Not to discredit this product, but I'm having a harder and harder time trusting products that feature high security. They seem like trojan horses. I think I'm probably just being paranoid - is there a trustworthy independent third-party of some sort that verifies just how private these types of products are?
Edit: to be clear this is most likely an awesome product put out by people who care about security and privacy. I'm not trying to call this product out specifically. Privacy / security are really bold claims and without any specific regulations in the area that I'm aware of I feel extra cautious around anything claiming to provide those things. Like I said, I'm probably just being paranoid, but I like to think strategically, and if i were to be a spy agency of any sort and thought I could get away with it, selling a not-so-private privacy product would definitely be a move of mine.
What regulations, issued by which authority, would you trust?
The Purism claims are relevatively small (e.g. camera/microphone hardware switch can be verified by a motherboard inspection) and are an incremental move in a positive direction.
I'd recommend getting an old thinkpad or macbook compatible with libreboot (http://www.libreboot.org/) which is apporved by FSF and only runs free software in the bootloader/BIOS. Purism, on the other hand, uses a proprietary bootloader, as well as proprietary BIOS, as well as proprietary code for Intel FSP, Intel ME, Intel VBIOS, and Intel CPU microcode updates.
At user request, the Intel i7 CPU in the Purism 15 was chosen to include VT-d support (needed for Qubes security, which isolates the GPU to a single driver VM) and to exclude support for the black box Intel ME hardware (vPro).
In contrast, on virtually every mainstream laptop with VT-d, you are forced to use a CPU which includes Intel ME/vPro support.
ME is in the chipset and not the CPU[1][2]. Chances are the silicon for it is there and working, but Intel doesn't officially "support" ME with that chipset+CPU combination and supplies firmware that doesn't use it. It doesn't necessarily mean there is no ME capability that could be exploited.
IMHO "support" has become a bit of a weasel-word today, meaning everything from "it's physically impossible because the hardware doesn't even have the circuitry" to "it's all there and functional, but we just don't want you to use it". In between are things like disabled via undocumented hardware jumpers or software settings (remember how certain AMD CPUs could have extra cores "unlocked"? Same principle.) The older models without ME are the former, but I'm almost willing to bet that the latter is the case of the newer CPUs and chipsets.
It will be good to run some tests against the Purism 15 motherboard, at least to evaluate the dormancy/presence of the Intel ME via publicly known interfaces.
It's still a step in the right direction to be able to buy a laptop with a CPU that "does not support" the Intel ME, because it will permit some testing of the Intel claim. It also helps that Purism is using non-Intel components for wired and wifi networks, since Intel ME/AMT/vPro requires Intel networking.
> It will be good to run some tests against the Purism 15 motherboard, at least to evaluate the dormancy/presence of the Intel ME via publicly known interfaces.
The ME is required to be able to boot contemporary Intel devices. It's required to do power management for years. There is no way they ship a device with Intel CPUs and no ME.
What they can do is ship a system without the AMT/vPro features that are implemented in ME firmware. The difference being if the firmware for that part of the chipset is 2MB or 6MB. If you want to know what Intel requires 2MB of firmware for a chip that isn't supposed to be very active, I have no idea either.
But given that the 6MB firmware supports intercepting USB (for keyboard and mouse) and the GPU to route them over the network interface for the soft-KVM feature, be aware that the chip has these capabilities in hardware, no matter the firmware. It just doesn't use them (or so Intel claims).
I'm pretty put off that I spent 5 minutes digging around on their site and couldn't find one of those claims. All I saw was "Everyone is trying to steal your private datas, but for a large markup we can make you secure."
To follow up: the crowdsourced page does indeed make a large number of claims which at least make this sound like a very secure and privacy ensuring device. When I mentioned regulations, I was thinking along the lines of ad companies in the US. For example, an ad for a sleeping pill wouldn't be allowed to outright claim to put you to sleep if the pill didn't work... unless that pill was labeled under homeopathic medicine, then all bets are off because homeopathic "medicine" is unregulated (or was the last time I checked).
New (and also old) privacy focused companies remind me of homeopathic medicine.
This old blog post has some info about BIOS and firmware, https://puri.sm/posts/bios-freedom-status/ . We need more OEMs to publish similar lists and begin moving the incremental needle towards transparency, rather than claiming an opaque supply chain of black box components.
Edit: to be clear this is most likely an awesome product put out by people who care about security and privacy. I'm not trying to call this product out specifically. Privacy / security are really bold claims and without any specific regulations in the area that I'm aware of I feel extra cautious around anything claiming to provide those things. Like I said, I'm probably just being paranoid, but I like to think strategically, and if i were to be a spy agency of any sort and thought I could get away with it, selling a not-so-private privacy product would definitely be a move of mine.