Librem 13 v4 with librem key fails verification on first boot?

I just received a librem 13 v4 with a librem key.

I put in the librem key, selected “default boot” and I get a message saying /boot/grub/grubenv failed the verification process and if I’d like to update my checksums now.

Is that expected? Do I need to set something up on the first boot?

I tried searching for documentation on this is issue, but I didn’t find anything. I feel foolish, but it seems like a disconcerting message to get with a brand new laptop.

No. But it doesn’t seem to be that bad. Here is the documentation for that file which says in the end “grub-mkconfig uses this facility to implement ‘GRUB_SAVEDEFAULT’”.

I can’t remember that there is a different use.

Anyway it would be interesting to know when and how that change took place.

You could use the rescue shell of heads to look at the disk and display information about the file using ls -l /boot/grub/grubenv to show size and filedaty and/or cat /boot/grub/grubenv to show its content.

The file should have a size of 1024 bytes and if not used contain two lines like this:

# GRUB Environment Block
#######################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################

You could even delete it to make sure there is no evil coming from it (you would have to sign for that change also).

Hi @Iwant2believe I believe you have contacted us via email today. Like i said my reply i was contacting the developers of Pureboot to check on the information you sent us.

But if you wish we can continue that in this forum thread.

Thanks Chris! The file seems harmless and it’s 1024b as expected.

From the rescue shell, I can’t delete because it’s a read only file system.

When I exit the recovery shell, it causes a kernel panic. I tried it several times and I get the same result.

Anyway, I signed the changes and pureos booted. I put in my info and on reboot initrd was changed (as expected).

So things seem fine… Still curious about why the grubenv was generated though…

You’re welcome!

Yes, you could have re-mounted /boot to make it writeable, but this way you really could have broken things to the point your notebook would’nt have been able to boot any more.

Maybe this is a bit tinfoil-y, but are you sure your computer wasn’t tampered with and that’s why the librem key failed to authenticate?

He didn’t even state he paid for anti interdiction services. The wording seems to imply both parts came in one shipment. Which makes me think the key was not “paired” with the laptop beforehand.

Maybe so, and I’m sure that happens. Call me paranoid, but I’d reinstall if it failed to authenticate upon unboxing.

1 Like

@Gavaudan you’re paranoid :wink:

But I’m with you, reinstall seems a reasonable course of action.

I mean, maybe so :sweat_smile:. I like to think of it as a practice run in case something actually DOES happen.

1 Like

What I meant was, if you don’t pay for the service you just get two unpaired devices and can’t expect to get a green light on first boot, as nobody prepared that. It’s not automatic.

With the message asking to update the checksum the implication is that they were paired and are out of sync. I would expect a non-paired combination to give a different message that is less ambiguous, though you are right that it is a possibility.

Oh I see, I wasn’t aware that they weren’t already “paired” unless the service was purchased.

A lot of good feedback and food for thought! Some additional commentary…

  1. From their docs, https://docs.puri.sm/PureBoot/GettingStarted.html, it seems like I should not have received any warnings

Once you select “Default boot” the PureBoot firmware will scan all of the files in the /boot partition for any tampering and then boot into the OS. On the very first boot you should not expect to see any warnings or alerts about modified files.

  1. The key and laptop were ordered together. I didn’t see any option to get them shipped separately but that might be a good option for them to offer.

  2. I’m strongly considering reinstalling bios, but where does it end?

I would have preferred not to see any warnings. It doesn’t inspired confidence in a product purchased for privacy. That said, I don’t think what the purism folks are doing is easy and I strongly support their efforts no matter what. I want to believe we can make products that provide us with privacy to think freely.

Now to be sure, did you select the PureBoot bundle (laptop + librem key + additional usb stick), which is a precondition mentioned in the document you linked?

1 Like

Yes, that is what I selected.

This topic is discussed here and now Purism offers PureBoot Bundle Plus with separated shipping of notebook and LibremKey.

In the spirit of Positive friendly mistrust I’d suggest the following to anybody receiving one of these bundles:

  • after verifying your notebook after reception put a new GPG private key on your LibremKey to make sure you’re the only person knowing that private key
  • adjust your setup of PureBoot/coreboot to use your new GPG key pair
  • re-encrypt your disk to make sure you’re the only person knowing the masterkey for disk encryption (which is not the password you provide)

Take responsibility. Purism provides you with the fundament to really be in possession of your data, but it is your responsibility to really take it and make bullet proof that you’re the only person knowing the keys and secrets used to protect it.

BTW: Has your disk already been protected using your LibremKey when your notebook arrived? There is still no easy way I know of to validate the software on your notebook if the disk shipped unprotected - even though my argument is that changing the software is not the preferred way to get a hold of your data.

Hi Joao, any word from engineers as to why grubenv appeared? Any hypotheses as to what would cause that file to be generated?

I must have missed that option by a hair.

Your suggestions are reasonable although they take time. If I was truly responsible I’d be building my laptop by hand, but alas, I don’t have the time :wink: I also don’t think purism can make anything bullet proof. My NIC could have been replaced and there would be no way for me to know or verify that.

I don’t believe my disk was protected prior to shipment as I didn’t notice any decryption upon first login. But I don’t know that for a fact.

I asked Joao to clarify with the engineers why that file would appear.

If it would have just appeared you wouldn’t have been noticed by heads about it.

If you had the warning it existed before /boot was signed and changed before you saw the warning.