PureOS and Secure Boot

I just bought a non-Librem laptop and am ready to nuke Windows. I’ve also been looking into PureOS. I had a few questions, as I am pretty new to secure boot in Linux:

  1. Is it possible to use PureOS with secure boot on non-Librem devices?
  2. If so, is there a guide on how to install/setup or verify installation?
  3. My biggest exposure to secure boot frameworks, at this point, is from Android/LineageOS and Windows. What differences should I expect from the way that each of those handles it, versus the way Linux handles it? For example, when Windows secure boot is enabled, you have to access the BIOS by launching a recovery console from within your Windows session, and from there launch the BIOS.

It depends on whether “secure boot” is intended to mean a (the) specific implementation or a general concept.

I think the answers for 1. and 2. are “no” and “not applicable”. Instead you disable “secure boot” in the “BIOS” and away you go (this is the approach on non-Librem devices).

The way PureOS (on Librem devices) handles the general concept of “secure boot” is completely different.

For those Linux distros that do work with “secure boot”, they handle it in a manner that is closer to Windows but still not the same.

The specific implementation of “secure boot” is usually taken to mean: a succession of software images is run, where each software image except the first is digitally signed, the signer of one software image is recognized by the previous software image in the sequence, and the validity of the software image can be affirmed before control is transferred to it.

So for Windows: “BIOS” runs at power on. BIOS loads an image that is purportedly signed by Microsoft, and BIOS can recognize that signature and verify that the image has not been tampered with. The rest is Windows.

For Linux distros that support this (like Ubuntu): “BIOS” runs at power on. BIOS loads a shim image that is purportedly signed by Microsoft, and verified as above. The shim image then loads and verifies some part of Linux (usually GRUB). GRUB loads the Linux kernel.

Any self-respecting Linux user would at least have pause for thought over the idea that the entire thing depends on the goodwill of Microsoft.

Which isn’t really what anyone who only wants to run Linux wants!!!

I think the answer for Linux distros that support “secure boot” is that this is on the GRUB menu. So: BIOS to shim to GRUB to BIOS.

I don’t speak for Purism but I think Purism’s approach and philosophy is that anything that is dependent on something being centrally signed, even signed by Purism itself, is flawed.

Purism’s approach to ensuring a secure boot process (tamper detection) uses an external hardware device called the Librem Key, which also provides secure protected storage for encryption keys.

HEADS is still in beta, as written on the official CoreBOOT/PureBOOT page …
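As an added example (not part of the original thread, and not PureOS or Purism code), the following POSIX shell script checks what the firmware itself reports about the BIOS-to-shim-to-GRUB chain described in the reply above: it reads the UEFI SecureBoot and SetupMode variables and, where sbsigntools is installed, lists who signed the shim and GRUB images. It assumes the standard efivarfs mount at /sys/firmware/efi/efivars, the EFI_GLOBAL_VARIABLE GUID, and the usual /boot/efi/EFI/<distro>/ layout; the optional directory argument to secure_boot_status exists only so the classification can be exercised offline with constructed variable files.

```shell
#!/bin/sh
# Added example, not from the original thread or from PureOS/Purism.
# Reads the firmware's own view of UEFI Secure Boot and lists who signed
# the first-stage images in the BIOS -> shim -> GRUB -> kernel chain.

# EFI_GLOBAL_VARIABLE GUID: the namespace of the SecureBoot and SetupMode variables.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
EFIVARS_DIR=/sys/firmware/efi/efivars   # standard efivarfs mount on Linux (assumed)

# efivarfs stores each variable as 4 bytes of attributes followed by the data.
# For SecureBoot/SetupMode the data is a single byte: 0 or 1.
# Prints that byte in decimal, or "absent" if the variable does not exist.
efivar_byte() {
    [ -r "$1" ] || { echo absent; return 0; }
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# Classifies the firmware state. $1 overrides the efivars directory
# (used for offline testing with constructed variable files).
secure_boot_status() {
    dir=${1:-$EFIVARS_DIR}
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID")
    if [ "$sb" = absent ]; then
        # No UEFI Secure Boot variable at all: legacy BIOS, or firmware
        # (coreboot, for instance) that does not implement UEFI Secure Boot.
        echo no-uefi-secure-boot
    elif [ "$sm" = 1 ]; then
        # Setup mode: the key databases are writable and nothing is enforced.
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Lists the Authenticode signers of a PE image (shim, GRUB, kernel EFI stub).
# Needs sbverify from sbsigntools. On a distro that boots as described above,
# shim should carry a Microsoft signature and GRUB the distro's own key.
list_signers() {
    if ! command -v sbverify >/dev/null 2>&1; then
        echo "sbverify not installed; cannot inspect $1"
        return 0
    fi
    sbverify --list "$1"
}

echo "Firmware reports: $(secure_boot_status)"
# Assumed layout; adjust the glob for your distro's ESP directory.
for img in /boot/efi/EFI/*/shim*.efi /boot/efi/EFI/*/grub*.efi; do
    if [ -f "$img" ]; then
        echo "== $img"
        list_signers "$img"
    fi
done
```

On a machine with shim installed, `mokutil --sb-state` gives the same enabled/disabled answer from userspace, which is a quick cross-check that the variable parsing above agrees with what shim sees. On a Librem with coreboot/PureBoot there is no SecureBoot variable to read, which is exactly the "no-uefi-secure-boot" case: the tamper detection there is done by HEADS and the Librem Key, not by this signature chain.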