New computer - downloaded updates - ERROR on boot

Hi there

Can you help? This has just arrived, loaded up fine, I then downloaded the automatic updates and when the computer restarted the following dialogue box appeared:

“ERROR: Boot Hash Mismatch
The following files failed the verification process: /boot/initrd.img-4.19.0-5-amd64
This could indicate a compromise!
Would you like to update your checksums now?”

I hit NO. Can you advise on recommended next steps to avoid any compromise? What steps need to be done? Am new to linux and Purism OS and the computer has just arrived so step by step instructions pls. Definitely want to avoid compromise…

Any help would be greatly appreciated
Thank you v much in advance
Kind regards, T

It’s probably a good idea to email support@puri.sm about this, I think they usually answer fairly soon.

yep, just sent them an email too. Waiting to hear back…thanks

I believe this is a feature of Purism’s boot security stack called Pureboot. Basically, the system monitors all changes to the system and compares against the previous state, because changes could be indicative of a malicious attack where someone added/modified the code to spy on you, etc.

However, normal system updates will also change the files. So since you know that you ran a system update, you can know with reasonable certainty that the changes were caused by you, and are thus safe.

In this case, you DO want to update your checksums, so that these changes get “approved” by you.

4 Likes

I think @wctaylor described it accurately - what you’re seeing is Pureboot in action, specifically the ‘heads’ element. Heads is a “secure BIOS replacement that provides tamper-evident features to detect when the BIOS or important boot files have been modified” and is part of Pureboot along with coreboot.

What’s happening is that you’ve updated important boot files on your system, perhaps grub or the kernel, and consequently those files have new checksums. Heads uses the checksums to help detect tampering but it cannot tell the difference between an intended file change and a malicious file change, so it asks you if you approve of the changes. Updating the checksums is your way of telling heads, “yeah, I just updated some boot files, please update the checksums.”

If you hadn’t mentioned that you just updated, I would be much more suspicious, but you in fact should see such messages as you did - it means heads is working.

2 Likes
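
As an added illustration of the check described in the posts above (not Heads' own code and not part of the original thread): a manifest of SHA-256 hashes is recorded for the approved boot files, an update rewrites the initrd, and verification reports that file until the manifest is rebuilt. The directory and file contents are constructed stand-ins for /boot, the choice of SHA-256 is an assumption of this example, and the signing step behind the GPG PIN prompt is not modelled.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large initrd images are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(boot_dir: Path) -> dict[str, str]:
    """Record the approved state: relative path -> SHA-256."""
    return {
        str(p.relative_to(boot_dir)): hash_file(p)
        for p in sorted(boot_dir.rglob("*")) if p.is_file()
    }


def verify(boot_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current files with the approved manifest."""
    current = build_manifest(boot_dir)
    return {
        "changed": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unlisted": sorted(f for f in current if f not in manifest),
    }


def demo() -> list[dict[str, list[str]]]:
    """Constructed stand-in for /boot: verify, 'update', verify, re-approve."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp)
        (boot / "vmlinuz-4.19.0-5-amd64").write_bytes(b"constructed kernel")
        initrd = boot / "initrd.img-4.19.0-5-amd64"
        initrd.write_bytes(b"constructed initrd, before update")
        manifest = build_manifest(boot)          # state the owner approved
        before = verify(boot, manifest)          # clean boot
        initrd.write_bytes(b"constructed initrd, after update")
        after = verify(boot, manifest)           # the "Boot Hash Mismatch" case
        manifest = build_manifest(boot)          # answering "yes, update checksums"
        approved = verify(boot, manifest)
        return [before, after, approved]


if __name__ == "__main__":
    for label, result in zip(("before update", "after update", "after re-approval"), demo()):
        print(label, result)
```

The comparison reports which file changed, not why it changed; that judgement is the question the dialogue puts to the user.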

Maybe the message is not quite right, based on one new user’s experience.

Random suggestion:

“WARNING: Boot Hash Mismatch
The following files failed the verification process: /boot/initrd.img-4.19.0-5-amd64
This could indicate a compromise! or it may be that you just applied updates to your system.
Would you like to update your checksums now?”

I wonder also whether this impacts on the release strategy (fixed interval + required security updates v. rolling). The more updates, the harder it will be for the user to keep track of “oh, did I just apply updates to my system?”, bearing in mind that it may only be on the next boot that the hash mismatch is highlighted. People may be using standby or hibernate that may increase the delay between update and boot.

I wonder whether it would be possible for the updater to be more strident if and where it detects that hashes will have been invalidated and encourages the user to reboot immediately, rather than leaving it until later, which will often be more convenient for the user.

1 Like

Thank you very much for the response, much appreciated. I did try to go ahead and update checksums and was asked to enter GPG PIN. Not sure I entered the right PIN - was a tad confused what it referred to (login password, Librem admin PIN 123456, etc). I tried rebooting again with the Librem Key PIN and got the following messages… am new to Linux and this OS and not sure how to interpret it at this stage. I’ve definitely had multiple computer inferences (hence switching computers) so not sure if this is normal or malicious already. Am trying to set it up and get things working… can you help? Attached are the screen grabs

Thanks so much again
T