Purism Librem: Laptop for privacy conscious users

Posted by Sami Tikka on May 21, 2018

I have been testing Purism Librem 15 laptop as my main development computer for a while now. So far it has been a joy to work with, and using Linux as my main work operating system has never felt more right. Purism laptops seem to be a good choice for anyone who wants to have a solid, well built hardware with strong focus on privacy.


Laptop for privacy conscious users

Purism aims to manufacture computers with hardware choices that address major security issues identified in common PC hardware. For example, Intel has been including Intel Management Engine (IME) subsystem in every processor since 2008. This subsystem has it’s own microprocessor, operating system and network interface, running even when computer’s main processor is turned off. All network traffic is routed to this subsystem before passing it forward to main network interface.

Its’ exact workings are largely undocumented and its code is obfuscated using confidential huffman tables stored directly in hardware, so the firmware does not contain the information necessary to decode its contents. –Wikipedia

The existence of hardware with unknown features, functionality and inner workings does not exactly inspire confidence. If you as a user would like to be in charge of what exactly is going on in your computer, most modern PCs do not fulfill this requirement when it comes to their hardware components. Moreover, several security weaknesses has been found from IME, including remote elevation of privilege and execution of arbitrary code. Granted, these flaws are not present in every Intel processor, but nonetheless highlight the inherent security concerns when running unknown code with absolute privileges (privilege ring -3) on computer hardware.

Luckily, security researchers have found a way to disable IME on Intel processors by enabling an undocumented mode on it. It turns out, that Intel has made this special mode (High Assurance Platform, or HAP) for computers delivered to US government. Knowing that US government agencies have a long history of compromising computer software and hardware, this mode being available gives us a hint who might be the driving force behind Intel’s enthusiasm to include this kind of functionality into every processor it manufactures. To be fair, Intel is the only processor manufacturer with similar closed subsystems. AMD processors have equivalent functionality called AMD Platform Security Processor (PSP).


Purism laptops come with IME disabled, so that’s definitely one thing less to worry about. Librem also has hardware switches for camera, microphone, bluetooth and wireless network interface. Nowadays it seems to be a common practice to put a piece of tape over your laptop camera. Having a hardware switch which disables the camera completely is naturally a more secure way to avoid being a subject to unwanted filming.

Purism also includes firmware called Coreboot. Coreboot is an open source firmware for BIOS or UEFI found in PCs responsible for hardware initialisation and loading main OS kernel. Coreboot is a good replacement for a closed source binary blob found in most PCs.

Year of the Linux on desktop

Librem comes with Purism’s own PureOS installed. However, I’m a long time fan of Debian, so I installed Debian Stretch on it. Remembering the battles I fought in the past with Linux and PC hardware, this time getting Debian installation working with hardware like external monitor and Bluetooth headphones was a fairly straightforward operation. It’s been a while since I had Linux as my primary desktop OS, so naturally I was pleasantly surprised by the maturity of the installation experience. Most of the hardware problems are solved by installing non-free drivers. The ideal of using systems running fully free software is something to strive for, but sometimes you have to make compromises in order to realise their full capabilities.

Even though MacOS is based on BSD, all the open source software development tools are just a bit more natural to use in a full Linux environment. Moreover, for people like me who have accustomed to using a specific IDE, many development software providers also offer their products as Linux binaries (Jetbrains, Oracle Virtualbox etc.), so switching over to the Light side of the Force is quite easy even with specific developer software requirements.

Goodbye MacOS

Only problem compared to my previous development setup of Macbook Pro and external 4K monitor was that Librem’s GPU does not seem to be powerful enough to output 4K graphics. That is a minor complaint though, and I don’t mind looking at a bit “soft” graphics on external monitor. Non-4K monitors should have more crisp image with Librem.

Using Linux instead of a proprietary OS like MacOS also offers major security and privacy improvements. MacOS or Windows users are not really in control in terms of what their computer does on their own. For example, both OSes install updates without notifying users, and the updates are largely forced upon. It’s an analogous situation to using Intel hardware: You are not fully sure what is going on in your computer, what the operating system is doing, where does it make contact and for what purpose.

Little Snitch screenshot of MacOS processes "phoning home"

Revealing insight into MacOS functionality gan be gained by running software like Little Snitch, which shows every network contact through TCP protocol made by system processes and other applications. I’ve taken the screenshot shown above right after connecting to a wireless network. There seems to be a whole bunch of processes connecting to Apple for whatever purpose, like push notification services, Apple’s identity service, geolocation service (even with Location services turned off) etc. These have legitimate purposes, but they also inform Apple of the place, time and network environment whenever becoming online.

Using free software OSes like Linux gives you better control over what code is running on your computer, and where does it make connections (if any).


Librem + Linux (or any other open source software OS) offers an almost unheard promise of being in charge of your computer. Almost every other proprietary hardware and OSes are doing their things without your consent. In this regard, Librem is quite a liberating experience indeed. Librem hardware can be ordered according to your specifications, and unlike many other popular laptops, Librem hardware, like RAM, wireless chipset and battery, can be easily accessed and replaced if you choose to do so. i7 processor, 16GB/32GB of RAM and fast SSD disk is a powerful combination for most serious work computing needs.

Purism also accepts cryptocurrencies as payment. Supported cryptos ATM are Monero, Bitcoin Cash and Bitcoin. Paying with cryptocurrencies is at least a semi-anonymous way to purchase hardware and an additional layer of security for those who need it. For the rest of us, paying with cryptocurrencies online is much more convenient and secure than using credit cards.