Locked myself out changing TPM password

Changed my TPM password from default factory setting with:

Options → TPM/TOTP/HOTP Options → Reset the TPM

Then I followed the prompts.

Now I can’t boot, and it throws me to the recovery shell. See attached. Please advise.

Thanks.

Do you have a PureOS image on a USB drive? You can use it to reflash the boot firmware with Coreboot or PureBoot, which will reset/rescue your situation assuming you can boot from USB.


Thanks for the quick response.

I did at one point. Probably still have it on USB as I very recently upgraded the PureBoot.

Will that affect my Fedora 39 install and data or the LUKS encryption?


No, it will only affect the boot firmware. If you reflash to Coreboot, then no further steps are needed, but if you want to use PureBoot again, you will need your PGP public key to sign the currently running boot firmware, generate signed hashes for /boot, and so on, which is a more involved process.


Thanks. I am out of time. Will be traveling soon. So, I guess I drop to Coreboot.

I will wait until the morning. Been a long day and I am worried I will make a stupid mistake.

Thanks.


I checked. I must have overwritten the USB that I used to flash a new version of PureBoot recently.

Can you please point me to instructions to do it?

There was a thread here somewhere, that was still me, but maybe on a different account. Just lost access to it.

PureOS:

https://pureos.net/download/

Coreboot/PureBoot:

Sorry. That seems to show how to install PureOS. That’s not what I want. I just want to get the PureBoot fixed or Coreboot installed.

Use the latter instructions then:

mkdir ~/updates 
cd ~/updates 
wget https://source.puri.sm/firmware/utility/raw/master/coreboot_util.sh -O coreboot_util.sh 
sudo bash ./coreboot_util.sh

Keep your device plugged in at all times during the reflashing process.

What are the odds I end up bricking the device?

About the same odds of a brownout or blackout happening in your geographical area without a UPS.

So, I execute those from the recovery shell?

No, the latter instructions I provided assume you already have prepared a PureOS image on a USB drive.

Looking at your photo, you use default boot, but you should be able to access Fedora by skipping the tampering check and forcing boot up by avoiding insertion of the Librem Key.

Ah. So, create a PureOS ‘Live’ image on a USB stick and boot to that, but don’t install it. Just open a terminal and then execute those commands to flash Coreboot.

I will try booting without the tampering key now. Think I already tried that though.


Correct, having a PureOS image on a USB drive is useful for troubleshooting purposes such as your situation; I use mine frequently for firmware updates or other low-level tasks.

This highlighted selection?


Yes, you should be able to input your LUKS password after selecting Fedora.

That worked!

Thanks for your help! I need to get sleep. Will work on this more in the AM.

Good night.


Which selection?
1 or 2?

I have a spare laptop I am trying this on first.
Main laptop is Librem 15 v4, but this should work the same I assume.