I am getting ready to download Zorin Pro OS onto the Librem 14. I have a Librem Key. Any idea if it can be safely downloaded and if there are any issues to be aware of ahead of time so that I can maintain dual boot for both Zorin and Pure OS? Thank you!
It depends on your threat model.
Since you mentioned the Librem Key, I assume that you want to use the PureBoot firmware for tamper detection? That creates a problem with dual-booting OSes on a single machine: you can have the system fully set up for only one OS at a time, because of the shared secret between the TPM and the LK HOTP-capable dongle.
Other than needing a sealed TPM secret (TOTP / HOTP) matching the one inside the USB dongle (HOTP in this case), the payload’s scripts (HEADS) use some static variables for HOTP computation, which are kept inside the unencrypted /boot partition. This static variable is increased each time there is a successful firmware measurement run and verification matched with the LK.
In other words, one or the other OS would get out of sync, and when you switch OS, HOTP would be out of sync and give you a warning for failing verification of the boot chain.
The fact is that you can guarantee tamper detection only on the OS you last sealed HOTP with.
Switching to the other OS (in case of dual-boot) would give you a warning (HOTP verification unsuccessful/error) until you re-seal the secret on this second OS once again.
Hence, you can - at one point in time - guarantee proper tamper detection on one OS; but cannot guarantee that the other installed OS was not forged in some way when you switch back to it…
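
The counter drift described in the reply above, as an added example (not code from the post, from Heads or from PureBoot): a simplified Python model in which the dongle keeps one HOTP counter and each OS keeps its own copy in its /boot. The `Dongle` and `Machine` classes, the strict check with no look-ahead window, and the fixed RFC 4226 test secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Dongle:
    """Assumed model of the USB key: one secret, one counter, no look-ahead."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def verify(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self.secret, self.counter))
        if ok:
            self.counter += 1  # advance only on a successful check
        return ok

class Machine:
    """One shared secret, plus one counter per OS /boot (assumption)."""
    def __init__(self, secret: bytes, os_names):
        self.secret = secret
        self.boot_counter = {name: 0 for name in os_names}

    def boot(self, os_name: str, dongle: Dongle) -> bool:
        ok = dongle.verify(hotp(self.secret, self.boot_counter[os_name]))
        if ok:
            self.boot_counter[os_name] += 1
        return ok

    def reseal(self, os_name: str, dongle: Dongle) -> None:
        # Resets the dongle and only the OS that was re-sealed. A real re-seal
        # would also set a new secret; it stays fixed here for reproducibility.
        self.boot_counter[os_name] = dongle.counter = 0

def simulate():
    secret = b"12345678901234567890"  # constructed sample (RFC 4226 test secret)
    dongle, pc = Dongle(secret), Machine(secret, ["PureOS", "Zorin"])
    log = [pc.boot("PureOS", dongle) for _ in range(3)]  # counters in sync
    log.append(pc.boot("Zorin", dongle))   # Zorin counter 0, dongle at 3
    pc.reseal("Zorin", dongle)
    log.append(pc.boot("Zorin", dongle))   # in sync again after re-seal
    log.append(pc.boot("PureOS", dongle))  # PureOS counter 3, dongle at 1
    return log

if __name__ == "__main__":
    print(simulate())
```

In this model a failed check only shows that the counters disagree; it does not say whether the other OS's boot files changed in the meantime, which is the gap the reply points out.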