% Safety issues updating Libreboot on Sandybridge/Ivybridge/Haswell % Leah Rowe % 7 July 2023
Please also follow this guide if using Dell Latitude laptops.
If unsure, just follow this guide. If you follow this guide on a board that does not need vendor files, the resulting ROM images will be identical and therefore nothing will have happened. The inject script is designed to insert certain files, only if required on a given mainboard.
NOTE: Libreboot standardises on flashprog now, as of 27 January 2024, which is a fork of flashrom.
UPDATE (21 August 2023): None of the proposals below have yet been implemented, and this page is still relevant for Libreboot 20231021. It applies to any system that requires vendor code to be inserted inside ROM images.
(it also applies to Libreboot 20231101, 20231106, 20240126, 20240225, 20240504, 20240612, 20241008 and 20241206)
UPDATE (16 August 2023): This also applies to the recently added Dell Precision T1650 mainboard.
As I write this post, Libreboot 20230625 recently came out. There's technically nothing unsafe about the release itself, but certain users have been bricking their machines, on the following mainboards:
On these platforms, the following binary vendor files are required:
me_cleaner
to neuter the Intel ME, so that it's disabled after BringUp.When you build Libreboot from source, Libreboot's automated build system (lbmk) automatically downloads these files directly from the hardware vendor, and inserts them into the ROM during build time.
However, these files are not redistributable, so Libreboot's build system (lbmk) automatically scrubs (deletes) these files, from each ROM image, prior to archiving the ROM images for release.
What this means is exactly as implied:
If you simply flash the release ROMs as-is, without modification, you will be flashing them without these required files. This is exactly what some people have been doing.
Instructions are given here, for how to insert these files on release ROMs:
Insert vendor files on Sandybridge/Ivybridge/Haswell
The linked guide makes use of vendor scripts, that handles all firmwares, automatically for each given mainboard. It can automatically download and insert all of the following:
More information is available in the guide.
Like I said, there's technically nothing wrong with recent Libreboot releases.
The main problem is that Libreboot documentation did not prominently warn about this issue. Such warnings were available on Libreboot, but were not prominently displayed. Such warnings are now littered all throughout the Libreboot documentation, even mentioned in bold lettering at the top of the downloads page, so there's no way a user can miss it.
See: https://codeberg.org/libreboot/lbmk/issues/92
In this issue page, I outline ways to further reduce the risk. On the platforms affected by this, the flash is divided into the following regions:
The IFD region configures the machine, and specifies read/write capability for host CPU when flashing all regions, including IFD.
GbE contains NIC configuration, including MAC address, for intel gigabit NIC.
ME region is Intel ME firmware.
BIOS region is coreboot.
Per the issue page, I intend to implement the following regime in future Libreboot releases, on the affected machines:
In this configuration, internal flashing would still be possible, so that you do not have to disassemble the machine, but two flashes would be needed:
Under this configuration, we would still have the reality where some people don't read documentation, but if they don't read documentation, they will then just run flashprog on ROM images as-is, and it won't work. This will cause one of three possible scenarios:
Under this regime, some users may still brick their machines. For example, they might read the instructions for how to unlock regions, and then still flash a ROM image without running vendor scripts on it - there is nothing we can really do to prevent this, short of simply locking all regions, including the IFD region (if we did that, then users would need to externally re-flash their machine when updating).
Libreboot's policy is to make updates as easy as possible, but these extra precautions are required on the newer Intel platforms.
When this is implemented in Libreboot, this page will be updated, and info about it will be added to the installation/update instructions. I'm also considering whether to apply this change retroactively on older release ROMs, for all of these releases: 20221214, 20230319, 20230413, 20230423 and 20230625.
That's all for now. Please take care when updating or installing Libreboot. Libreboot is generally well-tested and with good release engineering, but you must ALWAYS read the documentation. This is true of any software, but it is especially true of Libreboot. Please take care not to brick your machine. Thanks!