Documentation Issues

https://puri.sm/posts/february-2018-coreboot-update/ says to install tpm_tools to verify TPM version, yet no such package exists. tpm-tools is the correct package.

Also, https://puri.sm/coreboot/ is incorrect. Instructions for downloading the build script point to a different source (/coreboot but dead link) than the ‘Building coreboot from source (official script)’ post on the forum (/youness.alaoui). Also, the output for checking if ME is disabled and neutralized is wrong - it is displaying what the output would show if the ME was only disabled (the v1 Librems).

Finally, on your article on applying Patches for Meltdown and Spectre, no valid OpenPGP data is found, and I think you’ve given an incorrect or old repo. I can’t figure out how to update the microcode on my Librem, could someone help please?

Thanks!

I opened a ticket on the outdated ME output here.

I am not sure which link you mean, i.e. /coreboot but dead link. I followed these directions to update my Librem 13 a couple of weeks ago, and I do not remember any issues, other than the cbmem output for ME. Perhaps my brain corrected things for me, but I followed the link I think you mean today and I got the script.

Thanks!

Sigh… It’s not letting me post many links because I’m a new user. But the https:// purism slash coreboot link points to https://source.puri.sm/coreboot/coreboot-files/raw/master/build_coreboot.sh (which wasn’t working for me yesterday, but looks like it’s up now?)
while ‘Building coreboot from official script forum post’ points to https://source.puri.sm/youness.alaoui/coreboot-files/raw/master/build_coreboot.sh

This should be one unified link IMO

The TPM instructions should be fixed, that’s just a small typo, but other users might not figure it out.

As for the microcode, I can’t figure out what the mistake is.

Thanks for posting the links. I can (and could) access both, so I have not seen the problem you do.

I think both links contain updated scripts, but I used the one in the instructions. If I am not mistaken the second one that points to ‘youness.alaoui’ in the forum thread about coreboot is where it was originally when @kakaroto released it. I have not compared them, but I think they are the same. (Others are welcome to correct me.) They may even be linked “under the covers.”

Unfortunately, the date and version information of the script is not in the actual file. I looked for my Librem model and firmware version, currently 4.8.1-Purism-3, in both before I ran it.

Yeah, I must have been doing something wrong at the time, or Purism has fixed it now, I don’t know.

I would love a statement from a member of the Purism team on the two coreboot scripts, if you know who to tag here (you might already have done that with kakaroto tag).

Can you try the instructions for the microcode? https://puri.sm/posts/purism-patches-meltdown-and-spectre-variant-2-both-included-in-all-new-librem-laptops/

It points to http://deb.wp.puri.sm/pureos/ for the repo, which I don’t think is correct (and I get errors when trying). When I replace with ‘repo.puri.sm’, I get a ‘no valid OpenPGP data’ error when trying to add the Purism repository key to my APT keyring.

Thanks!

The working repo address I have in my apt config for PureOS is

“deb http://repo.puri.sm/pureos/ green main”

Yes, I have the same.

But I am trying to add the contrib non-free repo and key so I can update my microcode for Meltdown and Spectre, can you view the link I posted above/see what you have via those instructions?

Thanks for your help!

The non-free repo comes from Debian so you will have to add the following line to /etc/apt/sources.list

“deb http://deb.debian.org/debian/ buster main non-free contrib”

After that is added you can get the microcode with

“sudo apt full-upgrade”
“sudo apt install intel-microcode”

I can get to the former, but not http://deb.wp.puri.sm/pureos/.

For Meltdown, I believed the last paragraph on the webpage you provided: “All new laptop shipments include Meltdown and Spectre patches.” I received mine several months afterwards, and I have not reinstalled PureOS. In any case, the Linux kernel has been updated since these instructions. If you know otherwise… :slight_smile:

As for the original firmware script, kakaroto is the author, so he would be the one to chime in.

Thank you jamie - are these sources not replicated in the pureOS repo anywhere? This page should really be updated (https://puri.sm/posts/purism-patches-meltdown-and-spectre-variant-2-both-included-in-all-new-librem-laptops/)

Wayne - I can reach the repo.puri.sm/pureos repo as well - my issue is step #2 - adding the Purism non-free repo key to my APT keyring:

The site says to type:

wget -O - https://deb.wp.puri.sm/pureos/key/purism-nonfre-repo.gpg.key | sudo apt-key add -

Which obviously isn’t correct, since it mistypes ‘free’ and gives an incorrect repo

But if I replace with the correct repo, and spell free, I get the error, ‘no valid OpenPGP data’.

I’m just trying to update my microcode. There have been CPU vulnerabilities recently that require microcode updates, specifically CVE-2018-3640, CVE-2018-3639, CVE-2018-3615

I assume this is the case for most librem machines, if their instructions are so old they are pointing to a dead repo

@Kyle_Rankin I’ve seen you post on the forums and know you’re on the Purism team - would really appreciate your help

@jamie - thanks! Your solution worked for now, although I don’t think it will be what the Purism devs should replace the site instructions with.

I know the microcode is proprietary, but I don’t want any other proprietary code on my computer, and I have concerns that adding those repos opens up opportunities for other proprietary code to be installed via dependencies etc.

Also, after running sudo apt-get update and sudo apt-get install intel-microcode (according to https://wiki.debian.org/Microcode), I had tons of more packages besides the microcode, one of which caused an error with an overriding grub configuration file, and many of which were left not upgraded, so ran sudo apt-get dist-upgrade.

There might be a better way to do this

Except for the contrib & non-free branches of the Debian repo, PureOS & Debian should be basically identical except for a few specific PureOS/Librem packages. Debian makes the packages & the Purism team adds them to their repo afterwards, usually within a few hours, so mixing the two shouldn’t normally hurt anything.

That being said though I should point out that I installed my system from a Debian-testing cd so I could have better control over my base install. I also use apt-pinning to only enable a few packages from PureOS & from Debian-unstable.

I understand and agree, except the fact is that for updating the microcode, I /did/ have to add the Debian contrib non-free branches, which was my concern exactly.

The instructions for adding the non-free repository are correct, except for the url, which is now/should be https://deb.puri.sm instead of https://deb.wp.puri.sm/

Although the intel-microcode package there is out of date currently. It is 3.20180703.2 and still vulnerable to some of the newer Spectre-like vulnerabilities.

I had to install the debian package to get the latest microcode that is supposed to fix those issues, I just downloaded it manually and ran dpkg -i to install the deb file.

(downloaded the deb from http://ftp.debian.org/debian/pool/non-free/i/intel-microcode/intel-microcode_3.20180807a.2_amd64.deb )

Manually installing that way will definitely prevent accidentally installing more “non-free” stuff.
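
A .deb fetched by hand and installed with dpkg -i, as in the post above, skips the checks apt makes against the archive's signed index, so it is worth comparing the file with the SHA256 in a Packages index that apt has already authenticated. The script below is an added example, not part of the original thread: the function names are hypothetical, and the stand-in file and index stanzas are constructed (only the package name and version come from the post).

```shell
#!/bin/sh
# Added example: compare a hand-downloaded .deb with the SHA256 recorded in an
# APT Packages index before running dpkg -i on it.
# Assumption: the Packages file comes from a repository whose signed Release
# file apt has already verified. Function names are hypothetical.

# index_sha256 PACKAGES NAME VERSION: print the SHA256 field of that stanza.
index_sha256() {
    awk -v name="$2" -v ver="$3" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one stanza per record
        {
            p = v = h = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) p = substr($i, 10)
                if ($i ~ /^Version: /) v = substr($i, 10)
                if ($i ~ /^SHA256: /)  h = substr($i, 9)
            }
            if (p == name && v == ver && h != "") { print h; exit }
        }' "$1"
}

# verify_deb PACKAGES DEB NAME VERSION: 0 = match, 1 = mismatch, 2 = no entry.
verify_deb() {
    want=$(index_sha256 "$1" "$3" "$4")
    [ -n "$want" ] || { echo "no index entry for $3 $4" >&2; return 2; }
    got=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "OK: $2 matches the index"
    else
        echo "MISMATCH: $2 index=$want file=$got" >&2
        return 1
    fi
}

# Constructed demo input: a stand-in file and a two-stanza index built around it.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a .deb\n' > "$demo_dir/pkg.deb"
demo_sum=$(sha256sum "$demo_dir/pkg.deb" | cut -d' ' -f1)
cat > "$demo_dir/Packages" <<EOF
Package: some-other-package
Version: 0.0-constructed
SHA256: 0000

Package: intel-microcode
Version: 3.20180807a.2
SHA256: $demo_sum
EOF
verify_deb "$demo_dir/Packages" "$demo_dir/pkg.deb" intel-microcode 3.20180807a.2
```

Only run dpkg -i when verify_deb returns 0; a return of 2 means the index has no entry for that exact name and version, which is also a reason to stop.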

The instructions for building coreboot on https://puri.sm/coreboot have been up-to-date and accurate for quite some time. I’m not sure why they didn’t work for you when you tried to follow them. Just to be sure I’ve been testing that script on brand new installs over the past few weeks and each time it worked as expected.

That said, the above page is the place to get those documents, the world of coreboot is a fast-moving world so older blog posts (or older posts on this forum) are not the best place to get the most up-to-date documentation on flashing coreboot.
