Most active commenters
  • creshal(8)
  • dandelion_lover(3)
  • nextos(3)
  • throwaway7767(3)

←back to thread

Qubes OS will ship pre-installed on Purism’s security-focused Librem 13 laptop

(arstechnica.com)
154 points walterbell | 34 comments | 15 Dec 15 07:52 UTC | HN request time: 0.415s | source | bottom
Show context
INTPenis ◴[15 Dec 15 09:24 UTC] No.10736741[source]
Since I'm completely surprised by this project and very attracted to it I thought it was best to google around for some perspective. Found this http://www.pcworld.com/article/2960524/laptop-computers/why-...

Among other things. My first question was, is the hardware open? Couldn't find an answer to that.

Edit: Apparently revision 2 of Purism will possibly have Coreboot.

replies(3): >>10736758 #>>10736798 #>>10736827 #
1. creshal ◴[15 Dec 15 09:52 UTC] No.10736827[source]
The CPU uses proprietary, binary microcode blobs.

The graphics chip needs proprietary, binary firmware blobs.

The ethernet chip needs proprietary, binary firmware blobs.

The BIOS is a proprietary, binary firmware blob.

"Respects your freedom" my ass. The only difference to a whitebox laptop is marketing. Dell's or Lenovo's linux offerings are just as "free".

(And chromebooks with Coreboot are, technically, more free than both.)

replies(4): >>10736975 #>>10737206 #>>10739064 #>>10739904 #
2. dandelion_lover ◴[15 Dec 15 10:32 UTC] No.10736975[source]
They are not hiding it at all. Their goal is to achieve freedom in each of those components [0].

[0] https://puri.sm/road-to-fsf-ryf-endorsement-and-beyond/

replies(1): >>10737067 #
3. creshal ◴[15 Dec 15 10:56 UTC] No.10737067[source]
So they're selling vague promises. Getting everyone to open source their binary blobs (and the Librem has a lot) is highly optimistic at best.
replies(2): >>10737388 #>>10737977 #
4. nextos ◴[15 Dec 15 11:40 UTC] No.10737206[source]
Actually, a RockChip based Chromebook like C201 is completely free except for the 3D acceleration. Not even CPU microcodes. And it's dirty cheap.

I wonder why Purism didn't simply commission such a machine with the right 3D chip instead of going with a non-free and expensive option.

I would also love similar initiatives in the mobile space, but I reckon it is more challenging. Neo900 and Pyra are kind of cool though. And I'm hoping Jolla open sources Sailfish OS later this month or early new year.

replies(4): >>10737228 #>>10737541 #>>10740311 #>>10745038 #
5. creshal ◴[15 Dec 15 11:45 UTC] No.10737228[source]
> I wonder why Purism didn't simply commission such a machine with the right 3D chip instead of going with a non-free and expensive option.

Because they can sell the "expensive" option (which, for the OEM itself, isn't even too expensive) at a much higher premium.

> I would also love similar initiatives in the mobile space, but I reckon it is more challenging.

In the mobile space it would be an even bigger exercise in futility: There is no, and will never be, a baseband chip with a free firmware. The FCC made that pretty clear back in the OpenMoko days – use our NSA-approved proprietary blob or you'll never sell in the developed world.

replies(4): >>10737623 #>>10737654 #>>10737849 #>>10738650 #
6. dandelion_lover ◴[15 Dec 15 12:30 UTC] No.10737388{3}[source]
They are by far the best except for the Ministry of Freedom [0], which sell FSF-certified, but comparably slow laptops. And they admit that as I mentioned above.

Only after enough users is involved in freedom seeking, it can be possible to demand large companies to provide something we need. In my opinion, Purism do a lot in this direction.

[0] http://minifree.org/

replies(1): >>10737531 #
7. madez ◴[15 Dec 15 13:07 UTC] No.10737531{4}[source]
What things did they do beside marketing? What was achieved?
replies(1): >>10740819 #
8. revanx_ ◴[15 Dec 15 13:10 UTC] No.10737541[source]
Would love to know where you got this information from as in Chromebook C201 has no hardware blobs except for 3D acceleration.
replies(1): >>10737850 #
9. rtpg ◴[15 Dec 15 13:30 UTC] No.10737623{3}[source]
what's the story on OpenMoko? I have a hard time seeing the FCC directly saying something like that, and google isn't showing anything...
replies(3): >>10737905 #>>10739482 #>>10739568 #
10. Gregordinary ◴[15 Dec 15 13:38 UTC] No.10737654{3}[source]
The FreeCalypso project is working on free baseband firmware with an older TI Chipset. If I recall from their mailing list, which is fairly active, they have voice calls working now. It will of course not be a smartphone, and it'll be GSM only.

https://www.freecalypso.org/

replies(1): >>10737680 #
11. creshal ◴[15 Dec 15 13:43 UTC] No.10737680{4}[source]
How do they plan to get it FCC certified? Without FCC certification, it may not be legally used outside shielded testing environments.
replies(1): >>10737807 #
12. Gregordinary ◴[15 Dec 15 14:12 UTC] No.10737807{5}[source]
I'm actually not sure, recently joined the mailing list and have been passively monitoring.

Would it make a difference if the chipset being used was already used for a cellphone that was FCC certified? If I put DD-WRT on my router, do I need to re-apply for FCC certification? (Wondering)

replies(1): >>10737897 #
13. nextos ◴[15 Dec 15 14:22 UTC] No.10737849{3}[source]
But see how the Neo900 guys have worked this out. They isolate the baseband chip, and handle it as a threat, which is a very good model I think.
replies(1): >>10737907 #
14. nextos ◴[15 Dec 15 14:22 UTC] No.10737850{3}[source]
http://www.libreboot.org/docs/hcl/c201.html

Well, also the wifi requires a blob, but one can use small usb adapters sanctioned by FSF, and blobfree.

15. creshal ◴[15 Dec 15 14:30 UTC] No.10737897{6}[source]
I'm not sure whether the certification guidelines for wifi and cell devices are the same.

For Wifi it's surprisingly strict:

• Every antenna+transmitter configuration has to be certified separately (that's why Lenovo and other laptop vendors have Wifi card whitelists and refuse booting with uncertified chips installed).

• The software that directly drives the hardware must be certified to conform to the transmission power limits etc.

For DD-WRT and others neither is a problem, because the hardware combination has been certified by the router vendor, and DD-WRT uses the wifi chip vendor's firmware blob to drive the hardware, which is certified by the vendor.

replies(2): >>10738577 #>>10738715 #
16. ansible ◴[15 Dec 15 14:32 UTC] No.10737905{4}[source]
That was an attempt at a Linux-based phone before Android. It is very old (close to 10 years?).
replies(1): >>10738208 #
17. creshal ◴[15 Dec 15 14:32 UTC] No.10737907{4}[source]
It's a good model to limit the damage a hijacked baseband chip can do, yes. But it is still not "free".
18. chrsw ◴[15 Dec 15 14:45 UTC] No.10737977{3}[source]
You're right, Purism doesn't offer anything no one else offers at the moment. It looks like they're trying to grow a customer base then use that base as leverage when it comes time to negotiate with OEMs over features, open docs, open firmware, etc.

Since they're not at all transparent on the details about how they will actually achieve true Freedom on modern hardware, and since modern hardware IP is deeply entangled in patent and licensing issues, it's reasonable to be high skeptical of what's going on here.

Then again it can all be a scam which would render anything I just said irrelevant anyway.

19. rtpg ◴[15 Dec 15 15:18 UTC] No.10738208{5}[source]
Was more wondering about the accusation that the FCC shot down the effort. Google seems to show that it launched something, can't find any trace of controversy
replies(1): >>10738470 #
20. creshal ◴[15 Dec 15 15:58 UTC] No.10738470{6}[source]
The project itself didn't fail because it – that was just due to Android being more attractive by the time it was working –, but they never managed to opensource the baseband firmware for that reason.
21. lmns ◴[15 Dec 15 16:15 UTC] No.10738577{7}[source]
>DD-WRT uses the wifi chip vendor's firmware blob to drive the hardware, which is certified by the vendor.

At least for many Atheros-based chipsets they use ath9k instead of the vendor blobs.

22. throwaway7767 ◴[15 Dec 15 16:26 UTC] No.10738650{3}[source]
If someone were to develop an open-source replacement firmware for a baseband chip, the hardware project could use that chip but ship with the manufacturers firmware. It would then be on the users to reflash if desired. I doubt the FCC can do anything about that, people are already doing this with the TI Calypso replacement firmware.
replies(2): >>10738753 #>>10739407 #
23. throwaway7767 ◴[15 Dec 15 16:37 UTC] No.10738715{7}[source]
> Every antenna+transmitter configuration has to be certified separately (that's why Lenovo and other laptop vendors have Wifi card whitelists and refuse booting with uncertified chips installed).

Are you sure about that? The fact that not every vendor has such a lock suggests to me that there is no legal requirement for it.

24. creshal ◴[15 Dec 15 16:44 UTC] No.10738753{4}[source]
Oh, they cannot prevent you from installing the firmware… but if anyone catches you using it in the wild, you're in deep REDACTED.

E.g., If you're worried about the police monitoring your communications, giving them a perfectly legal reason to detain you is likely not your preferred course of action.

replies(2): >>10738951 #>>10739082 #
25. throwaway7767 ◴[15 Dec 15 17:17 UTC] No.10738951{5}[source]
Sure, but assuming there isn't a serious bug in the baseband causing other spectrum users grief, how likely is it that someone will check your phone's baseband for tampering?

If you're a person of interest, the police can come up with a better reason to detain you than this.

26. nickpsecurity ◴[15 Dec 15 17:34 UTC] No.10739064[source]
Open a few side windows, add one to basement, drill a tunnel to basement, balsawood for backdoor, ladder to hole in roof, and... now with brand new locks on front door. Shit, security and freedom have never been better. Sign me up!
27. jessaustin ◴[15 Dec 15 17:37 UTC] No.10739082{5}[source]
In this case we're not really worried about police monitoring. The police aren't magical, yet. If they're trying to surveil without the target's knowledge, and the first attempt fails, they'll try something else. If no electronic surveillance works, they'll find another way to investigate, or they'll prioritize other investigations. They really have no way to catch random people with unauthorized firmware, so long as that firmware generally follows FCC guidelines.

However it may be that other, less Constitutionally-constrained parties would have the ability to dragnet for nonstandard firmware to highlight people for more intense scrutiny. The police could use a parallel construction based on that. Then they could say that unauthorized firmware on a seized phone establishes some sort of criminal intent.

28. hackuser ◴[15 Dec 15 18:21 UTC] No.10739407{4}[source]
Here are a few possibilities I've come across:

* OsmocomBB (http://bb.osmocom.org/trac/)

* An old HN discussion: https://news.ycombinator.com/item?id=7064187

* OKL4, a hypervisor, is used widely in basebands. AFAICT It was developed by Open Kernel Labs and was open. It seems to have been acquired by General Dynamics and I don't know it's current status (does anyone know more about it?) (https://gdmissionsystems.com/cyber/products/trusted-computin...)

29. hackuser ◴[15 Dec 15 18:32 UTC] No.10739482{4}[source]
Some follow-on and related projects:

* GTA04 by OpenPhoenux (http://projects.goldelico.com/p/gta04-main/)

* Neo900 (http://neo900.org/)

* QTMoko (http://qtmoko.sourceforge.net/)

* SHR (http://shr-project.org/)

30. wawi ◴[15 Dec 15 18:46 UTC] No.10739568{4}[source]
The OpenMoko project sort of fizzog'ed, but you can get a good kick out of the OpenPandora (and new: OpenPyra) projects, which the GTA04/neo guys have helped along a bit, I think ..

http://openpandora.org/

31. yuhong ◴[15 Dec 15 19:35 UTC] No.10739904[source]
And the microcode is built into the CPU so skipping microcode updates would be useless.
32. drudru11 ◴[15 Dec 15 20:39 UTC] No.10740311[source]
They needed x86 virtualization. The cheaper ARM systems don't support that (yet).
33. dandelion_lover ◴[15 Dec 15 22:02 UTC] No.10740819{5}[source]
I am not sure whether you consider this marketing, but for me important things are (0) demonstrating the interest of customers in freedom, (1) explaining what's wrong with "ordinary" laptops to the public; increasing awareness in the media [0], and (2) working closely with QubesOS to make this system work on their laptops. Hardware switches are also very good.

And yes, it might be a scam. But might be not.

[0] (1) is being already done by FSF, but to me it looks like it's not enough.

34. madez ◴[16 Dec 15 15:55 UTC] No.10745038[source]
The Chromebook C201 is not offered in my country, i.e. Germany. Any ideas where to get it from?