Downloading and installing coreboot on Purism Librem devices

Coreboot is a modern and lightweight replacement for computers’ proprietary firmware (BIOS or UEFI). It is designed to perform only the minimum number of tasks necessary to load and run a modern operating system, such as PureOS. It brings increased performance and security, avoiding widespread security issues (see “What the CIA Vault 7 Documents Mean“, follow-up posts #1, #2, #3, etc.), and will allow us to provide Heads as part of our product offering in the future.

Since the summer of 2017, our coreboot port is factory-installed on all new Librem laptops. We also have an experimental (but fairly easy to use) installer/flashing script for the Librem 13 v1/v2 and Librem 15 v3. The script allows you to (re)flash our coreboot port, with proper checks and safeguards in place (but remember: we still consider it “experimental”), and various options you can choose:

  • With or without the Intel ME neutralized
  • With or without CPU microcode updates applied
  • The default storage boot order, boot menu delay, presence of MemTest86+ as a boot option or not, etc.

If your OS was installed in UEFI mode, you will need to reinstall it, or migrate it (see further below) before applying our coreboot image.

(Note: ROM download links are not shown here yet, because we’re still doing Q.A. — we don’t want users accidentally bricking their hardware by flashing development versions; in the meantime you might be curious to check out some of our recently merged code contributions to coreboot, and the timeline of our long-term involvement with the coreboot project)

Since coreboot initializes the bare hardware, it must be ported on a case-by-case basis to every chipset and motherboard—and thus every Purism Librem model. The porting work to other Librem devices is ongoing. You can see our progress through our coreboot timeline page and our freedom roadmap. Don’t forget to keep things in perspective!

Migrating a UEFI-based install

If your existing operating system was installed in UEFI mode (our coreboot installer script will warn you about that), you would not be able to boot it after installing coreboot on your Librem, because the coreboot+SeaBIOS combination does not use UEFI. Additionally, UEFI is using a gpt partition layout, and if you were to simply switch to the old msdos layout, everything on the disk would be lost, so don’t do that! Please follow the instructions below instead, to switch from UEFI to a compatible boot scheme, where GRUB can boot from a gpt partitioned disk without UEFI (using a special 1 MB partition at the start of the disk). Here are the steps:

  1. Back up your data. (disclaimer: the steps below have had only limited testing so far, exercise caution)
  2. Using gparted, prepare the new target partition with one of these two approaches:
    • Shrinking your EFI partition 1 MiB smaller, then creating a new partition in the newly freed 1 MiB space, or;
    • Reformating your EFI partition.
  3. Using gparted, apply the “bios_grub” flag to the new target partition.
  4. Remove the old EFI partition from /etc/fstab
  5. Reinstall GRUB with one of these two commands, where X is the physical storage device’s identifier:
    • If your OS is installed on a NVMe M.2 SSD:
      sudo grub-install /dev/nvmeX
      (most likely /dev/nvme0n1)
    • If your OS is installed on a SATA drive in the 2.5″ slot:
      sudo grub-install /dev/sdX
      (most likely /dev/sda)

You can find more advanced techniques or explanations in the GRUB documentation on Arch Linux’s wiki or AskUbuntu question #360543.

Building coreboot on your own machine

Purism offers an easy way to build and update coreboot on your Librem. The advantages of this method are:

  • You’ll build coreboot yourself and be sure that nobody has tampered with it.
  • You’ll update your machine to the latest version (see the change log to know what each new version brought).

The instructions are:

  1. Make sure you are running this on the Librem you want to update.
  2. Open a terminal. Click Activities, then type Terminal or Tilix.
  3. Download the build script.
    mkdir building-coreboot && cd building-coreboot && wget
  4. Install the required dependencies:
    sudo apt install git build-essential bison flex m4 zlib1g-dev gnat libpci-dev libusb-dev libusb-1.0-0-dev dmidecode bsdiff python2.7 pv
  5. Run the script on your Librem machine:
    chmod +x && ./
  6. Select your correct Librem laptop revision (Librem 13v1, Librem 13v2, Librem 13v3, Librem 15v1/15v2, or Librem 15v3). The model and version number are written on the bottom cover of your machine. If nothing is written there, it’s either a 13v1 (for 13-inch machines) or a 15v2 (for 15-inch machines).
  7. When prompted for
    How do you want to extract binary blob files:

    type 1 and press Enter, in order to select the option

    1 - Extract from the current machine
  8. Follow the instructions on the screen, and give it time to build the image. This should take about one hour.
  9. Once done, if the build was successful, it will ask you if you want to flash the newly built image. If the hash does not match, the script will not suggest flashing the image, and you should not do it manually either, as it can brick the machine.
  10. Make sure you are not running low on battery, make sure you are on AC power, and select Yes. Do not interrupt the process in any way – do not suspend or shut down the machine, do not close the lid, do not close the terminal. Otherwise, you risk bricking the machine.
  11. Flashing should take about a minute or two to complete. Reboot your machine once the flashing process is done.

If you have any questions, or if you just want to know more about the build script, you may also want to check out the main forum thread about our coreboot build script, where discussion and testing has been going on for over a year.

Confirming the presence of the correct coreboot image

If you want to feel warm and fuzzy by confirming you have coreboot installed properly after you see the cool Purism logo during boot, here are a few tips to confirm coreboot booted and was installed properly.

# NOTE: these steps are only if you want to confirm coreboot booted or installed properly
# grab coreboot source
git clone
# change to the cbmem tool directory
cd coreboot/util/cbmem
# build cbmem
# run cbmem to confirm coreboot booted
sudo ./cbmem -c | egrep -i "coreboot-|purism|librem"
coreboot-4.5-1035-g6a02eeb Mon Feb 20 17:34:53 UTC 2017 romstage starting...
coreboot-4.5-1035-g6a02eeb Mon Feb 20 17:34:53 UTC 2017 ramstage starting...
Root Device (Purism Librem 13)
Found mainboard Purism Librem 13

Checking whether or not the Intel ME is neutralized in your image

If you flashed the neutered-me rom you can confirm the ME condition by utilizing the same command as above, the most important lines are the first 7 match these output:

coreboot/util/cbmem$ sudo ./cbmem -c | grep ^ME
ME: FW Partition Table : OK
ME: Bringup Loader Failure : NO
ME: Firmware Init Complete : NO
ME: Manufacturing Mode : YES
ME: Boot Options Present : NO
ME: Update In Progress : NO
ME: Current Working State : Recovery

Disclaimer: ME neutralization and disablement is an ongoing and repeated effort requiring tailored work across different models and chipsets (for example, we once found the ME cleaner tool to cause problems with Wi-Fi on Skylake, and had to solve that first). As such, in the interest of not delaying your order, sometimes the ME may or may not be factory-disabled at the time of shipment (so please don’t panic if it isn’t); in such situations, we typically provide coreboot image updates that address the issue once we solve it soon after.

Checking whether microcode updates are applied or not in your image

If you flashed the no-microcode rom you can confirm the absence of microcode updates simply by noticing it does not exist from /proc/cpuinfo, if you did have microcode it would show the microcode version, without microcode updates applied there is no version and no microcode line, as demonstrated below.

cat /proc/cpuinfo | grep microcode | wc
 0 0 0

Running with or without microcode updates applied comes down to personal preference. Microcode updates from the CPU vendor are meant to fix stability and performance issues, such as this one or this one (for the sake of the example). Purism applies microcode updates in the factory-preloaded coreboot images to ensure system stability, while offering versions of the coreboot images without microcode updates applied, for those who seek them.