Librem V4, Qubes, Heads and Librem Key

Hi @randy.rowland,

I ran this for my root drive and it works fine. I’m curious if it would work on newly added SSD devices.

@solr1, you ran the smartcard-key-luks script on QubesOS?

The script looks like it is expecting a Debian based system but dom0 is based on Fedora. With the sys-usb VM enabled on my Qubes system, my dom0 does not see the Librem Key to be able to generate the secret key.

If you are indeed using Qubes, how did you get the script or Librem Key to unlock your luks root drive?

@randy.rowland,

Actually I tried the script on PureOS. I didn’t get a chance to run this on a QubesOS.

I have a 15v4 with Pureboot, and I have been struggling with installing another OS. The OS installs (Fedora 32, Debian 10, Ubuntu 20.04, etc.), but the LK, or Heads, or whatever it is, cannot detect a /boot sector. I can’t seem to get Pureboot set up to detect and then boot from the boot drive?!

@MrChromebox, you mention in this post that “… Pureboot + LK + Qubes (or any other distro) works perfectly well”. I’m struggling with getting past PB.

I’ve reset TPM, generated new TOTP/HOTP secrets (sometimes this will fail), changed the /boot drive in the configuration settings, I’ve even tried the option of just “ignore tampering and boot anyway”, but either it gets dumped to a recovery shell, or the system hangs, or it returns me back to boot options?!

Any ideas from anyone? I’m pretty frustrated at this point. What do I need to do with Pureboot and LK to run another OS?

Thanks in advance!

Or, maybe if I can ask it more properly.
Is there a particular sequence that needs to be followed when installing a new OS on a Librem 15v4 with Pureboot?

  1. boot from USB drive to install the OS
  2. on reboot, I need to reset the TPM pwd right?
  3. Then generate a new TOTP / HOTP secret?
  4. Update the Checksums
  5. Then I should be able to use default boot right? But, this is what is not working for me. I can’t seem to get the default boot to work?

@zks1, it seems like you are in a similar situation to @kyz in his thread: ERROR Cannot mount boot. Maybe my advice to him could help you out as well; at least in your case we know it’s Pureboot with a Librem Key.

Thanks @Manuel. I read your response on the other thread.

I did play with different custom partitioning choices in trying to install the different OSes. None of them seemed to work. I would create a 1024MB partition and set its mount point to /boot. Then set the rest of the drive as a primary partition with a mount point of /

I also kept all partitions unencrypted. But, for some reason, Heads is not able to recognize or read the /boot partition. I was wondering, does it matter what bootloader is loaded in the /boot partition? Is there an incompatibility with Heads, and the GPG keys and signatures Heads checks for those partitions?

I’ve run into a similar situation when trying to install a UEFI OS onto a MBR system. I’m not sure if that’s applicable to your situation, though, as I don’t own a librem. Hopefully someone else can verify or disprove that statement.

Are Fedora 32 or Debian 10 or Ubuntu 20.04 UEFI OSes? I wouldn’t think so. These are the ones I’ve tried installing and have not been able to get past the boot screens because of the /boot partition not being readable or not finding the bootloader files PureBoot is looking for.

Depends what that means. It is more that a computer is either BIOS or UEFI, depending on its firmware (and potentially its firmware settings). An operating system installing itself under one or the other should then ideally make itself compatible.

If it helps, Ubuntu 20.04 on my computer (not a Librem laptop) has two partitions

  • 512M EFI System partition, containing a fat32 file system, mounted on /boot/efi
  • xG Linux filesystem partition, containing an ext4 file system, mounted on /

defined in a gpt partition table.

Hence note that the partition table type (MBR traditional v. GPT) is an additional variable.

The disk also contains a protective MBR, with a single partition, covering the whole disk excluding the MBR itself and with partition type EE (GPT protective MBR). (The disk is not large enough to require any additional hackery.)

1 Like
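The layout described in the post above (a protective MBR with a single type-EE entry in front of a GPT) can be told apart from a traditional MBR table by reading the first two sectors of the disk. This is an added example, not part of any post in the thread; it assumes 512-byte sectors, and both sample disks are constructed in the code.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors

def parse_mbr_entries(lba0: bytes):
    """Return (type, start_lba, sector_count) for each used MBR slot."""
    if len(lba0) < SECTOR or lba0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature in LBA 0")
    entries = []
    for i in range(4):
        raw = lba0[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = raw[4]                                # partition type byte
        start, count = struct.unpack_from("<II", raw, 8)
        if ptype != 0:                                # type 0 marks an unused slot
            entries.append((ptype, start, count))
    return entries

def classify(disk_head: bytes) -> str:
    """Classify the first two sectors of a disk as 'gpt', 'mbr' or 'empty'."""
    entries = parse_mbr_entries(disk_head[:SECTOR])
    has_gpt_header = disk_head[SECTOR:SECTOR + 8] == b"EFI PART"
    # GPT: one protective entry of type 0xEE plus a GPT header in LBA 1.
    if len(entries) == 1 and entries[0][0] == 0xEE and has_gpt_header:
        return "gpt"
    # Anything else with used slots is treated as a traditional MBR table.
    return "mbr" if entries else "empty"

def build_mbr(*parts):
    """Build a constructed LBA 0 from (type, start_lba, count) tuples."""
    sector = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(parts):
        # status, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * i,
                         0, ptype, start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed samples: a GPT disk with its protective MBR, and a
# traditional MBR disk with a 1024MB /boot partition followed by /.
GPT_DISK = build_mbr((0xEE, 1, 0x3FFFF)) + b"EFI PART" + bytes(SECTOR - 8)
MBR_DISK = build_mbr((0x83, 2048, 2097152), (0x83, 2099200, 100000)) + bytes(SECTOR)

if __name__ == "__main__":
    for name, disk in (("GPT sample", GPT_DISK), ("MBR sample", MBR_DISK)):
        print(name, "->", classify(disk), parse_mbr_entries(disk[:SECTOR]))
```
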

And that EFI partition means it’s in UEFI mode. I think the installer will tell you what it’s installing as, but it’s been a hot minute since I last installed Ubuntu (and never Fedora). If it’s there, it’ll be at the part that tells you what partitions are being created and what their mount points are.

1 Like

Thanks @kieran, yeah, on my Librem 15v4 I had the same partition structure for Ubuntu. 512M EFI and the root partition mounted on /

But, not to go down the rabbit hole of UEFI and MBR, etc., I guess my basic question in the context of this forum is: does Purism, Librem, Librem Key, Pureboot, etc. support these other OSes? In the documentation, FAQs, etc. they do state that other OSes can be installed, but is that with Pureboot or does it require coreboot / SeaBIOS? In these forum postings people have said other OSes can be installed with PureBoot and LK. So, I’m just wondering then, are there special procedures that need to be followed which just haven’t been documented? I’m not finding any documentation I can follow. Or, is it possible I do have some hardware issue with my laptop? Or have there been changes to Fedora or Ubuntu, etc. such that the latest versions of these OSes are not compatible with PureBoot and LK?

I’m just trying to understand where the disconnect is between what I have read, that it should be possible, and my own experiences.

@zks1
I think that’s the problem: you need to have a BIOS installation instead of an EFI one, since AFAIK SeaBIOS as well as PureBoot need to have the boot files provided like a BIOS setup instead of an EFI setup.
Maybe you could try the BIOS explanation described in this article; it was one of the first hits when searching for Ubuntu and BIOS installation.

The essence of freedom is choice. Purism would not be doing anything to prevent you from installing absolutely any operating system you like. However that does not and cannot mean that Purism can do much or anything to make the other operating system work.

“Support” means that Purism claims that it works and Purism would, within your consumer rights, make it so when it does not. Hence “support” really only means PureOS.

“Preventing” you from installing other operating systems is like the crappy secure boot path that some other computers have where, without getting keys loaded onto the mobo by the manufacturer, you can only install one operating system (M$); or like completely locked bootloaders on phones; or like keeping hardware interfaces secret and/or closed source, which intentionally or otherwise discourages or prevents you from using Linux or some other choice of operating system.

Purism doesn’t want to do any of that.

Pureboot and the Librem Key are an additional variable.

Maybe @2disbetter can shed light on whether Ubuntu 20.04 + Librem laptop works with Coreboot+SeaBIOS or works with Pureboot or works with both, and whether it is being used with a Librem Key etc.

1 Like

And dare I add to that also transparency. PureOS is a pure OS out-of-the-box. Namely, it is free software through and through, from the firmware to the GNU programs that come installed with it, to the desktop environment most of us use to interact with the drivers which interact with the firmware which interacts with the hardware. This ultimately means that every piece of code is available and documentation is available for the hardware.

It isn’t perfect but it’s getting there … SLOWLY > https://puri.sm/learn/freedom-roadmap/

Thanks for the link @reC, and I do agree with you and @kieran. I am excited to own a Purism product. I’m waiting on the Librem 5 also and am excited that it runs on PureOS also. I’m just trying to get to know my hardware.

I run QubesOS on my desktop and I’ve loved it and had thought of running it on the 15v4. I’m just trying to understand how to work with the Librem Key with other OSes. I’m happy to keep PureOS on the laptop and Qubes on the desktop. Just trying to figure out how best to configure my devices to meet my operational needs.

I appreciate the feedback and help!

I have a Librem Key but do not have a TPM chip, and so I’ve never even tried putting Pureboot on my L13. Sorry. :sob:

1 Like

After reading this thread I think some of the confusion is due to the multiple uses of the Librem Key:

  1. Librem Key Pureboot verification
  2. Librem Key LUKS root decryption

I already use the Librem Key with Pureboot on my system to verify boot. Will Qubes decrypt a LUKS root partition using the Librem Key?

The Qubes + LUKS custom example doesn’t address the Librem Key (as it’s a generic setup). I can create an encrypted Qubes root with LUKS, but will it then always prompt for the passphrase? https://www.qubes-os.org/doc/custom-install/#example-custom-luks-configuration

How much hacking on the process am I going to have to do to get the Librem Key working in this use case?

1 Like

That’s a good attempt at being helpful, yet it’s not. The LUKS decryption was never a problem for me, because I don’t use it(!), yet putting on new operating system(s) has been problematic. Since the world moved to x86_64 OSes, both proprietary software and FOSS have converged on UEFI. Even Apple! I’ve done a few hackintoshes and learned more about EFI than I wanted to know, first through rEFIt and then the delightful rEFInd from Rod Smith. Anyways, nearly all x86_64 OSes, not just Linux, expect the user to be dealing with EFI, even if just erasing it. Often there are options to use MBR and not GPT, but pretty much all recent Linux distro intros assume the user has Windows 10, and therefore has an EFI partition booting on their PC, even if they are not aware of it. Not using EFI; instead using the Linux distro HEADS as a replacement for EFI software, and also with each new install: resetting the TPM pwds, generating a new TOTP / HOTP secret, and updating the checksums (all of which I’ve done several times more than I desired). That’s confusing and frustrating. I don’t see anywhere in the previous posts any problem with LUKS. Nice guess that it might be a problem, but there’s no reason to think it is (four months after the actual posts and questions!). Sorry, I just couldn’t let this thread end like that. Also, I want to say, I’d rather see Librem tackle UEFI security, instead of using HEADS and/or SeaBIOS. It was a difficult transition to EFI, and for multibooting, GRUB 2 isn’t the most elegant solution (maybe you remember legacy GRUB, LILO, even BURG). I understand there are security issues, but can’t we come up with at least a pseudo-UEFI boot? Especially one that newbies can use when installing a different OS? Something that displays information, maybe, when a Linux EFI distro is booted from USB?

AFAIK Heads (under Pureboot) only works with GRUB at this point, but it is a Linux environment so booting kernels on EFI seems feasible. I see mentions of EFI in the source code. There is a dependency on grub.cfg which bit me for months because the OS installers were not generating grub.cfg if the grub-install to MBR/partition was skipped.

I came across this thread because I also wanted to use Heads/Pureboot with the Librem Key and Qubes with LUKS. This thread is the only place to find information on using Qubes with Pureboot and the Librem Key. As you are experiencing, the normal Purism response is lacking. Though they say that they have docs for Pureboot, the docs are inaccurate and incomplete in a few places, and repeated requests (to clarify, fix, or update) from myself and others have been ignored. My Librem 15 was unusable for half of 2020 and I wrestled with PureOS for the other half. I like the Purism philosophy and strategy but I fear the company is too small to effectively execute its ambitions at this time.

These reasons led me to improving docs with the upstream Heads project. The default standard at Heads is Qubes. I am adding OS install guides for other distros, including PureOS.

2 Likes