Hello, I got a new Librem laptop with pureboot, and in my excitement to try it out, I did something careless:
0. Didn’t start by reading any instructions
- Did the PureOS set up at first boot, which modifies /boot/initrd(blahblah)
- Restarted and immediately tried the USB Boot with an Ubuntu live usb
- Tried to boot PureOS again and was confronted with the “boot hash mismatch” error.
As I understand it, I SHOULD have gotten the message at step 3, since step 1 modified the boot image. But I don’t think I have a way to be sure that the boot image wasn’t also changed by step 2.
Is there a way to revert back to the starting state to have pureboot verify the system again? It’s my understanding that a factory reset won’t do this, because it assumes whatever is on /boot at the time of reset is trusted. Seems like my only option is to choose a method of PureOS installation that I trust and reinstall. But maybe there is some audit trail or signature somewhere showing that the boot image change came from PureOS? Or maybe are the images that ship with the laptop available for download so I could replace it and the hash would match again?
This isn’t a huge problem for me, since the live Ubuntu USB I booted is the one I already trust with my privacy, but if nothing else this is an interesting exercise in how to recover from ANY sort of suspected tampering or mistake.
Thank you!