For most Linux desktop users who want a ready-to-run Linux laptop, I recommend the latest high-end Dell XPS 13. I can also suggest System76 or ZaReason PCs or laptops for those who want top-of-the-line Linux hardware. But if privacy, security, and free software are at the top of your "Want" list, then you should check out Purism, maker of free software and Linux-powered laptops, and its next-generation Librem 14 laptop.
This newest model, which is scheduled to ship in early Q4 2020, comes with the following hardware:
- Screen: 14-inch matte 1920×1080
- CPU: Intel Core i7 10710U, 6 cores and 12 threads
- RAM: up to 64GB
- GPU: Intel UHD Graphics
- Network: Wi-Fi and Gigabit Ethernet card with built-in RJ45 connector
- Storage: 2 x NVMe-capable M.2 slots
- External monitor support: two displays via HDMI and USB-C
- Power: USB-C power delivery besides a standard barrel connector
Its default low-end configuration with 8GB of RAM and a 250GB drive is available for pre-order now with an "early bird" base price of $1199. Later, the same model will, it appears, sell for $1,499.
But you're not buying a Purism laptop for its price or hardware specs as you might any other computer. You're buying it because it puts security and free software first. It starts with PureBoot.
This disables part of the Intel Management Engine, so only the essential code for your PC to boot is left. For the BIOS firmware, it uses Coreboot, a free software BIOS replacement.
The laptop, and other Purism hardware, also comes with a Trusted Platform Module (TPM) chip. This is used by Heads, Purism's tamper-evident boot software that loads from within Coreboot and uses the TPM and the user's own GPG keys to detect tampering within the BIOS, kernel, and GRUB config. You can use this with the company's two-factor authentication Librem Key, a USB security token. This works with Heads to alert the user to tampering with an easy "green light good, red light bad" alert.
Heads is an open-source computer firmware and configuration tool that aims to provide better physical security and data protection. It's built on Trammell Hudson's Heads security firmware. This firmware combines physical hardening of hardware platforms and flash security features with custom Coreboot firmware and a Linux boot loader in ROM.
While still not a complete replacement for proprietary AMD or Intel firmware blobs, Heads -- by controlling a system from the first instruction the CPU executes to full boot up -- enables you to track steps of the boot firmware and configuration.
Once the system is in a known good state, the TPM acts as a hardware key to decrypt your LUKS encrypted drive. Additionally, the Xen hypervisor, Linux kernel, and initial ramdisk (initrd) images are signed by user-controlled keys.
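To make the "known good state" idea concrete, here is an added example (not code from Purism or the Heads project) that models measured boot in Python: each boot stage is folded into a PCR-style hash chain, and a secret is released only when the chain matches the value it was sealed to. The `ModelTPM` class, the stage names and the key are assumptions constructed for illustration; a real TPM enforces this in hardware.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(stages) -> bytes:
    """Fold each boot stage, in boot order, into one PCR that starts at zero."""
    pcr = bytes(32)
    for _name, blob in stages:
        pcr = extend(pcr, blob)
    return pcr

class ModelTPM:
    """Software stand-in (assumption) for a TPM sealing one secret to a PCR."""
    def __init__(self):
        self._sealed = None

    def seal(self, secret: bytes, expected_pcr: bytes) -> None:
        self._sealed = (secret, expected_pcr)

    def unseal(self, current_pcr: bytes):
        """Release the secret only when the measured state matches the seal."""
        if self._sealed is None:
            raise RuntimeError("nothing sealed")
        secret, expected = self._sealed
        return secret if hmac.compare_digest(current_pcr, expected) else None

# Constructed sample boot chain; names and contents are illustrative only.
GOOD_BOOT = [
    ("firmware", b"coreboot-rom-build-A"),
    ("kernel", b"vmlinuz-build-A"),
    ("initrd", b"initrd-build-A"),
    ("grub-config", b"linux /vmlinuz root=/dev/mapper/crypt ro"),
]

def tampered(stages, name, new_blob):
    """Return a copy of the chain with one stage's contents replaced."""
    return [(n, new_blob if n == name else b) for n, b in stages]

def try_unlock(tpm: ModelTPM, stages):
    """Measure the chain that actually booted, then ask the TPM for the key."""
    return tpm.unseal(measure_boot(stages))

if __name__ == "__main__":
    tpm = ModelTPM()
    tpm.seal(b"constructed-luks-key", measure_boot(GOOD_BOOT))
    print("known-good boot:", try_unlock(tpm, GOOD_BOOT))
    changed = tampered(GOOD_BOOT, "grub-config", b"linux /vmlinuz root=/dev/mapper/crypt rw")
    print("modified GRUB config:", try_unlock(tpm, changed))
```

The same property cuts both ways: a legitimate firmware or kernel update also changes the measurement, so the secret has to be re-sealed against the new values afterwards.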
Purism's Debian Linux-based PureOS uses a signed, immutable root filesystem. With this, software exploits that attempt to gain persistence should be detected. While these improvements can't secure your laptop against every possible attack vector, they harden it against several known classes of boot process attacks.
PureOS is one of the few GNU/Linux distributions to be endorsed by the Free Software Foundation (FSF). PureOS earned this, according to Donald Robertson, FSF Licensing and Compliance Manager: "An operating system like PureOS is a giant collection of software, much of which in the course of use encourages installation of even more software like plugins and extensions. Issues are inevitable, but the team behind PureOS worked incredibly hard to fix everything we identified."
This Linux distro uses the GNOME desktop. Currently, PureOS uses the Firefox Extended Support Release (ESR) as its default web browser on PureOS 9 Amber. But the company is moving to the GNOME Epiphany web browser in its next release, PureOS 10 Byzantium. With both, Purism edits the programs to make them more free-software friendly and more secure.
To help lock down its applications, PureOS comes with some programs secured with AppArmor. This, like SELinux, is a Linux security system. It binds access controls to programs rather than to users, via profiles loaded into the Linux kernel. Purism also uses the Flatpak packaging system for extra security. Flatpak-installed programs, like Snap-installed ones, run in containers, so they can't interfere with each other.
Last, but not least, Purism's laptops come with hardware kill switches to physically disconnect the camera and mic and/or Wi-Fi and Bluetooth to keep snoopers away.
Those who are truly paranoid can use Purism's anti-interdiction services for added security in transit, to verify that a new laptop has not been tampered with during shipment.
Todd Weaver, Purism's CEO and founder, said: "I am beyond excited to see the Librem laptop journey arrive at the build quality and specifications in the Librem 14. This fifth version of our line is the culmination of our dream device rolled into a powerful professional laptop. We have invested heavily so every customer will be proud to carry our laptops, and the Librem 14 will be the best one yet."
I've been using Purism's Librem 15 myself over the last few months. This system, which comes with a 3.50GHz Core i7 Kaby Lake Processor, 8GB of RAM, and a 256GB SSD, has worked well for me. I'm sure that, for any user whose top requirements are security and free software, the new Librem 14 will make you happy, too.