Expectations for Updating PureBoot

I’m trying to get some guidance on what realistic expectations are for the average user to update PureBoot on the Librem 14. I have a few issues with what I’ve seen so far:

1. The Getting Started Guide provides very little detail
2. The firmware Releases README has very strong language discouraging users from updating their firmware in this manner (“The files in this repo are not intended for end users. They are intended to be used by official Purism update
   mechanisms (eg, coreboot utility script), or downloaded
   and applied manually when directed by Purism support staff.
   Direct flashing or other use by end users without specific
   instruction to do so is highly discouraged.”)
3. The recommended option is to install a bunch of dependencies*, run a shell script, and compile the firmware? Seriously? What if users don’t want to install dependencies just to update their firmware?

*Several of these don’t appear to be in Fedora 37. I realize Librem 14 doesn’t come with Fedora installed, but I don’t believe these would be available in Qubes OS either, which you can get from Purism.

It sounds as though I can just download the ROM from firmware releases, extract it, put it on a USB, and install through PureBoot menu. Is that the case? If so, why the strong wording discouraging people from doing this? What would I lose or risk by going this route as opposed to running the coreboot utility and updater script

I totally agree. See my post with complaints: How to update coreboot offline.

@notsopure the script has two usage options and one of them downloads the correct firmware from the releases for you without building it form source at all. It just tries to check which purism laptop you have and then gets you the correct one. This usage also results in less dependencies that need to be installed for it to run.
The Fedora/Qubes packages are by the way listed in the script it self;
git gcc g++ make xz bzip2 pciutils-devel see line 15
I think the reason why purism is discouraging you to chose the pureboot/coreboot file your self is if you mess up you will probably brick your laptop, which should be fixable but will require special hardware.

Isn’t the script already checking for the hardware before reflashing? It could easily say “no file found for your hardware”.

@fsflover exactly that why they tell the users to use the script instead of downloading the coreboot or pureboot releases yourself.
I think this is not as important with the Librem14 only being one version, but with the Librem15 and 13 this was probably very important since the different versions are quite difficult to tell apart.

@Manuel, @fsflover. Sorry if I missed something, but I’m wondering:

1. If the script can and does download precompiled firmware, what’s the point in the rest of the script compiling said firmware?
2. If I wanted to do this manually, is this the correct firmware for Librem 14 with PureBoot (https://source.puri.sm/firmware/releases/-/tree/master/librem_14)?
3. Where are the instructions for installing the firmware? If I look at the files in releases, I see 4 files: an ISO and three rom.gz files. What am I supposed to be doing these? I would assume burning the ISO to a flash drive, but what about the rom.gz files?

I’m having a hard time understanding why this isn’t “If you have X, take this Y and install it.”

@notsopure I’ll try to answer each of your points from my perspective.

1. its all about choice in this case being able to build pureboot from scratch, can and does provide trust and also modification options for people that are interested in that.
2. this is what the scrip is gonna tell you, based on the hash values within the script. The actual update procedure is done within pureboot. There is also be the newest Embedded Controller firmware in that folder as well. Seems like that’s what the live ISO is for
3. the instructions are within that script which AFAIK also takes care extracting the right .gz file and tells you what to do with it.

Because it’s not that easy especially with the different librem 13 and 15 versions.

By the way there is also an outdated update instruction within that EC update post on how to update pureboot that points to pureboot v18.