Building coreboot from source (official script)

===== UPDATE =====
We have replaced this script with an updated script that allows you to build from scratch or get pre-built binaries. It also gives you access to precompiled PureBoot binaries. Check out this new forum post for details: https://forums.puri.sm/t/librem-coreboot-utility-script-usage-discussion-and-help

===== Original post below =====

Hello all, I’ve finished writing a build script to build coreboot from scratch. You can grab it from here:

Advantages of this script:

• You’ll build coreboot yourself and be sure that nobody has tampered with it.
• You’ll update your machine to the latest version (see the change log to know what each new version brought). Some of the feature updates include:
  • 2017-08-21: Fix “coreinfo”
  • 2017-10-12: The script now neutralizes and disables the Intel ME.
  • 2018-02-22: VT-d, IOMMU and TPM are now working, and the Linux kernel no longer gives ATA errors with SATA in 6Gbps mode.

You should first install some of the dependencies needed to build coreboot, with this command:
apt install git build-essential bison flex m4 zlib1g-dev gnat libpci-dev libusb-dev libusb-1.0-0-dev dmidecode bsdiff

Those are the dependencies needed to build it, from a freshly installed PureOS—if you run a different distribution, you may need to install different packages (or the same ones but with different package names).

Then simply run the script on your librem itself, and select which machine you have and let it build. It will first ask you if you want to build it for Librem 13 v1, Librem 13 v2, or Librem 15 v1/v2 or Librem 15 v3, then if you want to grab the required binary blobs from your local machine (which I highly suggest, and which is why you should run the script on your librem itself), it will then verify the hashes of all the binary blobs, then it will ask you for the serial number of the machine (it will auto-grab it from your system though, which makes it easier) then it will build the coreboot cross-compiler (which takes about an hour to build) then finally build coreboot itself, then it will verify that the hash of coreboot is what it expects (thanks to coreboot’s reproducible builds, we can do that), making sure 100% that the image you have built is the same as everyone else’s and it’s guaranteed to work. It will then ask you if you want to flash your system (If the image hash doesn’t match what we expect, it won’t ask you if you want to flash it). Make sure your battery isn’t dead and that the power supply is connected, and do not interrupt the process, then it should flash it and on your next reboot, you’ll have the latest coreboot build.

That’s all there is to it.

If you have any issues with the script, let me know, and of course, if it doesn’t say that the final hash matches what it expected and present you with the choice to flash coreboot, then don’t flash the image it produced!

This is huge!

Thank you very much for releasing this!

Permit me to ask a dumbass newbie question: How does one run the script? Thanks.

In this case, you’d want to save the file, then execute it with your terminal by navigating to the directory the script resides in, and running ./build_coreboot.sh.

Make sure that the file is marked as executable first - in Gnome’s file manager, it’s:

• Right click the file, click Properties
• Under the Permissions tab > Allow executing file as program

Make sure you install the dependencies that kakaroto mentioned first! After that, running ./build_coreboot.sh should do the trick.

Hey Kakaroto, thanks for sharing this great script!

Quick question: do you know off-hand how frequently Coreboot gets updated outside of PureOS? I’m curious about how frequently I’d need to run this script to pull in updates.

Thanks for helping me with this. Like I said, I’m an absolute beginner with PureOS so I need to learn the basics. I saved the script using the text editor. I named it cbootscript and put it in my home directory (/home/bent/). I also made the file executable and installed the dependencies. I would be grateful if you would provide me with the specific commands I must enter into Terminal to change the directory and run the script. Thanks again!

For those wondering, for my librem13v2 all the default options were correct.

Hi Ben,

In general if you open up a terminal, you should start in your home directory. You can check this by running pwd (stands for something like “present working directory”, in case that helps you remember for the future) in the terminal, so it would look something like

$ pwd
/home/bent

in your case. Lines that start with a $ are meant to indicate a terminal entry (pretty standard convention, since the default prompt in many terminals is a $ character).

If the script has already been made exectuable, then you can simply do

$ ./cbootscript

since you named it cbootscript.

More generally, the command to change directories is cd </path/to/your/directory>, while the command to examine the contents of a directory is ls </path/to/your/directory>.

So to change to your home directory, you could use

$ cd /home/bent.
Frequently, the ~ character is a shortcurt for one’s home directory, so you could also use
$ cd ~
And just for future reference, the cd command while automatically change to your home directory if you use it without specifying any directory, i.e. the following command will change to your home directory
$ cd

And to check the contents, you could use any of

$ ls /home/bent
$ ls ~
or, if already in your home directory, just
$ ls

Unlike cd, ls without any arguments will display the contents of whatever directory you are currently in.

That was probably overkill, but hope it helps!

I’m assuming that so far, nobody had any issues with the script or any “hash is not what it should have been” issues ?

The script doesn’t grab the git version, it grabs a specific version since it needs to verify the hash for a ‘working known version’. Git gets updates multiple times a day basically, but for “stable versions/released”, I think coreboot releases once every 6 months. I might do updates more often than that, it will really depend on the needs.

is it possible to run the script also with another linux distro without any problem? or work just with pureos?

worked like a charm for me, thanks for your work! coreinfo works fine, now the only thing left seems to be memtest86+ being outdated and better replaced with memtest86.

Thanks so much! The information you provided was very helpful.

yep, I wrote it in the original post :

although, I probably should have said “different distro” instead of “different OS”.

cool. And yeah, memtest seems outdated, it doesn’t recognize DDR4, it thinks it’s DDR3, and it inevitably crashes in SMP mode or whatever that mode is when you press F1. Memtest86+ is however version 5.01, which is the latest release, but dates back from 2013. The memtest86 program seems to not be free, and while they have a ‘free edition’, i don’t see a link to download its source code. I found a ‘src.tgz’ file inside the iso download but I can’t get it to compile… anyways, we’ll see.
The coreinfo issue was a problem in the configuration, the problem with memtest, is that it’s outdated in the coreboot bundle.

@all: it’s good to know that it worked for everyone who tried it so far, but you all missed one feedback… at the end, it just says “Enter your choice (y/N)”, but doesn’t say what the choice is for… the message should have been “Do you want to flash coreboot now (y/N) ?”. It’s minor of course, but any feedback is important. Thanks!

Hi. What should I do if the hash doesn’t match?

I get the following when running the script:

    HOSTCC     cbfstool/cbfstool.o
Makefile.inc:109: recipe for target '/home/arlo/Desktop/coreboot/util/cbfstool/cbfstool.o' failed

Renamed ./coreboot/ to ./coreboot-backup and tried again. This time:

tlsPacket905×180 26.5 KB

I am a little curious, I am the proud owner of a librem 15v3, running PureOS release 8,

>lsb_release -a
No LSB modules are available.
Distributor ID:	PureOS
Description:	PureOS GNU/Linux 8
Release:	8
Codename:	green

with kernel

uname -r
4.12.0-1-amd64

yet @kakaroto mentions the coreboot build allows one to udpate ones machine to the latest version,

yet his post is only 10 days old. Is @kakaroto talking about PureOS 5 kernel 4.6) as the latest version? am I missing something?

Or is this the version of coreboot itself?

In my case the script stopped while grabbing the required binary blobs from my local machine (Librem 13 v2) with this error message:

Found file cpu_microcode_blob.bin at 0x3d1440, type microcode, size 96256
The CPU microcode update on your machine is an outdated version
Please download the latest microcode update from : https://downloadcenter.intel.com/download/26925/Linux-Processor-Microcode-Data-File?product=122139
Then place the intel-ucode/06-4e-03 file from the archive into coreboot/3rdparty/blobs/mainboard/purism/librem13v2/cpu_microcode_blob.bin

I did that, the script continued, but then I got this:

WARNING: Built coreboot image hash does not match the expect reproducible build hash

Maybe I should add that I have version 4.6-00b9f4-Purism-1 while the changelog lists only 4.6-a86d1b-Purism-X versions As I understand it, 4.6-00b9f4 means coreboot version 4.6 until and including commit 00b9f4. If this is correct and 4.6-a86d1b-Purism-1 was the Initial Librem 13 v2 coreboot port as mentioned in the changelog I seem to have a beta version of that initial coreboot port…

Yes it is, see this coreboot blog post.

Humm… if you can compress (gzip/bzip2/rar/zip/7z) the file and upload it somewhere then send me the link in a private message, I can look at the differences and figure out why the hash is different for you, then hopefully figure out how to fix the script.

I have no idea why you’re having that compilation error. was there no other error messages ? Just that one line ? For your second test, it looks like you simply lost internet connection while it was downloading the coreboot repository, I suggest you just delete the coreboot directory and retry the script again.

Yes, that’s the coreboot version. You can see it with the command ‘dmidecode -t 0’

yeah… for some reason, you do seem to have a machine running an older coreboot version. I have no idea why,I didn’t realize any of the machines were flashed with that version. Either way, it’s good that you can update it now.
The fact that that’s what you have locally shouldn’t in any way affect the resulting build, so once you send me your build and I figure out why it’s hash is different from what it should be, then you should be able to update your machine.

Thanks everyone for testing.