When is my screen supposed to be green?

JourneymanJohn · December 28, 2023, 7:30pm

Having recently purchased a Librem 14, and beginning a migration to Linux, I must admit I messed up on the First Boot. Without going into much detail, it was started accidentally and I attempted to flub my way through it, at first without the aid of my other laptop

I don’t remember all the details, however I did get qubes installed and running.

I did get a red screen on 2nd (or was it 3rd, as I thought “Cntrl, Alt, Del”. would back me out of a Gui at one point, instead of restarting… Linux, who’d a thunk it.), but resigned with the other vault USB drive that was sent with the purchase.

Subsequent starts always produce a yellow screen when asking for the LibremKey, then just starts up to the encryption phrase after installing theLK. No green screen.

If the LK is already installed on start up there is no red, green, or yellow screen. She just goes straight to the encryption querry.

Anyway, I think I’m good, as on the Librem Key itself, I get a brief red blink, followed by a number of steady green ones, and I think the documentation states not to trust screen color anyway, but rather the green blinking dongle

Still, being new, and wanting to make sure I’m to get started right after the multiple first boot fiasco, I’m curious as to if this is an indicator I’ve done something seriously incorrectly? I’ve seen the green screen on youtube many times, but the yellow only once.

I thought maybe I have to go in and change the various PINS for that to work correctly (which I would love to set my own), and PGP keys, but from what I have read here, that function either does not, or did not work for a time anyway, so shouldn’t be a factor? Even that confuses me though… because of the pins change, shouldn’t that be indicated by a red screen?? So much to learn…

FranklyFlawless · December 29, 2023, 12:22am

The yellow screen is used to notify you about /boot files being changed. It is normally displayed after installing a new operating system, such as Qubes OS. It is also used when the Librem Key is not inserted into a USB port, as it is a requirement for boot firmware tamper protection.

You can read more about the Librem Key in its respective documentation, although it is not comprehensive. The various PINs are used for changing the configuration on the OpenPGP card itself or generating new keys.

About the Librem Key - Purism

JourneymanJohn · December 29, 2023, 4:56pm

Thx. for the link, and info. Although I get Red when I’ve changed something, instead of yellow, I agree.

I have read that documentation many times, and watched a few of the youtube videos.

It would seem I have that part of it set up correctly, and am slowly working thru other sections. So far, I went thru the new owner and reset the TPM PIN, GPG User PIN, and Admin PIN. It all worked much easier than expected, based on posts I have read here. Everything is still booting fine.

A question I have about that part of the setup, if you don’t mind… at one point, it asked me if I wanted to back up to a USB, I chose yes. What exactly was backed up?? I think a file for the TPM… (essentially a GPG key for verifying with the TPM, not for all the other signing, authenticating, encrypting stuff)?

Looking at the files on the USB (sent with the laptop), I now have three. Two dated before I recieved the computer, and one dated for when I backed it up? What are these three files? One of the two originals were for resigning the Librem Key on 2nd boot, I beleive. Am not sure what the other was/is for. The third would be the one just created, but again, I’m not 100% on what all it contains.

My next step, I think, is generating a new GPG Master Key. Before I do, I must ask, where does the Master Key get stored? Documentation says it does NOT get put on the Librem Key, as it’s used for signing other keys. We are instructed to move the three subkeys to not only the Librem Key, but possibly to back them up as well. Even to delete them from the computer.

I never saw though what becomes of the Master Key. ???

I believe, after that, I still need to update the EC? Update Pureboot too? I’ve read so much stuff, in so many places. Am starting to get dizzy from it all…

Thanks for the help.

FranklyFlawless · December 29, 2023, 9:00pm

The PGP public key: it is used to sign the currently running boot firmware.

I am confident one of them is your old PGP public key in a Librem Vault, and the other is either a PureOS or Qubes OS image on a USB drive.

It is generated as a binary file in /pureos/home/.gnupg/, or within a hidden directory along those lines if you are using PureOS on a USB drive. Otherwise it should be in /.gnupg/.

Here.

JourneymanJohn · January 1, 2024, 2:51pm

These instructions sent me down a rabbithole of uncertainty…

Boot from what Live device?? The PureOS Live I’ve been using till now?? Oh, No… they meant the one I just created (but wouldn’t be recognized by the system was even there with the PureOSLive drive installed as well?)? I can’t count how many times I’ve been thru this now. A little clarity in those instructions would have gone a Looonnngggg Way!!!

What next… It says follow the prompts… to what??? I eventually get the right combination of usb drives installed, and I have a choice to make with 2 different Live options… One failsafe, one not?? I don’t know the ramifications of the different choices. If I choose failsafe, does that make it not permanent? If I don’t choose failsafe, will I do irreperable damage in the event of a mistake? I don’t remember the one I chose that time anymore, I’ve been so frustrated with this whole process!!

So I continue on anyway, completely unsure of if I’m doing it right. Why would I be though… I’ve had to do and redo just about every other step of the process so far multiple times (yes, I read the instructions), so ya know… my confidence level is ‘off the charts high’, ya know.

It fails… reached a spot where it couldn’t communicate with some devices, then I remembered I read in a post somewhere that one needs to have the wifi/bt and cam/micro switches on (this was not in the instructions). I turn them on and all hell breaks loose. Shutdown. Try again…

Multiple more attempts all end in failure, with screen eventually encountering errors and shortly thereafter everything stops with no activity for say maybe 20 minutes or so. So I control, alt, del. again.

Multiple attempts… none succesful. I spent all day on this yesterday. ALL DAY. Dawn to Dusk. Practically in tears. Multiple download failures with the upgrade software over a slow connection that take over an hour each attempt.

I have to give you thanks, as you are the only one so far who has attempted to assist, but I am still getting no where. @FranklyFlawless Two weeks with the laptop, and I still don’t have the basic firmware updated…

The instructions on their site,… even the ones that do end up succeeding, well they don’t seem to follow the script as to what the instructions say to expect. Still, they worked, until now…

FranklyFlawless · January 1, 2024, 3:36pm

It is not clear what actions you have done, which have succeeded or failed, and what you are trying to do. Be clear and explicit, or if you are lost, we can restart the entire process from scratch, but one step at a time instead of all at once.

JourneymanJohn · January 2, 2024, 6:51pm

Thank you.

I am in touch with Official Purism Support.