Updated, 2/27/2018, 08:00am PT: Purism announced that, after almost a year of testing, it was able to successfully integrate the Heads firmware into its TPM-enabled and Coreboot-running Librem laptops. The open source firmware, which checks if someone has tampered with the laptops, allows users to freely inspect and customize the code. Purism also recently announced that all of its new Librem 13 and 15 laptops now include a TPM by default, so they all come with the Heads firmware by default, too.
Updated, 4/12/2017, 11:50pm PT: Article was corrected to specify that Trammell Hudson is only collaborating with Purism to integrate the "Heads" firmware into the company's laptops.
Purism, a startup that builds laptops with a focus on privacy and security, announced that Trammell Hudson, an infosec researcher known for creating the “Thunderstrike” exploits against Macs, will collaborate with the company to integrate his own “Heads” firmware project into Purism laptops to increase their anti-tampering security.
Heads Firmware
Heads is free (as in freedom) and open source firmware that runs in the computer’s ROM. It enables cryptographically signing the lowest levels of the system and protecting users against third-party modification.
Chipset features such as Bootguard, flash protection, and the Trusted Platform Module (TPM) are used to create a strong hardware “root of trust,” while also allowing users to install their own custom firmware.
“Purism’s Librem laptops are ideally suited for the philosophy of the Heads firmware project—Purism is manufacturing modern hardware designed to allow the users to have control of their own systems,” said Trammell Hudson, a well-known information security researcher and founder of the Heads project. “They are the only vendor that allows users to establish their own hardware root of trust with CPU features like Bootguard, and their support for Coreboot and Heads improves security by being open, auditable, flexible and measured,” Hudson added.
Fighting Rootkits
The development of Heads firmware has been influenced by previous research on rootkits and BIOS malware, as well as by research on protecting against Intel’s Management Engine, which itself has been called a rootkit.
Purism has already taken significant steps to disable Intel chipset features that would allow for any Intel-powered computer to be remotely controlled, but some of them can’t be removed completely without Intel’s help and accord.
Purism laptops also come with Coreboot (an EFI/UEFI open source alternative), which the company said it has already protected its customers against Vault7-related attacks that targeted EFI/UEFI firmware.
UEFI contains millions of lines of closed source code, which makes it harder to audit and more exposed to attacks. Coreboot has a much smaller attack surface due to its minimal code base that is only responsible for booting a system and not much else.
Purism currently offers two Skylake-based laptops and a Broadwell-Y tablet with an optional dock, all of which can be pre-ordered and should ship within the next few months. The devices run the company’s own privacy-friendly PureOS Linux-based operating system by default, but Qubes OS is also available as a free alternative.
