Purism: Second-class security in the Librem Mini - Golem.de

With Pureboot, the Linux hardware manufacturer Purism offers a secure and authenticated boot process designed to protect Librem computers from attacks. It relies on the open-source firmware Coreboot, the Heads payload, a TPM (Trusted Platform Module), and a Librem Key.

The components check the computer for changes when starting up. If the Librem Key blinks green, everything is fine. If it blinks red, the BIOS or the unencrypted boot partition of the Linux system has been altered, for example, if the computer was left unattended in a hotel room (Evil Maid attack). However, the NUC-like mini computer Librem Mini from Purism lacks the TPM and thus an important part of the security chain.

According to Purism, that is not a problem and may even be safer, as the company explained to us during our Librem Mini test. However, in a pull request in which Purism wants to integrate the TPMless approach directly into Heads, the approach is heavily criticized and the proposal rejected, because the security is not as comparable as Purism claims and instead allows relatively simple attacks.

Lead developer Thierry Laurion of the company Insurgo, which offers a secured Thinkpad X230 from Lenovo with the Privacy Beast, speaks of a "false sense of security" that the TPMless approach creates. In the discussion about such a Heads light, several developers are calling for this to be taken into account at least in marketing.

Purism advertises TPMless Pureboot as secure, but contradicts itself

However, on the product page of the Librem Mini and in the description of Pureboot, there is no mention of the missing TPM of the Librem Mini or the resulting reduced security. On the contrary, Pureboot without TPM is only promoted in the FAQ and in a blog post for older legacy laptops (not for the Librem Mini) that lack the corresponding security chip. It is stated that these would receive "an equivalent protection against manipulations".

During Golem.de's test of the Librem Mini, we noticed the missing TPM and asked Purism about it. At that time, Matt DeVillier, Firmware Developer at Purism, explained to us that one could argue that the TPMless approach might even be more secure, as the entire firmware is read and hashed.

But in the pull request, Kyle Rankin, CSO at Purism, writes that the aim is "to try to bring a certain level of protection to Heads on hardware that does not have a physical TPM". While the approach does not protect against targeted Evil Maid attacks, it does offer other security measures, such as detecting changes to the operating system's boot partition or "possibly detecting firmware changes from less sophisticated attackers".

But that is exactly not what one expects from a system promoted as an "easy check if the software on your device has been tampered with while you were away". That is roughly the definition of an Evil Maid attack: alterations by third parties to the physical device while you are not present.

Moreover, a simple and comparatively quickly executable attack scenario in the pull request demonstrates that the TPM-less Pureboot of the Librem Mini does not even protect against less sophisticated attacks.

To underscore the questionable security of the TPMless approach, Laurion has described a simple multi-step attack: It suffices for an intruder to start the Librem Mini and switch to the recovery shell by pressing 'r'. From there, a backup of the current firmware ROM can be created and saved on a USB stick.

Subsequently, the hash of the ROM can be determined, which in turn is used as a key for HOTP (HMAC-based One Time Password). With this HOTP key, a code is generated, which is compared with a Librem Key/Nitrokey. If both match, the security key flashes green, indicating that no changes have been made to the firmware.

In the described attack, however, the verification routine that determines the hash/HOTP key is simply replaced by the previously determined hash/HOTP key. Accordingly, the correct HOTP is still generated, but the firmware is no longer checked for changes. Thus, it can be supplemented with any malicious functions, up to skipping the verification of the boot partition. The only limitation is the limited storage space of the BIOS chips.
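
A simplified model of the two verification paths discussed here, added as an illustration (it is not code from Heads, Pureboot or the article). It shows why a green light proves nothing when the HOTP key is just the hash of a readable ROM, and how a secret sealed to a measurement behaves differently. SHA-256 as the ROM hash, the `ToyTPM` class, the sample ROM strings and a faithfully taken PCR measurement are assumptions of the model.

```python
import hashlib, hmac, os, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def led(token_key: bytes, code, counter: int) -> str:
    """The USB token only compares codes; it never sees the firmware."""
    ok = code is not None and hmac.compare_digest(hotp(token_key, counter), code)
    return "green" if ok else "red"

class ToyTPM:
    """Simplified PCR/sealing model (assumption), not a real TPM interface."""
    def __init__(self):
        self.pcr, self._blob = bytes(20), None
    def measure_boot(self, rom: bytes):   # PCR reset at power-on, then extend
        self.pcr = hashlib.sha1(bytes(20) + hashlib.sha1(rom).digest()).digest()
    def seal(self, secret: bytes):        # bind the secret to the current PCR
        self._blob = (self.pcr, secret)
    def unseal(self):                     # released only if the PCR matches
        return self._blob[1] if self._blob and self._blob[0] == self.pcr else None

GOOD_ROM = b"constructed ROM image: original"     # constructed sample data
CHANGED_ROM = b"constructed ROM image: modified"  # constructed sample data

def compare(counter: int = 1) -> dict:
    # TPMless: key = hash(ROM), a constant known to anyone holding a ROM copy.
    key = hashlib.sha256(GOOD_ROM).digest()
    honest = hotp(hashlib.sha256(GOOD_ROM).digest(), counter)  # re-measures ROM
    replayed = hotp(key, counter)  # changed firmware that embeds the constant
    # TPM-backed: random secret, released only for the measured-good state.
    tpm, secret = ToyTPM(), os.urandom(20)
    tpm.measure_boot(GOOD_ROM)
    tpm.seal(secret)
    def tpm_code(rom):
        tpm.measure_boot(rom)
        s = tpm.unseal()
        return hotp(s, counter) if s else None
    return {
        "tpmless_good": led(key, honest, counter),
        "tpmless_changed": led(key, replayed, counter),
        "tpm_good": led(secret, tpm_code(GOOD_ROM), counter),
        "tpm_changed": led(secret, tpm_code(CHANGED_ROM), counter),
    }
```

In the model, only the sealed-secret path turns the changed image into a red light; the TPMless path is green in both cases because the token checks the code, not the firmware that produced it.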

Finally, the modified firmware ROM must be flashed onto the computer with TPMless Pureboot - in our case, the Librem Mini - via USB stick, Laurion writes. This even works through the Heads GUI, as Pureboot does not support signature verification, as confirmed by Purism in response to Golem.de.

When the device is subsequently started, it gives a false impression of security: the HOTP code is generated and sent to the Librem Key/Nitrokey, which then blinks green. Everything seems fine, even though the firmware has been altered and the verification has been replaced. This is a relatively simple Evil Maid attack, which Pureboot/Heads should actually protect against. It does, if a TPM is installed.

'Without TPM, I would reflash the ROM before using my X230 laptop if I left it unattended,' writes Laurion. However, the TPM variant is not completely secure either, as emphasized by the Heads developers.

'TPM is not a miracle weapon, but another barrier'

Project founder Trammell Hudson did not speak up in the discussion. We contacted him and asked what he thinks of the TPMless approach. "TPM is not a silver bullet," he told us. Since there is no real hardware root of trust (like Bootguard or an onboard boot ROM as found in many ARM CPUs), an intruder with physical access could, for example, make hardware modifications unnoticed, bypassing many of the protections provided by Heads.

There are known hardware implants that interfere with the TPM (such as TPM Genie). There are also implants that can mimic the TPM; these can be found, for example, in the ANT catalog of the NSA. Nevertheless, the TPM is at least another barrier that attackers must overcome. Hudson is not a fan of the TPMless Heads implementation: even if a USB security key is used, it is never as tightly bound to the system as a TPM and can therefore be bypassed more easily.

Ultimately, there is simply - as everywhere - no absolute security, explains Hudson. Laurion agrees. Of course, there are also attack vectors on Heads or Pureboot with a TPM, for example via SHA-1 collisions, as the TPM 1.x chips used only support SHA-1. However, such attacks are much more complex: "We are talking about much more work than changing the content of a function under Heads, called secret_from_hash, with the calculated secret - which takes five seconds," says Laurion.

He criticizes that the vote revolves around marketing and economic interests, putting him in a peculiar situation. "I'm just trying to do what's best for the Heads project and global security in the Blobless world," writes Laurion.

Nitrokey also offers a computer similar to the Librem Mini, likewise without a TPM. Nitrokey consciously chose not to implement Heads in the NitroPC, CEO Jan Suhr told Golem.de. "Without TPM, we do not see any real security benefit from Heads compared to a BIOS or UEFI, as long as it is open source." To avoid creating false security expectations and to differentiate the TPM-less NitroPC from the Nitropads with TPM and Heads, Nitrokey offers the NitroPCs with Coreboot and Tianocore, Suhr said.

Purism between marketing and threat models

Confronted with criticism from the Heads developers, Matt DeVillier of Purism explained to us that protection against Evil-Maid attacks is not the main purpose of Pureboot. "Absolute protection against Evil-Maid attacks (even with a TPM) is not possible," DeVillier wrote to Golem.de. "Therefore, every user must define their own threat model and evaluate how the Heads/Pureboot solution fits into this model."

But why isn't the missing TPM addressed on the website? "In marketing, it is not common to focus on the features that a device does not have," explained DeVillier. He could not answer why they do not at least address the "slight weakening of security" described by him and Rankin, as it is not within his area of responsibility. This makes it difficult for Purism customers to select products based on their own threat model, while marketing promises security that is not always evident.

Summary
Purism offers a secure boot process called Pureboot for its Librem computers, utilizing Coreboot firmware, Heads payload, a TPM, and a Librem Key to protect against attacks. The absence of a TPM in the Librem Mini has raised concerns about security, with critics arguing that the TPMless approach may create a false sense of security. Purism claims that Pureboot without a TPM provides adequate protection, but critics highlight vulnerabilities, including a simple attack scenario outlined by developer Thierry Laurion. The attack involves manipulating the firmware-ROM to bypass security checks, demonstrating the limitations of TPMless Pureboot. Despite Purism's assertion that the TPMless approach is secure, critics emphasize the need for transparency in marketing and caution against overestimating its security capabilities.