MrChromebox UEFI firmware for Librem Devices (unofficial/unsupported)

Several people have asked about this, so figured it deserves its own topic.

For years now, I’ve provided highly optimized/customized builds of coreboot/Tianocore (UEFI) for
Chromebooks/Chromeboxes. Once I started working for Purism, I added support for Librem laptops too (and as of today, the Mini as well). These firmware images are built from my personal tree, which adds a lot of fixes/tweaks/optimizations for running Windows (and in some cases, MacOS) which aren’t suitable for merge into upstream coreboot. They do not in any way negatively impact running Linux, and in some cases there are benefits as well.

These builds are free, unofficial, and unsupported. You can revert to the official Purism firmware at any time.

You will need to install a UEFI capable OS, or at the very least install a UEFI bootloader (systemdboot, grub-efi-amd64, rEFInd, etc) but that’s not something I plan on providing support for.

The UEFI firmware can be installed via my Firmware Utility Script. You can revert to the official Purism firmware using Purism’s coreboot utility script.

and yes, expect the Librem 14 to be supported once it is released.

I’m using your UEFI on my Acer C720P Chromebook and have been for some time now. Actually, I even think I emailed you for assistance a year or two back and you were really helpful.
This was before I even knew about Purism, I just happened upon your site when I wanted to remove that Chrome logo from the boot screen.
Thanks for your software/firmware!

I suppose the obvious question would be … when will there be official UEFI support across the Purism ecosystem? I’m not expecting you personally to answer that question.

We see enough posts in this forum along the lines of “I’m trying to install PureOS on random computer X and it is failing horribly” (because computer X uses UEFI by default) perhaps followed by “Ubuntu / <insert other random distro> worked fine” … It’s just one more thing to go wrong / one hassle for the user.

Whether Purism wants to change over to default and official UEFI support on Purism devices is another question though. (Presumably that would mean ensuring Pureboot had the necessary functionality too.)

we’ve had internal discussions on PureOS supporting UEFI, and it will likely happen eventually, just no official commitment nor timeline.

Official Purism coreboot/Tianocore images are an entirely separate discussion, and one that depends on PureOS having UEFI support.

Pureboot is unaffected by PureOS supporting UEFI; OSes installed under Pureboot are still installed in legacy mode. OS installed under UEFI mode should be bootable provided a dedicated boot partition is used (so would need /boot, /, and /EFI).

Generating offset file out/asm-offsets.h
  Compiling (16bit) out/romlayout.o
  Building ld scripts
/bin/sh: 1: python: not found
make[2]: *** [Makefile:168: out/romlayout16.lds] Error 127
make[1]: *** [Makefile:92: build] Error 2
make: *** [payloads/external/Makefile.inc:65: payloads/external/SeaBIOS/seabios/out/bios.bin.elf] Error 2

Error building coreboot

Getting this error on my new 14. any idea why? also can’t flash from USB because it doesn’t show up as an option. why machine broken? what do fix?

Looks like it can’t find python.

@Sachio222 please don’t post for help in unrelated topics. You question has nothing to do with my coreboot/UEFI community release

So I used MrChrombox’s firmware for my Lenovo Thinkpad x131e chromebook which now has no ChromeOS and has MX-Linux installed. MrChromebox’s firmware replaced previous replacement firmware I got from John Lewis which is no longer supported or maintained. Although there are not a lot of options available in the MrChromebox firmware, it is working great for me.

So, I know this is really about the firmware for Librem devices, I just wanted to acknowledge how useful MrChromebox’s firmware for Chromebooks is.

in context of UEFI on l14, it seems to reasonable to add tianocore as official bios.
why?
with seabios on cometlake cpu there is an issue - early boot messages from kernel are not visible due to lack of real VGA legacy bios for intel graphics card.
memtest86+ suffer same issue simply not boot.

Apart of that, Seabios works like a charm.
technically we can even think to move heads to uefi app model and combine it with secureboot capabilities of uefi. but that is a topic for separate discussion.
anyway @MrChromebox nice piece of work

Adding support for UEFI booting via Tianocore isn’t nearly as simple as you think, because there needs to be support on the OS side as well, and we have to manage users who want to migrate between SeaBIOS/Tianocore/Pureboot.

There’s no reason we couldn’t use a VGA BIOS for display init with SeaBIOS, but since the open-source coreboot implementation works well enough, no need to use a blob.

Tianocore doesn’t have secureboot implemented currently for the coreboot payload target (UefiPayloadPkg) and adding support is non-trivial. Moving Heads to an EFI app is not going to happen, the whole point of it is to leverage the tools already available for Linux, rather than having to recreate them for another environment (EFI).

incontext of HEADS: i totally agree, just shared idea. i have personal “dislike” to kexec - it’s not a problem of tool, but problem with drivers quality in general causing kexec less usable that it should.

in context of seabios vs tianocore…
sooner or later we will have no other choice, as hardware vendors will stop supporting legacy bios.
it’s already visibe on L14 - try to invoke grub and run memtest86+ , it will simply not boot.
no mater PureBOOT/Seabios pyload will not be able to boot this, because there is lack of full vga bios support.

i did build tianocore based bios for l4 from purism source, works for me.

from os perspective well no conversion needed at all, only grub-uefi , you don’t even have to have fat partition, tianocore is able boot from ext3 it’s just a matter of creating corect filestructure in /boot/

it took me 10 minutes to figure this out, so i have pureos 10 bios/uefi compatibile system, with single bootloader config

it doesn’t work with a VGA BIOS either

of course it does, we even provide the build config for it. we’ve been testing it since the very L14 prototype.

while true, it’s not EFI spec compliant. And you completely missed my point: Purism as a company has to support all of the L14’s already shipped with PureOS installed in a legacy config. So we either need to automate the conversion to a UEFI-bootable OS, or provide instructions to do so. Either option increases the burden on our support staff, so not something we can just casually decide to do.

and for ever user like you, there’s 10 that can’t and will increase our support burden

w8 one step back.

you misunderstood me too.

i am not arguing, i not say we should switch all users to UEFI.
SeaBIOS does its job well. Pureboot probably soon too.
what i am saying is that there is an 3rd option, and maybe we should consider to publish that option too.

However, technically fact that there are ready to use configs in repo, one who is capable of compiling bios for them self, probably will be able to convert system to UEFI.

which is also an argument.

doesn’t work with a VGA BIOS either

read intel specs for SFP package you are ussing, intelvga in this cpu will simply not work with Legacy BIOS
it’s not fault of seabios, just binary blob is for uefi.
i was fighting with similar issue to make coreboot PXE working with latest intel cards. simply new firmware require efi to boot correctly.

simply chip vendors slowly drop legacy support.
that’s all,
thanks for your work. that was my initial intention. not arguing with you.

and my argument against doing so is the increased support load due to users switching between UEFI and legacy capable firmware, and not being able to boot their installed OS afterwards.

Currently, if one installs an OS under SeaBIOS or Pureboot, then switching to the other is not problematic. But switching to/from UEFI would be. hence the support issue.

I’ve installed UEFI firmware using your script. There are no options other than boot options in UEFI menu. Secure Boot isn’t activated on Windows even though it’s UEFI booted. Is there anything I can do inside the OS or in UEFI menu?

no, what you see is what you get. Tianocore does not support UEFI secure boot when used as a coreboot payload. It’s being worked on, along with TPM support and a few other things

Good to know. Can you tell me in a nutshell what we gain by using this rather than Coreboot+Seabios?

Anything for security in particular?

It’s faster, more flexible for booting multiple OSes, and runs Windows/MacOS better. Security wise, there’s little difference

I was not happy to see my Coreboot+Seabios was not write protected before I flashed it with your script. I checked it again and it’s still not protected. Is there any reason for that?

Or is there anything I can do to write protect it? (especially since I need to use Windows -even without secure boot- rather than PureOS for a while)

support for enabling/setting write protection via the flash chip registers is still a WIP effort for flashrom. Not only that, you have to structure the firmware in a way such that the parts that need to change are outside of the WP range(s). If you just WP the entire chip, things can/will break