Warnings and alerts

Overview

Tip

If you see an alert, don’t panic! Follow the prompts to resolve it.

The normal operation of PureBoot is relatively hands-off, much like traditional GRUB systems: just turn on the computer, press Enter, and your system boots. Behind the scenes, though, PureBoot is performing a number of different tests to detect tampering on the system. Routine tasks like updating the software on your system might trigger a tampering warning, so if you do see a warning or alert, don’t panic! Just read and follow the instructions on the screen. In this section we will cover some of the most likely alerts you will see, what they mean, and how to respond to them.

Librem Key is not Inserted

If you boot your system without your Librem Key inserted, you will get a warning. This gives you an opportunity to insert the Librem Key before pressing OK, so PureBoot can prove it hasn’t been tampered with. If you don’t have your Librem Key, you can just select “OK” to skip this warning and boot the system. However, note that you are skipping the firmware tamper detection.

Librem Key Flashes Red

If an attacker has modified the firmware, they can change the screen to make things appear normal. The value of the Librem Key is that while the screen might lie, the Librem Key won’t. If the Librem Key flashes red, it could indicate that someone has tampered with the firmware, or it could be triggered by a number of other circumstances, all caused by making changes to PureBoot:

  • Changing internal PureBoot settings

  • Adding new GPG keys to the PureBoot keyring

  • Flashing an updated PureBoot firmware

  • Resetting the TPM

If you have not made any changes to PureBoot and your Librem Key is flashing red unexpectedly, it could indicate tampering. Otherwise, if you have made some of the above changes, just follow the prompts on the screen to set a new TOTP/HOTP secret on your Librem Key.

Boot files have been modified

The most common alert you will likely see when using PureBoot occurs after you tell the system to boot. At that point PureBoot will scan all of the boot files to see if any have been modified before it boots into your OS. If any of the files it has previously signed have changed, PureBoot will show an alert that tells you which files have changed. Note that there are a number of routine tasks you will perform on your OS that will trigger this alert:

  • Updating system packages that refresh the initrd

  • Updating your kernel (which changes grub.conf)

  • Making custom changes to your GRUB configuration

PureOS reboots the system to install updates safely. When you reboot to apply updates, you can check on that first reboot, before the updates are applied, that PureBoot is still in a safe state. Then, when the system applies the updates and reboots again, if you see a PureBoot alert about modified boot files, you can be assured that it was caused by the software update.

Otherwise, if you have not updated or changed your system since the last boot and you see this alert, this could indicate that someone has tampered with your kernel or other boot files.
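
The following is an added example, not PureBoot's own code: a conceptual sketch of the kind of check described above, recording hashes of the boot files and later reporting which of them have changed. The function names, the manifest format and the sample files are assumptions made for illustration, and the signing of the recorded hashes is left out.

```shell
#!/bin/sh
# Added illustration only; not PureBoot's implementation.
# The real check works on signed records; signing is omitted here.

# Write "sha256  ./path" for every regular file under boot dir $1 to manifest $2.
record_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$2"
}

# Print "modified <path>" or "missing <path>" for each recorded file that
# no longer matches.  $1 = boot dir, $2 = previously recorded manifest.
changed_files() {
    cur=$(mktemp) || return 1
    record_manifest "$1" "$cur"
    # A manifest line is 64 hex digits, two separator characters, then the path.
    awk '{ hash = substr($0, 1, 64); path = substr($0, 67) }
         FILENAME == ARGV[1] { old[path] = hash; next }
         { now[path] = hash }
         END { for (p in old) {
                   if (!(p in now)) print "missing " p
                   else if (now[p] != old[p]) print "modified " p } }' "$2" "$cur" |
        LC_ALL=C sort
    rm -f "$cur"
}

# Constructed sample: a throwaway "boot" directory, then a simulated update.
demo() {
    boot=$(mktemp -d) && manifest=$(mktemp) || return 1
    printf 'kernel-1\n'    > "$boot/vmlinuz"
    printf 'initrd-1\n'    > "$boot/initrd.img"
    printf 'menuentry 1\n' > "$boot/grub.conf"
    record_manifest "$boot" "$manifest"        # state when the files were recorded
    printf 'initrd-2\n'    > "$boot/initrd.img" # package update refreshed the initrd
    printf 'menuentry 2\n' > "$boot/grub.conf"  # kernel update changed grub.conf
    changed_files "$boot" "$manifest"
    rm -rf "$boot" "$manifest"
}

demo
```

The unchanged kernel is not listed; only the two files touched by the simulated update are reported, which is the pattern to expect after a routine update.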