PureBoot Setup
This guide walks the user through setting up a machine that relies on PureBoot to verify the authenticity of the .iso image being booted, and to ensure that the machine's firmware has not been tampered with between uses.
This guide assumes a Purism machine with a Librem Key.
Requirements
- 1 storage device
- 1 Librem Smart Card
- 1 Librem 14 computer with PureBoot firmware installed
Notes
After you complete this setup, the Librem Smart Card will be provisioned with a new GPG key pair, which will be used for signing the BIOS as well as any .iso images that will be booted using the Restricted Boot mode.
At the end of this guide you will have:
- 1 Librem Smart Card
  - With a newly generated GPG key pair
  - With a newly generated HOTP secret
- 1 storage device with the public key of the newly generated GPG key
  - This GPG key will be used to sign the .iso files booted on the machine
Steps
- Plug the Librem Smart Card into the machine.
- Turn on the machine.
- Wait for the prompt that says "Automatic boot in 5 seconds unless interrupted by keypress..."
  - Press any key.
- Select "Options -->"
  - Press Enter.
- Select "GPG Options -->"
  - Press Enter.
- Select "Generate GPG keys manually on a Librem Key"
  - Press Enter.
- Please confirm that your GPG card is inserted [Y/n]:
  - Input "Y", press Enter.
- gpg/card>
  - Input "admin", press Enter.
- gpg/card>
  - Input "generate", press Enter.
- Make off-card backup of encryption key? (Y/n):
  - Input "n", press Enter.
- Replace existing keys? (y/n):
  - Input "y", press Enter.
- PIN: (default is 123456)
  - Input the user PIN (shown here as user_pin), press Enter.
- Key is valid for? (0):
  - Press Enter.
- Key does not expire at all. Is this correct? (y/N):
  - Input "y", press Enter.
- Real name:
  - Note: You must supply at least one of "Real name", "Email address" or "Comment".
  - Input one of the values, press Enter.
- Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
  - Input "O", press Enter.
- Admin PIN: (default is 12345678)
  - Input the admin PIN (shown here as admin_pin), press Enter.
- After this step, key generation will take some time; then you will see a prompt like:
  gpg: key <ID> marked as ultimately trusted
  gpg: directory '//.gnupg/openpgp-revocs.d' created
  gpg: revocation certificate stored as '//.gnupg/openpgp-revocs.d/<ID>.rev'
  public and secret key created and signed
- gpg/card>
  - Input "quit", press Enter.
- "Would you like to copy the GPG public key you generated to a USB disk? You may need it, if you want to use it outside of Heads later. The file will show up as .asc"
  - Ensure a USB drive is connected.
  - Select "Yes", press Enter.
- "Would you like to add the GPG public key you generated to the BIOS? This makes it a trusted key used to sign files in /boot"
  - Select "Yes", press Enter.
- "Would you like to update the checksum and sign all of the files in /boot? You will need your GPG key to continue and this will modify your disk. Otherwise the system will reboot immediately."
  - Select "Yes", press Enter.
- Please confirm that your GPG card is inserted [Y/n]:
  - Input "Y", press Enter.
- After the computer reboots you will see the error "ERROR: PureBoot couldn't generate the TOTP code."
  - Select "Generate new HOTP/TOTP secret", press Enter.
- "This will erase your old secret and replace it with a new one! Do you want to proceed?"
  - Select "Yes", press Enter.
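Once the public key has been copied to the USB disk (the .asc file from the steps above), a practitioner will want to confirm that the exported key really is the key pair now living on the Librem Key before relying on it to sign .iso images on another machine. The following Python script is an added example, not part of this guide and not PureBoot or Heads code: it compares the fingerprints in the exported file (as printed by "gpg --with-colons --show-keys <file>.asc") with the three key slots reported by "gpg --with-colons --card-status". The embedded sample outputs, key IDs and fingerprints are constructed placeholders so the check runs offline; pass the path of the exported .asc file as the only argument to run it against the real card.

```python
#!/usr/bin/env python3
"""Cross-check an exported OpenPGP public key (.asc) against the key pair held
on a Librem Key / OpenPGP smart card by comparing fingerprints.

Both helpers parse GnuPG's machine-readable --with-colons output:
  gpg --with-colons --show-keys <file>.asc      (fingerprints of the exported key)
  gpg --with-colons --card-status                (fingerprints stored on the card)
The sample outputs below are constructed for this example; the key IDs and
fingerprints are placeholders, not real keys.
"""
import subprocess
import sys
from typing import Dict, List

# Constructed sample of `gpg --with-colons --show-keys pubkey.asc` for a key
# generated on-card: primary key = sign, subkeys = encrypt and auth.
SAMPLE_EXPORTED_LISTING = """\
pub:-:3072:1:0123456789ABCDEF:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:-:3072:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
sub:-:3072:1:0F1E2D3C4B5A6978:1700000000::::::a::::::23:
fpr:::::::::123412341234123412341234123412341234ABCD:
"""

# Constructed sample of `gpg --with-colons --card-status` for the same card.
# The fpr record lists the sign, encrypt and auth slot fingerprints in that order.
SAMPLE_CARD_STATUS = """\
Reader:Purism, SPC:Librem Key:0:::
version:0303:
vendor:316d:Purism, SPC:
serial:0000000000000000:
keyattr:1:1:3072:
keyattr:2:1:3072:
keyattr:3:1:3072:
cafpr::::
fpr:0000111122223333444455556666777788889999:AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:123412341234123412341234123412341234ABCD:
fprtime:1700000000:1700000000:1700000000:
"""


def exported_key_fingerprints(listing: str) -> List[str]:
    """Return every fingerprint in a --with-colons key listing, primary key first.

    In a key listing the fingerprint of an fpr record sits in field 10 (index 9).
    """
    fprs = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9].upper())
    return fprs


def card_fingerprints(card_status: str) -> Dict[str, str]:
    """Return the sign/encrypt/auth fingerprints from `gpg --card-status --with-colons`.

    The card-status fpr record carries them in fields 2..4; an empty field
    means that slot on the card is unused and is left out of the result.
    """
    for line in card_status.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            slots = ("sign", "encrypt", "auth")
            return {name: fields[i + 1].upper()
                    for i, name in enumerate(slots)
                    if len(fields) > i + 1 and fields[i + 1]}
    return {}


def exported_key_matches_card(listing: str, card_status: str) -> bool:
    """True only if the exported primary key is the card's signing key and every
    occupied slot on the card appears in the exported key material."""
    exported = exported_key_fingerprints(listing)
    card = card_fingerprints(card_status)
    if not exported or "sign" not in card:
        return False
    if exported[0] != card["sign"]:
        return False
    return all(fpr in exported for fpr in card.values())


def run_gpg(*args: str) -> str:
    """Run gpg with --with-colons and return its stdout (used only with a real card)."""
    return subprocess.run(["gpg", "--with-colons", *args],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if len(sys.argv) == 2:
        listing = run_gpg("--show-keys", sys.argv[1])
        status = run_gpg("--card-status")
    else:
        listing, status = SAMPLE_EXPORTED_LISTING, SAMPLE_CARD_STATUS
    print("match" if exported_key_matches_card(listing, status) else "MISMATCH")
```

The comparison is deliberately strict in both directions: the primary key in the file must be the card's signing slot (that is the key PureBoot adds to the BIOS and uses for /boot and .iso signatures), and no slot on the card may be missing from the file, which would indicate an export from a different or older key pair.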