We had a big update come through PureOS Amber today that included a new kernel. Since we’ve got quite a few folks who’ve recently gotten new Librem laptops with PureBoot, thought I’d remind everyone that any changes (legitimate or not) made in /boot or to grub.cfg will then prompt you when you reboot your Librem laptop. Since the kernel has been updated, this is one of those legitimate changes so one can go ahead and re-sign everything. Just remember your Librem Key User PIN and READ all the prompts.
If you get stuck, check out our PureBoot Docs or post questions about it below.
Do you mind posting more detailed instructions here?
I am specifically encountering errors:
When I hit “default boot” I get
“ERROR: Boot Entry Has Changed”
The list of boot entries has changed
Please set a new default
Then when I get to “Choose the boot option [1-11, a to abort]” I hit the top one.
Then I get “Boot PureOS GNU/Linux” and “Make PureOS GNU/Linux the default”.
At that point I don’t make it my default.
It boots fine, but the next time I boot I will run into the same process. Can you tell me what I should be doing here? I don’t want to accidentally do something that is hard or impossible to reverse.
Select that and then kernel 4.19.0-9-amd64 as the default, that’s it.
Nothing is irreversible (can always do an OEM Factory Reset or even reflash PureBoot) nor will PureBoot ever lock you out of your computer. If you absolutely have to, when on the main PureBoot menu go to Options → Boot Options → Ignore tampering and force a boot (Unsafe!) to get into PureOS.
Full disclosure, I had to unblock my User PIN on my Librem Key, after doing some testing elsewhere, so had to use the Ignore tampering to get in, unlock the PIN and go through it again.
The wonderful, helpful attitude of people here including yourself has made it easier for me as a first-time Linux OS user. This is why I keep recommending Librem to everyone I know. Thanks!!
But you could have booted into a live system, unblocked your PIN from there with the gpg --card-edit and then booted without ignoring tampering, no? Once you ignore tampering, will it prompt you again the next time? I guess if you are going to sign the changes anyway and it will prompt you again, it’s fair enough to boot by ignoring it, unlock your key, and then reboot again.
Hi, I did everything you said. And my PureBoot was fine. But this morning when I turned it on I got:
The following files failed the verification process:
./vmlinuz-4.19.0-2amd64
./grub/grub.cfg
./config-4.19.0-2-amd64
./initrd.img-4.19.0-2-amd64
./System.map-4.19.0-2-amd64
Have I been hacked? Or was this in response to an update yesterday? Please let me know how to proceed. I will not boot my computer until then.
Kernel linux-image-4.19.0-2-amd64 was auto removed from your computer as per /etc/apt/apt.conf.d/01autoremove-kernels. See quote below from it and the file itself for more info:
In the common case this results in two kernels saved (booted into the second-latest kernel, we install the latest kernel in an upgrade), but can save up to four. Kernel refers here to a distinct release, which can potentially be installed in multiple flavours counting as one kernel.
So because it was removed, PureBoot saw the change and asked to verify it. Make sense?
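The effect described in this thread, as an added example that is not from any poster and is not PureBoot's own code: a generic hash-manifest check showing why an auto-removed kernel and a regenerated grub.cfg both count as verification failures until the manifest is re-signed. The function names (`make_manifest`, `check_boot`, `demo`) and the temporary boot directory are assumptions constructed for illustration; only the file names come from the thread.

```shell
#!/bin/sh
# Added illustration, not PureBoot's code: hash-manifest check of a boot directory.

# make_manifest DIR MANIFEST: record a SHA-256 hash for every file under DIR.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2) > "$2"
}

# check_boot DIR MANIFEST: print one "MODIFIED|REMOVED|ADDED path" line per
# difference; return 0 only if DIR matches MANIFEST exactly.
check_boot() {
    dir=$1; manifest=$2; bad=0
    now=$(mktemp)
    (cd "$dir" && find . -type f | sort) > "$now"
    # Every recorded file must still exist with the recorded hash.
    while read -r want path; do
        if [ ! -f "$dir/$path" ]; then
            echo "REMOVED $path"; bad=1
        elif [ "$(sha256sum "$dir/$path" | cut -d' ' -f1)" != "$want" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    # Every file present now must have been recorded at signing time.
    while read -r path; do
        cut -d' ' -f3- "$manifest" | grep -qxF -- "$path" ||
            { echo "ADDED $path"; bad=1; }
    done < "$now"
    rm -f "$now"
    return "$bad"
}

# demo: constructed boot directory using kernel file names from the thread.
demo() {
    boot=$(mktemp -d); manifest=$(mktemp)
    mkdir "$boot/grub"
    echo "kernel 2" > "$boot/vmlinuz-4.19.0-2-amd64"
    echo "kernel 9" > "$boot/vmlinuz-4.19.0-9-amd64"
    echo "menuentry 2; menuentry 9" > "$boot/grub/grub.cfg"
    make_manifest "$boot" "$manifest"           # state at the last signing
    rm "$boot/vmlinuz-4.19.0-2-amd64"           # old kernel auto-removed
    echo "menuentry 9" > "$boot/grub/grub.cfg"  # grub.cfg regenerated
    check_boot "$boot" "$manifest" && rc=0 || rc=$?
    rm -rf "$boot" "$manifest"
    return "$rc"
}
```

Calling `demo` reports the removed kernel and the changed grub.cfg and returns non-zero; regenerating the manifest after a known update is the equivalent of re-signing.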