After reading some articles on the puri.sm site and the Heads wiki I understand the basic workings of PureBoot/Heads (the TPM checks the firmware, if okay it releases a secret, Heads uses the secret to generate an HOTP code, the Librem Key generates an HOTP code, and they are compared).
However, I could not quite figure out what Heads/PureBoot uses the public RSA key for.
So the Librem Key generates a keypair and the public key is incorporated into the Heads firmware, correct?
Furthermore, you are backing it up on a USB drive. For what exactly? So you can also use the keypair for other stuff?
Lastly, what files are actually signed with the public key? Is it /boot?
An RSA cryptocard can keep only the private key.
So the USB drive is to keep a copy of the public key.
If you lose the copy of the public key, and you didn’t publish it, there is no way to extract that public key from the private key stored in the RSA card… so the private key becomes useless.
The public key is being stored in the BIOS, right, but the GPG key is not only for Heads; you can use it for other stuff, so keeping the public key on a thumb drive becomes handy.
All files in /boot that take part in system bootup, so grub.config, kernel, initrd, etc.
And as opposed to my first post, it is not the public key in Heads but the signing private key on the Librem Key that is used for signing /boot. The public key in Heads is for authenticating that.
So basically the private keys in your Librem Key are only of use regarding PureBoot when /boot files change and need to be re-signed. That means most of the time you are using the Librem Key only for validation of the HOTP secret.
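The firmware-attestation half of the flow summarised above, as an added illustration that is not code from Heads, PureBoot or Purism: a TPM stand-in releases the HOTP secret only when the measured firmware matches what it was sealed against, and the firmware-side code is compared with the one the key produces. `FakeTpm`, `FakeToken` and the sealing-by-sha256 shortcut are constructed simplifications (a real TPM seals against PCR values and the Librem Key does the comparison on-device); the `hotp` function is the plain RFC 4226 algorithm.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class FakeTpm:
    """Constructed TPM stand-in: the secret is 'sealed' to a hash of the known-good
    firmware and is only released when the boot-time measurement matches it."""

    def __init__(self, good_firmware: bytes, secret: bytes):
        self.sealed_to = hashlib.sha256(good_firmware).digest()
        self.secret = secret

    def unseal(self, firmware: bytes):
        measured = hashlib.sha256(firmware).digest()
        return self.secret if hmac.compare_digest(measured, self.sealed_to) else None


class FakeToken:
    """Constructed Librem Key stand-in: shares the secret and keeps its own counter."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


def firmware_attests(tpm: FakeTpm, token: FakeToken, firmware: bytes, state: dict) -> bool:
    """Firmware-side check. state["counter"] is the firmware's own copy of the HOTP
    counter (kept here in a dict) and advances in lockstep with the key, whether or
    not the boot verifies. Modified firmware leaves the secret sealed, so no valid
    code can be derived and the comparison fails."""
    counter = state["counter"]
    state["counter"] = counter + 1
    secret = tpm.unseal(firmware)
    token_code = token.next_code()
    if secret is None:
        return False
    return hmac.compare_digest(hotp(secret, counter), token_code)
```

The `hotp` function reproduces the RFC 4226 test vectors (secret `12345678901234567890`, counters 0 and 1 give `755224` and `287082`), which is the quickest way to confirm the truncation step is right.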
I wonder, after all this hardening of systems to deepening levels over time, are we all going to end up like the guy at the end of Atlas Shrugged, because there will be no one left who remembers how to make a locomotive run? (I’m talking decades here.)
I ask this philosophically, not knowing the technical details.
That would make for an excellent thread of its own. Replying as a linked topic to reference what sparked the thought, if desired, but its own thread nonetheless.