PureBoot and PureOS Kernel Update to 4.19.0-9-amd64

Hey guys and gals :sunglasses:

We had a big update come through PureOS Amber today that included a new kernel. Since we’ve got a quite a few folks who’ve recently gotten new Librem laptops with PureBoot, thought I’d remind everyone that any changes (legitimate or not) made in /boot or to grub.cfg will then prompt you when you reboot your Librem laptop. Since the kernel has been updated, this is one of those legitimate changes so one can go ahead and resign everything. Just remember your Librem Key User PIN and READ all the prompts.

If you get stuck, check out our PureBoot Docs or post questions about it below.

4 Likes

Do you mind posting more detailed instructions here?

I am specifically encountering errors:

When I hit “default boot” I get

“ERROR: Boot Entry Has Changed”
The list of boot entries has changed
Please set a new default

Then when I get to "Choose the boot option [1-11, a to abort] I hit the top one.

Then I get “Boot PureOS GNU/Linux” and “Make PureOS GNU/Linux the default”.

At that point I don’t make it my default.

It boots fine, but the next time I boot I will run into the same process. Can you tell me what I should be doing here? I don’t want to accidentally do something that is hard or impossible to reverse.

Thanks!

Just select to make it the default and follow instructions :slight_smile:

1 Like

Select that and then kernel 4.19.0-9-amd64 as the default, that’s it.

Nothing is irreversible (can always do an OEM Factory Reset or even reflash PureBoot) nor will PureBoot ever lock you out of your computer. If you absolutely have to, when on the main PureBoot menu go to OptionsBoot OptionsIgnore tampering and force a boot (Unsafe!) to get into PureOS.

Full disclosure, I had to unblock my User PIN on my Librem Key, after doing some testing elsewhere, so had to use the Ignore tampering to get in, unlock the PIN and goes through it again.

4 Likes

Thank you so much, Richard.

The wonderful, helpful attitude of people here including yourself has made it easier for me as a first-time LInux OS user. This is why I keep recommending Librem to everyone I know. Thanks!!

3 Likes

But you could have booted into a live system, unblocked your PIN from there with the gpg --card-edit and then booted without ignoring tampering, no? Once you ignore tampering, will it prompt you again the next time? I guess if you are going to sign the changes anyway and it will prompt you again, it’s fair enough to boot by ignoring it, unlock your key, and then reboot again.

Yes if you have the hardware at hand the moment you need it that could also be an option, yes.

1 Like

i’ll remember to come back to this thread once i have the v5 … whenever that is

Hi, I did everything you said. And my PureBoot was fine. But this morning when I turned it on I got:

The following files failed the verification process:
./vmlinuz-4.19.0-2amd64
./grub/grub.cfg
./config-4.19.0-2-amd64
./initrd.img-4.19.0-2-amd64
./System.map-4.19.0-2-amd64

Have I been hacked? Or is was this in response to an update yesterday? Please let me know how to proceed. I will not boot my computer until then.

Thanks.

Kernel linux-image-4.19.0-2-amd64 was auto removed from your computer as per /etc/apt/apt.conf.d/01autoremove-kernels. See quote below from it and the file itself for more info:

In the common case this results in two kernels saved (booted into the second-latest kernel, we install the latest kernel in an upgrade), but can save up to four. Kernel refers here to a distinct release, which can potentially be installed in multiple flavours counting as one kernel.

So because it was removed, PureBoot saw the change and asked to verify it. Make sense?

1 Like

Thanks. I was just confused by the timing. Many thanks!!