Announcing the PureBoot Bundle: Tamper-evident Firmware from the Factory, Next TGP

Kyle Rankin

Chief Stability Officer
PGP ID: 0xB9EF770D6EFE360F
Fingerprint: 0DFE 2A03 7FEF B6BF C56F73C5 B9EF 770D 6EFE 360F
Librem Social
Announcing the PureBoot Bundle: Tamper-evident Firmware from the Factory, Next TGP

Most up-to-date posts by Kyle Rankin (see all)

We have been promoting the added benefits of our PureBoot tamper-evident firmware with a Librem Important for some time, but right until now our laptops have delivered with typical coreboot firmware, that did not include things like tamper-evident attributes. To get tamper-evident characteristics, you had to reflash your Librem laptop with PureBoot firmware right after the actuality, using our typical firmware update method. Just one of the greatest worries for most men and women utilizing PureBoot was the preliminary setup process–but several folks might  discover installing an OS demanding too.

The finest way to solve this challenge is for us to do the setup for you–and that is what we are joyful to announce these days.

When we will even now default to our common coreboot firmware, setting up these days, if you purchase a Librem laptop computer and decide on the “PureBoot Bundle” possibility for the firmware, you can select to have PureBoot mounted and configured at the manufacturing facility. The PureBoot Bundle incorporates a Librem Important, as very well as a “Vault” USB push that will contain the GPG public vital we created at the manufacturing facility. You can use the Vault generate later to store backups of GPG keys you generate and retailer them in a risk-free spot.

With the PureBoot Bundle, you will be able to detect firmware tampering and rootkits out of the box! Just unbox the laptop, plug in the Librem Important and flip it on–if the Librem Vital blinks environmentally friendly, your laptop is protected if it blinks crimson, it was tampered with in transit. Also, now that our Librem Keys are designed in the Usa following to our achievement center, we have even tighter control around the source chain for the most essential trusted element in this equation.

If you select a PureBoot Bundle, we will perform the next additional ways on prime of the common PureOS install process

  • Reflash the firmware with PureBoot
  • Factory-reset the Librem Vital and set default user and admin PINs
  • Create a new, distinctive GPG key on the Librem Crucial
  • Copy the corresponding GPG general public vital to a USB flash drive delivered with the notebook
  • Signal all of the files in /boot with this GPG crucial
  • Increase the GPG public vital to the firmware’s GPG keyring and reflash the firmware
  • Reset the TPM and established a default admin PIN
  • Store the known-fantastic firmware measurements in the TPM
  • Share a top secret in the TPM and Librem Vital to detect later tampering

When you get your PureBoot Bundle, you can straight away take a look at whether the firmware was tampered with through shipment. For an more demand, you can speak to us about our anti-interdiction services which, among other steps, ships the Librem notebook and Librem Vital separately.

We imagine you really should have complete control about your keys

When you have verified the integrity of the firmware, you can established new passwords and strategies on the Librem Important and TPM, deliver new GPG keys (or copy around GPG keys you currently have), and re-indicator all of the documents, all with keys underneath your manage, at any time.

We hope that, by location it up for you at the manufacturing unit, we can get this future-generation tamper-detection technology into far more customers’ hands. Everyone–not just hardcore geeks–deserves the peace of head of figuring out that their units are harmless from tampering and as opposed to with other safe boot programs, PureBoot presents you tamper-apparent firmware with no seller lock-in–you handle all of the keys.

To get the PureBoot Bundle, get a Librem 13 or Librem 15 and on the configuration webpage in the shop, pick “PureBoot Bundle” below the firmware choice.

Kyle Rankin