How to recover from tampering/carelessness in /boot?

Hello, I got a new Librem laptop with pureboot, and in my excitement to try it out, I did something careless:
0. Didn’t start by reading any instructions :stuck_out_tongue:
1. Did the PureOS setup at first boot, which modifies /boot/initrd(blahblah)
2. Restarted and immediately tried the USB Boot with an Ubuntu live usb
3. Tried to boot PureOS again and was confronted with the “boot hash mismatch” error.

As I understand it, I SHOULD have gotten the message at step 3, since step 1 modified the boot image. But I don’t think I have a way to be sure that the boot image wasn’t also changed by step 2.

Is there a way to revert back to the starting state to have pureboot verify the system again? It’s my understanding that a factory reset won’t do this, because it assumes whatever is on /boot at the time of reset is trusted. Seems like my only option is to choose a method of PureOS installation that I trust and reinstall. But maybe there is some audit trail or signature somewhere showing that the boot image change came from PureOS? Or maybe are the images that ship with the laptop available for download so I could replace it and the hash would match again?

This isn’t a huge problem for me, since the live Ubuntu USB I booted is the one I already trust with my privacy, but if nothing else this is an interesting exercise in how to recover from ANY sort of suspected tampering or mistake.

Thank you!

Restart without Librem Key, get into PureBoot menu, insert your Librem Key and Vault at this point, from the PureBoot menu choose
Options → Update checksums and resign /boot files

Thanks! I’m more wondering if there is a recommended way to verify or revert the initrd changes, since I currently am not sure exactly which step(s) changed it. Restarting the initial setup procedure wouldn’t be a problem for me.

Just found symlinks in the encrypted root volume for initrd.img and initrd.img.old, but they both point to the same image file in /boot

Just found that, in the encrypted root volume, /var/lib/initramfs-tools/(whatever-version) contains a sha1sum of the updated initrd, which matches what’s currently in my /boot.

Good enough for me!
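The manual comparison described in the post above, scripted as an added example (not code from the thread or from Purism). It assumes the Debian/PureOS initramfs-tools layout, where update-initramfs writes a `sha1sum` line for `/boot/initrd.img-<version>` into `/var/lib/initramfs-tools/<version>`; both directories are parameters so the check can be run against a root volume mounted from a live system.

```shell
#!/bin/sh
# Compare the sha1 that update-initramfs recorded for each initrd it generated
# (/var/lib/initramfs-tools/<version>) with the sha1 of the image currently in
# /boot. Prints one OK/MISMATCH/MISSING line per version and returns non-zero
# if any image is missing or differs from the recorded hash.
# Arguments (assumed layout): state dir, boot dir. Defaults are the live paths.
check_initrd_hashes() {
    state_dir="${1:-/var/lib/initramfs-tools}"
    boot_dir="${2:-/boot}"
    status=0
    for record in "$state_dir"/*; do
        [ -f "$record" ] || continue
        version=$(basename "$record")
        # Record format is the sha1sum output line: "<hash>  <path>"
        recorded=$(cut -d' ' -f1 "$record")
        image="$boot_dir/initrd.img-$version"
        if [ ! -f "$image" ]; then
            echo "MISSING  $image"
            status=1
            continue
        fi
        actual=$(sha1sum "$image" | cut -d' ' -f1)
        if [ "$recorded" = "$actual" ]; then
            echo "OK       $image"
        else
            echo "MISMATCH $image (recorded $recorded, actual $actual)"
            status=1
        fi
    done
    return $status
}

# Run only when paths are given, e.g. for a root volume mounted under /mnt:
#   check_initrd_hashes /mnt/var/lib/initramfs-tools /mnt/boot
[ "$#" -eq 0 ] || check_initrd_hashes "$@"
```

A match only shows that /boot holds the initrd that update-initramfs generated on this system; it does not replace re-signing /boot from the PureBoot menu.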