Purism adds open-source security firmware to its Linux laptop line

Purism, the Linux hardware vendor for users who want as much control as possible over their gear, has integrated Heads open-source CPU firmware into its PCs.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

If you really believe in having the most possible control over your computer and operating system, then Purism, maker of free software and Linux-powered laptops, is the company for you.

In its latest news, Purism announced that it has successfully integrated Trammel Hudson's Heads security firmware into its Trusted Platform Module (TPM)-equipped Librem laptops. Heads is an open-source computer firmware and configuration tool that aims to provide better physical security and data protection.

Heads combines physical hardening of hardware platforms and flash security features with custom coreboot firmware and a Linux boot loader in ROM. While still not a complete replacement for proprietary AMD or Intel firmware blobs, Heads, by controlling a system from the first instruction the CPU executes to full boot up, enables you to track steps of the boot firmware and configuration.

Once the system is in a known good state, the TPM is used as hardware key storage to decrypt your drive. Additionally, the Xen hypervisor, Linux kernel, and initial ramdisk (initrd) images are signed by user-controlled keys. Purism's Linux-based PureOS uses a signed, immutable root filesystem, so any software exploits that attempt to gain persistence will be detected. While these improvements can't secure your laptop against every possible attack vector, they harden it against several known classes of boot process attacks.
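
A simplified model of the measure-then-unseal flow described above, as an added example that is not Heads or Purism code. It assumes a single SHA-256 PCR; the stage names, `ToyTPM` and `try_unlock` are hypothetical, and a real TPM enforces the release check in hardware.

```python
import hashlib
import hmac

# Constructed stand-ins for the boot stages the article lists; not real images.
GOOD_CHAIN = [b"coreboot-rom", b"heads-linux-payload", b"xen", b"linux-kernel", b"initrd"]

def extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(blob)). A PCR can be extended, never set."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()

class ToyTPM:
    """Models only PCR extension and the seal/unseal policy check (assumption)."""

    def __init__(self):
        self.pcr = bytes(32)   # all-zero reset value at power-on
        self._sealed = None

    def boot(self, chain):
        """Reset the PCR, then measure every stage in boot order."""
        self.pcr = bytes(32)
        for blob in chain:
            self.pcr = extend(self.pcr, blob)

    def seal(self, secret: bytes):
        """Bind the secret to the PCR value of the current (known good) boot."""
        self._sealed = (self.pcr, secret)

    def unseal(self) -> bytes:
        if self._sealed is None:
            raise LookupError("nothing sealed")
        bound_pcr, secret = self._sealed
        # Release the key only if this boot measured exactly like the sealed one.
        if not hmac.compare_digest(bound_pcr, self.pcr):
            raise PermissionError("PCR mismatch: boot chain differs from sealed state")
        return secret

def try_unlock(tpm: ToyTPM, chain):
    """Boot with the given chain; return the disk key, or None if the TPM refuses."""
    tpm.boot(chain)
    try:
        return tpm.unseal()
    except PermissionError:
        return None

if __name__ == "__main__":
    tpm = ToyTPM()
    tpm.boot(GOOD_CHAIN)
    tpm.seal(b"constructed-disk-key")
    tampered = GOOD_CHAIN[:3] + [b"linux-kernel-modified"] + GOOD_CHAIN[4:]
    print("good boot:    ", try_unlock(tpm, GOOD_CHAIN))
    print("tampered boot:", try_unlock(tpm, tampered))
```

Because each extend folds the previous PCR value into the next hash, changing or reordering any stage changes the final value and the key stays sealed.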

In addition, Purism recently disabled the Minix-based Intel Management Engine. The company did this by using the open-source coreboot firmware. Purism also puts an end to any software snooping on your laptop by adding physical switches to your Wi-Fi, Bluetooth, webcam, and microphone so you can turn them off. Hackers can crack many things, but without their hands on your gear, they can't crack this.

"Your privacy is dependent on your freedom. We believe that having true privacy means your computer and data should be under your control, and not controlled by big tech corporations," said Todd Weaver, Purism's founder and CEO, in a statement. Weaver claims "Librem laptops [are] the most secure laptop you can buy."

Moving forward, Purism will now include the Heads-integrated TPM chip in all new Librem 13 and Librem 15 orders by default, as a standard feature of the newest hardware revisions shipping out this month.
