not sure what you are looking for, but I guess this is what you need,
(microcode updates are publicly available and gfx init is open source)
I'd like to have the system updated against Spectre and other possible vulnerabilities as much as possible.
If Lenovo (or any other vendor) releases updates, which in this case address the Spectre vulnerability,
then I'd need to get the binary blobs from this update, compare them against the previous BIOS version's blobs and, in case they differ, bundle them into the coreboot BIOS, then save coreboot onto the X220. The extra step I do is Intel ME neutralization.
That's why I (believe I) need the blobs from the newest update. Is the reasoning correct, or could I do it more wisely?
The blobs I've initially taken are: flashregion_0_flashdescriptor.bin, flashregion_2_intel_me.bin, flashregion_3_gbe.bin
But:
1. If I neutralize me.bin, then maybe updating it does not make sense? Otherwise, maybe I could use MEanalyzer + its database to get the newest ME, then neutralize it?
2. As far as I know, Spectre fixes reside in CPU microcode. If so, then maybe coreboot can be compiled with the newest CPU microcode for the given CPUID (I've found one on CPUmicrocodes @ GitHub). Or maybe the only place where fixes can appear is the CPU microcode?
3. flashdescriptor.bin - can it contain vulnerabilities? If yes, where to get it from?
4. gbe.bin - the same questions here.
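
For point 2 above, one way to check a candidate microcode file before building it into coreboot, as an added example that is not part of the original post: it parses the 48-byte Intel microcode update header (layout as documented in the Intel SDM), verifies the dword checksum and compares revisions for one CPUID signature. The function names and all sample values are constructed for illustration, and it assumes a single binary update whose primary signature is the one to match (no extended signature table lookup).

```python
import struct

# Intel microcode update header: nine little-endian dwords + 12 reserved bytes.
HEADER = struct.Struct("<9I12x")
SAMPLE_CPUID = 0x000206A7  # constructed sample; use your CPU's own signature

def parse_microcode(blob):
    """Parse one binary Intel microcode update and verify its checksum."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than the 48-byte header")
    (hdr_ver, revision, date, signature, _cksum, _loader,
     flags, _data_size, total_size) = HEADER.unpack_from(blob)
    if hdr_ver != 1:
        raise ValueError("unexpected header version")
    total = total_size or 2048  # zero means the legacy 2048-byte update
    if total % 4 or total < HEADER.size or len(blob) < total:
        raise ValueError("truncated or misaligned update")
    # A valid update's dwords sum to zero modulo 2**32.
    words = struct.unpack_from("<%dI" % (total // 4), blob)
    if sum(words) & 0xFFFFFFFF:
        raise ValueError("checksum mismatch")
    d = "%08x" % date  # BCD mmddyyyy, so the hex digits are the date digits
    return {"signature": signature, "revision": revision, "flags": flags,
            "date": "%s-%s-%s" % (d[4:], d[:2], d[2:4]), "size": total}

def newer_for_cpu(old_blob, new_blob, cpuid):
    """True if both updates target cpuid and new_blob has a higher revision."""
    old, new = parse_microcode(old_blob), parse_microcode(new_blob)
    if old["signature"] != cpuid or new["signature"] != cpuid:
        raise ValueError("update targets a different CPUID signature")
    return new["revision"] > old["revision"]

def make_sample(revision, date, signature, payload_len=2000):
    """Build a constructed update (all-zero payload) with a valid checksum."""
    fields = [1, revision, date, signature, 0, 1, 0x12, payload_len,
              HEADER.size + payload_len]
    fields[4] = -sum(fields) & 0xFFFFFFFF  # make the dword sum wrap to zero
    return HEADER.pack(*fields) + bytes(payload_len)

if __name__ == "__main__":
    old = make_sample(0x10, 0x01152017, SAMPLE_CPUID)  # constructed values
    new = make_sample(0x11, 0x03202018, SAMPLE_CPUID)
    print(parse_microcode(new))
    print("newer:", newer_for_cpu(old, new, SAMPLE_CPUID))
```

A checksum pass only shows the file is internally consistent; it says nothing about where the file came from, so the source of the download still has to be trusted separately.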