Tag: Phones

Introducing the Librem Key

A few months ago we announced that we were partnering with Nitrokey to produce a new security token: the Librem Key and I’m pleased to announce that today the Librem Key is available for purchase on our site for $59.

What is a USB Security Token?

In case you haven’t heard of USB security tokens before, they are devices typically about the size of a USB thumb drive that can act as “something you have” for multi-factor authentication. With so many attacks on password logins, most security experts these days recommend adding a second form of authentication (often referred to as “2FA” or “multi-factor authentication”) in addition to your password so that if your password gets compromised the attacker still has to compromise your second factor. USB security tokens work well as this second factor because they are “something you have” instead of “something you know” like a password is, and because they are portable enough you can just keep them in your pocket, purse, or keychain and use them only when you need to login to a secure site.

In addition to multi-factor authentication, security tokens can also often store your private GPG keys in a tamper-proof way so you can protect them from attackers who may compromise your laptop. With your private keys on the security token, you can just insert the key when you need to encrypt, decrypt, sign, or authenticate and then type in your PIN to unlock the key. Since your private keys stay on the security token, even if an attacker compromises your computer, they can’t copy your keys (and even if you leave the key plugged in, they need to know your PIN to use it).

Why Make a Librem Key?

There are many other vendors out there who offer their own security tokens, so why make our own? The first reason is that few security tokens out on the market align with our values here at Purism, in particular with respect to freedom. I’ve explained in a previous post why freedom is essential to security and privacy and this is especially true for a device that is holding some of your most sensitive secrets. We wanted a security token that used open hardware, free software firmware, and free software user applications and that is why we partnered with Nitrokey to produce a security token that respected your freedom from the beginning.

We also wanted to make the Librem Key because of all of the integration possibilities with our existing products that would make customers more secure in a way that’s also more convenient. When you can bundle a security token with your own laptop and operating system, there are so many interesting possibilities, especially when the firmware and user applications are free software so we can easily modify them to add even more features.

In addition to the standard features of a security token (GPG key storage and multi-factor authentication) that the Librem Key can perform on any computer, here are some of the interesting integration options with our Librem laptops we are already looking into with the Librem Key that will make security much more convenient for users who are facing average threats:

  • Insert the Librem Key at boot and automatically decrypt your hard drive
  • Automatically lock your laptop whenever you remove the Librem Key
  • Use your Librem Key to log in

Provable Security, Made Easy

One of the most exciting opportunities the Librem Key opens up to us is in integrating with our tamper-evident Heads BIOS to provide cutting-edge tamper-evident security but in a convenient package that doesn’t exist anywhere else.

Currently with Heads, when you want to prove that the BIOS hasn’t been tampered with, you need to set up a TOTP application on your phone and scan a QR code from within Heads. Then at each boot you compare the 6-digit code Heads displays on the screen with the code in your phone. If the codes match, the BIOS is safe. This method works but is a bit cumbersome and with the Librem Key we can do better.

We have worked with Nitrokey to add a custom feature to our Librem Key firmware specifically for Heads. This custom firmware along with a userspace application allows us to store the shared secret from the TPM on the Librem Key instead of on a phone app. Then when Heads boots, if the BIOS hasn’t been tampered with the TPM will unlock its copy of the shared secret, and Heads will send the 6-digit code over to the Librem Key. If the code matches what the Librem Key itself generated, it flashes a green light. If the codes don’t match, it flashes a red light.

So if you are concerned about someone tampering with your computer when you aren’t around, just boot with the Librem Key inserted. If it blinks green you are safe, if it blinks red you’ve been tampered with. There is no other product on the market today that offers this kind of simple but strong tamper-evident protection, much less one that respects your freedom where the keys are fully in your control.

Even Stronger Anti-Interdiction Protection

The Librem Key opens up possibilities for even stronger anti-interdiction protection for customers who need it. We will be able to link a Librem Key with a laptop running Heads at our facility and then ship them separately. Then when each package arrives you can immediately test for tampering with an easy “green is good, red is bad” test.

Convenient Security for the Enterprise

Many companies have already incorporated 3rd party security tokens into their engineering teams as a way for software engineers to sign their code pushes securely or as convenient multi-factor token. The Librem Key offers enterprises a way to combine all of the other features they are used to with other security tokens along with our cutting-edge tamper-evident boot process on our Librem laptops in an easy and convenient package where all of the keys are fully under their control.

Since the firmware and userspace tools are free software, that means enterprises can also easily customize these tools to suit their own internal policies whether with their own software teams or by working with Purism. That could mean anything from providing a customized error page to employees when Heads detects tampering to actively preventing employees from booting a tampered-with machine.

Only the Beginning

Knowing that our customers have a secure and freedom-respecting security token opens up all sorts of other possibilities and today we are only scratching the surface on what we will be able to do with Librem Key both for new customers and those that have been with us from the beginning. Stay tuned for future posts where I will dive deeper into some of the Librem Key’s features and explain how to get the most out of it. In the mean time you can order your own Librem Key from the Librem Key product page.

Update: read more in our follow-up post explaining the interaction between the Librem Key and our coreboot+Heads BIOS replacement to learn more about how the tamper detection works.

Purism launches Librem Key, the first and only security key to offer tamper evident protection to laptop users

New OpenPGP smart cards now available for purchase on Purism’s website

SAN FRANCISCO, Calif., September 20, 2018 — Purism, the social purpose corporation which designs and produces popular digital rights respecting hardware, software, and services, has launched its new security token, the Librem Key, which is the first and only OpenPGP smart card providing a Heads-firmware-integrated tamper-evident boot process. The new Librem Key, built with Open Hardware USB OpenPGP security tokens from Nitrokey, can store up to 4096-bit RSA keys and up to 512-bit ECC keys and can securely generate them directly on the device. Librem Keys are now available for purchase on Purism’s website, with Librem laptops or as a single order. Librem Keys will be able to provide basic security token functions on any laptop, but have extended features that work exclusively with Purism’s Librem laptop line and other devices that support Trammel Hudson’s Heads security firmware. Read more

Librem 5 general development report — September 6th, 2018

Conferences

Some of the Purism team members attended Akademy 2018 in Vienna. This conference facilitated further discussions with KDE developers and it was nice to meet everyone in person!

There were also some team members that attended FrOSCon. Coming up, we have Todd presenting at AllThingsOpen, and Capitole du Libre where François and Adrien will be manning a booth (so be sure to stop by and say bonjour if you’re there).

Design

More improvements have been made to the shell mock-ups and those should be complete soon! Also some exciting new icons are on the horizon and we will use them early in our development builds and on the apps shipping with the phone; GNOME’s new icons are slated for inclusion in the 3.32 release in 2019.

Software Work

Images

Now the qcow2 images are archived as well as the raw image file. This makes the x86_64 VM image more accessible to those “can’t wait” to try things out today, or who haven’t ordered a development board. You can find the most recent builds and build artifacts here. See below for a demo of rotation in the qcow2 image. Also, a couple of packages have been added to the images to enable the resizing of the rootfs to fill the partitioned space.

We are now transforming Plasma Mobile’s Debian packaging into git repositories suitable for our build jobs and building them. These packages will eventually be included in a Plasma Mobile Librem 5 image. There is ongoing work with upstream Plasma developers to resolve the remaining build issues.

Phosh

Many fixes and tweaks have occurred in phosh in the last few weeks. Size calculations have been fixed (and therefore menu positions) on scaled displays with custom modes. The German translation has been updated. Now a login shell is used when we launch gnome-session, which ensures XDG_* is set up correctly so icons of flatpak applications are correctly recognized by phosh. To make phosh more robust, more compile warnings were enabled and the resulting errors were addressed.

gnome-settings-daemon

To lay the ground work for configuring your modem, an upstream discussion has been started to discuss how gnome-settings-daemon should behave regarding modems.

Wlroots

Wlroots was known to crash when phosh reconnects and that has been fixed. We also continue to keep wlroots up to date with new upstream snapshots.

GTK+ 4 and libhandy

Since the compositor and GTK+ need to work well together, an issue was fixed to make the xdg-shell’s app_id match GApplication’s application-id property. This makes it simpler for compositors to match applications to desktop files in Wayland.

Among the many fixes in libhandy recently, it has been made more robust during builds to now fail on warnings. There are three GTK+ bugs that currently affect the ability to create adaptive UIs that have been brought up with the upstream developers: a non-rounded corner issue, an off-screen popover issue, and an issue that causes the separator to sometimes be transparent. For the separator issue, a solution has been proposed as well. There is ongoing work upstream on the separator to add a selection mode variant and make adding a separator less complicated that is quite necessary to have cleanly defined panels in HdyLeaflet. Furthermore, the libhandy flatpak runtime (org.gnome.Platform) has been updated from 3.26 to master so we can be on the bleeding edge.

Keyboard

On the OSK front, the text-input-v3 patch-set has been included in wayland-protocols and gtk-3.24. The preliminary support of text-input-v3 has also been added to wlroots. Additionally, the virtual-keyboard protocol patch has been updated and is in review. There has even been an input-method-v2 protocol RFC posted. So get ready to type on your virtual keyboard!

Calls and messaging

Since the decision to implement a ModemManager back-end to the Calls application, some changes were needed to Calls. To give ModemManager more privileges, some policy kit files were created. To improve the UI of Calls, some of the Calls display code was cleaned up and made the Calls UI closer to the final design.

New and exciting things are on the horizon for the Messaging app. A new SMS libpurple-plugin has begun development and testing is ongoing with the Pidgin-Debug window to check if the ModemManager interface works. Work is advancing to glue the Chatty GTK+ objects to libpurple UiOps structs and signals for conversation handling. A blog post on Chatty—complete with a demo video—has just been published so go read it if you haven’t already!

Kernel

A significant effort has been put in to make the 4.18 kernel work with the devkit SoM. In order to help debug kernel hangs, some work was done on openocd like adding a board configuration for the particular board that will be used on the dev kits and warn when the CPU is not halted by invoking phys2virt. The openOCD folks were a great help on this effort!

Efforts continue on other pieces of the kernel too. Work continues on the power supply driver for the battery charger with upstream kernel developers and should be accepted soon. USB 2 has been tested and is working. There were also some clock issues that were resolved and both SDMA and RTC are both now working as well.

Hardware Work

The Purism hardware team has sent out the manufacturing files for PCB fabrication and assembly of the prototypes. The files are currently under review.

Community Outreach

An issue template has been added to the current phosh, libhandy, calls, chatty, docs, and virtboard projects to guide the user to provide all of the necessary information when filing an issue against these projects. For more information on filing issues, see our documentation page on reporting an issue.

A big Thanks goes out to all of the external teams that have helped review and merge changes into upstream projects. Everyone’s time and contribution is much appreciated!

That’s all for now folks. Stay tuned for more exciting updates to come!

Librem 5, the world’s first ethical, user-controlled smartphone, makes steady progress for initial shipping beginning April 2019

Device maker Purism shares new details on the smartphone’s status and production schedule

SAN FRANCISCO, Calif., September 4, 2018 — Purism, the social purpose corporation which designs and produces popular digital rights respecting hardware, software, and services, is sharing the much anticipated progress and scheduling for its Librem 5 smartphone. Read more

Progress update from the Librem 5 hardware department

As you might have noted when we announced closing the development kit “last call” sale, new specifications have been made public. I want to explain what led to these specifications and why we made the choices we made and what the current timeline is for the devkits and Librem 5 phones. Read more

Ethical aesthetics – Librem 5 design report #7

You may have noticed that there is no obvious visual branding on the Librem laptops. While this was at first a technical limitation on the very first Librem model (back in 2015), the subtle and minimalistic branding that began on newer models in 2016 was a conscious design decision.

Now, we’re hoping to refine the physical branding further.
One reason for a minimalist design is aesthetic. Just like on a piece of hand-made jewelry, we wish the branding to be made in the form of an inconspicuous marking that doesn’t interfere with the natural beauty of the overall shape.

Another reason is ethical. While one should easily be able to identify a computer model when closely inspecting it, people using a Librem device should be prevented from, unintentionally, exposing the brand of their hardware, which may be seen as arrogant in some situations. But, above all, the Librem customer should not be used as a passive promoting medium. We think that this is an essential part of an ethical design.

This is described within our internal industrial design policies in term of visual identity, so I think important to emphasize those points.

Branding on the Librem laptops

Therefore, on the current Librem line, branding is only visible on the keyboard (with the “Super” key displaying the Purism logo) and on the bottom cover, displaying the brand and model name, along with certification symbols, underneath the computer.

That said, while not being visible during normal use (open on a table), the bottom branding of the Librem may be considered a bit flashy when carrying the laptop around, so we are considering making it even more discreet in the future.

Branding on the Librem 5

The Librem 5 is not in production yet but the public mock-ups have been escaping that rule so far. While I think that it was important for everyone to easily identify the device mock-ups during the campaign, the final model should not display any branding on the back cover of the handset. Instead we are discussing the possibility of having the brand and model number carved on the side of the device.

Designing the scope of the Librem 5’s communication apps

We have spent the last few weeks focusing on the design of the default communication features of the Librem 5. As part of that process, we came up with the design specification for two applications. One of them is called “Calls” and has been designed for the purpose of—you guessed it—making and receiving phone calls. The second one, called “Messages” has been designed for the no less obvious purpose of sending and receiving messages.

Tobias, our lead designer, does a great job in communicating and collaborating with the GNOME design team, and so we keep making progress jointly with the upstream GNOME project. When Tobias joined, we started by having a call with Allan Day and Jakub Steiner (from the GNOME design team) where we presented our project, our goals and discussed the way to structure our contributions to GNOME. For example, we have an app design repository on the upstream GNOME GitLab server, where our design and mock-ups are made available to everyone. All in all, our project and vision seem to be very well received by the GNOME community.

The “Calls” application

This application is not based on any existing application so we had to design it from scratch. We did so while Bob was making good progress on implementing the basic cellular call features.

“Calls” is supposed to let the user handle regular phone calls but is not limited to that. It is designed to integrate a much higher level of security and privacy through end to end encrypted technologies in a very transparent way. Private calls, between two devices supporting that feature, would be made by simply selecting a contact and pressing the “call” button.

The full design of the Calls application can be seen in its own repository.

The “Messages” application

At the beginning of the summer, some Purism members (Dorota, Adrien, Tobias and myself) participated in the Fractal hackfest in Strasbourg. The goal was to analyze and discuss the possibility of having Fractal become the default messaging application on PureOS and the Librem 5. This is motivated by our wish to be in sync with upstream choices as well as with the fact that Tobias, besides being the designer for the Librem 5 applications, is also the designer of Fractal. We also took this opportunity to meet Matthew from Matrix who provided very helpful technical clarifications about the Matrix technology.

It was clear in this meeting that Fractal’s future plans are aligned with the Ethical Design principles, that the Librem 5 and PureOS design guidelines are based on. An application following those guidelines, must be simple and focused on a single purpose.

One might think that the current state of Fractal already fits the main purpose of the Messages application (sending and receiving messages), but it is actually too general in terms of purpose. Chatting privately with a friend is not the same as discussing in a crowded IRC like public room. While the back-end technology may be the same for both situations, the user interface may have different requirements. This was discussed at the Fractal hackfest (Tobias used the analogy of the “barbecue” and the “banquet” to expose the problem), where Fractal developers decided that Fractal should be split into two distinct applications; one application would be used for the purpose of private 1 to 1 and small group chats (the barbecue), the other one would be used for the purpose of crowded IRC like discussions (the banquet). It will take a while for that split of an existing application to happen, however.

The simplified Messages application we have been developing is based on the “barbecue” usecase; private 1 to 1 and small groups chats, the most common usage for the majority of the population. The plan is for the Messages application to be able to handle regular text messages (SMS) while also handling secure end-to-end encrypted messages in a transparent way between two compatible devices.

The full design of the Messages application can be seen in its own repository.

Librem 5 general development report — July 16, 2018

These last few weeks, the Librem 5 team has been hard at work improving the current software stack as well as making great strides towards finalizing the development kit schematic. Here are the highlights of the exciting progress that has been made.

Software Work

Images

The images produced for the i.MX6 board now have phosh as the default shell and we are experimenting with PureOS as the base OS (instead of Debian buster). There is also now an x86_64 raw VM image being produced and you can follow these instructions on getting a copy of the image and running it. The VM image uses the same screen resolution that the actual Librem5 phone will use.

While the i.MX6 images have been developed for the current hardware in the team’s hands, work continues on the image to be used on the i.MX8-based development board and actual phone. Note that during the investigation of the i.MX8 CPU, there were freedom issues that needed to be addressed. To read more about this, checkout the Solving the first FSF RYF hurdle for the Librem 5 blog post.

The image built for the i.MX8 board can now boot a very basic mainline kernel (instead of the vendor kernel offered up by the manufacturer). The next steps are to bring more components (like the display) online and to upstream these changes. All in all though, this i.MX8 image is really coming together!

Phosh/wlroots

At some point, most people will likely use their Librem 5 at night so having redshift in place makes the screen easier on the eyes. There was some work done to implement some of Mutter‘s DBus API in phosh, needed for e.g. display configuration and redshift. So now, phosh can detect the attached outputs and supported video modes and report them in a mutter/gnome-shell compatible way so they show up in gnome-settings and gnome-settings-daemon is happy. This is the base for future gamma control work (redshift). This depends on a patch to wlroots which is currently under discussion.

Other phosh usability improvements have been made as well. The lock screen timeout has been increased to allow for a bit more time to log in. Also, the favorites / home screen handling has been corrected to properly wrap columns and add scroll bars when necessary.

Since phosh is the shell and it works hand-in-hand with wlroots, they both are key areas for the image development. There have been frequent updates to wlroots to stay current with the upstream snapshots. A minor issue was fixed in upstream wlroots to improve the error handling of compiling for armhf. Also support for adding custom video modes has been added to wlroots. Work on Gcr system-prompt integration is being done in phosh. This  will solve a heap of authentication and modal dialog issues with PINs, PUKs, passwords, smart cards and keyrings by leveraging what’s already in GNOME.

Keyboard

There has been ongoing work into the onscreen keyboard (virtboard) which has led to virtboard being included in the images. In order for virtboard to show/hide when needed, merging of an input method (text-input) into wlroots was needed and GTK+ upstream was contacted about upstreaming the input method code. We are working on a patch securing the input method in our compositor. There has also been continued feedback from upstream on upstreaming the virtual keyboard protocol. The keyboard scales much better now too!

Calls

The calls application has also been added to the images for easy access. Within the calls app, the sending of DTMF tones has been added so that you can now hear those familiar sounds when touching a number on the keypad.

To make calls more robust, the possibility of doing unit tests of Calls’ oFono provider backend using the phonesim simulator were explored but unfortunately running ofonod requires root privileges in order to  take ownership of the well-known name, org.ofono, which makes testing a massive headache if not impractical. Still though, unit tests for the Calls Provider interface using the dummy implementation, as well as tests for Origin and Call interfaces have been added.

Libhandy

The libhandy GTK+ widget has seen some growth too. HdyColumn has been added to help out with dynamic column resizing. There have also been some unit tests added for HdyArrows (used for directional swiping). A first version of libhandy has been released and v0.0.1 has even been uploaded to Debian experimental!

Epiphany/GNOME Web

The web browser on the Librem 5 will be Epiphany so adaptive changes have been merged upstream to improve the usability on small screens. An in-window app-menu for Epiphany has started to be implemented and is still a work in progress.

Messaging

A demo app for libpurple has been drafted and an XMPP conversation has been established between the demo app and Dino. For encryption, an OMEMO conversation running with libpurple and the Lurch plugin was established. There has also been a conversation-view that pulls avatar/account data from a buddy list stored in xml. The ofono interface in SMS/XMPP was implemented into the demo app as well.

Hardware Work

External factors have caused our development board schedule to slip beyond our initial June projected ship date. While developing the schematic for the development board, not all information was readily available so investigations were needed on various components (e.g. cameras, WLAN+BT, batteries, switches, push buttons, etc), and circuits needed to be added before the schematic is considered ready for review by the third party that will print the boards. The Librem 5 hardware team has done all of these required tasks and are in the process of ordering parts to be sent to the manufacturer of the boards. Our current rough estimate for shipment of the development boards is August 2018 but stay tuned for a more detailed blog post on the subject.

Community Outreach

The Librem 5 matrix chat rooms have really exploded with lots of fantastic feedback and questions. Some community members have even stepped up to help find new issues, fix some issues, and  add to the documentation. Due to the demand from the community, there is now an x86_64 VM raw image available that looks just like what the team is installing on the i.MX6 boards.

The Purism collaboration with the Plasma community continues as well. There are now some arm and aarch64 flatpaks of Plasma software. The Purism team is also actively investigating building a Plasma image for the i.MX6 boards as well.

Developer documentation changes have also been made to better guide everyone to the right places:

  • The volunteers page has been updated with more clear instructions on how to participate.
  • Regardless of the type of board (whether physical or emulated), common steps have been added to a first steps page.
  • There are now instructions on setting up the x86_64 VM image.
  • Contribution guidelines have been posted to demonstrate the preferred communication processes
  • A GTK+ page has been added with example apps and includes documentation on adaptive labels.
  • A phone constraints page has been added to outline some specific constraints that should be considered when developing apps for the Librem 5 phone.

We also recently attended the GUADEC conference in Spain where we got to interact with a lot of wonderful folks excited about the Librem 5. More on the GUADEC conference to com in a future progress report.

A big Thanks goes out to all of the external teams that have helped review and merge changes into upstream projects. Everyone’s time and contribution is much appreciated!

That’s all for now folks. Stay tuned for more exciting updates to come!

Solving the first FSF RYF hurdle for the Librem 5

While investigating using the i.MX 8 for the Librem 5 phone we found an issue that would have been problematic for us to obtain the Free Software Foundation’s “Respects Your Freedom” (RYF) hardware endorsement:

  • In U-Boot there are a number of firmware blobs that need to be loaded into the DDR PHY so that it can be trained to work with DDR4. This training is done on every boot.
  • The normal boot sequence for the i.MX 8 is that the internal ROM loader loads the Secondary Program Loader (SPL) which, in this case, is a small version of U-Boot that can initialize the DDR and load the full U-Boot into DDR to finish the boot process. Very early in the SPL, the training blobs get loaded into the DDR PHY and the training sequence is run. The DDR training procedure is completely un-documented so re-writing the firmware blobs with free/libre or open source versions would be an arduous process.
  • We can’t ignore the DDR PHY because it is interface between the i.MX 8 internal buses and the DDR4 chips outside of the SOC. The DDR PHY is also part of the i.MX 8 silicon so we can’t just replace the DDR PHY with a different one. It also appears that all DDR PHY’s required this training to work with DDR4, so going to a different SOC wouldn’t solve it either.

The RYF has a “secondary processor” exclusion that can be granted on a case by case basis. We will leverage this exclusion to load and train the DDR PHY on the i.MX 8. We will use a secondary processor to keep binary blobs out of u-boot and the kernel. Read more