Invest in the Future You Want to See. Closing Soon!

A First Public Offering of Purism Stock on StartEngine. Minimum $500.

Invest Now

Stay Protected with Librem 14’s Latest Pureboot Feature

Librem 14, Security, Software

David Hamner

Latest posts by David Hamner (see all)

The Librem 14 Pureboot bundle is pushing the envelope on security tools. Newly added to our latest PureBoot release is a feature that protects against file changes on your root filesystem. This is the same validation done on the boot partition, simply expanded to specified directories on the root filesystem. This allows you to cryptographically sign your OS files with keys in your control.

Why to Enable This Feature

Enabling this feature on boot adds a few minutes to startup but protects against many filesystem-level attacks. Our chief security officer Kyle Rankin explains how he created this feature and precisely what this does and dost not protect against.

Upgrading PureBoot

To get the new root scanning feature enabled, you’ll need to be running our latest PureBoot. If you’re running an older version, you’ll need to upgrade. To do so, download and extract the Librem-14 Pureboot ROM onto a USB flash drive. Then attach your USB to your Librem 14 and boot it.

Press any key on startup to interrupt the boot process, then select ‘options’, ‘Flash/Upgrade the BIOS’, then Select Flash the firmware with new ROM retaining all settings.

Next, select the attached USB, then select the ROM file on your USB.You’ll see a successful flash message if everything goes well. Note, the subsequent restart will take a bit of time.

How to Enable the New feature

With the BIOS updated and paired with the Librem Key, let’s start by generating new hashes for the filesystem.

Go back to options, then select Check/Update file hashes on root disk, then Update root hashes.This process will take a few minutesYou can use the same menu to “check the root hashes” for any changes that may have occurred. This is a handy way to verify your root filesystem on demand.You can also precisely control which root folders are validated by selecting options, Configuration settings, Change the root directories to hash.Enter the folders you want checked, separated with a space and without a leading slash.You can enable auto root hash checking for every boot from the same menu.Make sure to select “Save the current configuration to the running BIOS” to make the alterations persistent.Saving the settings will take about a minute to complete, and you’ll need to re-sign your boot files and regenerate your HOTP/TOTP secret.With these settings applied, your Librem 14 will now validate your root folders automatically on startup.

How to Manage the Changes

If you run updates or change a file in one of your checked root folders, you’ll get prompted about the changes the next time you boot, if you set PureBoot to scan the root file system at each boot. Otherwise the changes will only get detected the next time you run a scan. In either case you need to mark the changes as valid so you can tell the legitimate changes apart from future tampering. To do so, reboot and select options, select Check/Update file hashes on the root disk, and then update root hashes.If a bad file is detected, you’ll have the option to abort the boot and investigate.Troubleshooting could include mounting your filesystem, looking at the filesYou can also chroot into your system with a known unaltered kernel.For advice on how to handle your particular case, our support staff can walk you through possible solutions. Here is how to get in touch

Purism Products and Availability Chart

 ModelStatusLead Time 
USB Security Token Purism Librem KeyLibrem Key

(Made in USA)		In Stock
($59+)		10 business days
Learn More Buy Now
Librem 5In Stock
($999+)
3GB/32GB		10 business days
Learn More Buy Now
Librem 5 + SIMple
(4 GB Data)		In Stock
($99/mo)		10 business days
Learn More Buy Now
Librem 5 + SIMple Plus
(10 GB Data)		In Stock
($129/mo)		10 business days
Learn More Buy Now
Librem 5 + AweSIM
(Unlimited Data)		In Stock
($169/mo)		10 business days
Learn More Buy Now
Librem 11In Stock
($999+)
8GB/1TB		10 business days
Learn More Buy Now
Most Secure Laptop Purism Librem 14Librem 14In Stock
($1,370+)		10 business days
Learn More Buy Now
Most Secure PC Purism Librem Mini
Librem MiniApr 2024
($799+)		Shipping April, 2024
Learn More Buy Now
Purism Liberty Phone with Made in USA ElectronicsLiberty Phone
(Made in USA Electronics)		Apr 2024
($1,999+)
4GB/128GB		Shipping April, 2024
Learn More Buy Now
Most Secure Server Purism Librem ServersLibrem ServerApr 2024
($2,999+)		Shipping April, 2024
Learn More Buy Now
The current product and shipping chart of Purism Librem products, updated on March 26th, 2024

Recent Posts

Related Content

Tags

Advanced readers AweSIM Battery life Benchmarks and testing Boot and BIOS Chipsets and components Communications infrastructure Crowdfunding Customer Feedback cybersecurity Enterprise FLOSS applications Giving and contributing back Graphics infosec Laptops librem 5 Librem 5 USA Librem 14 Linux kernel Made in USA Electronics most secure computer most secure laptop most secure pc most secure phone Newsletter and status updates Phones Power management Press Privacy Product or service launch PureOS secure computing Security Social media Software freedom Supply chain Tablets Testimonials and user stories Tips and tricks User empowerment User experience design User interaction design Videos Website
Purism

3D renders are artist renderings, for illustration purposes. Images and specifications are subject to change depending on manufacturing requirements.

Unless otherwise noted, contents created by the Purism team on this website are copyleft with a CC-by-SA 4.0 license.