Also, https://puri.sm/coreboot/ is incorrect. Instructions for downloading the build script point to a different source (/coreboot but dead link) than the ‘Building coreboot from source (official script)’ post on the forum (/youness.alaoui). Also, the output for checking if ME is disabled and neutralized is wrong - it is displaying what the output would show if the ME was only disabled (the v1 Librems).
Finally, on your article on applying Patches for Meltdown and Spectre, no valid OpenPGP data is found, and I think you’ve given an incorrect or old repo. I can’t figure out how to update the microcode on my Librem, could someone help please?
I am not sure which link you mean, i.e. /coreboot but dead link. I followed these directions to update my Librem 13 a couple of weeks ago, and I do not remember any issues, other than the cbmem output for ME. Perhaps my brain corrected things for me, but I followed the link I think you mean today and I got the script.
Thanks for posting the links. I can (and could) access both, so I have not seen the problem you do.
I think both links contain updated scripts, but I used the one in the instructions. If I am not mistaken the second one that points to ‘youness.alaoui’ in the forum thread about coreboot is where it was originally when @kakaroto released it. I have not compared them, but I think they are the same. (Others are welcome to correct me.) They may even be linked “under the covers.”
Unfortunately, the date and version information of the script is not in the actual file. I looked for my Librem model and firmware version, currently 4.8.1-Purism-3, in both before I ran it.
Yeah, I must have been doing something wrong at the time, or Purism has fixed it now, I don’t know.
I would love a statement from a member of the Purism team on the two coreboot scripts, if you know who to tag here (you might already have done that with kakaroto tag).
It points to http://deb.wp.puri.sm/pureos/ for the repo, which I don’t think is correct (and I get errors when trying). When I replace with ‘repo.puri.sm’, I get a ‘no valid OpenPGP data’ error when trying to add the Purism repository key to my APT keyring.
But I am trying to add the contrib non-free repo and key so I can update my microcode for Meltdown and Spectre, can you view the link I posted above/see what you have via those instructions?
For Meltdown, I believed the last paragraph on the webpage you provided: “All new laptop shipments include Meltdown and Spectre patches.” I received mine several months afterwards, and I have not reinstalled PureOS. In any case, the Linux kernel has been updated since these instructions. If you know otherwise…
As for the original firmware script, kakaroto is the author, so he would be the one to chime in.
Which obviously isn’t correct, since it mistypes ‘free’ and gives an incorrect repo.
But if I replace with the correct repo, and spell free, I get the error, ‘no valid OpenPGP data’.
I’m just trying to update my microcode. There have been CPU vulnerabilities recently that require microcode updates, specifically CVE-2018-3640, CVE-2018-3639, CVE-2018-3615.
I assume this is the case for most Librem machines, if their instructions are so old they are pointing to a dead repo.
@jamie - thanks! Your solution worked for now, although I don’t think it will be what the Purism devs should replace the site instructions with.
I know the microcode is proprietary, but I don’t want any other proprietary code on my computer, and I have concerns that adding those repos opens up opportunities for other proprietary code to be installed via dependencies etc.
Also, after running sudo apt-get update and sudo apt-get install intel-microcode (according to https://wiki.debian.org/Microcode), I had tons of more packages besides the microcode, one of which caused an error with an overriding grub configuration file, and many of which were left not upgraded, so ran sudo apt-get dist-upgrade.
Except for the contrib & non-free branches of the Debian repo, PureOS & Debian should be basically identical except for a few specific PureOS/Librem packages. Debian makes the packages & the Purism team adds them to their repo afterwards, usually within a few hours, so mixing the two shouldn’t normally hurt anything.
That being said though I should point out that I installed my system from a Debian-testing cd so I could have better control over my base install. I also use apt-pinning to only enable a few packages from PureOS & from Debian-unstable.
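An added illustration of the apt-pinning approach mentioned in the post above, applied to the concern raised in this thread about contrib/non-free pulling in other proprietary packages (this is not a configuration posted by anyone in the thread). It assumes the Debian archive identifies itself with origin `Debian`, that `intel-microcode` and its helper `iucode-tool` are the only packages wanted from those components, and a hypothetical file name `/etc/apt/preferences.d/microcode-only`:

```text
Explanation: Added example, not from the thread. File name is hypothetical:
Explanation: /etc/apt/preferences.d/microcode-only
Explanation: Allow only the microcode package and its helper tool from the
Explanation: Debian contrib and non-free components (assumed origin: Debian).
Package: intel-microcode iucode-tool
Pin: release o=Debian,c=non-free
Pin-Priority: 500

Package: intel-microcode iucode-tool
Pin: release o=Debian,c=contrib
Pin-Priority: 500

Explanation: A negative priority prevents installation, so nothing else from
Explanation: non-free can be installed or pulled in as a dependency.
Package: *
Pin: release o=Debian,c=non-free
Pin-Priority: -1

Explanation: Same block for contrib.
Package: *
Pin: release o=Debian,c=contrib
Pin-Priority: -1
```

After `sudo apt-get update`, `apt-cache policy intel-microcode` shows which priority apt actually applied, and `apt-get -s dist-upgrade` simulates the upgrade so the package list can be reviewed before anything is installed.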
I understand and agree, except the fact is that for updating the microcode, I /did/ have to add the Debian contrib non-free branches, which was my concern exactly.
Although the intel-microcode package there is out of date currently. It is 3.20180703.2 and still vulnerable to some of the newer Spectre-like vulnerabilities.
I had to install the Debian package to get the latest microcode that is supposed to fix those issues. I just downloaded it manually and ran dpkg -i to install the deb file.
The instructions for building coreboot on https://puri.sm/coreboot have been up-to-date and accurate for quite some time. I’m not sure why they didn’t work for you when you tried to follow them. Just to be sure I’ve been testing that script on brand new installs over the past few weeks and each time it worked as expected.
That said, the above page is the place to get those documents. The world of coreboot is a fast-moving world, so older blog posts (or older posts on this forum) are not the best place to get the most up-to-date documentation on flashing coreboot.