Librem 14 and Librem key

Hi everyone,
Please excuse my total newness to the world of the Pureboot security that my Purism laptop came with. I have a question that is probably a basic thing, but not for me.

When I got the laptop (with Qubes) it booted up properly with the Librem Key. It did its blinking, then blinked green etc. and I was satisfied that everything was ok. Since then I’ve been using the laptop, not using the key to boot up, just skipping the process. I’ve been configuring the laptop with the restoration of some qubes from my other machine, I have updated things (e.g. from Fedora 34 to Fedora 36) and added a little bit of software. Not that much really.

So now when I insert the Librem Key to boot it blinks red, telling me that the environment has changed. I can vouch that no one has been at my laptop as it’s been in my possession since I bought it and it has been secure.

So I follow the prompts (which I am listing from memory as I am actually using the laptop). I went into the option to refresh or renew keys, it prompted me to insert the GPG card (which I assume is my Librem Key), and it accepts the password for this and it progresses after I have confirmed that the keys etc. are ok. Eventually I get back to the boot sequence again and things progress but the blinking red light does not go away, even on a reboot.

Now, I am no expert at all on this stuff. But I do like the idea of being able to verify the integrity of the boot environment. I have checked out the Pureboot documentation which really didn’t help me with my skills.

Does anyone have any idea as to what I need to do to get this key to blink green to verify things are ok?

Thanks for any help I may get.

Can you find in the documentation a section about re-signing the boot files? I believe that is what you need.

But I will also add that if you aren’t using the key all the time then you’re really not getting any use out of it. If an attacker has messed with your boot files and then you update the kernel or something, how will you really know why it’s blinking red now?

1 Like

This. It is really important you use the key at every boot. The fact you are using Qubes suggests your privacy is important and the key is an important component of this. Basically, assuming your machine has not been interfered with, after each time Dom0 updates in Qubes you will need to re-sign the boot files, otherwise it will continue to blink red, instead of green.

1 Like