Updating PureBoot/Heads


#1

Hello,

I have recently updated firmware to the beta 6 version of Heads with Librem Key. I enjoy the process of learning about and installing firmware/BIOS but as a programming novice I wanted to share some issues I had in order to help others and to potentially help advance the firmware towards a stable release.

First I downloaded the image from https://source.puri.sm/coreboot/releases/tree/master/librem_13v4 through the browser interface. I noticed ‘commit SHA’ on this page but the value did not match the output of SHA1 or SHA256 of either the .gz file or the extracted .rom file. It made me a little nervous to flash the BIOS without knowing for sure it was downloaded correctly. Is there a better way of downloading and verifying the rom prior to flashing?

I flashed the beta 6 Heads via USB via the Heads GUI. So far so good. The key was no longer synchronized with TPM as expected. First I tried to refresh the TOTP/HOTP but this did not help. I wondered if my public GPG key was erased during the flash; I did not get a prompt that it needed a GPG key, but I thought maybe this was the problem. I reflashed the BIOS from within Heads, adding the GPG key from USB. At this point I attempted to refresh TOTP/HOTP again without success. I then reset the TPM and the key is now green. I was not able to boot the OS however.

This is the part I want to point out for debugging purposes. The code flashed on the screen pretty quickly but it seemed to be failing because of an error where a string cannot be longer than 32 characters. Maybe by trying to refresh TOTP/HOTP prior to initializing the TPM, the PCRs might be getting over-filled? I reset the TPM again. Once I verified the /boot partition I was able to boot. It may be worth checking out how Heads behaves when you refresh TOTP/HOTP prior to initializing TPM; this seemed to be the source of my problem. It was easy to fix but a little confusing for a while. Also I am curious if I actually needed to reflash Heads with my GPG key or if that was an unnecessary step.

I have had the Librem 13 v4 for a couple of months and really am enjoying it so far. Hopefully this is helpful to someone else trying to install Heads/PureBoot and the dev team as well.

Have a good weekend,
Lee


#2

That’s certainly not the ideal way to do it, and not how the instructions say to. The best way is to follow the instructions at https://puri.sm/coreboot and run the handy coreboot utility/update script. It will automatically download the current file for your device, verify the checksum, and configure it as needed (persist the serial number, set the boot order, etc). I’m not sure what checksum you used to validate, or what you validated against, but the checksums for the files in the releases repo are in the update script, and matched to a specific commit hash, not to the “master” branch.

We’re aware of the occasional base32 length error, and it will be fixed in the beta7 release (out as soon as we finish testing).

No, simply refreshing the TOTP/HOTP is all that’s normally needed; it just failed in your case due to a (now fixed) bug.

Thanks for the feedback, hopefully the next update will go more smoothly for you :)
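
The "commit SHA" shown in a repository browser names a git commit object, so it never equals the SHA-1 or SHA-256 of a file stored in that commit. The following added example (not part of this thread and not Purism's update script) shows this with constructed data and checks a gzip-compressed image against a pinned SHA-256. Assumptions: the pinned value covers the decompressed ROM, and all names and sample bytes are hypothetical.

```python
import gzip
import hashlib
import hmac
import io
import zlib


def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 git object id: hash of '<kind> <length>\\0' followed by the body."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()


def verify_rom_gz(gz_bytes: bytes, pinned_sha256: str) -> bool:
    """True only if the decompressed image matches the pinned SHA-256."""
    digest = hashlib.sha256()
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as rom:
            for block in iter(lambda: rom.read(1 << 16), b""):
                digest.update(block)
    except (OSError, EOFError, zlib.error):
        return False  # truncated or corrupt download: refuse to flash
    return hmac.compare_digest(digest.hexdigest(), pinned_sha256.lower())


# Constructed stand-ins, not real firmware and not real repository objects.
ROM = b"\xff" * 4096 + b"constructed-rom-image"
ROM_GZ = gzip.compress(ROM)
# In practice the pinned value ships with the updater, not with the download.
PINNED = hashlib.sha256(ROM).hexdigest()

# Minimal commit -> tree -> blob chain referencing the compressed image.
BLOB_ID = git_object_id("blob", ROM_GZ)
TREE_ID = git_object_id("tree", b"100644 image.rom.gz\0" + bytes.fromhex(BLOB_ID))
COMMIT_ID = git_object_id(
    "commit",
    (f"tree {TREE_ID}\nauthor A <a@example.org> 0 +0000\n"
     f"committer A <a@example.org> 0 +0000\n\nadd image\n").encode(),
)

if __name__ == "__main__":
    print("commit id :", COMMIT_ID)
    print("sha1(.gz) :", hashlib.sha1(ROM_GZ).hexdigest())
    print("sha1(.rom):", hashlib.sha1(ROM).hexdigest())
    print("pinned ok :", verify_rom_gz(ROM_GZ, PINNED))
    print("tampered  :", verify_rom_gz(gzip.compress(ROM + b"\x00"), PINNED))
```

The commit id changes with the author, date and message even when the file is identical, which is why it cannot serve as a file checksum.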


#3

Thank you for the feedback and tips @MrChromebox. I promise I did read the instructions but admittedly not closely enough. I thought the utility was for updating coreboot and Heads was updated by USB from within Heads. I did not realize the checksums were validated through the utility; I will use it going forward for all firmware changes. Thanks for your hard work.


#4

Yes and no - the utility will download either the coreboot/SeaBIOS (standard) or coreboot/Heads (PureBoot) firmware per user selection. If running the standard firmware, then the option to flash is offered. If running PureBoot, then the user is advised to copy the file to USB for updating via the Heads menu option.

We know the documentation isn’t perfect, so if there is something that tripped you up / can be improved, please let us know :)