I Have A Serious Question - Librem Key/Pure Boot

To start, I’m not asking this with a mocking or sarcastic tone. I just legitimately want to know the full intention/functionality of a feature and see if there is a part of it I’m just not fully comprehending. My question is:

What is the purpose of the Librem Key/Pure Boot?

I understand that it will “tell me if my bios has been tampered with”. But in all reality, is this useful for anything other than indicating I’ve been hacked by someone who had the specific intention of “changing my bios” - (disclaimer, I have no idea what a bios is). If my computer is physically stolen it seems that the disk encryption password would keep someone out of the system. If I was remotely hacked, this would have to happen when the computer was on, correct? So any hacking taking place would be after I’ve already booted the system with key. So I would only know something had changed after damage was done and I had reset my computer. At which point I wouldn’t know what specifically was different or who had done it, just that something had changed. Say someone hacks my computer and steals my banking info. Does this have anything to do with the “bios”? Would this in any way trigger the key to flag the computer on a boot? I’m assuming it wouldn’t.

If the Librem Key physically prevented a boot without its presence I can see how this would add an additional layer of protection to my computer following a physical theft. But I know it doesn’t function in this way.

Basically I’m just trying to understand if the key does anything other than tell me that after I’ve come home someone has cleanly broken into my house (without wrecking the place) and has changed the settings on my air conditioner without my consent. (Poor analogy, but you get the point)

Thank you in advance for your thoughts and explanations.

2 Likes

Two scenarios:

  1. You do banking, email, messaging, social media, digital asset management, etc on your computer. You have disk encryption with a really long passphrase so you feel very secure. But one day, someone tampers with your machine. They change the unencrypted part of your system responsible for booting up your encrypted system. It doesn’t take them long to do it and now your system is accessible remotely and bad people can steal your passwords and other sensitive data. And you are unaware of it, so you keep typing your passwords and doing financial transactions and other important stuff. And you eventually find out the hard way.

  2. You do banking, email, messaging, social media, digital asset management, etc on your computer. You have disk encryption with a really long passphrase so you feel very secure. But one day, someone tampers with your machine. They change the unencrypted part of your system responsible for booting up your encrypted system. It doesn’t take them long to do it and now your system is accessible remotely and bad people can steal your passwords and other sensitive data. But when you boot up your machine, it turns red and lets you know that your system was compromised. So you know not to use that laptop to do private things until you clean it up, change your account passwords and fire the sketchy housekeeper you just hired the week before.

4 Likes

For clarification, a simple explanation is that the bios is in charge of initializing the hardware and then turning control over to the operating system. It’s what runs when you hit the power button.

3 Likes

Basic Input/Output System: https://en.wikipedia.org/wiki/BIOS

Thank you. This scenario makes a lot of sense. Once you realize the knife is in you, you can remove it rather than continuing to twist it. Appreciate it.

Sure no problem. It’s something of an impossible problem to prevent tampering if someone has physical access to a machine. So this is kind of a “next best thing” approach.

1 Like

Speaking in general terms … the purpose of the whole thing is to establish a trusted boot path. What that means is:

When a computer boots, some piece of software has to run first (by definition) and as it runs it eventually loads another piece of software and transfers control to it and … until finally something loads the Linux kernel and transfers control to it.

Once the first piece of corrupt software has run, nothing after that point has any integrity. All bets are off. Therefore you must ensure that every piece of software in the boot path is uncorrupted. The first piece of software must be verifiable as uncorrupted. Before it transfers control to the next piece of software, it must ensure that the next piece of software is uncorrupted and …

You are right that it can’t exactly prevent corruption. The primary purpose is to detect corruption, so that you don’t go ahead and use a system that has been corrupted.

Depending on the exact details, it may well be able to tell you which specific file has been altered. Below that level, it probably won’t be able to tell what in that file has changed and certainly won’t be able to tell you who did it.

Clearly some piece of software has to solicit the disk encryption password from you - and by definition that software isn’t on the encrypted disk (really encrypted partition of the disk).

If that software is corrupted then it can easily store the disk encryption password away somewhere where the bad guys can get it - and then later on, no, the disk encryption password, now available to the bad guys, doesn’t keep them out of the system!

So a trusted boot path goes hand in hand with disk encryption. You need both. In a sense the trusted boot path is giving you integrity (protection against alteration) while the disk encryption is giving you confidentiality (protection against snooping). You need both.

Pureboot basically is the BIOS. Most people would think of BIOS as the code that runs out of flash memory before the first code that runs from the disk.

That isn’t what BIOS originally meant but fewer and fewer computers these days have a real BIOS.

I don’t know whether the Librem Key specifically can do this but you can certainly do that in general terms i.e. with something like an OpenPGP card where the card must be present to decrypt the disk because there is no disk encryption password as such. The password is effectively on the OpenPGP card. So in order to decrypt the disk, the OpenPGP card has to be present and you have to unlock the OpenPGP card with the PIN.

(So conceptually the PIN replaces the disk encryption password. The difference is though that you can make an unlimited number of attempts at the disk encryption password whereas the OpenPGP card will lock itself after 3 incorrect PINs, or some similar small number.)
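The "trusted boot path" described in the replies above, as an added illustration that is not code from the thread or from PureBoot itself: each stage of a constructed boot chain is hashed into a running measurement register before control would be handed on, the final value is compared against the value recorded when the machine was known-good, and a per-file manifest then names which unencrypted file was altered. The stage contents, names and the register layout are all constructed for this example.

```python
import hashlib

# Constructed sample boot path. On a real machine these would be the
# firmware in flash, the bootloader, the kernel and the initrd, i.e. the
# unencrypted pieces that run before the disk passphrase is ever typed.
GOOD_STAGES = {
    "firmware": b"constructed firmware image v1",
    "bootloader": b"constructed bootloader image v1",
    "kernel": b"constructed kernel image v1",
    "initrd": b"constructed initrd image v1",
}
BOOT_ORDER = ["firmware", "bootloader", "kernel", "initrd"]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def measure_boot(stages: dict) -> bytes:
    """TPM-style measurement register: before each stage gets control it is
    hashed and folded into the register, pcr = H(pcr || H(stage)).
    The final value therefore depends on every stage and on their order.
    The very first stage cannot measure itself; it has to be trusted by
    some other means, which is the point made in the thread above."""
    pcr = bytes(32)
    for name in BOOT_ORDER:
        pcr = sha256(pcr + sha256(stages[name]))
    return pcr


def enroll(stages: dict) -> dict:
    """Record the known-good state: final register value plus a per-file
    digest manifest. In practice this record lives outside the machine
    (e.g. on an external key) so a tampered stage cannot rewrite it."""
    return {"pcr": measure_boot(stages),
            "files": {n: sha256(stages[n]) for n in BOOT_ORDER}}


def verify_boot(stages: dict, enrolled: dict):
    """Return (ok, altered_files). The register comparison detects any
    change anywhere in the chain; the manifest then says which file."""
    if measure_boot(stages) == enrolled["pcr"]:
        return True, []
    altered = [n for n in BOOT_ORDER if sha256(stages[n]) != enrolled["files"][n]]
    return False, altered


if __name__ == "__main__":
    trusted = enroll(GOOD_STAGES)
    print("clean boot:", verify_boot(GOOD_STAGES, trusted))
    tampered = dict(GOOD_STAGES, bootloader=b"constructed bootloader that logs the passphrase")
    print("tampered boot:", verify_boot(tampered, trusted))
```

As the thread notes, this detects the alteration and names the file, but it cannot say what inside the file changed or who changed it, and it only helps if the comparison itself runs from a component the attacker could not modify.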