Re-sign boot files
If some of the following symptoms occur when booting with PureBoot, the user may need to navigate the menus to re-sign the files.
PureBoot is not reporting a Boot Hash Mismatch
PureBoot is unable to boot due to an invalid signature error (often seen as ERROR: Invalid signature on kexec boot params)
PureBoot drops to a recovery shell
Warning
These symptoms could also be reported due to tampering. Before proceeding with this procedure, the user must decide whether it could be tampering. Re-signing boot files following an indicator of compromise is equivalent to the user saying “I understand what happened and choose to ignore the warning.”
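One way to inform that decision, shown as an added example that is not part of PureBoot or of the original page: record a SHA-256 manifest of /boot while the system is known good, keep it off the machine, and diff it against the current state to see exactly which files changed before re-signing. The function names, the manifest format (sha256sum output) and the storage paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not PureBoot code. Assumes manifests in `sha256sum` output
# format: 64 hex chars, two separator chars, then the path.

# boot_manifest DIR: print a sorted SHA-256 manifest of every regular file
# under DIR, with paths relative to DIR so manifests stay comparable.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# boot_diff OLD NEW: compare two manifests and print one line per difference:
#   ADDED <path> | CHANGED <path> | REMOVED <path>
# Prints nothing when the manifests describe identical trees.
boot_diff() {
    # Tag each line with its origin so empty or identical inputs are handled.
    { sed 's/^/O /' "$1"; sed 's/^/N /' "$2"; } | awk '
        { tag = substr($0, 1, 1); hash = substr($0, 3, 64); path = substr($0, 69) }
        tag == "O" { old[path] = hash }
        tag == "N" { new[path] = hash }
        END {
            for (p in new) {
                if (!(p in old))           print "ADDED " p
                else if (old[p] != new[p]) print "CHANGED " p
            }
            for (p in old) if (!(p in new)) print "REMOVED " p
        }' | LC_ALL=C sort
}

# Usage (paths are placeholders):
#   boot_manifest /boot > /media/usb/boot-known-good.sha256   # while trusted
#   boot_manifest /boot > /tmp/boot-now.sha256                # after the warning
#   boot_diff /media/usb/boot-known-good.sha256 /tmp/boot-now.sha256
```

Entries you cannot tie to an update or configuration change you made yourself are the ones to investigate before re-signing.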
If you do not suspect that the system has been compromised, follow these steps to re-sign the boot files:
During boot, when PureBoot says “Automatic boot in 5 seconds unless interrupted by keypress…”, press the spacebar
Navigate to Options > Update checksums and sign all files in /boot
Select Yes to confirm
Insert your Librem Key, wait 5 seconds, then press the Y key to confirm it is inserted
Enter your Librem Key’s PIN when prompted (the default is 123456), then press Enter. For security, PureBoot does not display anything on the screen while you type; simply type your PIN and press Enter.
PureBoot will re-sign your boot files and return to the main menu. You can now select Default boot to boot into your OS.
If you are not able to complete the procedure for any reason, it is also possible to perform a PureBoot OEM factory reset to generate new keys.