Find answers to Frequently Asked Questions:
Purism is a Social Purpose Corporation!
Purism, SPC is based in San Francisco, CA USA (Headquarters).
Purism finalizes assembly, quality control tests, and delivers all our hardware from our fulfillment center in Carlsbad, California, USA.
Purism has employees, contractors, and volunteers from around the world.
Through business negotiations we license reference designs and prepay for all the tooling, so that we can do small quantity fabrication, albeit at a higher per-unit price. It is not inexpensive, but it is possible! Purism’s founder, Todd Weaver, has built up these relationships for over a decade.
Have a look at Manufacturing and Sourcing information.
You can help by purchasing a Librem device and benefit from a more secure computing experience. You could also help us out with projects that we are currently working on as we are sometimes stretched thin. Finally, the easiest way would be to help answer questions in our community forums, engage with others that are considering Purism products, spreading the word about Purism, be willing to write in with bug reports or user experiences or donating time and/or money for our project. Another item would be to write a blog post about your experiences in switching to a Librem or to GNU/Linux in general. Send an email to info(at)puri.sm for questions, additional information or your willingness to be involved.
Short answer: Yes. See https://puri.sm/jobs/
Longer answer: Purism is hiring for a great number of positions, even more than are listed in our jobs section. If you are interested in any of the listed positions, or have an idea of a position you’d like to create within our organization, please send an email to hr(at)puri.sm with the following:
We offer various forms of compensation and roles, from volunteer, part-time, paid, or margin share. Please list what forms of compensation you require and are amenable to.
Yes, please reach out to ir(at)puri.sm (Investor Relations), and you will get a reply within 24 hours to discuss the opportunity.
See the policies page for our warranty, returns & refunds policy.
In the future we plan to expand our offer, so far Librem tablets, Librem servers, Librem desktops, and Librem routers are on our roadmap.
FLOSS stands for Free/Libre Open Source Software and is software with its source code available to the public and allowed to be modified, improved or whatever else users feel like doing do it. It grants you freedom.
A “Linux” operating system, properly described as GNU/Linux, is an operating system based upon the Linux kernel. The Linux kernel was created by Linus Torvalds initially for his own use during his years in college. It was used with the GNU operating system. GNU, created by Richard Stallman, is the entire operating system, minus the kernel. So, when people say “Linux operating system” they should be saying “GNU/Linux operating system”, or even a “GNU operating system”.
Both Torvalds and Stallman released their software to the world for free.
English language more often uses word “free” to describe something that is gratis – while it is true that all the software in FLOSS is gratis, it is not mandatory to be like that. The important part of FLOSS is that is has the liberty to be examined, learn about it, modify it to your needs without any restriction of copyright license which forbids you to use it as you want.
Often said it is “free as in freedom”.
No, not at all. There are many people that do in fact use GNU/Linux to program and develop applications for various operating systems (not just for Linux) but GNU/Linux is easily used by many people of all levels of computing skill.
PureOS is designed to be user friendly by utilizing one of the most popular desktop environments available called Gnome 3. Gnome 3 works well with both touch and traditional mouse and keyboard user inputs to allow for easy use. The Librem has well known traditional ports and utilizes off the shelf parts for easy replacement if something needs replaced.
Yes and no. No Windows applications will run natively on PureOS. However, some Windows applications can be run with an application called Wine. Please go to www.winehq.org to check on the availability of your program. Applications designed for Apple products can not run on a GNU/Linux based machine such as a Librem.
Additionally, you can also run Windows or Apple operating systems within our virtual box application, Boxes, which would allow you to run the applications that you need.
Please also note that Windows based programs run as non-free source/proprietary code and Purism can not offer a guarantee that your Librem will continue to be secure if you choose to install. We do not recommend doing this for your own privacy and security but you are welcome to as the Librem is your machine.
You don’t have to. There is also a “terminal” in Windows, Apple and Google machines as well but like those operating systems, complicated command lines are going away in favor of graphic user interface (GUI) focus. PureOS does have a terminal just like all Linux distributions but it is not needed in many situations for newer users.
All operating systems have their differences when comparing, for instance, a mobile operating system like Android to a computer focused one like Windows. Apple has differences from Windows as well. However, each operating system allows you to do the same or similar things – it may just be a different button to push or icon to click.
Web browsers, applications and file managers will all work in PureOS/Librem in ways that you are used to on other devices. They may look a little different than what you’re used to, but they will get you to the same place.
Yes! Our operating system, PureOS, has an app store called “Software” where many different applications are available giving you many additional gaming, productivity, video, graphics, and office choices.
Netflix, Hulu, and Amazon Prime distribute content with restrictive DRM technologies that Purism does not support natively through PureBrowser. However, there are other browsers that you are free to install if you choose to.
YouTube supports HTML5 and will play without additional input.
No, it does not, as these are major security issues. Most websites are switching to HTML5 due to these security issues. However, you can install an OS which supports this proprietary software, but have in mind that this is a bad security practice.
Often times when we think of an operating system we think of how it looks and feels. This is called the user interface or user experience. PureOS 3 uses a Graphical User Interface (GUI, also sometimes called “Desktop Environment”) called Gnome 3. Information on this user interface can be found here:
The same reasons you are concerned over unwanted people entering your property, peeping through your windows, or installing cameras in your house. These same physical rights apply directly to digital rights. You should not want unwanted people having access to your digital files, your photos, emails, website history, or your camera or microphone. Your home is your private life, your digital life should have the same rights and protections.
Properly used, Librem will make it by magnitudes harder to have data breaches compared to Windows and Mac OS X. It has integrated full disk encryption, all of the best GNU/Linux security practices, sand boxed applications, and hardened security features.
All threats are bonded a lot to user interaction with their device. Librem’s underlying software by default do not track or log your keypresses, location, software usage. Default operating system (PureOS) has app isolation (with Wayland) and SELinux enabled.
No. Quite simply, we will not show you advertisements nor do we care about mining your data. Your data, your pictures, your browsing history – that’s for you and you alone. We exist as a company because we personally wanted to have better control of our own data. And we think you do, too.
No! We hate those proprietary things! Your Librem will work with industry standards such as HDMI, USB, hardware after market parts and all software is free and libre. RAM, hard drives or solid state drives, batteries and power supplies are all “off the shelf” and available for purchase from online and big box stores.
Librem Key is a USB security token to make encryption, key management, and tamper detection convenient and secure. See here to learn more about what it does, its specs and to see purchase options.
The tamper-evident boot only works with our Heads firmware that runs on top of coreboot. We have not yet released a Heads ROM for our systems but we are working to beta test that right now before we release it to a wider audience.
We intentionally still allow users to boot even if Heads detects tampering. We do not want to lock people out of their own systems. That said, Heads is free software so you could modify it to have that behavior if you wanted to.
At the moment you could only register a Librem Key with one Heads ROM.
Yes, you can backup the GPG keys that you put on a Librem Key to a USB thumb drive or other backup. As far as the shared secret for tamper-evident boot, if you were to lose your Librem Key you could either skip tamper-evident checks until you got a replacement, or fall back to the 6-digit TOTP code + your phone.
The Librem Key does not currently support U2F, but we are looking into adding that feature into a future revision.
The Librem Key and Nitrokey Pro v2 have the same hardware and similar firmware, so yes, you can use Heads with Nitrokey Pro v2.
Nitrokey Pro v1 has older firmware and will not integrate with Heads.
But please understand we can provide support only for Librem Key and its integration with other Librem hardware.
The Librem name originated with the desire to make a truly freedom respecting laptop and phone. Libre is an adjective meaning “free, at liberty” and is used to distinguish it from gratis which means “free of charge”. Libre is used extensively in the GNU/Linux community to show that software is free in the sense that its source code is available as opposed to non-free software where the source code can not be viewed. Libre also translates easily to a variety of languages. The “m” was added to help it roll of the tongue.
The Librem runs PureOS as it’s operating system. This operating system is based upon the Linux kernel and is viewed by privacy and security experts as being incredibly secure. This is due to it being free software where the source code is available, meaning that people with proper technical skill can easily read, view and understand the language of the operating system. Operating systems that you are used to such as Windows and OS X are non-free and the source code is held by Microsoft and Apple. This non-free software, where the source code is not available in proprietary OSes makes it impossible to fully read and understand the computer language thereby making it impossible to fully know what your Microsoft or Apple based computer is doing or if it is secure.
We are working hard to bring down the price of the Librems. In fact, we were able to reduce the price of the Librem 13 in April 2016 by over $200! In the simplest terms, it is the sheer economics of supply and demand. As there is more demand for privacy respecting and secure computing, the price will come down because as we will be able to order more parts for our wonderful computers.
The truth is that we need capital in order to grow as a business. We are already working with thin margins. The benefits to supporting a privacy and security focused computer manufacturer are vast but the decision to help us is yours.
The HKS physically cut the power going to the microphone/webcam and the wifi/bluetooth radios in the device. There have been several cases where either big government agencies or nearby hackers have remotely accessed these devices to turn on computers or otherwise view or listen in through the microphone or web camera. Software solutions of turning the camera on and off can be easily bypassed. The HKS physically cut the electronic circuit to the accessory. No power, no work. When the switches are thrown the accessory is, quite simply, off, and can not be remotely turned back on.
This matters as a security feature and for your own piece of mind. No longer do you have to worry about private communications being recorded or someone looking back at you through the webcam. Parents can especially enjoy this feature to help protect their children.
The switch for the WiFi can be thrown and along with pulling out the ethernet cord will ensure you the convenience of true off line computing. Then when you want to use either the microphone/web camera or the WiFi/Bluetooth, simply return power to the accessory by turning the switch.
The outer shell is solid aluminum with a black anodized finish.
They were custom fabricated for us.
Yes, it is possible to order replacements for the wireless card, RAM, 2.5″ SATA drive and M.2 SSD, power adapter. Batteries are available within the USA, international shipment for batteries is on a case-by-case basis (due to carrier restrictions such as these).
Yes, just press ESC when Purism logo shows up and select your device to boot.
Yes, you can unscrew the back and add your own upgrades, like storage, RAM or wifi card.
Aluminium 2.5″ SSD mounting frame required for mounting 2.5″ disk is not included if you do not order 2.5″ disk, but you can purchase it from our web store.
While we are preloading PureOS which, alongside Parabola, Trisquel and few others, is the strictest of GNU/Linux distributions—we strip all binary blobs from the Linux kernel—you can easily install any less strict up-to-date GNU/Linux distribution, such as Fedora, Debian and Ubuntu. You can even install them alongside PureOS, and simply choose what OS to run from the boot screen.
We have not tried installing a non-GNU/Linux-based operating system, but the Librem is your computer, so you can do with it whatever you wish, even if that includes installing non-free Windows or other operating systems. We obviously don’t recommend this, but it is your computer to do what you wish with it.
Yes, with full disk encryption provided by our OEM system setup (PureOS). The first time you start your Librem laptop, you will have to setup the disk encryption passphrase. See here for the full setup procedure.
You can use Librem One services on any desktop, mobile or embedded platform with compatible software.
Native apps for Android are available on the Google Play Store and F-Droid. Native apps for iOS are available on the Apple App Store. Native apps for Librem hardware (including the Librem 5) are coming to the PureOS store soon.
You can also set up third-party software on any platform, including GNU/Linux, *BSD, macOS and Windows. Please refer to our documentation for details.
If you need to pick a client for your platform, the following guides and lists will help:
We are changing the landscape of digital rights, which includes changing the business model from the previous exploitative zero-price for all-your-data, to a nominal-price to retain your digital rights, data, and privacy.
Since not everybody can afford to pay, we do offer a free Librem One Basic account if you agree to strictly avoid products and services from big-tech that exploit you, lock you in, and control your data. If you agree to that, select the FREE option for Librem One Basic: Social + Chat service, and you can get a free account as a gesture of gratitude from Purism, SPC.
Yes! Librem One uses open standards, free software, and decentralized protocols for all our services; similar to email, you can communicate to anybody using the same protocols for chat, email, and social, this allows you to communicate across different domains.
Yes, you can buy an individual account or a Family Pack, and then download the bundle and have the persons sign-in using the account you created.
Currently you will install and setup the applications individually, in the future you will be able to just sign-up and then log-in during initial product setup and have all the services available by default.
Yes, we accept many forms of payment and even offer a free basic service, Librem One has no restrictions on geolocation or country, if your country has rules or regulations that limit service it is not due to Librem One restrictions.
Public data (Librem Social) is publicly visible to everybody. Private data (Librem Chat, Mail and Tunnel) is end-to-end encrypted and only visible to you and the intended recipient(s). If something is not Public and not Private, it is Temporary and is removed within 30 days (this includes unencrypted direct messages and unencrypted email). Any valid legal request for data (including so-called metadata) will be complied with. To learn more about your rights and seek legal representation, read our Stay Safe guide.
Basic tier users have a 1 GiB storage quota across all services. Complete tier users have a 2 GiB quota. If you exceed your quota, your oldest messages/posts will be deleted, until you are within quota again.
Once Librem Files and Librem Backup are released, you will be able to opt-in to a pay-as-you-go storage plan.
You can tunnel unlimited traffic from up to 10 devices.
Current upload limits are:
Your username needs to be valid across multiple existing and future protocols and services. So we permit only the “lowest common denominator”. That means no dot, underscore, accents, non-roman letters or emoji is allowed.
Note that most clients let you set your “display name” to anything you want.
You can do this with two accounts. For example, register
email@example.com for chat and social posts, and register
firstname.lastname@example.org for mail and tunnel services.
Multiple accounts also allow you to implement a separation of concerns. For example, you could have a business account, and a separate account when discussing a medical condition with your support network.
To protect your privacy, we do not store a mapping between accounts, except in the case of family packs where one user is financially responsible for multiple accounts.
Our registration system currently does not allow one to use the same recovery email address for a Purism Shop account and a Librem One account. In order to create a Librem One account you need to use a recovery email address that is different from the one you have used to buy something at shop.puri.sm.
Please confirm that you have subscribed to a Complete or Family Pack account. Then visit your profile page to activate your tunnel connection. Once you have done this, your Librem Tunnel client will work.
Please confirm that you have subscribed to a Complete or Family Pack account.
Librem Mail uses a Sender Framework Policy (SPF) which basically says: “Do not allow mail from email@example.com if it does not originate from a Librem One mailserver”. So if you try to forward your @librem.one mail via alternative mail providers it will probably fail. The same will happen if you try to forward your personal mail to your librem.one mail using a mail service that uses SPF. The librem.one mailserver will see that your personal mail is forwarded by an unauthorized mail server and block the connection.
Here’s a more extensive explanation of the problem (with possible solutions) for the tech savvy: https://tools.ietf.org/html/rfc4408#section-9.3.
Any illegal content or illegal acts should be reported to the appropriate authorities who are equipped to handle it.
Each of these services, all owned by Facebook, has a different set of steps for deletion. To delete your Facebook account, see the Facebook or WikiHow guide.
To delete your Instagram account see the Instagram or WikiHow guide.
To delete your Whatsapp account, see the WhatsApp or WikiHow guide.
Then sign up here!
On the macOS desktop you can use Thunderbird to encrypt email with OpenPGP. Read the EFF’s how-to on PGP for macOS.
There is no free software solution for OpenPGP on iOS today. You can still send and receive temporary messages from the Mail app. Native Librem Mail app for iOS is in our TODO list.
Librem Mail is a new email provider. Our server details are not yet recorded by Apple and unlike other clients, the Mail app doesn’t perform this lookup automatically.
No, we are a Social Purpose Corporation, which means we are bound by our articles of incorporation that clearly state we cannot exploit people and that we must put doing social good over maximizing profit.
Not day 1. However there is a lot of interest in including a isolation layer that will be able to power Android applications natively, the community can pool together and either implement that functionality, or we would need to run a new campaign for this specific feature (as the stretch goal for it was not met in our initial campaign).
For phone calls, email, web browsing, there will be no issues with switching, if you rely upon native applications that are not yet supported, you may need to use HTML5 applications (Social Media, News, Banking), or consider alternatives (e.g. Riot.im vs. Signal).
Yes, you will be able to use the phone as a storage device, that can show up on your computer by just plugging in the USB cable and viewing the folders. This will allow you to import or export files, photos, documents, with ease. With the Librem 5 there is no proprietary software that locks your files into proprietary formats, allowing easy sharing of the content you want to share.
Yes, you will be able to make regular unencrypted phone calls to any phone number. You will also be able to communicate securely by using the phone dialing application and messaging application, that can run on the Librem 5 phone, Android based phones, and iOS based phones, and any computing device.
The Librem 5 will be the most secure when communicating with another Librem 5 phone, communicating via an encrypted app on a Librem 5 to an Android or iOS encrypted app is the second best option available.
The Librem 5 is an open network phone, not locked to any particular network.
There are 2 possible modem choices:
Here’s the detailed list of bands supported:
|Gemalto PLS8||BroadMobi BM818|
Using frequencycheck.com, you can find your carrier under your country to see which bands are supported by them. However, keep in mind that not all of these bands may be available in your area.
To find out which LTE bands are available from cell towers in your area, you can look at cellmapper.net. Additionally, if you call your carrier they may tell you which LTE bands are available in your area but they also may not divulge this information.
Note that some carriers do not allow devices on their networks unless devices are approved by themselves.
Using the 3G/4G data+voice modem, the Librem 5 will work with most carriers; the carriers are the ones providing technological support for emergency services dialing.
Based on our testing: the CPU, GPU, Bootloader and all software will run free software, we are evaluating the WiFi and Bluetooth chips and their firmware, this is an area we have to evaluate, finalize, and test. The mobile baseband will most likely use ROM loaded firmware, but a free software kernel driver. We intend to invest time and money toward freeing any non-free firmware.
Quite likely, although we will not expend resources to test this.
Not likely, and we will not expend resources to test this.
Yes, all hardware Purism releases gets regular security and performance updates within PureOS.
Yes, any web based app will work through the browser. Over time these sites will either use progressive web applications, or could have a native app.
On the day of release we expect to have a fully working apps listed in the application compatibility chart.
Development will continue after release for other apps, like email client, camera app, etc. Some apps (like Lollypop and Fragments) are already announced to be available on our PureStore. Dozen others are to follow.
Librem 5’s operating system already supports a bunch of applications, almost everything that can run on a desktop computer can run on Librem 5 as well. See our showcase: week 1, week 2, week 3. But additional work is required to make those more usable on a phone size screen.
At delivery we do not plan to support the reader or renderer for these proprietary formats, but this is a top priority to solve after product delivery.
Yes, like all Purism products, the case itself will allow you to access the insides, and the battery will be modular and can be replaced with ease.
No, because CALEA applies to US based telecommunications providers, not to Purism. If the user of a Librem 5 phone uses a carrier in the US with a traditional “phone number”, that carrier must comply with CALEA for phone calls, as the phone call is sent over the carrier’s connection. Pure Matrix-to-Matrix calls are outside of CALEA requirements (Matrix nor Purism are telecommunications service providers). If the call touches the PSTN is becomes the carrier’s responsibility to adhere to CALEA. Matrix is an encrypted VoIP/messaging protocol not a telco.
The Librem 5 is not Intel-based, it is based on an i.MX 8M chipset, so we don’t need coreboot nor the Management Engine. The chipset will be completely free software without any binaries whatsoever!
Since Librem 5 is based on an i.MX 8M chipset, it is not vulnerable to either Meltdown nor Spectre.
Because we want to promote a pure and unified stack, not have a separate mobile OS with proprietary bits or a completely different middleware stack. We want to support the community efforts of GNOME, KDE and UBPorts, and allow for any GNU+Linux to work out-of-the-box providing mainline improvements that work not just on mobile but across the device spectrum. The Librem 5 is a new approach to use a regular Linux system and adopt it to mobile use-cases instead of creating a completely new system. We do not create a walled garden, instead we tear down these walls, creating an open utopia. A fully standards-based freedom-oriented system, based on Debian and many other upstream projects, has never been done before–we will be the first to seriously attempt this.
You can also learn more about our position on GNOME and KDE further below in this FAQ.
We will be working with GNOME/GTK, KDE/Plasma and Ubuntu Touch communities, and have partnered with the foundations behind them for the middleware layer. PureOS currently is GNOME-based and look forward to working with GNOME as an upstream as well as GNOME’s OS and design-centric development model; however we will also test, support, and develop with KDE and the KDE community, and of course we will support Qt for application development.
Learn more about the rationale behind this approach (part 1 and part 2).
We will test the capabilities of powering Anbox or Shashlik to allow users the ability to run Android applications within PureOS on the Librem 5, but our long-term goal is to utilize native applications that adhere to our strict philosophy. Enterprise clients or users who require Android applications may choose to to run a Android applications within an isolation container, so this is the reason for testing this type of configuration. We have a stretch goal to help with this developmental effort to have Android apps run in isolation.
Our intention is to have everything freed down to the schematic level, but have not cleared all design, patents, legal, and contractual details. We will continue to advance toward this goal as it aligns with our long-term beliefs.
No, we will not be shipping with any biometric hardware, the reasons for this is because single access via biometrics does not prevent access to your phone the same way a security code or lock does. The US Supreme Court has alluded to biometric access not protecting you the same way that a security code from memory (a security code) does (e.g. You can say “no” to a passphrase, or security code, but you cannot say “no” to biometric (physical) information). So even if in future models of the Librem 5 phone we do include biometric hardware, we will be double-locking it with a security code, to have the best security story we can for users.
To learn more about why biometric access is not good you can read this fine article here.
Not the first model, but there is some room for implementing this in one of the future models.
Not in the first model of the phone. We want to have a metal case and that is already a challenge with the three other antenna systems that we have to support: Cellular, WiFi/BT and GNSS (GPS…). NFC Antennas, likewise wireless charging, are pretty large. Last but not least they add another radio emitter which can cause additional EMC issues.
The hardware will support this, the software to do so may require developer community effort or take some additional time to include.
We are providing the hardware to do it, and will increment the software as we progress.
Librem 5 will have M.2 slot for a baseband module, so it is a potenital for “upgrade”. But when we first start shipping Librem 5 this probably won’t happen, as 5G is relatively new and still in testing.
CPU: NXP® i.MX 8M Quad core Cortex A53, 64bit ARM @max 1.5GHz (auxiliary Cortex M4)
GPU: Vivante GC7000Lite
RAM: 3 GB
Storage: 32 GB eMMC internal storage
External Storage: microSD (2TB max)
Screen: 5.7″ IPS TFT 720×1440
DAC: Wolfson Media WM8962
3.5mm jack: Yes (stereo out and mono microphone in)
FM Radio: No
Battery: 3,500mAh, user-replaceable
USB: USB C: USB 3.0 data, PowerDelivery (Dual-Role Port), video out (DisplayPort)
Buttons: Power, volume ± buttons
Kill Switches 3 – WiFi, Cellular, Microphone/Cameras (all 3 will turn off GPS)
Accelerometer: “9-axis” by ST, LSM9DS1 (gyro, accel, magnetometer)
Ambient light and proximity sensor: Yes (VCNL4040)
Back Camera: 13 Mpx with flash LED
Front Camera: 8 Mpx
Notification LED: Yes (RGB LED with PWM control per color)
Smartcard Reader: 2FF format smart cards (SIM card size)
Haptic Motor: Yes
Unfortunately, no. If you are worried about privacy, you can pay with bitcoin or monero.
Credit card, cryptocurrencies (Bitcoin, Monero, Litecoin, Dogecoin, Decred, Ethereum) and direct bank transfer. We also offer interest free monthly payment plans. You can select payment option during order checkout:
If you need any assistance or alternative options for payment, email payments(at)puri.sm for assistance.
Please note that for cryptocurrency or direct bank transfer it could take some time before we validate the payment.
If you want to change your payment option or you have issues with payments, send an email to payments(at)puri.sm and await further instructions.
In case you have other questions, send an email to info(at)puri.sm.
You can review your order by loggin-in to our webshop interface and go to your Account page orders section.
Our products are available on our online store. Getting the product into big box stores is something that is on the Purism road map.
Short answer: Yes.
Longer answer: We can ship pretty much anywhere, and offer free international shipping, but the customer is responsible for customs clearing/duties, and local taxation. International shipments may be subject to customs processing and additional charges, customs policies vary from country to country, therefore you should contact your local customs office for more information. When customs clearance procedures are required, it can cause delays in arrival. If you can normally order product from the U.S. and have it shipped to you, then you can order from Purism in the same manner.
By FedEX Ground in USA, and USPS Priority Mail International or DHL for international shipments. You can also pay for something faster, leave a note when ordering and contact ops(at)puri.sm. Email confirmation with tracking number is sent on the day of shipping.
Non-ECC. Because ECC RAM takes modifying the motherboard in addition to selecting a CPU that supports ECC.
TPM (Trusted Platform Module) is a special chip on a Librem laptop motherboard which provides some interesting security features. To best understand what it can do please read the following news articles from our blog, sorted by date:
The last link should be able to help you decide whether or not do you need it.
Note that the software part for TPM is in early alpha-stage (still in the testing phase) and once ready, we will provide instructions to compile, install, enable and set it up on a TPM-enabled Librem laptop.
The user completely controls any keys that are stored in the TPM on our hardware. Traditional understanding that manufacturer is in control of the master key stored in TPM is not true for our hardware. We don’t use it that way.
Coreboot is a free software (and open-source) replacement for proprietary BIOS. Librem laptops come with coreboot pre-installed. For more info about coreboot please read this tech page.
Libreboot is a downstream distribution (or fork) of coreboot which doesn’t allow non-free binaries (“blobs”), and only supports a small number of devices, the vast majority of which are over 10 years old. Libreboot also doesn’t “keep track” with coreboot; its most recent release is from mid-2016, whereas coreboot’s is late 2018.
Our coreboot firmware still has some blobs, as all modern Intel-based systems require them, but our our goal is to ship devices with blob-free coreboot. Since our devices are already working with completely free software, blob-free coreboot firmware would allow us to achieve FSF’s RYF certification for Librem laptops.
Our coreboot currently contains the following blobs:
* video initialization blob (VBIOS) — we’ve already made some progress on this front, and our next coreboot version might be shipped without it.
* memory/silicon initialization blob (FSP) — there are some rumors Intel might release source code for this, so our work on this is currently on hold.
* CPU microcode updates — microcode updates are uploaded to the CPU at boot time, which patch the built-in microcode and disables buggy parts of the CPU to improve reliability. In the past, these updates were handled by the operating system kernel, but on all recent Intel systems the system firmware is required to perform this task (though it can still be updated by the kernel after the fact).
* Intel Management Engine (ME) firmware — we disable and effectively neutralize this blob by removing most of its code and setting flags to disable the ME coprocessor at boot time.
No. We ship with the free software firmware coreboot. We don’t ship Librem 13 or Librem 15 with any proprietary BIOS/UEFI.
Most of our changes have been upstreamed and merged, there is very little difference and it’s mostly just for the most recent patches that we haven’t yet pushed.
The Intel Management Engine (ME) is a separate independent processor core that is actually embedded inside the Multichip Package (MCP) on Intel CPUs. It operates all-by-itself and separate from the main processor, the BIOS, and the Operating system (OS), but it does interact with the BIOS and OS kernel. It is a black box of mystery code at the lowest level, in ring -2, with complete control over every part of the system, and therefore presents a serious threat to your security and privacy, as it could be possibly exploited by a remote attacker to gain full access to your system. It is present on every post-2008 Intel CPU system.
Security is a game of depth, and Purism goes deeper than any manufacturer by avoiding blobs or mystery code in the top 4 layers of a computer: applications, operating system, kernel, and bootloader.
At the firmware level, we utilize Coreboot instead of a proprietary BIOS/UEFI, a huge advancement for current high-end laptops. Within Coreboot there is still some binaries: video initialization binary and Video BIOS. Our goal is to have them replaced with free software alternatives and we are making a slow but steady progress in this direction.
We are “as close to free software foundations respects your freedom as possible with current Intel CPUs” but are spending real money to advance that toward Coreboot binary freedom.
If you would like to try Qubes OS, you may purchase the installer on a USB Flash Drive. This option is an installer only, not a LiveUSB, and is only recommended for advanced users with a strong technical knowledge. Most users should stick with our default operating system, PureOS.
We do not offer Qubes OS pre-installed on our Librem devices, though Qubes OS runs well on our Librem laptops. It will not run on Librem smartphones — Qubes OS requires virtualization on the CPU and there is no port for ARM architectures.
Please direct all support questions pertaining to Qubes OS to the Qubes community.
We cannot share the schematics nor design currently because it is copyright encumbered from Intel reference designs. In the future, on future versions we plan to be able to release those.
No, this hardware requires proprietary firmware to even function, therefore not aligned with our philosophy. However, we are monitoring the development and will consider them if something changes in the future.
We hope to have a version of PureBoot available for the Librem 5 for users who want to verify it with a Librem Key. We cannot commit to it being available at launch but it’s a goal.
Standard 2.5″ slot supports SATA interface, disks are mostly cheap and available in larger capacities. For Librem laptops they require aluminum frame which holds them in place. Maximum disk height that will fit in Librem is 10mm.
M.2 supports SATA and PCIe interfaces. Both SATA and PCIe M.2 are very similar from the outside: they are smaller, compact and easier to install, compared to 2.5″ disks. To install one in a Librem laptop you only need one screw. Librem laptops support B+M keyed 2280 sized disks.
SATA M.2 disks do not offer speed improvements over 2.5″ SATA SSD disks.
PCIe M.2 disks using NVMe interface offer quite the speed improvement compared to SATA M.2 or standard 2.5″ disk.
For M.2 Purism offers:
* SATA disks (sequential read/write speeds: up to 550/520 MB/s)
* NVMe disks (sequential read/write speeds: max 3,200/1,900 MB/s)
* NVMe PRO disks (sequential read/write speeds: max 3,500/3,300 MB/s)
LUKS software disk encryption with standard setup (cipher: aes-xts-plain64, size: 256) is used.
Librem laptops come with PureOS with OEM setup, which pre-encrypts the disk but allows customer to set up their own disk encryption password. Boot partition is not encrypted but it can be verified with Librem Key (see PureBoot).
Librem Phone encryption is still work in progress.
We are using PureBoot.
Librem Tunnel utilizes OpenVPN.