May 29 2021
Thanks for clarifying.
May 28 2021
@jonas.smedegaard not an issue, the script in question is deprecated, and it's not part of PureOS (nor should it be)
@jonas.smedegaard no to both
@MrChromebox Is this still an issue, and is it tied to PureOS?
@MrChromebox Is this an issue, and is it tied to PureOS?
@MrChromebox Do you know if this is still an issue, and if it is tied to PureOS or (as it seems to me) to Purism firmware flashed onto laptops, and possibly published directly by Purism as a package as well, but not shipped with PureOS?
May 27 2021
@kakaroto Is this still an issue?
Is this still an issue, now almost 4 years later?
According to https://tracker.pureos.net/T315#10888 this feature is unneeded and unwanted in PureOS.
Feb 19 2020
Dec 14 2019
Oct 1 2019
Nicely done -- installing on your Mac is pretty cool. :-)
Sep 6 2019
Understandable and I don't intend to be rude or disrespectful. I have read other posts where this particular request appears to be parked repeatedly. I'm at a desperation point and only intend to imply the desperation and not to offend anyone or hurt anyone's feelings.
Sep 5 2019
I don't think this is the way to request support. Please be kind and read other issues related to your problem first.
Sep 4 2019
Apr 17 2019
I'm not sure what vboot is, but if we're talking about Intel Boot Guard, it's my understanding that it requires physically blowing fuses within the CPU, which then only allows signed UEFI to actually boot/run.
Mar 11 2019
Earlier systems implemented it as a screw or switch on the mainboard. The current solution is an onboard controller (CR50, IIRC) dedicated to debugging and owner control.
Sep 30 2018
Oh and btw, how do you intend to detect tampering anyway? Please don't tell me you need a Librem Key. Purism tries to sell the laptops as secure and not secure-with-additional-hardware, right? Or is the Key now part of the laptop shipment? If not, what is your security goal for humble users without a Librem Key?
You seem to be trapped in the thinking that signature verification is bad and measuring is good. Please don't see it like that. They both complement each other very well.
Sep 27 2018
We do not need or want it. Specifically the problem with systems like vboot (and why we went with Heads instead) is that we do not want to require that the BIOS pass a signature check against a key that we control. We want the user to be able to flash with a custom BIOS if they so choose, even if we haven't blessed it with our signature.
Kyle, can you evaluate vboot in terms of security, do we need it, do we want it and all that, so we can decide if we want to add it or not.
Jul 16 2018
I fixed it by using the old commit hash for the previous microcode. I didn't want to update the microcode since that would mean changing the version (so, changing the config, adding a new tag, rebuilding all, changing coreboot final hashes, changelog, etc.) and I'd like to do it later when I update the FSP for the Skylake ones as well, but that one needs testing first and I wanted this fix to be out asap.
Hmm, I thought that repo was meant to contain an archive of all microcodes; I didn't realize he deleted old ones when new ones are out.
I'll update the link and use the commit hash; I prefer that to having the script break constantly.
Jul 15 2018
Actually, you'd want to change the link to use the latest commit hash, not master, otherwise the script will break again next time the microcode is updated. So instead use:
https://github.com/platomav/CPUMicrocodes/tree/956244154c87316e4e6162f02b17cf3547597b1a/Intel/cpu306D4_platC0_ver0000002B_2018-03-22_PRD_0B0DD00D.bin
Jun 1 2018
I confirm I haven't been able to reproduce the bug after weeks of usage.
I think the issue was found and resolved, and tests by Francois haven't been able to reproduce the problem, so I'll consider this done.
Feb 24 2018
From customer email:
Intel SGX is a technology that provides protection of predefined secrets even in the case of a system compromise by creating SGX enclaves. I currently need to run several projects that make use of SGX on the Librem, and that's why I need it enabled.