Hi again! Things have been busy on the PureBoot front since our last blog post on overall coreboot progress. – and we can prove it: we now have a video that walks us through the complete PureBoot demo we showed for the first time at SCALE a few weeks ago.
The video, as you can see, starts with powering on the Librem Laptop with a Librem Key inserted. PureBoot then starts by checking the firmware for tampering and authenticating itself to the Librem Key, which blinks green to indicate the system is safe.
Next we select the Default Boot option, and PureBoot scans the /boot directory for any tampering – and if and when it doesn’t find any, it starts booting the OS as normal.
Once the OS boots, you see a prompt show up on the screen requesting the user’s GPG PIN, which demonstrates PureBoot unlocking disk encryption using the Librem Key instead of a passphrase. We find this approach to be more convenient for the user than typing in a long passphrase; and being a 2-factor authentication, it’s more secure too.
Finally we reboot the machine and simulate tampering, by storing a new shared secret in the TPM chip without the Librem Key inserted. Once we do reboot, PureBoot detects and warns us that the Librem Key isn’t inserted. We could skip this warning and boot anyway, but we insert it and then the Librem Key flashes red to warn us that there was tampering.
In addition to the demo, we’ve also made a number of PureBoot improvements since our last blog post:
In the past you had to hard-code a specific disk device, in order for PureBoot to use when booting or using a USB disk – which was clunky, and caused some problems to those trying to set up PureBoot for the first time on a system with only an NVMe drive. Now it dynamically detects any USB disks that are present – and if more than one exists, you get a prompt; otherwise it just automatically uses the one it finds.
We’ve also added a number of cosmetic improvements to the initial boot screens, including removing or changing certain prompts that were proving confusing to some of our beta testers. We’ve also added an automated “OEM factory reset” option to the GPG menu, that will factory reset a Librem Key and then generate a new random GPG key on the device – and add it to PureBoot firmware in an automated way.
We’ve also updated the official PureBoot documentation at https://docs.puri.sm/PureBoot.html to describe how to use our new coreboot utility to pull down pre-built PureBoot firmware, so you no longer have to compile it yourself.
The introduction of pre-built PureBoot firmware has brought in a new wave of beta testers, which in turn has led to a fresh set of improvements. Each of these changes brings us closer to PureBoot being ready for general availability… we are looking forward to being able to announce PureBoot as a pre-installed, pre-configured option when buying new Librem laptops with a Librem Key very soon, so stay tuned for more Pureboot news!