The documentation about the user PIN and master PIN for the Librem Key / Nitrokey is missing a lot of important details. I had to spend several hours of debugging to get PureBoot working and most users would probably not make it.
gpg allows me to set a long PIN (maybe 64 was the max size given by the Librem Key), but Heads will fail completely to accept a PIN of size > 20 characters.
Also you need to warn that there is a maximum number of tries of 3 attempts before the Librem Key will get locked (in my opinion it’s a ridiculously low number of attempts).
My Librem Key got locked because my master PIN had more than 20 characters and I had 3 failed attempts with Heads. Then I could only save the Librem Key by completely resetting it with the “gpg-connect-agent < reset.txt” approach and then setting up the Librem Key again from scratch.
Also the special character ‘\’ (backslash) and possibly also ‘|’ (pipe) can be used in gpg when setting the user PIN or master PIN but will not work in Heads. I had to change my PIN again to not include this character. This is probably due to the known bug that the keyboard mapping for the pipe | backslash \ key in Librem laptops is wrong.
The documentation should also say that you can install an app on your phone to do the authentication with TOTP code. It’s good to have another option to verify the secure boot, even if the user owns a Librem Key.
Also Heads does not allow me to specify a USB drive as the default boot device and do the measured boot from the USB device. You can only specify things like /dev/sda1 or /dev/sda2, but it doesn’t let you choose /dev/sdb1, /dev/sdc1, etc. This is bad because the user might want to have the option of installing their main operating system on a USB drive instead of the SSD. The user might want to have Tails as the main operating system, for example. Or move to something similar to the “stateless laptop” idea proposed by Joanna Rutkowska.
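As an added example (not from the post above, nor from Purism or Heads), here is a small Python preflight check that applies the PIN constraints the post reports (20-character limit, backslash and pipe not usable in Heads) before a PIN is set on the key, and parses the retry counters from `gpg --card-status` so the user can see how many attempts remain before the key locks; the limits are taken from the post, not from official documentation, and the card-status text is constructed.

```python
from __future__ import annotations
import re

# Constraints as reported in the post (assumed here, not taken from official docs):
# Heads rejects PINs longer than 20 characters, and backslash / pipe do not type
# correctly in Heads because of the Librem keyboard-mapping bug.
HEADS_MAX_PIN_LEN = 20
HEADS_BAD_CHARS = set("\\|")
# The post also reports that the key locks after 3 failed attempts.
LOCKOUT_ATTEMPTS = 3


def check_heads_pin(pin: str) -> list[str]:
    """Return the reasons a PIN accepted by gpg would still fail in Heads (empty = ok)."""
    problems = []
    if len(pin) > HEADS_MAX_PIN_LEN:
        problems.append(f"longer than {HEADS_MAX_PIN_LEN} characters ({len(pin)})")
    bad = sorted(HEADS_BAD_CHARS & set(pin))
    if bad:
        problems.append("contains characters that do not work in Heads: " + " ".join(bad))
    if not pin.isascii() or not pin.isprintable():
        problems.append("contains non-ASCII or non-printable characters")
    return problems


# `gpg --card-status` prints one line "PIN retry counter : U R A"
# (user PIN, reset code, admin PIN).
_RETRY_RE = re.compile(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)", re.M)


def retry_counters(card_status: str) -> dict[str, int]:
    """Parse the remaining attempts from `gpg --card-status` output."""
    m = _RETRY_RE.search(card_status)
    if not m:
        raise ValueError("no PIN retry counter line found")
    user, reset, admin = (int(x) for x in m.groups())
    return {"user": user, "reset": reset, "admin": admin}


def remaining_warnings(card_status: str) -> list[str]:
    """Warn when a user or admin PIN has already lost attempts and is close to lockout."""
    c = retry_counters(card_status)
    return [f"{name} PIN has only {n} attempt(s) left before the key locks"
            for name, n in (("user", c["user"]), ("admin", c["admin"]))
            if 0 < n < LOCKOUT_ATTEMPTS]


# Constructed sample of the relevant lines from `gpg --card-status` (not a real capture).
SAMPLE_CARD_STATUS = """Reader ...........: Purism, SPC Librem Key (constructed sample)
PIN retry counter : 1 0 3
Signature counter : 42
"""

if __name__ == "__main__":
    print(check_heads_pin("a" * 21), check_heads_pin("abc\\|"))
    print(remaining_warnings(SAMPLE_CARD_STATUS))
```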