PureBoot Restricted Boot
With PureBoot Restricted Boot, you can lock down your boot firmware so that it only boots trusted, signed executables, both from a local disk and from USB, and you control the keys. Let’s see how you tighten down your boot security with PureBoot Restricted Boot in this video.
Enabling Restricted Boot
You’ll need to be running a recent version of PureBoot; if you need to switch or upgrade, follow this.
Go to: Options -> Change Configuration Settings -> Enable Restricted Boot.
To save the configuration changes, select Save the current configuration to the running BIOS.
After rebooting, you can still boot into your system as normal, but you will no longer be allowed to ignore any tamper warnings and boot into failsafe mode. This also disables options such as the recovery shell.
Updates
During normal use, when you update your OS while Restricted Boot is enabled, it will behave much as you would expect.
If your kernel changes, you will be prompted to re-sign the files in /boot using your Librem Key.
Once you do, you will be able to boot into your OS as normal.
USB
In this mode, you can also boot pre-approved signed distros via USB. Instead of imaging the ISO directly to a USB disk, copy the ISO file and the corresponding .asc GPG signature file the vendor provides onto it. This will allow you to boot from ISOs on USB disks, as long as their signature matches one of the trusted public keys in PureBoot’s ISO keyring. By default, we include public keys for Arch Linux, Qubes, Tails, and PureOS. Later on, we would like to add a feature that lets you modify the approved keys from within the GUI itself, but that feature did not make it into this first release.
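A pre-flight check you could run on the workstation where you prepare the USB disk, before taking it to the PureBoot machine (an added example, not code from PureBoot or Purism). It assumes each signature sits next to its ISO as `<name>.iso.asc` and that the keyring file is one you built yourself from the vendors' public keys; the function names and status words are hypothetical.

```shell
#!/bin/sh
# Added example: pre-check ISO/signature pairs on a mounted USB disk.
# Assumptions: signature is stored as "<name>.iso.asc" beside the ISO, and
# KEYRING is a keyring file you built from the vendors' public keys.
# Pass KEYRING as a path containing a slash (e.g. ./vendors.gpg); gpgv looks
# up slash-less names in its home directory instead.

# check_iso ISO KEYRING -> prints one status word, returns 0 only for "OK"
check_iso() {
    iso=$1
    keyring=$2
    sig="$iso.asc"
    if [ ! -f "$sig" ]; then
        echo "MISSING-SIG"; return 1
    fi
    # A detached, ASCII-armored signature starts with this armor header.
    # A clearsigned checksum list or a saved HTML error page does not.
    first=$(head -n 1 "$sig" | tr -d '\r')
    if [ "$first" != "-----BEGIN PGP SIGNATURE-----" ]; then
        echo "NOT-DETACHED-SIG"; return 1
    fi
    if ! command -v gpgv >/dev/null 2>&1; then
        echo "NO-GPGV"; return 2
    fi
    # gpgv accepts only signatures made by keys in the given keyring.
    if gpgv --keyring "$keyring" "$sig" "$iso" >/dev/null 2>&1; then
        echo "OK"; return 0
    fi
    echo "BAD-SIG"; return 1
}

# check_usb DIR KEYRING -> one line per ISO, non-zero if any ISO fails
check_usb() {
    dir=$1
    keyring=$2
    failed=0
    for iso in "$dir"/*.iso; do
        [ -f "$iso" ] || continue   # no ISOs present: glob stays literal
        result=$(check_iso "$iso" "$keyring") || failed=1
        printf '%s\t%s\n' "$result" "${iso##*/}"
    done
    return "$failed"
}

# Run against a mount point when called as: script <usb-dir> <keyring>
if [ "$#" -eq 2 ]; then
    check_usb "$1" "$2"
fi
```

Any ISO that does not report OK here is missing its signature, carries the wrong kind of .asc file, or is signed by a key outside the keyring you supplied.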
Disabling
To disable Restricted Boot, go back to Options -> Change Configuration Settings and select Disable Restricted Boot. Once you select this option, your TPM will be reset; this prevents someone from disabling Restricted Boot without detection, because the reset will notify the proper user of tampering once they try to boot their computer again.
Summary
PureBoot provides flexible security measures, with defaults that balance security with ease of use. Restricted Boot allows you to tighten down boot security even further, while still having full control over your own system.