====== Purism Librem 14 ======

The //Librem 14// is a 14" ultra thin laptop designed by [[https://puri.sm|Purism]] to use as many free-as-in-freedom licensed components as is practical, and enabling the user to protect their security and privacy. The Librem 14 achieves this through state of the art tamper-evident booting, full disk encryption using LUKS, physical killswitches (one for webcam + mic, the other for WiFi and Bluetooth), and support for OpenPGP smartcards out of the box.

Despite this design goal, the device still runs non-free software in the form of SeaBIOS and the non-free Atheros firmware needed for Bluetooth. Additionally, the Intel Management Engine is only //neutralized// instead of completely disabled, due to how deeply embedded the ME is in the operation of the modern Intel processor.

This page used to be aimed at issues and tips to run a Librem 14 with the default PureOS that comes with the machine. **However, Purism generates their own encryption key per-laptop and during the initial setup of a unit, you're actually only updating a //keyfile// that can decrypt the master key used to encrypt, NOT encrypting it with your own key!**

This decision was explained by TODO:

FIXME //Include direct link to Purism employee explaining why.// FIXME

For that reason, this section will favor Purism's repositories only for hardware-specific tools or kernel-related configuration, and it is highly suggested to at least re-generate an encryption master key and re-encrypt your Librem 14's storage.

  * update coreboot to v18.1 to cover boot vulnerability (one flag is flipped since L14 supports it)
  * Enable Debian's ''non-free'' repository to acquire ''atheros-firmware'' package, which supports the Atheros AR3012 that the Librem 14 uses for Bluetooth capability.
  * Set battery charging thresholds via systemd oneshot unit on boot (Purism is aware and supposedly has a fix...?) (won't apply to Gentoo since they use OpenRC, maybe fixable with EC flash?)
  * Create your own master key so you can re-image the drive and re-encrypt, or re-encrypt with a live environment and ''cryptsetup''
  * [[.:gentoo-luks-lvm-librem-key|Gentoo on Librem 14]] -- Unlock the potential of this machine, with LUKS, LVM, and Librem Key