PureBoot Security Flaw for Librem 14 Patched

PureBoot is the high-security boot firmware we offer on our Librem computers. In combination with a Librem Key, PureBoot allows you to detect tampering in the boot firmware itself, and in your OS’s kernel and other boot files.

It detects tampering first by sending measurements of the boot firmware (containing, among other things, a trusted GPG keyring corresponding to keys on your Librem Key) to the computer’s TPM at boot time. If the measurements match, the TPM releases a shared secret that PureBoot converts to a 6-digit HOTP code and sends to the Librem Key. If the code matches what the Librem Key itself generated, the Librem Key blinks green, letting you know the firmware can be trusted. If it doesn’t match, the Librem Key will blink a steady red LED indefinitely, warning you that the firmware might have been tampered with.

Once the firmware is trusted, PureBoot will then automatically attempt to boot your system. It tests all of the files in the /boot directory against their previously trusted signatures; if they match, it will boot automatically, otherwise it will alert you to the issue. This verification doesn’t use the TPM, but instead uses GPG signatures in the /boot directory.

The Security Flaw

Our initial releases of PureBoot for the Librem 14 (and only the Librem 14) contained a simple but serious flaw: the measured_boot option was disabled in coreboot, the free software boot firmware that we use to load PureBoot. As a result, measurements weren’t being stored in the TPM, yet PureBoot itself was still able to communicate with the Librem Key, and the Librem Key would report that the boot firmware was OK. This means that if the boot firmware were changed on the Librem 14, PureBoot wouldn’t have detected it. Because this failure was silent, it took some time to detect it. This security flaw only affected tamper detection on the boot firmware; PureBoot would still detect any changes to files in /boot, as that relies on the GPG keys on the Librem Key, not the TPM.

All Librem 14 PureBoot users should upgrade to version 18.1 immediately. This release enables measured_boot and restores boot firmware tamper detection, as in PureBoot releases for other Librem computers. To update PureBoot, follow the steps in our official PureBoot documentation to download the latest PureBoot ROM, or otherwise you can download the Librem 14 PureBoot release directly from here. We understand and appreciate the severity of an issue like this and are tightening up our process to ensure something like this doesn’t happen again.

You can also read the official post on our blog here:

12 Likes
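To make the silent failure described above concrete, here is a toy model of the firmware check, written for this thread as an added example (it is not PureBoot, Heads or Librem Key code). The PCR extend chaining and the HOTP computation follow the real schemes (TPM-style extend, RFC 4226), but the TPM is reduced to one PCR and one sealed blob, the Librem Key to a secret plus a counter, and the firmware images and shared secret are constructed sample values. The point it shows: when nothing is measured into the PCR, the PCR is identical on every boot, so the secret unseals and the HOTP code matches whether or not the firmware was replaced.

```python
# Toy model of the PureBoot / Librem Key boot-firmware check (added example,
# not PureBoot or Heads code). PCR chaining and HOTP follow the real schemes
# (TPM-style extend, RFC 4226); sealing policy and key protocol are simplified.
import hashlib
import hmac
import struct

PCR_INIT = b"\x00" * 32                        # reset PCR (assumption: SHA-256 bank)
LIBREM_KEY_SECRET = b"12345678901234567890"    # constructed sample shared secret


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


class ToyTPM:
    """One PCR plus a single sealed blob bound to the PCR value at seal time."""

    def __init__(self):
        self.pcr = PCR_INIT
        self.sealed = None  # (pcr_policy, secret)

    def reset(self):
        self.pcr = PCR_INIT  # power-on resets the PCR

    def extend(self, measurement: bytes):
        self.pcr = pcr_extend(self.pcr, measurement)

    def seal(self, secret: bytes):
        self.sealed = (self.pcr, secret)

    def unseal(self):
        policy, secret = self.sealed
        return secret if hmac.compare_digest(policy, self.pcr) else None


class ToyLibremKey:
    """Holds the same HOTP secret and a counter; blinks green only on a match."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def verify(self, code):
        ok = code is not None and hotp(self.secret, self.counter) == code
        self.counter += 1  # counter advances on every attempt, matched or not
        return "green" if ok else "red"


def provision(firmware: bytes, measured_boot: bool):
    """Initial setup: measure the trusted firmware (if enabled) and seal the
    shared secret to the resulting PCR; program the key with the same secret."""
    tpm = ToyTPM()
    tpm.reset()
    if measured_boot:
        tpm.extend(firmware)
    tpm.seal(LIBREM_KEY_SECRET)
    return tpm, ToyLibremKey(LIBREM_KEY_SECRET)


def boot(tpm: ToyTPM, key: ToyLibremKey, firmware: bytes, measured_boot: bool):
    """One power-on: PCR reset, firmware measured (or not), secret unsealed,
    HOTP sent to the key. Returns the LED colour the key would show."""
    tpm.reset()
    if measured_boot:
        tpm.extend(firmware)
    secret = tpm.unseal()
    # Assumption: PureBoot knows the key's current counter value.
    code = hotp(secret, key.counter) if secret is not None else None
    return key.verify(code)


GOOD_FIRMWARE = b"coreboot+PureBoot, trusted keyring (constructed sample)"
EVIL_FIRMWARE = b"coreboot+PureBoot, attacker keyring (constructed sample)"


def led_after_boot(firmware: bytes, measured_boot: bool) -> str:
    """Provision with the genuine firmware, then boot the given image."""
    tpm, key = provision(GOOD_FIRMWARE, measured_boot)
    return boot(tpm, key, firmware, measured_boot)


if __name__ == "__main__":
    for measured in (True, False):
        print(f"measured_boot={measured}: genuine -> "
              f"{led_after_boot(GOOD_FIRMWARE, measured)}, tampered -> "
              f"{led_after_boot(EVIL_FIRMWARE, measured)}")
```

With measured_boot enabled, booting the tampered image changes the PCR, the unseal fails, no HOTP code can be produced and the key shows red. With measured_boot disabled, the PCR never leaves its reset value, so the secret is released and the code matches for both images: exactly the silent failure the post describes, and also why verification of /boot, which relies on GPG signatures rather than the TPM, is unaffected by it.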

Thanks for the info, it is great to see Purism being transparent about this issue.

Do you mind sharing how and when this flaw was initially discovered?

Edit: Also, it seems that PureBoot version 18.1 was released 5 days ago; why am I hearing about this only now?

1 Like

I learned about this flaw last week due to a member of the community disclosing it to me privately. Others on the team were aware of this before that to my understanding (but I don’t have details on exactly when) and working to publish the fix, which happened shortly afterwards.

So we published the fix in releases to get it out there quickly, and then I started more testing against my own hardware. Normally those steps happen in reverse, but it was a trivial fix on paper so in the interest of getting it out there, we published first. After I finished testing it personally, I started the process of informing people both on our blog and this forum, as well as a subsequent email we’ll send to all Librem 14 customers.

2 Likes

Well, as we have gone to full disclosure now, I need to point out one thing.
Timing. From my initial report about the issue it took a couple of days, less than a week (quite short), from the initial report to the fix being published.

If someone is curious why, even when I was reporting other issues related to PureBoot on this forum, I didn’t mention that security flaw: well, that is “responsible hacking”, so I wanted to avoid public disclosure until Purism had handled this.

One note: communication with the team, about this and other issues, was extremely fast.
It was quite a short journey. But I am happy that I was able to see responsible devs in action.

@Kyle_Rankin, so Purism passes that exam with an A+++++ rating :wink:

P.S. PureBoot 18.1 also solves the igfx vs iommu issue that was causing memory corruption and glitches in heavily compositing desktop environments like KDE/Plasma, reported initially by me on the L14.

8 Likes