Overview
PureBoot is Purism’s cutting-edge, complete secured boot process. It combines a number of technologies, including:
Neutralized and Disabled Intel Management Engine, where the Management Engine is disabled with the HAP bit in firmware.
coreboot, the free software BIOS replacement.
A Trusted Platform Module (TPM) chip.
Heads, our tamper-evident boot software that loads from within coreboot and uses the TPM and the user’s own GPG keys to detect tampering within the BIOS, kernel, and GRUB config.
Librem Key, our USB security token that integrates with Heads to alert the user to tampering with an easy “green light good, red light bad” process.
Integration between the Librem Key and LUKS disk encryption so you can unlock your disk with your Librem Key.
With PureBoot you can easily verify whether your device’s software has been tampered with while it was unattended, or during transit from Purism to you.
Each time existing files in /boot change, the Librem Key will warn you by flashing a red light.
This means that there may be some false positives if you upgrade your system, so you may want to check out best practices with PureBoot.
PureBoot also allows you to unlock your encrypted disk using your Librem Key (you only have to enter your Key’s PIN).