How to boot Debian installer from PureBoot?

@w4key The standard installer will sadly not work, and it's a problem that is out of our range.
The challenge here is kexec framebuffer passing: in order to render its interface, PureBoot has i915drmfb (Intel framebuffer direct rendering) compiled into the kernel.
So when kexec loads a new kernel, it assumes the new kernel will have it compiled in.
The problem is that the i915 driver is not even present in the Debian default initrd.
So there is no way to reinitialise the display.
Even if you choose the graphical installer, the Debian installer uses vesafb.

There is a workaround: one ISO that uses a different initrd is actually the Debian live CD, which will boot into the graphical interface and let you install the OS.

The other workaround is to temporarily reflash the BIOS to SeaBIOS, install the desired ISO, then make sure that the initrd has the drm and i915 modules embedded and set to load, then flash PureBoot back.

Sadly, securing things is not always easy; we can't force any distro to have the i915 driver embedded by default.
And actually the mechanics that allow booting one Linux from another already-running one are complicated.

We can only control the PureOS devs.
Speaking of which, @jeremiah, can we alter the PureOS default kernel to have i915 + drm compiled into the kernel instead of as modules? Currently PureOS loads those at the initrd stage, which means if there is an issue before the initrd initialises, the user is blind. (That affects only PureBoot users, as SeaBIOS users will get the display set by grub gfxpayload.)
That would be a small change in the default config:

-CONFIG_DRM=m
+CONFIG_DRM=y
-CONFIG_DRM_KMS_HELPER=m
+CONFIG_DRM_KMS_HELPER=y
-CONFIG_DRM_I915=m
+CONFIG_DRM_I915=y
-CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=m
+CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y

1 Like

Thanks for that @NineX. So basically, if I want to run Kali Linux, I need to do so from the Live USB installer?

Which is unfortunate as they got rid of that functionality some time ago (I tried to install Calamares separately on a live instance but was met with lots of errors, as you can imagine).

I shall have to find a workaround on my return. Thanks again for the help.

Well, PureBoot's primary function is to protect the firmware + the Linux installed on disk.
If you wish to run Kali as your primary system, then the problem is easy to solve: flash SeaBIOS, perform the installation.
Partition scheme MBR, 1GB /boot formatted with ext4; the rest is up to your preferences.
Then utilize Purism's coreboot_util.sh to flash PureBoot and perform signing of your /boot.
The same approach will work with other Linux distros.
If you are seeking a temporary/occasional run of Kali, then a much handier approach is to use a VM…
But that's my opinion.

What I don't get is how it is possible that a pentester/hacker doesn't know Linux basics (e.g. how to modify the kernel?).
What I mean here is: installers based on the Debian distro don't load the Intel framebuffer; they mostly use the VESA driver, which utilizes the gfx payload from grub.
It's done for best compatibility.
The challenge here is: it won't work with kexec, which is actually one of the core functionalities allowing Heads/PureBoot to load a different kernel and boot it.

PureBoot is nothing more than a small Linux fitted into the BIOS chip that does crypto-verification of the system, then loads the kernel from disk via kexec and boots it.

The Linux boot differs slightly as most of the hardware is already initialized. The i915 card will not fall back to VESA, so a Debian installer that does not load the i915 driver will simply boot with no screen.

There are 2 ways of fixing that, but both require some tampering with the installer image:

  1. Replace the kernel in the installer image with a kernel that actually has the i915 driver compiled in.
  2. Inject the i915 module and its dependencies into the initrd, and modify the startup scripts to load the i915 module.

Both approaches require some skills that the common Linux user does not have.

So the best thing I can advise is:
Temporarily reflash your device with the standard SeaBIOS-based BIOS (you can do this back and forth).
Install your preferred Linux, then flash back PureBoot.
For flashing the BIOS there is an automated tool:


That automates the whole flashing process.

If you are planning on juggling Linux distros, then PureBoot is simply not for you; then simply leave the laptop BIOS on standard Coreboot/SeaBIOS.

Note: flashing the BIOS does not void the warranty.

1 Like
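The two posts above turn on one question: does the kernel being kexec'd have i915 compiled in, or at least carry the i915 module in its initrd? The script below is an added example (not code from this thread, from Purism or from PureBoot) that answers that question from a kernel config file and an initrd listing. The sample config and initrd listings it writes are constructed inputs, not real distro files, and the function names are my own; on a real machine you would point classify_kernel at /boot/config-$(uname -r) and feed initrd_has_i915 the output of lsinitramfs.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Purism: given a kernel
# config and a listing of an initrd's contents, report whether that kernel would
# still have a display after PureBoot kexec's it (i915 built in, or the i915
# module present in the initrd), which is the failure the thread describes.
set -eu

# 0 when the option is compiled in (=y) in the given kernel config file.
config_builtin() {  # $1 = config file, $2 = option
    grep -qx "$2=y" "$1"
}

# 0 when the option is either compiled in (=y) or built as a module (=m).
config_enabled() {  # $1 = config file, $2 = option
    grep -qxE "$2=(y|m)" "$1"
}

# Print how the kernel provides the Intel display driver:
#   builtin - DRM core and i915 compiled in, display works before the initrd runs
#   module  - i915 is a module, so the initrd must carry and load it
#   missing - no i915 at all
classify_kernel() {  # $1 = config file
    if config_builtin "$1" CONFIG_DRM && config_builtin "$1" CONFIG_DRM_I915; then
        echo builtin
    elif config_enabled "$1" CONFIG_DRM_I915; then
        echo module
    else
        echo missing
    fi
}

# 0 when an initrd listing (one path per line, as `lsinitramfs initrd.img`
# prints it) contains the i915 module, possibly compressed.
initrd_has_i915() {  # $1 = file holding the listing
    grep -qE '/i915\.ko(\.(gz|xz|zst))?$' "$1"
}

# Print "display" when a PureBoot kexec of this kernel+initrd will show an
# interface, or "blind" when the screen stays dark (the thread's symptom).
pureboot_verdict() {  # $1 = config file, $2 = initrd listing file
    case "$(classify_kernel "$1")" in
        builtin) echo display ;;
        module)  if initrd_has_i915 "$2"; then echo display; else echo blind; fi ;;
        *)       echo blind ;;
    esac
}

# Constructed sample inputs (not real files from any distro) so this runs offline.
SAMPLES=$(mktemp -d)
printf 'CONFIG_DRM=y\nCONFIG_DRM_KMS_HELPER=y\nCONFIG_DRM_I915=y\n' > "$SAMPLES/config-builtin"
printf 'CONFIG_DRM=m\nCONFIG_DRM_KMS_HELPER=m\nCONFIG_DRM_I915=m\n' > "$SAMPLES/config-module"
printf 'CONFIG_DRM=m\nCONFIG_FB_VESA=y\n' > "$SAMPLES/config-novideo"
printf 'lib/modules/5.10.0-sample/kernel/drivers/gpu/drm/i915/i915.ko.xz\n' > "$SAMPLES/initrd-with-i915"
printf 'lib/modules/5.10.0-sample/kernel/drivers/video/fbdev/vesafb.ko\n' > "$SAMPLES/initrd-vesa-only"

# Real-system usage: lsinitramfs /boot/initrd.img-$(uname -r) > listing.txt
#                    pureboot_verdict /boot/config-$(uname -r) listing.txt
for cfg in config-builtin config-module config-novideo; do
    for ird in initrd-with-i915 initrd-vesa-only; do
        printf '%-15s + %-16s -> %s\n' "$cfg" "$ird" \
            "$(pureboot_verdict "$SAMPLES/$cfg" "$SAMPLES/$ird")"
    done
done
```

The "module" case is the one that matters in practice: a kernel whose config says CONFIG_DRM_I915=m is fine under PureBoot only when the distro's initrd actually ships i915.ko and loads it, which is exactly what the stock Debian installer initrd does not do.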

I consider myself educated.

So the best thing I can advise is:
Temporarily reflash your device with the standard SeaBIOS-based BIOS (you can do this back and forth).
Install your preferred Linux, then flash back PureBoot.
For flashing the BIOS there is an automated tool:

GitLab: firmware / utility (coreboot utility and updater script)

I work in security management (leadership); penetration testing is more of a hobby and something that I'm studying for personal development. Nobody can know everything.

I am sorry, I am not criticizing, just trying to open as many doors as possible to make this journey easier.

1 Like

After sticking with my workaround for a while I started on getting this device to a place where I want it, but again it wasn't as easy as I hoped and I ran into some issues.

@NineX I tried to use this tool to create a ROM to flash to coreboot, but keep getting this error:

flashrom-20211016-143117.log
flashrom v1.2-116-gc64486b on Linux 5.10.0-8parrot1-amd64 (x86_64)
flashrom was built with libpci 3.7.0, GCC 10.2.1 20210110, little endian
Command line (7 args): ./tools/flashrom/flashrom -p internal:ich_spi_mode=hwseq -w ./firmware/coreboot-librem_14-4.14-Purism-1.rom -V -o ./flashrom-20211016-143117.log
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Initializing internal programmer
Found candidate at: 00000500-00000528
Found coreboot table at 0x00000500.
Error accessing high tables, 0x100000 bytes at 0x0000000099b6d000
/dev/mem mmap failed: Operation not permitted
Failed getting access to coreboot high tables.
Using Internal DMI decoder.
Error accessing DMI Table, 0x1000 bytes at 0x0000000099b38000
/dev/mem mmap failed: Operation not permitted

I followed the commands in the guide:

mkdir ~/updates
cd ~/updates
wget https://source.puri.sm/coreboot/utility/raw/master/coreboot_util.sh -O coreboot_util.sh
sudo bash coreboot_util.sh

Selected 1 for update, 9 for Librem14, 1 for coreboot/seabios. 1 to automate serial number, Enter for default boot order.

After some research, it's pointing me down a path to start disabling things… so I'm keen to speak to the experts before I go rogue.

1 Like

Simply add iomem=relaxed to your grub boot params, either at boot time or by editing /etc/default/grub and then running sudo update-grub.

2 Likes
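The "/dev/mem mmap failed: Operation not permitted" lines in the flashrom log are the kernel's strict /dev/mem checking refusing the mapping; iomem=relaxed turns that checking off, which is why the fix above works. The script below is an added example (not from this thread, from Purism or from the coreboot utility) that adds the parameter to GRUB_CMDLINE_LINUX_DEFAULT without duplicating it and removes it again afterwards, since leaving /dev/mem relaxed permanently weakens the protection of physical memory from userspace. It works on a constructed copy of /etc/default/grub (the grub_* function names are my own); on a real system point the functions at /etc/default/grub and run sudo update-grub after each change.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Purism: edit a grub
# defaults file so that iomem=relaxed is added to (and later removed from)
# GRUB_CMDLINE_LINUX_DEFAULT without duplicating it. The parameter turns off the
# kernel's strict /dev/mem checking so flashrom can map memory; remove it once
# the flash is done so the default protection is restored.
set -eu

# Print the current value of GRUB_CMDLINE_LINUX_DEFAULT (without quotes).
grub_cmdline() {  # $1 = grub defaults file
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Rewrite the GRUB_CMDLINE_LINUX_DEFAULT line with a new value, keeping the
# rest of the file untouched (written to a temp file, then moved into place).
grub_set_cmdline() {  # $1 = file, $2 = new value
    tmp=$(mktemp)
    awk -v val="$2" '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ { print "GRUB_CMDLINE_LINUX_DEFAULT=\"" val "\""; next }
        { print }
    ' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# 0 when the parameter is already present as a whole word.
grub_has_param() {  # $1 = file, $2 = parameter
    case " $(grub_cmdline "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Add a parameter once; a second call is a no-op.
grub_add_param() {  # $1 = file, $2 = parameter
    if grub_has_param "$1" "$2"; then return 0; fi
    cur=$(grub_cmdline "$1")
    grub_set_cmdline "$1" "${cur:+$cur }$2"
}

# Remove every occurrence of a parameter, leaving the others in order.
grub_remove_param() {  # $1 = file, $2 = parameter
    new=""
    for word in $(grub_cmdline "$1"); do
        [ "$word" = "$2" ] && continue
        new="${new:+$new }$word"
    done
    grub_set_cmdline "$1" "$new"
}

# Constructed sample file (not a real /etc/default/grub) so this runs offline.
GRUB_FILE=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\nGRUB_CMDLINE_LINUX=""\n' > "$GRUB_FILE"

grub_add_param "$GRUB_FILE" iomem=relaxed      # before flashing (then: sudo update-grub, reboot)
echo "flash-time cmdline: $(grub_cmdline "$GRUB_FILE")"
grub_remove_param "$GRUB_FILE" iomem=relaxed   # after flashing (then: sudo update-grub, reboot)
echo "restored cmdline:   $(grub_cmdline "$GRUB_FILE")"
```

Adding the parameter only at the grub menu for the one boot used for flashing achieves the same thing with nothing to undo afterwards; the file-based version is for when the flash needs more than one reboot.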

Worked perfectly! Thank you.

What an amazing script, I hope putting it back to pureboot is just as easy.

Really appreciate the help.

Putting it back to PureBoot will be easy…
One point worth noting: if you have the Librem Key initialized and you have your public key on a thumbdrive…
then when you flash PureBoot, on first boot it will try to do a factory reset (that erases the Librem Key and generates new keys). As I am using the keys for more than just signing the BIOS/drive encryption… on the first screen I select cancel,
as we don't wish to reset the Librem Key.
Then add the public key to the BIOS, then reset the TPM… and that's all.

If you are not using the GnuPG key on the Librem Key for anything else, then just follow the factory reset… as it's the simplest route.

I think I broke it…

After the factory reset I get the following error…

Error importing GPG key.
gpg: Total number processed 0.

What have I done now… :roll_eyes:

Redo the factory reset.
Just pay attention to the messages. You have to generate keys; when the system asks whether to store the public key on the thumbdrive, say yes (it's important to have it later).
During the process it will reflash the BIOS with the keys stored within.

Or:
go to
options -> gpg options -> generate gpg keys manually on librem key (remember to store a copy of the public key on a thumbdrive),
then
options -> gpg options -> add gpg key to running bios and reflash.

However, the factory reset is the safest way if you are not an expert.

It means the BIOS has an empty keyring.
What you need to do is simply generate keys, then import them to the BIOS as trusted.
This is covered by the OEM factory reset.

Edit: when doing a factory reset I get an error saying:

Unable to mount USB on /media (no idea what I did to change the location)

Mount: mounting /dev/sda on /media failed: no medium found.

On the second advice's instructions:

When I go to options -> gpg options -> generate gpg keys manually on librem key.

It asks for me to type admin and then generate.

I ask it to replace the existing keys by selecting: y.

It then errors and says:

Gpg error clearing forced signature pin flag: no pinentry.

At no point did I see when I should have entered my PIN (which is currently the default).

You have to have a thumbdrive formatted FAT32 connected
to store the public key.