PureBoot Restricted Boot
Summary
PureBoot provides flexible security measures, with defaults that balance security against ease of use. PureBoot Restricted Boot hardens boot security further by booting only trusted, signed executables, whether they come from the local disk or from a USB drive. This video illustrates how to safeguard your boot security with Restricted mode in PureBoot.
Enabling Restricted Boot
A recent version of PureBoot is required to enable this option from within the user interface. To switch modes or upgrade PureBoot, follow this guide.
Navigate to: Options -> Change Configuration Settings -> Enable Restricted Boot.
Select Save the current configuration to the running BIOS to save the configuration changes.
After the reboot the Operating System boots as before, but a tamper warning can no longer be dismissed or bypassed, and the failsafe boot option is no longer offered. Other escape hatches, such as the recovery shell, are disabled as well.
Updates
During normal use, updating your Operating System with Restricted Boot enabled behaves as expected.
If the Linux kernel is updated, the files in /boot change and no longer match the signed manifest, so they must be re-signed using the Librem Key. After the files are re-signed, the Operating System may be booted normally.
USB
Signed Linux distributions may be booted via USB in this mode.
Rather than flashing an ISO image directly to a USB drive, copy the ISO file together with its corresponding .asc detached GPG signature file (provided by the distribution vendor) onto a filesystem on the drive. PureBoot can then boot the .iso file from the USB disk if the signature verifies against a trusted public key in the PureBoot ISO keyring; an ISO without a matching signature is not offered for boot.
By default, we include public keys for Arch Linux, Qubes, Tails, and PureOS.
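The following helper is an added example (not PureBoot's own code, nor part of this guide) that performs, on the workstation, the two checks PureBoot applies at boot time: every ISO on the stick needs a detached .asc signature beside it, and that signature must verify against a keyring of vendor keys. The verification uses gpgv with a keyring file you export the vendor's public key into; the keyring path, the mount point and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not PureBoot's own code: stage a signed ISO for Restricted Boot.
# PureBoot will only boot an ISO from USB when NAME.iso.asc sits next to
# NAME.iso and verifies against its ISO keyring, so we enforce the same
# two conditions before copying anything onto the drive.
set -eu

# Print every *.iso in DIR that has a matching *.iso.asc beside it.
signed_isos() {
    dir=$1
    for iso in "$dir"/*.iso; do
        [ -e "$iso" ] || continue        # no ISOs at all: the glob stays literal
        if [ -e "$iso.asc" ]; then echo "$iso"; fi
    done
    return 0
}

# Print every *.iso in DIR that lacks a signature; these will not be bootable.
unsigned_isos() {
    dir=$1
    for iso in "$dir"/*.iso; do
        [ -e "$iso" ] || continue
        if [ ! -e "$iso.asc" ]; then echo "$iso"; fi
    done
    return 0
}

# Verify ISO against ISO.asc using a fixed keyring file (gpgv uses no trustdb
# and no web of trust, which is the right model for a boot-time check).
# KEYRING is an assumed path; see the usage note below for how to create it.
verify_iso() {
    iso=$1
    keyring=$2
    gpgv --keyring "$keyring" "$iso.asc" "$iso"
}

# Copy ISO and ISO.asc onto the mounted USB filesystem MNT, but only after
# the signature is present and verifies. Copies nothing and returns 1 otherwise.
stage_iso() {
    iso=$1
    keyring=$2
    mnt=$3
    if [ ! -e "$iso.asc" ]; then
        echo "refusing: no detached signature $iso.asc" >&2
        return 1
    fi
    if ! verify_iso "$iso" "$keyring"; then
        echo "refusing: signature on $iso does not verify" >&2
        return 1
    fi
    cp -- "$iso" "$iso.asc" "$mnt"/
    sync
}
```

Usage (assumed paths): export the vendor's published signing key once with `gpg --export <KEYID> > vendor.kbx`, then run `stage_iso ~/Downloads/distro.iso vendor.kbx /media/usb`. Listing `unsigned_isos /media/usb` before unplugging the drive tells you which images PureBoot will not offer.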
Note
A future release of PureBoot will allow modifications of approved keys from within the GUI itself.
Disabling
To disable Restricted Boot, go back to Options -> Change Configuration Settings and select Disable Restricted Boot. Once you select this option, your TPM is reset, which destroys the secret it held; this prevents someone from disabling Restricted Boot without detection, because the legitimate user sees a tamper warning the next time they boot the computer.