PrivSec-dev/privsec.dev
1
0
Fork 0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-09-19 09:14:42 -04:00
Code

Change formatting

Browse Source 
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2024-06-10 12:10:43 -07:00
parent 82b0c9caca
commit 9ee97925cc
Signed by: Tomster
GPG Key ID: 555C902A34EC968F
1 changed files with 3 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
content/posts/knowledge/Laptop Hardware Security/index.md
View File

@ -145,27 +145,22 @@ Purism sells their laptops with PureBoot, a fork of Heads. It works in pretty mu
Let's go through some of their claims and contrast that agains reality. Let's go through some of their claims and contrast that agains reality.
--- > Claim: PureBoot can protect against firmware tampering.
Claim: PureBoot can protect against firmware tampering.
Reality: It cannot protect against firmware tampering as discussed in the [Heads](/#heads) section. Reality: It cannot protect against firmware tampering as discussed in the [Heads](/#heads) section.
---
Claim: They [disable the ME (setting the HAP field to 1), then wiping most of it with `me_cleaner`](https://puri.sm/learn/intel-me/). Claim: They [disable the ME (setting the HAP field to 1), then wiping most of it with `me_cleaner`](https://puri.sm/learn/intel-me/).
Reality: They only set the HAP field now, but you have to find that out through a [forum post](https://forums.puri.sm/t/librem-14s-me-disabled-but-not-neutralized/12238). Regardless, they crippled critical security features including the ones described in the [Intel CSME and AMD PSP](/#intel-csme-and-amd-psp) section. Reality: They only set the HAP field now, but you have to find that out through a [forum post](https://forums.puri.sm/t/librem-14s-me-disabled-but-not-neutralized/12238). Regardless, they crippled critical security features including the ones described in the [Intel CSME and AMD PSP](/#intel-csme-and-amd-psp) section.
--- > Claim: They are [not vulnerable](https://puri.sm/posts/pureboot-not-vulnerable-to-uefi-exploits-again/) to UEFI firmware vulnerabilities which lead to Boot Guard bypasses.
Claim: They are [not vulnerable](https://puri.sm/posts/pureboot-not-vulnerable-to-uefi-exploits-again/) to UEFI firmware vulnerabilities which lead to Boot Guard bypasses.
Reality: They referenced the LogoFail vulnerability where the firmware's image parser can be exploited to make the firmware run arbitary code despite of being verified by Boot Guard. In Purism's case, they do not even use Boot Guard to begin with, so there is no basic protection to even bypass. They are just vulnerable by design. Reality: They referenced the LogoFail vulnerability where the firmware's image parser can be exploited to make the firmware run arbitary code despite of being verified by Boot Guard. In Purism's case, they do not even use Boot Guard to begin with, so there is no basic protection to even bypass. They are just vulnerable by design.
--- > Claim: They have developed a special ["blob jail"](https://puri.sm/posts/intel-ax200-wi-fi-bluetooth-shipping-for-new-orders/) for their Wifi card.
Claim: They have developed a special ["blob jail"](https://puri.sm/posts/intel-ax200-wi-fi-bluetooth-shipping-for-new-orders/) for their Wifi card.
Reality: The "blob jail" is not special. It is an imitation of how the `linux-firmware` package works, and it only exists because they are refusing to ship firmware updates through PureOS. The blobs inside of the "blob jail" are not any more isolated than the blobs provided by `linux-firmware`. It is much more proper to just ship firmware for peripherals through the OS like normal distributions than shipping it through a boot firmware that requires manual updates. Reality: The "blob jail" is not special. It is an imitation of how the `linux-firmware` package works, and it only exists because they are refusing to ship firmware updates through PureOS. The blobs inside of the "blob jail" are not any more isolated than the blobs provided by `linux-firmware`. It is much more proper to just ship firmware for peripherals through the OS like normal distributions than shipping it through a boot firmware that requires manual updates.
---
The harshest reality of all, is that because of how much they have crippled hardware security, [Librem laptops are at HSI level 0](https://www.fwupd.org/lvfs/hsireports/device?host_vendor=Purism&host_family=Librem+14&host_product=Librem+14). You should avoid all Heads laptops and Purism products. The harshest reality of all, is that because of how much they have crippled hardware security, [Librem laptops are at HSI level 0](https://www.fwupd.org/lvfs/hsireports/device?host_vendor=Purism&host_family=Librem+14&host_product=Librem+14). You should avoid all Heads laptops and Purism products.
### RYF and the Illusion of Freedom ### RYF and the Illusion of Freedom