Independently verify checksum of BIOS update

Donniebrasco · February 16, 2025, 9:31am

Downloaded coreboot_util.sh from Update PureBoot - Purism user documentation

The tutorial mentions the download of a .zip however the file downloaded is actually unpacked set of files including a ROM.

I am wanting to verify the hash but there is no checksum or further information from the utility. Had a look at the contents of the shell script, there are checksums but presume these are for the archive before they are unpacked.

I’m wanting to move my ROM to the USB but I can’t verify the file. Any guidance on this?

Model: Purism Librem Mini v2
PureBoot version: PureBoot_Release_18.1

FranklyFlawless · February 17, 2025, 11:10am

#L201-214:

LIBREM_MODELS+=(mini_v2)
PLATFORM_mini_v2="CML"
PRECONFIGURE_SEABIOS_mini_v2=("auto_poweron")
PRECONFIGURE_SEABIOS_mini_v2_DESCRIPTIONS=("Enable automatic power-on")
PRECONFIGURE_HEADS_mini_v2=("basic_usb_autoboot")
PRECONFIGURE_HEADS_mini_v2_DESCRIPTIONS=("Headless - Basic mode, auto power-on, and auto USB boot")
COREBOOT_SEABIOS_VERSION_mini_v2="24.02.01-Purism-1"
PUREBOOT_VERSION_mini_v2="Release-30"
COREBOOT_SEABIOS_IMAGE_mini_v2_SHA="6b8dc04959c95f3291330a379298fd9f5aa3b350458a0d6425976ed4fc54ca0c"
COREBOOT_SEABIOS_IMAGE_mini_v2_auto_poweron_SHA="2f88c54c451763be8b5ad7c7a5876f9e11492bf37407a2d2f6e92c79e9166993"
COREBOOT_HEADS_IMAGE_mini_v2_SHA="e85aa63a447cc7a4181fb91a7f09a996c0d9542d15bdf689fe56f08ddb10fa30"
COREBOOT_HEADS_IMAGE_mini_v2_basic_usb_autoboot_SHA="3b32ad9532070ed8a83c464acad0d59e012bf07818d515ce74f7e300a8f5f816"
COREBOOT_ROM_SHA_mini_v2="6c39646188bdd640ed5b9fe3337f1adabc78d059a635e06117d481e11a3957db"
COREBOOT_ROM_SHA_mini_v2_auto_poweron="e5a88de002aaddc97fd990bc0307f351ba3cdc8ed56cbac664e2bdf0d4d7dd02"

Donniebrasco · February 21, 2025, 10:40am

Thank you so much for taking the time to respond with your input. I will be giving these a go and let you know of how it goes.

Donniebrasco · February 23, 2025, 2:29pm

So quick overview of my experience

Downloaded coreboot util and the ROM with the corresponding checksum. These matched. The updated script showed only change when I VIM diff’d the two scripts.
I through caution to the wind and proceeded with the new script which downloaded a new ROM. I copied it over to a USB, rebooted and used the PureBoot menu to flash. I see that PureBoot verifies the ROM integrity and then I was presented with two options a) proceed with default settings and b) non-default settings

a) The default settings allowed me to generate a new gpg key and export ONLY the public key to a separate USB key. No option to export a revocation certificate or private key.

I then proceed to reflash with the non-default settings as my intention was to have my private master key separate from the Librem and only export encryption, signing and authorising sub-keys to the Librem smartcard. Disappointingly the non-default option any functionality to import or use my own independently and therefore no better than the default option.

I am going to try and use the following tutorial again and hope that I don’t run into the same errors probably as a result of having had an older PureBoot BIOS version.

https://docs.puri.sm/Hardware/Librem_Key/GPG.html

PS - I noticed in the updated ROM Release-30 that it supports zip files whereas the BIOS version I had previously didn’t.

Any other ideas or threads are very welcomed. Thank you for the help so far.