Libreboot has earned, over the years, a well-deserved reputation among those who want regain control of the boot process and hardware of their teams. With the new version Libreboot 26.01, nicknamed “Magnanimous Max”, the project takes an interesting leap: it expands the range of supported motherboards, thoroughly refines its building system and strengthens the integration with coreboot and GRUB, all while maintaining its philosophy of free and transparent firmware.
Far from being a simple incremental version, Libreboot 26.01 arrives as stable revision after several well-tested RCs (specifically, RC4, which has been declared stable), incorporating months of work since the previous 25.06. This release includes support for new x86 hardware, deep improvements in the automation of the lbmk build system, updates to critical components such as GNU GRUB, SeaBIOS and various utilities, as well as a good number of bug fixes and refactorings aimed at long-term robustness.
Key new features in Libreboot 26.01 “Magnanimous Max”
Issue 26.01, published on January 30, 2026, is presented as a stable successor version of Libreboot 25.06Internally, there's a significant change: the stable 26.01 release is essentially the same as the previous RC4 release, after undergoing additional testing that validated its stability. Anyone who has already flashed 26.01 RC4 doesn't need to reflash, as there are no code changes.
The focus of this installment is on three main fronts: expansion of supported hardware, update of the technical base (coreboot, GRUB, utilities) and a major cleanup of the lbmk build system, focused on both security (less use of eval, better management of temporary files, error control) and performance (better designed Git caches, use of consistent tools such as sbase, libarchive, etc.).
New compatible motherboards and systems
One of the headlines of Libreboot 26.01 is the addition of four new officially supported devices, expanding the range of hardware where the firmware can be installed:
- HP Pro 3500 Series (port by Vesek)
- Topton XE2 N150 / X2E N150 (port by Riku Viitanen)
- Lenovo ThinkPad T580 (port by Johann C. Rode)
- Dell Latitude E7240 (port via Iru Cai)
The incorporation of the Dell Latitude E7240 It's particularly noteworthy because it's a laptop with an Intel Haswell (4th generation) platform, still very common in both work and home environments. Furthermore, this model allows for internal firmware flashing using the tool dell-flash-unlockThis greatly simplifies the installation of Libreboot without having to open the computer or resort to external programmers.
In the case of Topton X2E N150We are dealing with a firewall/appliance based on Alder Lake-N, which gains support thanks to specific FSP integration and Intel ME management adapted to this family. This implies Do not compress the FSP to ensure reliable insertion, disable certain debugging modes and adjust the coreboot configuration for this specific motherboard.
El HP Pro 3500A desktop computer with Sandy Bridge or Ivy Bridge CPUs receives special treatment in version 26.01: the CBFS space is expanded, the ME region is reconfigured, and several security and boot parameters are adjusted to make better use of the ROM. It is, in short, a way of give a second life to hardware that's over a decade old which can still perform well with GNU/Linux or BSD.
Finally, the ThinkPad T580 It joins the already extensive family of supported Lenovo laptops. In addition to the motherboard port itself, aspects such as the Thunderbolt support and audio details, following the line of other Kaby Lake/Coffee Lake models already present in Libreboot.
Improvements to already supported motherboards and configuration changes
In addition to new hardware, Libreboot 26.01 introduces significant changes to previously supported boards, aimed at make better use of ROM space and refine behaviors which in practice caused inconvenience or limitations.
In the case of the HP Pro 3500, several specific measures have been applied: expand the CBFS to match the BIOS regionThis includes using a truncated Intel ME image instead of a simply wiped one, unlocking all flash regions by default, and setting the HAP bit (which disables ME) whenever the hardware allows. Furthermore, the use of SeaGRUB as the payload (booting SeaBIOS first and then GRUB) has been defined as the standard, instead of the reversed configuration initially used.
On Dell Latitude platforms, a patch has been included that disables premature thermal shutdown (to around 87°C), delegating management to the CPU's standard throttling mechanisms. This prevents unexpected shutdowns which, although "safe," could be very annoying in daily use.
The ThinkPad T480/T480s range also receives attention: the headphone jack detection (previously it was necessary to manually change the port with tools like pavucontrol) and Thunderbolt support has been adjusted, including the removal of duplicate or redundant configurations so that the firmware compiles and works correctly with the latest coreboot versions.
Another interesting new feature is the addition of a special configuration for ThinkPad T440p with a 4 MB CBFSThis image is designed to facilitate recovery tasks, as it allows reprogramming only the second 4MB chip without needing to touch the first one; however, if you want to completely disable or "neutered" Intel ME, it is still necessary to flash the entire set.
Features and support deferred to future versions
Not everything on the roadmap has made it in time for Libreboot 26.01. Several features have been intentionally left out of this stable release. to avoid confusion and not expose users to untested configurationsAmong the postponed projects, three lines of work stand out:
- Broad integration of Chromebooks Intel/AMD x86-64 based on coreboot configurations maintained by MrChromebox.
- Migration of some AMD motherboards (such as ASUS KCMA-D8 and KGPE-D16) to the coreboot fork 15h.org.
- Support for additional Intel Alder Lake motherboards beyond those already integrated (such as the Topton X2E N150).
Some of this work already exists in private branches and experimental scripts, including one Chromebook integration tool which automatically adapts MrChromebox configurations to the Libreboot build system. However, details such as the automatic download and integration of Intel ME images for Alder Lake (processed with) remain to be resolved. me_cleaner) and the performance of physical tests on most Chromebooks.
Initially, it was proposed to include these plates in 26.01 but marked as release="n" (no pre-compiled ROMs, only manual build). Finally, the following was chosen: Do not introduce them so as not to create expectations or confusion. to the end user. The project intends to incorporate these changes into the test branches and potential release candidates, starting presumably with Libreboot 26.06 RC1 around April 2026.
Updated technical base: coreboot and GNU GRUB up to date
One of the pillars of this version is the coreboot codebase update Libreboot uses this framework. In version 26.01, the main tree was synchronized with a snapshot from mid-January 2026, bringing Libreboot virtually up to date with the upstream project. Intermediate revisions (April, June, and July 2025) were also adopted throughout the development cycle to gradually integrate improvements and bug fixes.
In parallel, the main payload based on GNU GRUB has been updated to stable version 2.14During development, work was done on version 2.14-rc1, but finally release 26.01 incorporates the stable version with numerous patches. One of the most significant changes is that GRUB now uses a more modern version of libgcrypt integrated as a submodule, which allows, for example, the elimination of internal Argon2 implementations and native support for a wider range of algorithms and ciphers.
Thanks to this modernization, compatibility with LUKS2 and modern encryption schemes GRUB is significantly improved. More ciphers have been added, and the use of BLS (Boot Loader Specification) and UKI (Unified Kernel Image) configurations has been facilitated. Although these have not been exhaustively tested in this version, they should not theoretically present any problems with the current stack.
Besides GRUB, other pieces like SeaBIOS, PCSX-Redux Open BIOS, flashprog and deguard They have been updated to more recent revisions, incorporating bug fixes, compatibility improvements, and minor maintenance changes. Even seemingly minor details, such as updating copyright dates in PCSX-Redux, have been carefully considered to accurately reflect the state of the imported patches in 2025.
Enhanced cryptography and support for encrypted boot systems
One of the practical benefits of upgrading to GRUB 2.14 and the new libgcrypt is a real increase in cryptographic capabilities available directly from the firmware. Libreboot 26.01 activates additional GRUB modules that enable modern ciphers (e.g., BLAKE-based, better integrated Argon2, etc.), resulting in improved compatibility with LUKS2 encrypted volumes.
This reinforcement is especially relevant for those who use disks fully encrypted from bootThis reduces friction between the bootloader and the recent cryptographic configurations of GNU/Linux distributions. In this way, it becomes easier to have a system where, from the first byte read from the disk, everything passes through free and auditably secure paths.
Great cleanup in lbmk: less eval, better TMPDIR handling and more robustness
Much of the work behind Libreboot 26.01 isn't immediately visible, but it has a huge impact on the security and stability of the build system lbmk, which is the tool responsible for coordinating code downloads, patch application, and ROM compilation.
One of the most notable changes is the drastic reduction in the use of eval in POSIX scripts shAlthough no actual vulnerabilities have been identified, the Libreboot team believes that eval It should only be used in very justified cases, as it potentially opens the door to code injection if mistakes are made in the future. Numerous functions have been rewritten, and shorthands such as setcfg and safer techniques based on . (source) and simple macros.
Another important front has been the temporary directory and cache managementPreviously, many "temporary" files ended in cache/which is actually intended to store persistent elements. On 26.01 the system was reorganized to place TMPDIR within the lbmk working directory itself, abandoning the dependency on /tmp (which can be a memory-limited tmpfs). This simplifies all the temporary file logic and eliminates alternative mechanisms like the old variable xbloc.
Related to this, the file locking mechanism and parent/child instance detectionKey information is now written to the lock itself (including the TMPDIR value), permissions are hardened (to prevent accidental deletions), and the flow by which lbmk decides whether it is running on a primary or secondary instance is clarified. This significantly reduces race conditions and prevents two build processes from overlapping the same code tree.
Great care has also been taken in the error handling and early exit of functionsInternal utilities such as x_, fx_ y dx_ They have been strengthened to check arguments and return states, and sensitive commands that were previously chained with uncontrolled pipes (e.g., certain calls to catThey are now wrapped with explicit error handling. This is a significant improvement because if something goes wrong, lbmk will detect it and stop, instead of continuing with corrupted artifacts.
More reliable downloads: Git, hashes, caches, and dependence on external tools
The way Libreboot Download and cache source code for coreboot, GRUB, U-Boot and other projects It has also been considerably modernized in 26.01. A Git caching system has been implemented where each remote (including backup mirrors) is cloned into a separate repository, avoiding mixing multiple sources in the same clone.
The code retrieval functions (get.sh, tree.sh) take advantage now commands like git show instead of git whatchanged (already deprecated), and they more carefully control which revisions are already cached to avoid unnecessary downloads. Flags are introduced such as -f y -F to control whether or not to force an update, with macros like forcepull that facilitate reading the code.
In parallel, the hash system and disposal of ancient artifactsNow, when a project's tree changes, hashes are recalculated and obsolete files are removed in the correct order (first delete, then update the hash) to avoid inconsistent states. The hash management logic for full-tree and target builds has been unified, and the directory structure has been reorganized (for example, by placing target builds under tree/target/) to make selective cleaning easier.
Another key step has been the decision to not to depend on arbitrary host system utilities These can vary between distributions. In 26.01 Libreboot integrates and compiles its own copy of projects such as sbase (from suckless) and libarchive to provide commands like sha512sum, bsdtar, bsdunzip o bsdcpio with predictable behavior on any distro. This leaves tools like unar, unrar o unzip In most cases, reducing discrepancies between environments.
They have been refined equally error messages and diagnostics, making lbmk more verbose when something fails, but without overwhelming the user with false positives (for example, it now avoids reporting "incorrect" hashes in intermediate extractions that are actually part of a process where only the last file matters).
Specific improvements to Intel ME, FSP, and related utilities
Regarding unavoidable blobs like Intel Management Engine and FSPLibreboot 26.01 takes intermediate steps to handle them as cleanly as possible without overly complicating the build system design. An option has been introduced. -p en me_cleaner (included in older versions) so that, when it is checked MEclean="y" In the configuration of a board, ME can be extracted without modifying the original image if required.
In boards like the Topton X2E N150, this flexibility is used to simply set the HAP bit and leave the ME binary intactThis avoids errors related to FPTR checks and reduces the complexity of processing recent Intel images. In the case of the HP Pro 3500, however, a truncated ME is used, freeing up more space in the BIOS region and increasing the CBFS available for additional payloads.
Regarding FSP, several corrections and adjustments have been applied: Do not compress the Alder Lake-N FSP In Topton, allow the use of Alder Lake FSP images in releases without requiring specific repositories, and rename settings such as mode fspgop to make it clear how the graphical part is initialized (integrating it into the image nomenclature without the user having to worry).
Other fixes and minor improvements scattered throughout the code
Throughout the cycle between Libreboot 25.06 and 26.01, a considerable volume of small patches that, added together, improve the overall experience. Among them are:
- Activate SMBIOS type 16/17 for Haswell native RAM initialization, providing the operating system with a more accurate description of the memory.
- Adjust the behavior of libgfxinit to poll EDID twice on problematic adapters, mimicking the Linux kernel strategy.
- Configure the U-Boot menu on GRU Chromebooks (bob/kevin) with a a more reasonable timeout of 8 seconds instead of 30, accelerating unsupervised restarts.
- Introduce new keyboard layouts (for example, for Norway) in GRUB.
- Adjust the default settings of coreboot on Kabylake motherboards to avoid permanently setting the parameter
power_on_after_fail, delegating it to the CBFS backend. - Minor cosmetic touch-ups such as Return the rainbow logo to U-Boot in specific Libreboot builds.
The following have also been updated dependency installation scripts For newer versions of distributions like Fedora 42/43, the Arch Linux dependencies have been adapted to the package split. unifontensuring that the builds function correctly on modern systems.
Availability, GPG keys, and download mirrors
Libreboot 26.01 is available in the directory stable/26.01/ from the official server rsync.libreboot.orgas well as a wide network of HTTP/HTTPS mirrors spread across various countries (Princeton, MIT, University of Kent, koddos.net, cicku, etc.), in addition to "hidden" mirrors accessible via Tor and i2p. The project strongly recommends that official mirrors replicate from the central rsync server and that end users preferentially use HTTPS mirrors.
The Releases are always signed with GPGThis version uses a key with a full fingerprint. 8BB1 F7D2 8CF7 696D BF4F 7192 5C65 4067 D383 B1FFValid for releases after 26/01/2024 and until the end of 2028 unless revoked. Previous keys (such as the fingerprint key) 98CC DDF8 E560 47F4 75C0 44BD D0C6 2464 FA8B 4856(already expired) are still published to verify older releases, including packages with older static executables.
The recommended procedure consists of Download the key, verify the SHA512 checksum file and its GPG signatureand only then proceed with installation. This practice is even more important if using unencrypted mirrors (HTTP/FTP), where channel integrity is not guaranteed; in those circumstances, signature verification is absolutely essential.
From a certain historical point, Libreboot stopped offering static binaries In recent releases, the focus has been on distributing source code and pre-compiled ROMs. The necessary utilities (such as) flashprogThese are built from source code, following the official documentation. For those who need the GPLv2-mandated source code ISOs of older versions, they are still available in the directory. ccsource from the rsync mirrors.
Focus on freedom, the right to repair, and usability for non-experts
Beyond the technical details of this version, the underlying message of Libreboot 26.01 is clear: Open source firmware is a tool for regaining sovereignty over hardwareThe project openly opposes mechanisms like Intel Boot Guard that only run firmware signed by the manufacturer, because they prevent users from modifying their own machines and close the door to free solutions like coreboot.
The team's vision is that the freedom to study, share and modify the software It should be considered a basic right. Associated with this is the right to repair and extend the life of devices: the existence of Libreboot allows users to continue updating and using hardware that manufacturers deem "obsolete," with proprietary firmware that rarely receives security patches after a certain time.
On a practical level, Libreboot aims to ensure that all of this isn't a luxury reserved for developers. The combination of lbmk as an automated compilation system, pre-compiled ROMs, and step-by-step documentation This makes Libreboot a "packaged coreboot" for end users. If someone wants to compile from scratch and fine-tune every detail, they can; but those who simply want free firmware that works "without any hassle" will find Libreboot a ready-to-use alternative.
With Libreboot 26.01 “Magnanimous Max”, the project consolidates its position as leading open-source firmware based on corebootThis release combines a highly updated technical foundation with a substantial array of bug fixes, security enhancements, and new supported motherboards. For those with an HP Pro 3500, a Dell Latitude E7240, a ThinkPad T580, or an appliance like the Topton X2E N150, this version opens the door to getting rid of the proprietary BIOS; for all other users and contributors, it represents another step in the maturation of an ecosystem that unequivocally champions user freedom over their own hardware.
