Framework Security

My laptops and me

Once again, I’ve been thinking about which laptop I’ll buy should my current one break down. I assume that my device will last a long time (its predecessor lasted over seven years), and since it is theoretically capable of running Windows 11, I still have no need to replace it in 2025 (unlike almost all of the PCs I maintain for my family).

There are three main aspects of the current machine that bother me:

  • It doesn’t have USB/Thunderbolt with DisplayLink.
  • Since the battery burst and was removed, the touchpad no longer works reliably.
  • It does not charge via USB-C.

Some of the criteria that limited the choices and drove up the prices of the last two devices are now obsolete. Since I expect to replace my server soon and could then use it for image editing with Lightroom, I no longer need strong processing power in the laptop. I also haven’t used virtualization of many clients in a long time. The need for a dedicated GPU (also to drive many monitors) is gone as well, as USB/Thunderbolt docks will hopefully make three external monitors a non-issue.

Also, my soon-to-be twelve-year-old requirement of an SSD for the OS plus an HDD with at least 2 TB for data is no longer relevant at current prices for very large SSDs. However, I would prefer two dedicated SSDs. If necessary, some data could be moved to an external storage medium.

Since I almost only work on external screens, I no longer care about the screen size. Likewise, I’m almost never on the road with my private laptop anymore, so the weight is no longer important either.

It’s even easier with my work devices. Both can be charged via USB-C, work on the Thunderbolt dock, and I don’t need much storage capacity on them either. At least the batteries have lasted a long time since the last replacement in 2020. The customer’s PC would theoretically also be available as a VDI, but that just didn’t work well enough: there were issues with audio and video in conferences, and multiple monitors didn’t run cleanly in my setup either. The performance of the VDI also frustrated me more than was good for me. So I am very happy to be able to use the customer PC as a physical device. The biggest disadvantage, however, is that I only take one device with me to work.

Solution

Currently, the Framework laptop seems to be a good option. I was sceptical at first, because I also find the product range from Schenker/Bestware okay; my requirements for maintainability and adaptability have always been met there.

Besides the replaceability of all components, I find the expansion cards fascinating. It looks to me like there are simply four USB-C ports on the motherboard (which is why the USB-C card is so cheap). Simply clever.

In particular, the statement that it is possible to boot from the expansion cards gave me the idea that I could replace two of the three laptops on my desk with such an expansion card. What if the work PC and the client PC each existed only as a storage expansion card plugged into a Framework laptop? From an environmental point of view, it would be great to only have to replace one device every x years instead of three. Travel would also be easier. The costs for employers and clients would also be reduced, although I suspect that the hardware itself wouldn’t make much of a difference.

The main drawback would be that only one OS can be plugged in and booted at a time, so I’d never be able to use all three, or even two, systems at once. I’ll keep an eye on how often that would be a problem. However, there is the occasional situation where I have a meeting in between for which I have to change the PC – that would then probably be more problematic (especially with startup and shutdown and establishing the VPN connection). Currently, I only switch the docking station and the HDMI cable. Otherwise, I usually only have one computer switched on to save power.

Now it will be secure

My next thought was that my employer’s and customer’s IT departments would probably never allow this (aside from the fact that there are no deployment processes in place for this scenario yet). Surely there are security requirements that are not met when repurposing IT like this, right? Which ones, actually? Currently, no one prevents me from disassembling and manipulating devices at home (I still don’t do it, of course). Whether anyone in the office would notice if someone disappeared into the toilet with a laptop and tools for 30 minutes, I still have to find out. But why would it matter? Thanks to Secure Boot and BitLocker, booting from a cloned SSD should not work. I’ll have to keep that in mind and try it out on my last day of work (for the record, I won’t). So with a lot of effort I’m sure you can break something, but I won’t be as successful as Fluepke anyway due to my lack of experience.

In my opinion, bigger and more likely dangers come from fake and manipulated IT products like the O.MG cable. But a Framework laptop makes those neither more nor less likely.

In theory, the TPM should prevent possible direct manipulation. Apart from that, the TPM doesn’t provide 100% security either. My experience with the TPM is that the hardware and OS are tied to the motherboard. But that would also be the case with the Framework laptop. Problems would arise in the scenario where I have a flexible pool of laptops and only hand out storage expansion cards to each user, which would then be plugged into different laptops. In my scenario, I’ll assume I have one laptop with three cards (personal, employer, customer). The OS (including Secure Boot) and the TPM should be able to handle a switch, right?
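The protections the post relies on (Secure Boot, the TPM, and BitLocker binding the OS volume to the board) can be checked from inside the running OS. The following is an added example, not code from the original post or from Framework: a read-only PowerShell report that uses only the standard Confirm-SecureBootUEFI, Get-Tpm and Get-BitLockerVolume cmdlets and flags the cases that matter for the "card moves to another laptop" scenario. It assumes Windows 10/11 with the BitLocker feature installed and an elevated session; the warning texts and the $report/$warnings variable names are mine.

```powershell
# Added example (not from the original post): read-only check of Secure Boot,
# TPM and BitLocker on the OS volume. Run in an elevated PowerShell.
# If the OS volume is bound only to the TPM, moving the disk (or storage card)
# to another motherboard fails the TPM unseal and Windows asks for the
# recovery password, so that password must be escrowed somewhere (AD, Entra ID,
# or a vault); without it the volume is simply unreadable on the new board.

$report = [ordered]@{}

# Secure Boot state, read from UEFI firmware variables.
# The cmdlet throws on legacy-BIOS systems, hence the try/catch.
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = "n/a ($($_.Exception.Message))" }

# TPM presence and readiness (needs administrator rights).
$tpm = Get-Tpm
$report.TpmPresent = $tpm.TpmPresent
$report.TpmReady   = $tpm.TpmReady

# BitLocker status and key protectors of the OS volume.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.VolumeStatus     = $osVol.VolumeStatus      # e.g. FullyEncrypted
$report.ProtectionStatus = $osVol.ProtectionStatus  # On / Off
$protectors = @($osVol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
$report.KeyProtectors = ($protectors -join ', ')

# Caveats a practitioner would flag before trusting the "cloned SSD won't boot" claim.
$warnings = @()
if ($report.SecureBoot -ne $true) {
    $warnings += 'Secure Boot is not enabled; unsigned boot media is not blocked.'
}
if ("$($osVol.ProtectionStatus)" -ne 'On') {
    $warnings += 'BitLocker protection is off; a cloned disk would boot on any machine.'
}
# Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey all bind the volume to this TPM.
if (-not ($protectors | Where-Object { $_ -like 'Tpm*' })) {
    $warnings += 'OS volume is not bound to the TPM; the disk is not tied to this board.'
}
if ($protectors -notcontains 'RecoveryPassword') {
    $warnings += 'No recovery password protector; a board swap would leave the volume unrecoverable.'
}

[pscustomobject]$report | Format-List
$warnings | ForEach-Object { Write-Warning $_ }
```

The useful outcome for the scenario in the post is the combination: protection on, a Tpm* protector present (the card is bound to exactly one board) and a recovery password escrowed (so a deliberate move to another laptop is a documented recovery rather than data loss). A TPM+PIN protector additionally stops the disk from unsealing unattended if the laptop itself is taken.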

I will think about it further. Unfortunately, I currently don’t have several Framework laptops to try this out with.

Summary

Currently it’s just an idea and I don’t think this scenario will become reality anytime soon. However, I’m keeping the Framework laptop on my radar in any case and maybe I can figure it out sometime.

From an ecological and economic point of view, the Framework laptop makes sense. I don’t see the big synergy yet, but if there is one, the IT security problems raised against it are probably more pretextual than genuinely new.

Put very simply, though, this solution has always been possible by booting from a USB stick.

Translated with www.DeepL.com/Translator (free version)