Locked myself out changing TPM password

I went with 2: Build firmware update from source.
Accepted defaults.
For git username and email, I just hit enter. I think it ignored that.
It is building now.

Any idea how long this will take?

@jonathon.hall Are you around to help?

Going to Flash the BIOS now. Wish me luck!

Stuck here.
Going to assume I picked the wrong device for default boot.
Instructions said I could change that. Will reboot to enter bios and pick other device.

I selected 1) since that seems to be the only viable option.
Pretty sure the laptop has an M.2 and an SSD.
OS likely on the one it is not seeing.

The OS is installed on a LUKS partition. That shouldn’t be an issue.

I am stuck.

OK. I went to this menu again, but this time, I just went to change the boot order.
Flashed the bios again. Rebooted. It still won’t boot from hard disk.

What do I do next?


Stuck here.

@Eric_Stanek Sorry, looks like you went down a rabbit hole here, wish I had caught this earlier.

For your current state, it looks like GRUB is somehow not completely installed correctly. This would’ve been unnoticed in PureBoot because it does not actually execute GRUB, it just reads the config and then loads Linux itself directly. Now that you’re on SeaBIOS, it’s actually trying to run GRUB, which is not working.

You have a couple of options:

  1. Re-flash PureBoot from the PureOS Live boot (choose 1 - precompiled image - PureBoot isn’t offered for build from source from the script)
    • Then, OEM reset (it may ask you to do this automatically, if not then continue to the main menu > configuration > OEM reset)
    • Or, if you don’t need tamper detection, you can enable Basic mode
  2. If you want to stick with SeaBIOS, fix GRUB - from a live boot, chroot into your install, then install grub again. If you are not familiar with things like this, then I suggest going the PureBoot route instead :wink:

Of course, problems with /boot signatures could come from tampering. If that is a risk to you, then you need to decide whether the system is safe to use before continuing.

2 Likes

For others coming across this, the original problem was that the signature on /boot was invalid. A TPM reset shouldn’t have caused this; unfortunately we can’t figure out why it happened since the BIOS has been flashed already. This could be a sign of tampering if that is a risk for you; if you think it was caused by something else, you can re-sign /boot. If anybody has this problem in the future (and you are sure it’s not tampering), I’d suggest:

  1. Re-sign /boot
  2. If it still won’t boot (probably a bug in PureBoot, please report it), OEM reset
  3. If it still won’t boot (really report a bug like this please), flash the PureBoot ROM again from the menu, selecting to erase settings (this erases PB files from /boot, then flashes the new image preserving only your serial number, like you’d get if you were switching from SeaBIOS to PureBoot). Then it will prompt you to OEM reset.

If you want to report a bug in #2 / #3, it’ll be most helpful if you can back up the current ROM and your /boot/kexec* files, and provide any error output (photo of console is OK).

2 Likes

Now that you have flashed Coreboot, you can flash PureBoot over it instead. Choose “Update firmware using precompiled image”, then select PureBoot instead of Coreboot. Keep the power supply connected at all times during the reflashing process.

I am lost on how to proceed. But, not for the reasons described.

I started with a Librem 15v4 with Pureboot and QubesOS preinstalled.
The Librem key was shipped separately for extra security.
I then learned that it was not possible to use a USB keyboard/mouse for security reasons.
That killed my use case (I need a large monitor for my bad eyes) and while I could still connect the external monitor, the laptop would have to be immediately in front of it, so that I could use the laptop keyboard and mousepad. The ergonomics of that were terrible for continuous use for me.
The laptop then sat idle for a few years or so.
Recently, I learned it was possible to upgrade to a newer version of Pureboot / QubesOS, where I should be able to get the USB keyboard and Mouse working, albeit with added security risks - but I am willing to accept those risks.
The changes didn’t work and I ran out of time to resolve them. (I am traveling for months starting in a few days)
So, I went ahead and changed the OS to Fedora, and migrated my data and apps there from my desktop. Murphy’s Law is strong, and my desktop died right after that. Not sure if it is the power supply or motherboard. I will have to wait until spring to figure that out.
Somewhere in there, while installing Fedora on top of PureBoot, I locked myself out changing the TPM password, hence the title of this post.
By now, I had already migrated to the laptop, and could not go back to my desktop.
I really wanted to make sure the BIOS was OK, and hated that I had to use a workaround to select the boot device each time.
With instructions on how to flash the BIOS to Coreboot, I decided to first give it a try on a spare Librem 15v3 first, because I didn’t want to break the currently ‘working’ laptop.
Glad I did that, because it won’t boot now.

I am a smart guy. I consider myself advanced at Linux Sys Admin. Given what I do, I worry I am targeted to be hacked. That’s a way more risky scenario than a ‘drive by malware’ infection. Hence my interest in PureBoot/TPM/Librem Key and QubesOS.

However, it now seems I have 2 options:

  1. Have a super secure PureBoot/QubesOS laptop, because I can’t even boot it myself, let alone use a normal keyboard and mouse.

or

  2. Buy a ‘standard’ laptop, with proprietary BIOS, and install Linux.

Extremely frustrating, to say the least.

1 Like

Sorry. I can’t risk it now.

I am going to limp along with the BIOS boot device selection menu for now, and when I get to the new city, I will buy a standard laptop there.

At that point, I will have 2 laptops, and can risk trying once more with the BIOS update.

1 Like

Sure, as long as the “standard” laptop fits all of your security needs with your threat model.

What I would really hate is if this new laptop I end up buying won’t support Coreboot/PureBoot/QubesOS. Because once the dust settles, I STILL want to try and make QubesOS work.

Any recommendations? I see the ‘approved hardware’ list online, but choices there seem limited or older machines. Maybe I am wrong about that.

1 Like

To briefly summarize the situation, very few devices support Coreboot/PureBoot with Qubes OS out of the box.

I should add a few more important details:

  • The Librem 14 is the only laptop that has hardware kill switches on the list above. Every other laptop has to have the actual camera and microphone physically removed in the factory, if that is an option to begin with.
  • The Dasharo firmware has a subscription model called Dasharo Entry Subscription in order to continue supporting its development, in contrast with PureBoot, where it is already financially supported free of charge.
  • One product missing from the list, for whatever reason, is the NitroPC Pro, which is based on the FidelisGuard Z690. These are desktop products, but this information may have value if you wish to consider them.

If you like the idea of acquiring the Librem 14, but do not want to wait for it due to being currently on backorder and an additional 3 week lead time, I have one I am willing to sell if you are interested.

@Eric_Stanek

Somewhere in there, while installing Fedora on top of PureBoot, I locked myself out changing the TPM password, hence the title of this post.

Ah, now I see how it got here. PureBoot signs the contents of /boot to provide anti-tampering guarantees. Installing Fedora changed /boot, so the signatures were no longer valid.

PureBoot didn’t want to boot this because /boot had been altered. It can’t tell whether you did this intentionally or the system was tampered with. Ordinarily it says this to you and asks if you want to re-sign /boot; if it failed to do this, that might be an issue that needs to be fixed. Maybe this failed in a particular way that sent you to the recovery shell.

You can have PureBoot’s anti-tampering guarantees with Fedora; you don’t have to use Qubes. Many people like to use both PureBoot and Qubes to get the security benefits of both, but they do have learning curves, and PureBoot works with most Linux distributions.

If you want to wait until you have a second computer to troubleshoot any further, I totally understand. Whenever you would like to continue, I recommend the following:

  1. Make a live USB - either PureOS or Fedora is fine (coreboot_util.sh supports Fedora)
  2. Boot the live USB and use coreboot_util.sh to flash PureBoot from the precompiled image. (You can flash firmware from your installed OS too, but this ensures the live USB actually works as a backup.)
  3. Do an OEM reset in PureBoot when it prompts you at boot

It’s best to keep the laptop plugged in while flashing, but on the off chance power goes out, it’ll continue flashing on battery. As long as your battery is charged, there is little chance of bricking.

1 Like
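The two explanations above (the invalid signature on /boot in the earlier reply, and "installing Fedora changed /boot, so the signatures were no longer valid" in this one) both come down to the same mechanism: a manifest of /boot is recorded at sign time and checked at boot time. The script below is an added illustration, not PureBoot/Heads code from Purism. It models only the hash-manifest half of that check: real PureBoot additionally GPG-signs the manifest with the key on the Librem Key, which is omitted here so the script runs without any key material. The fake /boot directory, its file contents and the `kexec_hashes.txt` name used here are constructed for the example.

```shell
#!/bin/sh
# Added example (not Purism/PureBoot code): a minimal model of how a
# signed-/boot scheme notices that /boot was changed, e.g. by an OS install.
# Real PureBoot (Heads) records hashes in /boot/kexec_hashes.txt and then
# GPG-signs that file; the signing step is left out here (assumption).
set -eu

# Build a constructed stand-in for /boot in a temporary directory and print its path.
make_fake_boot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/grub"
    printf 'vmlinuz-old\n' > "$dir/vmlinuz"
    printf 'initrd-old\n' > "$dir/initrd.img"
    printf 'menuentry "Linux" { linux /vmlinuz }\n' > "$dir/grub/grub.cfg"
    printf '%s' "$dir"
}

# "Sign" /boot: record a SHA-256 hash for every file under it, except the manifest itself.
# This is the state PureBoot's "re-sign /boot" prompt recreates after a legitimate change.
sign_boot() {
    boot=$1
    (cd "$boot" && find . -type f ! -name 'kexec_hashes.txt' | sort \
        | xargs sha256sum > kexec_hashes.txt)
}

# Verify /boot against the manifest. Returns 0 if nothing changed, 1 otherwise.
verify_boot() {
    boot=$1
    (
        cd "$boot" || exit 1
        # 1. Every recorded file must still hash to its recorded value
        #    (catches a replaced kernel, initrd or grub.cfg).
        sha256sum -c kexec_hashes.txt >/dev/null 2>&1 || exit 1
        # 2. No files may have been added: an installer dropping in a new kernel
        #    would pass step 1, since the manifest never mentioned that file.
        expected=$(awk '{print $2}' kexec_hashes.txt | sort)
        actual=$(find . -type f ! -name 'kexec_hashes.txt' | sort)
        [ "$expected" = "$actual" ]
    )
}

# Walk through the scenario from the thread: sign, install a new OS into /boot, verify.
demo() {
    b=$(make_fake_boot)
    sign_boot "$b"
    verify_boot "$b" && echo "fresh manifest: /boot verifies"
    printf 'vmlinuz-fedora\n' > "$b/vmlinuz"       # a distro install rewrites the kernel
    verify_boot "$b" || echo "after install: /boot NO LONGER verifies (expected)"
    sign_boot "$b"                                 # the "re-sign /boot" step
    verify_boot "$b" && echo "after re-sign: /boot verifies again"
    rm -rf "$b"
}

demo
```

The point for a defender is the one made in the thread: the check cannot distinguish a legitimate install from tampering, it only reports that /boot differs from what was signed. Re-signing is the right answer only once you have decided the change was yours; the added-file check in step 2 is why a mere `sha256sum -c` over the old manifest is not enough on its own.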

Good points. Thanks for the reminder. Sorry, but a 14" screen is way too small for my eyes, even on a temp basis while I connect to a separate monitor. Getting old sucks.

1 Like

Thank you again for the feedback. For the little time I had to play with QubesOS on the Librem 15v4, I did notice it was a bit sluggish. That makes sense. QubesOS spinning up VMs for apps is designed for security, not resource efficiency. So, perhaps if I get a new extremely powerful laptop, QubesOS will be much snappier. Of course, I will have lots of research to do to make sure the hardware is compatible etc.

I will revisit this thread in a few weeks when I am settled in the new city. Thanks everyone!

1 Like