Purism Powers Librem Laptops With Firmware And OS Verification Via Heads

The company Purism, known for its Librem laptops and smartphone, has announced that it will provide its laptops with firmware and OS verification via the open source firmware Heads, in collaboration with security researcher Trammel Hudson.

The partnership between Hudson and Purism was previously announced, the company now reports that the integration of Heads in its Librem laptops with a trusted platform module has actually been successful. This should allow users to exercise control over the boot process by viewing and modifying the code themselves. Using the rpm it should be possible to determine whether a malicious person has made changes to the system, for example in the form of a rootkit.

The integration, Purism said, required changes to the hardware design, as well as adjustments to uefi alternative coreboot and the operating system. The installation of Heads is not easy and requires taking apart a laptop. In addition, there is a risk of bricking the device. Once the installation is successful, users can use a totp code and an authentication app to verify that no changes have been made to the system during the boot process.

Hudson describes Heads as the counterpart of the Linux distribution Tails. Unlike Tails, his project would come in handy when users need to store data on the system itself. He writes, “Heads is an open source custom firmware and OS configuration for laptops and servers that aims to provide slightly greater physical security and protect data on the system.” According to Hudson, whether these adjustments are useful depends on the threat model, or threat model, of the individual user. Purism previously went on to largely disable Intel’s Management Engine on its laptops.

Hudson’s 2016 CCC Presentation on Heads