop and test Qubes on it.
>
>
> Is a nice technical and economical idea, because AMD will maybe help to
> build such a platform.

I wouldn't quite count on it, though they seem to be expanding their
open source drivers effort which bodes somewhat well.

That said, their GPUs still require a few fat, complex firmware blobs
- fortunately Qubes is pretty good at scraping GUI and enforcing
separation thereof.

P.S. If we're talking about pie in the sky designs:
Probably the best design for an OS like Qubes would be to have
separate small CPUs instead of many cores, with separate RAM and
memory controller. Maybe even an integrated GPU each to run OpenGL.
Multiple USB controllers and hubs to simplify hardware redirection.
Multiple small flash drives or even chips. Expensive, power intensive,
hard to cool and large though.

Think a tiny cluster of mostly separate PCs, connected via an
extremely fast bus, such as HyperTransport. NUMA considerations would
be less important here as the CPUs with their associated memory would
be dedicated to a VM and the support exists in both Xen and Linux
anyway.

--
Radosław Szkodziński

visibil...@gmail.com

Dec 8, 2015, 5:06:07 PM
to qubes-devel
Purism announced a partnership with Qubes OS today -- Librem laptops will ship with the option of Qubes OS preinstalled at no additional charge. This begins a partnership to develop a more secure and easier to use security and privacy-focused computer to resist today's cybersecurity threats and hacking attempts.


Conventional security approaches such as antivirus and malware detection programs are no longer enough to keep out sophisticated attackers. Qubes OS isolates the operating system’s components allowing for a more optimal security model than Microsoft Windows or Apple OSX can provide.


https://puri.sm/posts/purism-partners-with-qubes-security-focused-hardware-and-software-together/

Purism Partners with Qubes, Security-Focused Hardware and Software Together


Purism partners with Qubes, with the combined goal of offering Purism’s freedom-focused hardware bundled together with Qubes’ security-focused operating system


DECEMBER 8, 2015— SAN FRANCISCO, CA— In the midst of growing concerns about identity theft, Internet privacy, cybersecurity and digital rights, Purism, maker of the privacy, security, and freedom-focused Librem laptops has announced a partnership with the security-focused operating system Qubes OS, to ensure users are as protected from modern-day security threats as possible. This partnership will continue to evolve to push security for users in a positive direction within the hardware manufacturing process.


Qubes OS provides security through “compartmentalization.” If a user’s browser is compromised while visiting a website, for example, the attacker does not gain access to other information or programs on the system, such as sensitive documents, passwords, photos or personal data.


Conventional security approaches such as antivirus and malware detection programs are no longer enough to keep out sophisticated attackers. Qubes OS isolates the operating system’s components allowing for a more optimal security model than Microsoft Windows or Apple OSX can provide.


In addition, Qubes comes with Whonix-powered Tor integration, enabling the user to easily route network traffic through the Tor anonymity network. Given these features, combining Qubes with Purism Librem laptops is a natural fit – and users will benefit by being able to order Qubes OS preinstalled on the Librem 13.


“We are pleased to partner with the Purism team both in offering a certified Qubes OS laptop today, and in the future improving the functionality and security of Purism laptops to ensure that users can have the best of freedom, security and privacy in one convenient package,” said Joanna Rutkowska, well-known security researcher and founder of the Qubes OS project.


“We are ecstatic about the partnership between Purism and Qubes so we can bring together our goals of privacy, security and freedom in hardware with the best approach in software security. This union represents the ideal approach to protecting users by default, without sacrificing convenience or usability,” said Todd Weaver, CEO of Purism. “Qubes OS is a natural fit with the Purism Librem laptops in both functionality and ideology.”


The Librem: Privacy-Respecting Hardware


Purism’s goal with the Librem laptop is to offer a high-end computer with a simple, out-of-the-box, privacy-enhancing experience. The Librem laptop computer features privacy “kill switches” to physically shut off the camera, microphone and data connection, deterring data thieves, spies, cyberstalkers and hackers.


Librem 13:


The new Librem 13 is now shipping. It can be ordered at https://www.crowdsupply.com/purism/librem-13, for a base price of $1649 US, including Qubes OS.

Orders are shipped on a first-come, first-served basis in the order they were received. There is an additional shipping charge of $80 for orders outside the USA.

CrowdSupply will accept all forms of international currency including Bitcoin.


About Qubes OS:


Qubes OS is a security-oriented free and open source operating system for personal computers. Recognizing there can be no perfect, bug-free computing environment, Qubes aims instead to secure typical workflows through controlled interaction and minimize the attack surface for adversaries through compartmentalization.

Its architecture is built to enable a user to define different security environments or “domains” on their computer based on their threat model and manage their interaction with each other. This allows the user to control the level of access an application has to other information, protecting confidential work both from compromise and from exfiltration.

It can run Debian, Fedora, Whonix, and even Windows-based applications within this environment. For more information, visit: https://www.qubes-os.org


About Purism:


Purism’s goal is to manufacture secure, freedom, and privacy-respecting computers. Leading the way in protecting your digital life by making security and privacy simpler and easier-to-use by default. Purism is devoted to providing the highest quality hardware available, with the goal that the user’s data is kept private and is secure from hacking, malware, spyware, identity theft and other threats that cannot be prevented with antivirus or malware detection alone. Purism is based in San Francisco, California, and its products are assembled in the United States from components manufactured and sourced internationally. Privately held and privately funded, Purism has raised nearly $842,000 to date solely with crowd funding, making the Librem laptops one of the top three most successful crowd funded PC hardware projects in history, according to ZDNet, and the #1 crowd funded hardware project on Crowd Supply.


Press Contact


Giselle Bisson, Director of Communications, Purism Computer
415.655.1050
giselle...@puri.sm
https://puri.sm


Michael Carbone
mic...@invisiblethingslab.com
https://qubes-os.org

TimW

Dec 9, 2015, 12:43:48 AM
to qubes-devel, visibil...@gmail.com
If Google, selling in the millions of Intel CPU units, could not get Intel to open up its software, no one will be able to, and certainly not some tiny crowd source at best pushing unit numbers in the low thousands. I doubt it's reasonably possible to even make a true open source PDA phone or PC with reasonably current tech (last few years), and that is speaking only of firmware, not even getting into chip logic. Maybe once we can have silicon 3D printers that can print silicon chips we could get there. You have to open everything up from chip manf on up to have completely open source HW devices. I wonder if Intel themselves could even fully model their current chips.