I put in the librem key, selected “default boot” and I get a message saying /boot/grub/grubenv failed the verification process and if I’d like to update my checksums now.
Is that expected? Do I need to set something up on the first boot?
I tried searching for documentation on this is issue, but I didn’t find anything. I feel foolish, but it seems like a disconcerting message to get with a brand new laptop.
No. But it doesn’t seem to be that bad. Here is the documentation for that file which says in the end “grub-mkconfig uses this facility to implement ‘GRUB_SAVEDEFAULT’”.
I can’t remember that there is a different use.
Anyway it would be interesting to know when and how that change took place.
You could use the rescue shell of heads to look at the disk and display information about the file using ls -l /boot/grub/grubenv to show size and filedaty and/or cat /boot/grub/grubenv to show its content.
The file should have a size of 1024 bytes and if not used contain two lines like this:
Hi @Iwant2believe I believe you have contacted us via email today. Like i said my reply i was contacting the developers of Pureboot to check on the information you sent us.
But if you wish we can continue that in this forum thread.
Yes, you could have re-mounted /boot to make it writeable, but this way you really could have broken things to the point your notebook would’nt have been able to boot any more.
He didn’t even state he paid for anti interdiction services. The wording seems to imply both parts came in one shipment. Which makes me think the key was not “paired” with the laptop beforehand.
What I meant was, if you don’t pay for the service you just get two unpaired devices and can’t expect to get a green light on first boot, as nobody prepared that. It’s not automatic.
With the message asking to update the checksum the implication is that they were paired and are out of sync. I would expect a non-paired combination to give a different message that is less ambiguous, though you are right that it is a possibility.
Once you select “Default boot” the PureBoot firmware will scan all of the files in the /boot partition for any tampering and then boot into the OS. On the very first boot you should not expect to see any warnings or alerts about modified files.
The key and laptop were ordered together. I didn’t see any option to get them shipped separately but that might be a good option for them to offer.
I’m strongly considering reinstalling bios, but where does it end?
I would have preferred not to see any warnings. It doesn’t inspired confidence in a product purchased for privacy. That said, I don’t think what the purism folks are doing is easy and I strongly support their efforts no matter what. I want to believe we can make products that provide us with privacy to think freely.
Now to be sure, did you select the PureBoot bundle (laptop + librem key + additional usb stick), which is a precondition mentioned in the document you linked?
This topic is discussed here and now Purism offers PureBoot Bundle Plus with separated shipping of notebook and LibremKey.
In the spirit of Positive friendly mistrust I’d suggest the following to anybody receiving one of these bundles:
after verifying your notebook after reception put a new GPG private key on your LibremKey to make sure you’re the only person knowing that private key
adjust your setup of PureBoot/coreboot to use your new GPG key pair
re-encrypt your disk to make sure you’re the only person knowing the masterkey for disk encryption (which is not the password you provide)
Take responsibility. Purism provides you with the fundament to really be in possession of your data, but it is your responsibility to really take it and make bullet proof that you’re the only person knowing the keys and secrets used to protect it.
Your suggestions are reasonable although they take time. If I was truly responsible I’d be building my laptop by hand, but alas, I don’t have the time I also don’t think purism can make anything bullet proof. My NIC could have been replaced and there would be no way for me to know or verify that.
I don’t believe my disk was protected prior to shipment as I didn’t notice any decryption upon first login. But I don’t know that for a fact.
I asked Joao to clarify with the engineers why that file would appear.