Warnings and alerts

Overview

Tip

If you see an alert, don’t panic! Follow the prompts to resolve it.

The normal operation of PureBoot is relatively hands-off, much like traditional GRUB systems: just turn on the computer, press Enter, and your system boots. Behind the scenes, though, PureBoot performs a number of tests to detect tampering on the system. Routine tasks like updating the software on your system can trigger a tampering warning, so if you do see a warning or alert, don’t panic! Just read and follow the instructions on the screen. This section covers some of the most likely alerts you will see, what they mean, and how to respond to them.

Librem Key is not Inserted

If you boot your system without your Librem Key inserted, you will get a warning. This gives you an opportunity to insert the Librem Key before pressing OK, so PureBoot can prove it hasn’t been tampered with. If you don’t have your Librem Key, you can just select “OK” to skip this warning and boot the system. However, note that you are skipping the firmware tamper detection.

Librem Key Flashes Red

If an attacker has modified the firmware, they can change the screen to make things appear normal. The value of the Librem Key is that while the screen might lie, the Librem Key won’t. If the Librem Key flashes red, it could indicate that someone has tampered with the firmware, or it could also be triggered by a number of other circumstances–all caused by making changes to PureBoot:

  • Changing internal PureBoot settings

  • Adding new GPG keys to the PureBoot keyring

  • Flashing an updated PureBoot firmware

  • Resetting the TPM

If you have not made any changes to PureBoot and your Librem Key is flashing red unexpectedly, it could indicate tampering. Otherwise, if you have made any of the above changes, just follow the prompts on the screen to set a new TOTP/HOTP secret on your Librem Key.

Boot files have been modified

The most common alert you will likely see when using PureBoot occurs after you tell the system to boot. At that point PureBoot will scan all of the boot files to see if any have been modified before it boots into your OS. If any of the files it has previously signed have changed, PureBoot will show an alert that tells you which files have changed. Note that there are a number of routine tasks you will perform on your OS that will trigger this alert:

  • Updating system packages that refresh the initrd

  • Updating your kernel (which changes grub.conf)

  • Making custom changes to your GRUB configuration

PureOS reboots the system to install updates safely. When you reboot to apply updates, you can confirm on that first reboot that PureBoot is still in a safe state before the updates are applied. Then, when the system applies the updates and reboots again, if you see a PureBoot alert about modified boot files, you can be assured that it was caused by the software update.

Otherwise, if you have not updated or changed your system since the last boot and you see this alert, this could indicate that someone has tampered with your kernel or other boot files.

Tampering suspected - Investigate

If PureBoot alerts you to modified boot files and you do not believe the changes were the result of system updates or changes you know you made, the next steps to take will depend on your threats. First, make a note of the suspected files PureBoot is warning you about for later (we recommend writing them down).

PureBoot provides a recovery shell to investigate the boot files of the compromised system. The recovery shell is limited to a small subset of Linux command line tools, including a text editor.

If additional tools are needed, we recommend booting from a USB disk, such as the PureOS live install media, and using the tools provided within PureOS. To start, mount the /boot partition and inspect the files that PureBoot told you about.

  1. Create a directory to mount to.

    sudo mkdir /mnt/boot

  2. Identify the OS boot partition with the command lsblk. The partitions may not be labelled, so you may need to use other context clues to help. In PureOS, the boot partition will show 1.1G in the size column. Typically, this will be nvme0n1p1 for NVMe drives and sda1 for SATA drives, though double-check to ensure this is correct.

    pureos@pureos:~$ lsblk
    NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
    loop0         7:0    0  1.6G  1 loop /rofs
    sr0          11:0    1  1.6G  0 rom  /cdrom
    zram0       253:0    0  7.8G  0 disk [SWAP]
    nvme0n1     254:0    0   15G  0 disk
    ├─nvme0n1p1 254:1    0  1.1G  0 part
    └─nvme0n1p2 254:2    0 13.9G  0 part

  3. Mount the boot partition, using the device you identified in the previous step (sda1 in this example).

    sudo mount /dev/sda1 /mnt/boot
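One way to work through the files PureBoot listed once the boot partition is mounted, shown as an added example that is not part of PureBoot or of Purism's documentation: hash each flagged file and compare it with a known-good copy. The function name check_boot_files, the reference directory layout and the sample file names are assumptions made for illustration; mounting with -o ro keeps the inspection itself from writing to the partition.

```shell
#!/bin/sh
# Added example: classify the files PureBoot flagged by comparing each one
# with a known-good copy. Mount the boot partition read-only first, e.g.
#   sudo mount -o ro /dev/<boot-partition> /mnt/boot
# Assumption: REF_DIR holds copies you extracted yourself from trusted
# packages, laid out with the same relative paths as the boot partition.

# check_boot_files BOOT_DIR REF_DIR FILE...
# Prints "<verdict> <file> <sha256 or ->" per file; returns 0 only if all match.
check_boot_files() {
    boot_dir=$1; ref_dir=$2; shift 2
    rc=0
    for f in "$@"; do
        if [ -L "$boot_dir/$f" ]; then
            # A symlink could point outside the mounted partition; do not follow it.
            echo "SYMLINK $f -"; rc=1; continue
        fi
        if [ ! -f "$boot_dir/$f" ]; then
            echo "MISSING $f -"; rc=1; continue
        fi
        sum=$(sha256sum "$boot_dir/$f" | cut -d' ' -f1)
        if [ ! -f "$ref_dir/$f" ]; then
            echo "NO_REFERENCE $f $sum"; rc=1
        elif [ "$sum" = "$(sha256sum "$ref_dir/$f" | cut -d' ' -f1)" ]; then
            echo "MATCH $f $sum"
        else
            echo "DIFFERS $f $sum"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample data (not real boot files) so the function can be tried
# without touching a real disk.
constructed_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/boot/grub" "$d/ref/grub"
    echo "kernel-a" > "$d/boot/vmlinuz"; echo "kernel-a" > "$d/ref/vmlinuz"
    echo "initrd-changed" > "$d/boot/initrd.img"; echo "initrd" > "$d/ref/initrd.img"
    echo "menu" > "$d/boot/grub/grub.cfg"
    ln -s /etc/hostname "$d/boot/config"
    status=0
    check_boot_files "$d/boot" "$d/ref" vmlinuz initrd.img grub/grub.cfg config missing.img || status=$?
    rm -rf "$d"
    return "$status"
}

if [ "${1:-}" = "--demo" ]; then constructed_demo; fi
```

Run it with --demo to see all five verdicts on the constructed data. A DIFFERS result only tells you the file is not the reference copy; whether that is an update or tampering still depends on what you know changed.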

Feel free to contact our Support department (support@puri.sm) for additional help. We can even reflash your system to a factory state!

Tampering suspected - PureBoot

If you suspect PureBoot itself was tampered with, you can create a copy of the version of PureBoot on the system with the flashrom tool and inspect it directly.

To recover from a compromised PureBoot, we recommend reflashing the PureBoot firmware before reinstalling an OS, such as PureOS, on your device. The most secure solution is to reflash the boot firmware with hardware, if possible. If you are unable to reflash PureBoot with a hardware flasher, you can use the coreboot utility script; in that case, we recommend running it from a live PureOS environment booted from a USB drive.

Afterward, you should reset your Librem Key from PureBoot.

As an extra precaution, we recommend reinstalling your OS on top of this.

Tampering suspected - Operating system

1. Create backup of personal files.

Option 2: Bypass PureBoot warning

We do not recommend bypassing the warnings to boot the OS if you suspect it has been tampered with. However, you can do this if you understand the risk and have no other way to back up your personal files. If the OS has been tampered with, be aware that the tampered OS will have access to everything you do once you boot it, including observing passwords, connecting to your network and the Internet, and altering storage devices.

2. Reinstall the OS.

Please follow the steps to reinstall PureOS from the link provided.