.. include:: /substitutions.rst
.. include:: /urls.rst

.. _pureboot_security:

Security
========

.. _pureboot_default_secrets:

Default secrets
---------------

The following are the default passwords used for OEM devices shipped with the PureBoot Bundle:

.. important::

   It is good practice to change the default passwords for PureBoot and the Librem Key.

+-------------------------------+----------------------+------------------------------------------------------------+
| Component                     | Default PIN/password | Purpose                                                    |
+===============================+======================+============================================================+
| Librem Key |br| GPG User PIN  | **123456**           | Primary password used within PureBoot. |br| |br|           |
|                               |                      | Used to re-sign ``/boot`` files.                           |
+-------------------------------+----------------------+------------------------------------------------------------+
| Librem Key |br| GPG Admin PIN | **12345678**         | Administrative Librem Key operations. |br| |br|            |
|                               |                      | Updating the user PIN |br|                                 |
|                               |                      | Updating default GPG keys on the device |br|               |
|                               |                      | Resetting the :ref:`HOTP token `                           |
+-------------------------------+----------------------+------------------------------------------------------------+
| TPM Owner Password            | **12345678**         |                                                            |
+-------------------------------+----------------------+------------------------------------------------------------+

.. seealso:: :ref:`Changing the GPG user and admin PIN on the Librem Key `

.. _pureboot_changing_tpm_owner_password:

Changing the TPM Owner password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The TPM Owner password is used less frequently. You might be prompted for it if you flash a brand new PureBoot firmware and erase any existing settings, or when selecting a new default boot option.

The TPM must be reset to change the TPM Owner password, which erases any existing secrets. This also requires creating a new HOTP secret for the Librem Key. Select **Options → TPM/TOTP/HOTP Options → Reset the TPM** from the main PureBoot menu and follow the prompts.

.. _pureboot_changing_gpg_keys:

Changing GPG keys
~~~~~~~~~~~~~~~~~

Factory-provided GPG keys may be replaced with new ones. To do this:

#. If applicable, :ref:`set up the Librem Key and generate GPG keys and subkeys for use on the Librem Key `.
#. :ref:`Copy the subkeys over to your Librem Key `.
#. If an ASCII-armored GPG public key file (e.g. ``pubkey.asc``) has not yet been created, run:

   .. code-block:: bash

      gpg --armor --output pubkey.asc --export

   .. note::

      The GPG public key file must end with ``.asc`` for detection in PureBoot.

#. Insert a USB flash drive and copy the public key file to it.
#. Keep the USB flash drive inserted and reboot into PureBoot.
#. Select **Options → GPG Options → Replace GPG key(s) in the current ROM and reflash**. PureBoot detects any GPG public key files present on the thumb drive and presents them so you can select the one to add. Once selected, Heads replaces any existing GPG keys in the keyring with the key provided.
#. All of the files in ``/boot`` must be re-signed with the new key after the reflash and reboot. Select **Options → Update checksums** and sign all files in ``/boot``.

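The export step above leaves the ``.asc`` requirement and the content of the file unchecked until PureBoot scans the drive. The following script is an added example, not part of the PureBoot documentation: it exports the key and sanity-checks the file before it goes onto the USB drive. ``KEYID`` and ``/media/usb`` are placeholders, ``export_pubkey`` assumes ``gpg`` is installed, and the checks in ``validate_pubkey_file`` are this example's own, not PureBoot's detection logic.

```shell
#!/bin/sh
# Added example, not part of the PureBoot documentation. Exports the public
# key that PureBoot's "Replace GPG key(s)" menu picks up from the USB drive
# and checks the file before it is copied over. KEYID and /media/usb are
# placeholders; gpg must be installed for export_pubkey.

# Export the public key for KEYID ($1) as ASCII armor into OUTFILE ($2).
export_pubkey() {
    gpg --armor --output "$2" --export "$1"
}

# Check that FILE is something PureBoot will list and that is safe to
# leave on a thumb drive:
#   - the name ends in .asc (PureBoot only detects that suffix)
#   - it is an armored PUBLIC key block, complete with its END line
#   - it contains no private key block (a secret key must never be
#     copied to the USB drive by mistake)
# Prints the reason and returns 1 on any failure, 0 when the file is fine.
validate_pubkey_file() {
    f="$1"
    case "$f" in
        *.asc) ;;
        *) echo "reject: $f does not end in .asc"; return 1 ;;
    esac
    [ -r "$f" ] || { echo "reject: $f is not readable"; return 1; }
    if grep -q -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$f"; then
        echo "reject: $f contains a private key block"
        return 1
    fi
    if ! grep -q -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$f"; then
        echo "reject: $f is not an ASCII-armored public key block"
        return 1
    fi
    if ! grep -q -e '-----END PGP PUBLIC KEY BLOCK-----' "$f"; then
        echo "reject: $f is truncated (no END line)"
        return 1
    fi
    echo "ok: $f"
}

# Usage with the placeholders: export, validate, then copy to the
# mounted USB drive.
#   export_pubkey KEYID pubkey.asc \
#     && validate_pubkey_file pubkey.asc \
#     && cp pubkey.asc /media/usb/
```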
.. _pureboot_intelme:

Intel Management Engine
-----------------------

The Intel Management Engine (or ME) is a proprietary binary loaded into the firmware of all recent Intel hardware. Purism has gone to great lengths to neutralize and disable the `Intel ME`_, leaving only the code absolutely essential for the system to boot in the ME firmware binary.

.. seealso:: `Intel ME disablement `_ on Skylake/Kabylake processors