"TPM not detected" then signature fail on kexec boot

Was able to follow directions for initial setup with the PureBoot Bundle but the font was so small on the display I missed some information. I rebooted to explore the boot menu options. Upon rebooting, I noticed a concerning line: “TPM not detected”

Probably should have stopped there and asked for assistance, but instead I tried a factory reset. I set a password, followed the instructions for setting up GPG and exported the public key to a USB. After another reboot, the following errors are given:

+++ Found verified kexec boot params
gpg: verify signatures failed: Unknown system error
Invalid signature on kexec boot parms
!!! Failed default boot
!!! Starting recovery shell

2 Likes

Documenting for anyone curious about the response/resolution.

Following the instructions for how to contact support, I sent an email with subject line “[Purism_(invoice number)] TPM not detected” to support@puri.sm (very late in the evening).

Less than 2 hours later I had a response from Purism support with valuable information and steps to try. Most valuable might be the tip to remove the Librem Key and Vault and use [ctrl]+[alt]+[del] to restart + NOT inserting Key before hitting [OK] to get back to the PureBoot Boot Menu.

A second important tip was steps to follow from boot menu to skip anti-tampering checks if needed in order to boot OS.

After following the steps to get to the boot menu, instructions said to NOW insert both Key/Vault, THEN select Options from the boot menu, choose “Update checksums and sign all files in /boot” (which probably would work for most cases, but something got mangled from the first attempt at an OEM factory reset).

Just to test out booting minus the Librem Key (skipping tamper detection), I removed the Key and Vault, used [ctrl]+[alt]+[del] to restart, pressed [OK] without the keys to return to the boot menu and selected Options > Boot options > Ignore tamper and boot > Continue > Enter. The resulting terminal display had a red background (nice touch) and eventually prompted for the LUKS key for decryption of the disk. After that a normal boot of the OS proceeded. This could be useful for some users as they may need the functionality of their device before they have sorted out the GPG key situation.

After another email to support@puri.sm explaining that the “Update checksums and sign all files in /boot” option did not work as hoped, they again quickly responded with instructions to return to the boot menu and select Options > OEM factory reset > Continue. Instructions said to respond with “n” to the custom password and user info prompts and respond with “y” to the export public key to USB prompt. If prompted for admin pin, use default, 12345678.

I have NOT done the factory reset just yet, but will try and get back to update after that happens.

2 Likes

Sorry to take so long to provide the resolution of my questions. :upside_down_face:

Also, I apologise for placing this topic in the PureOS category, as it is clear to me that it belongs in the Librem Key category (or a PureBoot category, if there is one).

Results:

  1. An email from support@puri.sm has informed me that the Pure Mini does not have a Trusted Platform Module (TPM). So that issue is a non-issue.

  2. Upon skipping the tampering checks during boot, it was a simple process to use a Terminal window to set up the Librem Key. Any new questions will be directed to Purism Support directly.

1 Like