I am in the process of installing Qubes on a new Librem 14 laptop. When I rebooted for the first time after beginning the install, I get a window that says:
“Error: Missing Hash File”.
The window advises me to update my list of checksums, so I click okay to do that. At which point I get the following:
Please confirm that your GPG card is inserted [Y/n]
It’s not clear if the “GPG card” is my Librem Key or the gold USB drive containing my GPG key. With both the Librem Key and USB drive inserted, I choose Y and hit enter. At which point it says:
/boot/kexec_rollback.txt does not exist; creating new TPM counter
TPM password:
…what is the TPM password? How do I proceed from here?
@Kyle_Rankin emailed me a link to https://docs.puri.sm explaining how to use the Librem Key, but there is no documentation on how to configure the key for a new install of Qubes and no documentation for the Librem 14.
Okay… so I figured out how to get everything set up.
I’m not sure why, but I needed to reset my TPM password to complete the steps necessary to re-sign the boot partition and sync the key to the new system configuration. The Nitrokey documentation got me started in the right direction.
If anyone knows why the TPM chip was involved in an OS install, I’d love to know. I assumed the TPM chip would only need to be accessed/changed for firmware updates or other low level config.
Glad you got it working. To answer your question, the reason the TPM was involved is that when you installed a new OS it overwrote /boot, and inside boot are a few files PureBoot relies on. One of them is the HOTP incrementing counter, and another is that kexec_rollback.txt file, which implements an “anti-rollback” feature using the TPM.