Here is a step-by-step guide on how to cryptographically sign your OS files with keys in your control🗝️https://puri.sm/posts/stay-protected-with-librem-14s-latest-pureboot-feature/
@purism Wondering if there’s a way to cut down the few minutes waiting time on the scan by implementing this feature using hypercore (a cryptographically-secure directed acyclic graph) by keeping the OS files in a hyperdrive and mounting that drive at boot. That would involve checking just one hash.
@aral @purism No problem! I also had to work within a few design constraints. The most relevant one here is that I wanted it to be as OS-agnostic as possible (like PureBoot is in general). I write at length about the design constraints and considerations here: https://puri.sm/posts/new-pureboot-feature-scanning-root-for-tampering/