PureBoot Bundles

Overview

This guide documents which PureBoot bundles Purism offers, and how to use PureBoot with the PureBoot Bundle.

Refer to the Heads documentation for more information on how PureBoot or Heads works, including how to build and install it yourself.


Bundle options

When purchasing an x86-based Librem device, you are presented with several options for boot firmware (“BIOS”):

Default: PureBoot Basic

There is no Librem Key involved, and PureBoot is configured in Basic mode. This is the simplest choice.

If you have a Librem Key, you can disable Basic mode and configure PureBoot with your Librem Key at any time. To add a Librem Key to a device shipped without the PureBoot Bundle, disable Basic mode, then perform an OEM Reset. Follow these steps to switch from coreboot/SeaBIOS to PureBoot.

PureBoot Bundle

Preconfigured PureBoot: Librem Key with a factory-generated GPG key. The Librem Vault USB drive is used to store the public GPG key.

PureBoot Bundle Plus

The same as the PureBoot Bundle, but with the Librem Key shipped separately from the device. This means that someone who intercepts the shipment cannot have both your laptop and your Librem Key at the same time, which adds protection.

PureBoot Bundle Anti-Interdiction

Refer to our anti-interdiction service documentation.

Terminology

HOTP token

The HOTP token is a secret shared between the TPM chip and your Librem Key. It lets the Librem Key detect that the boot firmware has changed; it cannot tell a malicious modification from an intentional change made by the user, so both produce the same warning.

The firmware state, and with it the HOTP check, changes any time PureBoot is modified by:

  • Changing PureBoot settings

  • Adding new GPG keys to the PureBoot keyring

  • Flashing an updated PureBoot firmware

  • Resetting the TPM
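
As an added illustration (not Heads or PureBoot code) of how the shared HOTP secret turns a firmware change into a red-LED warning, the following Python model seals a secret to a firmware measurement in a toy TPM, computes an RFC 4226 HOTP code on each boot, and has a toy Librem Key verify it. Everything in it is constructed: the firmware bytes, the 20-byte secrets, the `DeviceModel`, `TpmModel` and `LibremKeyModel` classes, and the `INVALID_CODE` placeholder the firmware sends when the TPM will not release the secret are all assumptions of the model, and the real implementation differs in detail. What it preserves is the shape of the check: only firmware whose measurement matches can obtain the secret, and only the right secret produces the code the key expects.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Example model of the HOTP check, not PureBoot/Heads code.
INVALID_CODE = "------"  # assumed placeholder: six non-digits can never match a real code


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def measure(firmware: bytes) -> str:
    """Stand-in for the PCR value the boot firmware measures into the TPM."""
    return hashlib.sha256(firmware).hexdigest()


class TpmModel:
    """Toy TPM: the HOTP secret is sealed to a measurement and released only
    when the current measurement matches. A TPM reset discards the seal."""

    def __init__(self) -> None:
        self._sealed: Optional[tuple] = None  # (measurement, secret)

    def seal(self, secret: bytes, measurement: str) -> None:
        self._sealed = (measurement, secret)

    def unseal(self, measurement: str) -> Optional[bytes]:
        if self._sealed is None or self._sealed[0] != measurement:
            return None
        return self._sealed[1]

    def reset(self) -> None:
        self._sealed = None


class LibremKeyModel:
    """Toy Librem Key: keeps its own copy of the secret and its own counter,
    and reports the LED colour it would show for a submitted code."""

    def __init__(self, secret: bytes) -> None:
        self.program(secret)

    def program(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def verify(self, code: str) -> str:
        self._counter += 1
        expected = hotp(self._secret, self._counter)
        return "green" if hmac.compare_digest(code, expected) else "red"


class DeviceModel:
    """A laptop with firmware, a TPM and a paired Librem Key (constructed)."""

    def __init__(self, firmware: bytes, secret: bytes) -> None:
        self.firmware = firmware
        self.tpm = TpmModel()
        self.key = LibremKeyModel(secret)
        self.counter = 0
        self.tpm.seal(secret, measure(self.firmware))

    def boot(self) -> str:
        """One boot-time HOTP check; returns the colour the key's LED shows."""
        self.counter += 1
        secret = self.tpm.unseal(measure(self.firmware))
        # Any firmware change (settings, new GPG keys, a new image) alters the
        # measurement, and a TPM reset removes the seal; either way no secret
        # is released and the key cannot be given a valid code.
        code = hotp(secret, self.counter) if secret is not None else INVALID_CODE
        return self.key.verify(code)

    def flash(self, new_firmware: bytes) -> None:
        self.firmware = new_firmware

    def reseal(self, new_secret: bytes) -> None:
        """Deliberate re-pairing after a change the user accepts: seal a fresh
        secret to the current measurement and program the key with it."""
        self.tpm.seal(new_secret, measure(self.firmware))
        self.key.program(new_secret)
        self.counter = 0


if __name__ == "__main__":
    device = DeviceModel(b"constructed firmware image v1", b"\x01" * 20)
    print(device.boot())  # green
    device.flash(b"constructed firmware image v2")
    print(device.boot())  # red: the model cannot tell an update from an attack
    device.reseal(b"\x02" * 20)
    print(device.boot())  # green again once re-sealed
```

Run directly it prints green, red, green. The red case makes the page's point: the check only sees that the measurement no longer matches what the secret was sealed to, so a legitimate firmware update and an attacker's modification look identical until you re-seal.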

LED blinking

The Librem Key has a green and a red LED. The green LED is only used at the beginning of the PureBoot process to signal that the firmware has not been tampered with. In that case, the green LED blinks steadily a few times and then stops.

The red LED is not only used to warn about firmware tampering, but also to show activity whenever the Librem Key is accessed. For instance, when you boot the system with a Librem Key inserted, the red LED lights up briefly as PureBoot detects the device. When you use the Librem Key to encrypt, decrypt or sign something, the red LED lights up while the GPG operation is running on the device.

So how do you tell activity from a warning? And how do you detect tampering if you are red/green color blind? When the red LED is warning you of tampering, it blinks in a steady pattern and keeps doing so indefinitely until you unplug it from the computer. The green LED blinks steadily a limited number of times and stops after a few seconds. When the red LED is showing activity, it lights up irregularly.

First boot

  1. Ensure that the Librem Key is inserted before powering on the device for the first time. PureBoot shows a warning at boot if the Librem Key is not inserted. If the warning appears, you can insert the Librem Key now and press Enter, or press Enter without it to ignore the warning and proceed to the main menu.

Note

While the Librem Key is not strictly required to boot the system, PureBoot cannot detect tampering without it.

  2. While PureBoot starts, confirm that the green LED is flashing on the Librem Key. This indicates that no tampering has been detected. This is the expected behavior for the first boot of OEM hardware; you should not see any warnings or alerts about modified files. If the red LED is flashing on the Librem Key, your boot firmware has been modified, but PureBoot cannot determine whether the motive is legitimate or malicious. Refer to this section for more information.

  3. If the boot files have not been modified, PureBoot boots your operating system automatically by default. Automatic boot can be changed from Configuration Settings. To enter the main menu instead, press a key when PureBoot prompts that it will boot automatically in a few seconds.

  4. PureOS launches a configuration wizard the first time it boots to the desktop. Here, the encryption passphrase can be set, as well as a username, password, and other settings. The /boot files are modified when these settings are applied.

First reboot

A tampering alert will be issued the first time the computer is rebooted, and the modified files will be listed. Follow the default prompts to re-sign the boot files using your Librem Key. If you are prompted for a PIN when re-signing, refer to the Librem Key documentation for the default GPG User PIN.
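
As an added example (not PureBoot's own code) of the /boot check that fires on the first reboot, the Python below builds a SHA-256 manifest of a constructed /boot tree, lets the configuration wizard's changes land (a regenerated initramfs and a new grub environment file, both constructed), and diffs the new tree against the manifest that was signed before the change. PureBoot verifies the manifest's GPG signature with the public key in its keyring before trusting it; that signature step is omitted here, and only the comparison that produces the list of modified files is shown. The file names and contents are assumptions made for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example modelling the /boot integrity check; not PureBoot code.


def build_manifest(boot_dir: Path) -> dict:
    """Map every file under boot_dir (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(boot_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(boot_dir).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifest(signed: dict, current: dict) -> dict:
    """List what changed since the manifest was signed. Any non-empty entry is
    what the boot-time check reports; it cannot tell the first-boot wizard
    from an attacker, which is why the user has to re-sign."""
    return {
        "modified": sorted(p for p in signed if p in current and signed[p] != current[p]),
        "added": sorted(p for p in current if p not in signed),
        "removed": sorted(p for p in signed if p not in current),
    }


def first_reboot_demo() -> dict:
    """Constructed /boot: manifest taken at the factory, then the wizard
    regenerates the initramfs and writes grubenv, then the next boot's check."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp)
        (boot / "grub").mkdir()
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "initrd.img").write_bytes(b"constructed initramfs")
        (boot / "grub" / "grub.cfg").write_text("menuentry 'PureOS' { linux /vmlinuz }\n")
        signed = build_manifest(boot)  # what was signed before first boot
        # The wizard applies the passphrase and user settings: /boot changes.
        (boot / "initrd.img").write_bytes(b"constructed initramfs with new LUKS hooks")
        (boot / "grub" / "grubenv").write_text("# GRUB Environment Block\n")
        return compare_manifest(signed, build_manifest(boot))


if __name__ == "__main__":
    for kind, files in first_reboot_demo().items():
        print(f"{kind}: {files}")
```

The output lists `initrd.img` as modified and `grub/grubenv` as added, which is the kind of list the tampering alert shows. Re-signing simply produces a fresh signed manifest over the current tree, so the next boot is clean again.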

Other boot options

PureBoot is configured from the factory to boot the first PureOS kernel option in grub.conf. This is the option that boots when you select “Default boot” in the main menu.

  • Options → Boot Options: see alternate boot options. Note that when you select an option in the alternate boot menu, there will be an option to overwrite your current default boot.

  • Options → Boot Options → Show OS Boot menu: boot into a PureOS rescue mode or boot an alternate kernel. This displays all boot options available in the system grub.conf file.

  • Options → Boot Options → USB boot: With a USB flash drive inserted, displays options to boot from the USB flash drive.

  • Options → Boot Options → Ignore tampering and force a boot (Unsafe!): continue to boot from a system despite PureBoot issuing a warning of tampering.

Note

PureBoot will never lock a user out of the system, even if tampering is detected.

See also

PureBoot can also decrypt LUKS using a Librem Key.