Heads: Updating TPM after coreboot update


#1

I updated coreboot and didn’t remember I’d need the admin password for my LibremKey. As I didn’t remember that instance I continued without entering my admin key.

As expected now heads complains that my notebook has been tampered with and the LibremKey is blinking red. Amazing piece of software!

Now I came around to look up my admin password for my LibremKey and wanted to update it, but I didn’t find an option that sounded promising in the heads menu.

Do I have to update again to get the dialogue asking for my admin key, did I misunderstand the whole concept or did I oversee the correct menu entry?


#2

See here: https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#change-or-unblock-a-pin-on-the-librem-key

You need to boot into OS level to change the admin PIN of your Librem Key.


#3

I didn’t loose the admin password. I just didn’t enter it when updating coreboot and now my LibremKey complains blinking angrily red about the changed firmware.

I didn’t find a way in heads menu to have it ask me again for my LibremKeys admin password which I now remember.


#4

Hm, coreboot?

Okay, when the system boots you will see the main menu (if you don’t see some kind of error or warning, if you see an error or warning you will have the option to ignore and go to the main menu). At the main menu the top option is “Default boot” but under that is “Settings” and selecting that will open a new menu where you should see an option that says “OEM Factory Reset”.
You should insert your Librem Key and your “Vault” USB (“Librem Drive” USB key) key that came with the laptop, and select that option.


#5

Thanks! I had already seen that, but chosen not to use it. If you look at the picture…

…the warning/explanation says that it would erase my GPG keys on the LibremKey. But I do not want to erase my GPG key since I’m using that key for other stuff, too.


#6

There should be an option to update pgp key stored in bios. I will reboot into pureboot to check it :slight_smile:

It is in Options->GPG options->Replace key & reflash


#7

Default admin password should be 123456. Was for me anyway.


#8

Default? That should be the only password. Very secure. /s


#9

Thanks, this worked - even though from the output on the screen I feared it would have changed my private keys on the LibremKey, but they seem to be o.k.


#10

If it asks you to generate a new key pair, it might means you forget to give it your public key.