#!/usr/bin/env sh

# helper script: generate release archive (ROM images)
#
# Copyright (C) 2020,2021,2022,2023 Leah Rowe <info@minifree.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#

[ "x${DEBUG+set}" = 'xset' ] && set -v
set -u -e

. "include/err.sh"

projectname="$(cat projectname)"
version="version-unknown"
versiondate="version-date-unknown"
tree="default"
target=""
# per-target blob flags; make_archive re-derives them from the target's
# coreboot configs before stripping anything
CONFIG_HAVE_MRC=""
CONFIG_HAVE_ME_BIN=""
CONFIG_KBC1126_FIRMWARE=""

NEW BOARD: Dell Precision T1650
Very nice ivybridge board that supports ECC RAM.
NOTE: I couldn't get onboard graphics working yet, but
this was confirmed working with a graphics card (in my
case Nvidia Quadro K420) booted in text mode on the SeaBIOS
payload. The GRUB payload also works, when loaded from SeaBIOS.
Therefore, this is a SeaBIOS-only board (as far as first payload
is concerned), but you can pick GRUB from the menu.
You could make it "GRUB-only" in practice by setting SeaBIOS
boot order to only load GRUB, and disable the SeaBIOS menu.
We refer to this as "SeaGRUB".
I've made lbmk use biosutilities and uefiextract, to
get at the SMSC SCH5545 Environmental Control (EC) firmware.
This firmware is needed for fan control. This is automatically
downloaded and extracted, from Dell UEFI firmware updates.
As with other blobs such as Intel ME, this firmware is then
scrubbed by the release build scripts. The blobutil "inject"
script can be used to re-insert it.
Of note: there is no fixed offset, but no other blobs to
be inserted in CBFS either, so the offset when re-inserting
on release ROMs should still be the same, and thus the ROM
checksums should match, when running blobutil inject.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-11 13:50:17 +00:00

CONFIG_INCLUDE_SMSC_SCH5545_EC_FW=""
ifdtool="cbutils/${tree}/ifdtool"
cbfstool="cbutils/${tree}/cbfstool"

only remove microcode in build/release/roms
libreboot's build system, lbmk, *is* available to use
in releases as well (use the _src tarball), but it is
mostly intended for development, in lbmk.git
well, there's not much point wasting time / disk space
generating no-microcode roms within lbmk
they should be generated only at release time, alongside
the default ones
this patch implements that, thus speeding up the build
process and saving disk usage during development
the other alternative was to add a new option in
build/boot/roms, -m, that would opt in to removing them,
but this is extra complexity for something that is ill
advised and only provided to appease certain people
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-31 21:00:13 +00:00

microcode_required="y"

main()
{
	printf "Building ROM image archives for version %s\n" "${version}"

	init_check

	for romdir in bin/*; do
		[ -d "${romdir}" ] || continue
		make_archive "${romdir}"
	done

	printf "\nROM archives available at release/%s/roms/\n\n" "${version}"
}

much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, I've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors (bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00

# read version/versiondate if present and make sure release/<version>/roms/
# starts out empty
init_check()
{
	[ -f version ] && \
		version="$(cat version)"
	[ -f versiondate ] && \
		versiondate="$(cat versiondate)"
	[ ! -d "bin/" ] && \
		err "init_check: no ROMs built yet (error)"
	[ -d "release/" ] || \
		mkdir -p release/ || \
		err "init_check: !mkdir -p release/"
	[ -d "release/${version}/" ] || \
		mkdir -p "release/${version}/" || \
		err "init_check: !mkdir -p release/${version}/"
	[ ! -d "release/${version}/roms/" ] || \
		rm -Rf "release/${version}/roms/" || \
		err "init_check: !rm -Rf release/${version}/roms/"

	if [ ! -d "release/${version}/roms/" ]; then
		mkdir -p "release/${version}/roms/" || \
			err "init_check: !mkdir -p release/${version}/roms/"
	fi
}

# copy one target's ROMs (bin/<target>/) into a temp dir, strip blobs where
# the target's config calls for it, then pack the result as a .tar.xz
# under release/<version>/roms/
make_archive()
{
	builddir="${1}"
	romdir="$(mktemp -d -t coreboot_rom.XXXXXXXXXX)" || \
		err "make_archive: cannot create tmpdir"
	rm -Rf "${romdir}" || err "make_archive: can't remove tmpdir"
	target="${builddir##*/}"
	romdir="${romdir}/bin/${target}"
	mkdir -p "${romdir}" || \
		err "make_archive: can't mkdir tmpdir"
	cp "${builddir}"/* "${romdir}" || \
		err "make_archive: cannot copy ROM images directory -> ${romdir}"

	echo "${target}"

	[ -f "resources/coreboot/${target}/target.cfg" ] || \
		err "make_archive: ${target}: target.cfg is missing"

	# target.cfg may set microcode_required; anything other than y/n means y
	. "resources/coreboot/${target}/target.cfg"
	[ "${microcode_required}" = "y" ] || \
		[ "${microcode_required}" = "n" ] || microcode_required="y"

	# assume every blob is present, then clear each flag that none of this
	# target's coreboot configs enables
	CONFIG_HAVE_MRC="y"
	CONFIG_HAVE_ME_BIN="y"
	CONFIG_KBC1126_FIRMWARE="y"
	CONFIG_INCLUDE_SMSC_SCH5545_EC_FW="y"
	grep "CONFIG_HAVE_ME_BIN=y" "resources/coreboot/${target}/config/"* || \
		CONFIG_HAVE_ME_BIN="n"
	grep "CONFIG_HAVE_MRC=y" "resources/coreboot/${target}/config/"* || \
		CONFIG_HAVE_MRC="n"
	grep "CONFIG_KBC1126_FIRMWARE=y" \
		"resources/coreboot/${target}/config"/* || \
		CONFIG_KBC1126_FIRMWARE="n"
	grep "CONFIG_INCLUDE_SMSC_SCH5545_EC_FW=y" \
		"resources/coreboot/${target}/config"/* || \
		CONFIG_INCLUDE_SMSC_SCH5545_EC_FW="n"

	# remove ME/MRC/EC firmware from ROM images
	if [ "${CONFIG_HAVE_ME_BIN}" = "y" ] || \
		[ "${target}" = "e6400nvidia_4mb" ] || \
		[ "${microcode_required}" = "n" ]; then
		strip_archive "${romdir}"
	fi

	printf "Generating release/%s/roms/%s-%s_%s.tar.xz\n" \
		"${version}" "${projectname}" "${version}" "${target##*/}"
	printf "%s\n" "${version}" > "${romdir}/version" || \
		err "make_archive: can't create ${romdir}/version"
	printf "%s\n" "${versiondate}" > "${romdir}/versiondate" || \
		err "make_archive: can't create ${romdir}/versiondate"
	printf "%s\n" "${projectname}" > "${romdir}/projectname" || \
		err "make_archive: can't create ${romdir}/projectname"

	archivename="${projectname}-${version}_${target##*/}"
	f="release/${version}/roms/${archivename}"
	(
	cd "${romdir%/bin/${target}}" || err "make_archive: can't cd to tmpdir"
	tar -c "bin/${target}/" | xz -9e > "${archivename}.tar.xz" || \
		err "make_archive: can't make ${projectname}-${version}_${target##*/}"
	)
	cp "${romdir%/bin/${target}}/${archivename}.tar.xz" "${f}.tar.xz" || \
		err "make_archive: can't copy tarball"
	rm -Rf "${romdir%/bin/${target}}" || \
		err "make_archive: can't delete tmpdir"
}

# strip microcode (if the target allows it) and vendor blobs from every ROM
# in the temp dir, recording sha1sums of the complete ROMs first so that
# blobutil inject can verify its result against them
strip_archive()
{
	romdir="${1}"

	[ -d "coreboot/${tree}" ] || \
		./fetch_trees coreboot "${tree}" || \
		err "strip_archive: coreboot/${tree}: can't fetch source"
	./build coreboot utils "${tree}" || \
		err "strip_archive: coreboot/${tree}: can't build utils"

	if [ "${microcode_required}" = "n" ]; then
		for romfile in "${romdir}"/*.rom; do
			[ -f "${romfile}" ] || continue
			strip_ucode "${romfile}"
		done
		for romfile in "${romdir}"/*.tmprom; do
			[ -f "${romfile}" ] || continue
			mv "${romfile}" "${romfile%.tmprom}.rom" || \
				err "can't make no-u rom: ${romfile%.tmprom}.rom"
		done
	fi

	# Hash the rom before removing blobs
	rm -f "${romdir}/blobhashes" || \
		err "strip_archive: !rm -f ${romdir}/blobhashes"
	touch "${romdir}/blobhashes" || \
		err "strip_archive: !touch ${romdir}/blobhashes"

	(
	cd "${romdir}" || err "strip_archive: !cd ${romdir}"
	sha1sum *.rom >> blobhashes || \
		err "strip_archive: ${romdir}: !sha1sum *.rom >> blobhashes"
	)

	for romfile in "${romdir}"/*.rom; do
		[ -f "${romfile}" ] || continue
		strip_rom_image "${romfile}"
	done
}

# produce <name>_nomicrocode.tmprom beside <name>.rom; if the ROM carries no
# cpu_microcode_blob.bin in CBFS at all, the original is renamed instead
strip_ucode()
{
	romfile="${1}"

	_newrom_b="${romfile%.rom}_nomicrocode.tmprom"
	cp "${romfile}" "${_newrom_b}" || \
		err "strip_ucode: cp \"${romfile}\" \"${_newrom_b}\""
	microcode_present="y"
	"${cbfstool}" "${_newrom_b}" remove -n \
		cpu_microcode_blob.bin 2>/dev/null || microcode_present="n"
	if [ "${microcode_present}" = "n" ]; then
		printf "REMARK: '%s' already lacks microcode\n" \
			"${romfile}"
		printf "Renaming default ROM file instead.\n"
		mv "${romfile}" "${_newrom_b}" || \
			err "strip_ucode: can't rename no-u ${romfile}"
	fi
}

# blank out each blob region that this target's config marks as present
strip_rom_image()
{
	romfile="${1}"

	[ -f "${romfile}" ] || return 0

	if [ "${CONFIG_HAVE_ME_BIN}" = "y" ]; then
		"${ifdtool}" --nuke me "${romfile}" -O "${romfile}" || \
			err "strip_rom_image: ${romfile}: cannot nuke Intel ME"
	fi

if [ "${CONFIG_HAVE_MRC}" = "y" ]; then
|
2023-08-27 08:25:50 +00:00
|
|
|
"${cbfstool}" "${romfile}" remove -n mrc.bin || \
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
err "strip_rom_images: ${romfile}: cannot nuke mrc.bin"
|
2023-08-27 08:25:50 +00:00
|
|
|
"${cbfstool}" "${romfile}" print || :
|
2023-05-20 18:45:08 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "${CONFIG_KBC1126_FIRMWARE}" = "y" ]; then
|
2023-08-27 08:25:50 +00:00
|
|
|
"${cbfstool}" "${romfile}" remove -n ecfw1.bin || \
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
err "strip_rom_images: ${romfile}: can't nuke ecfw1.bin"
|
2023-08-27 08:25:50 +00:00
|
|
|
"${cbfstool}" "${romfile}" remove -n ecfw2.bin || \
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
err "strip_rom_images: ${romfile}: can't nuke ecfw2.bin"
|
2023-05-20 18:45:08 +00:00
|
|
|
fi
|
|
|
|
|
2023-08-21 18:41:49 +00:00
|
|
|
[ "${CONFIG_INCLUDE_SMSC_SCH5545_EC_FW}" != "y" ] || \
|
2023-08-27 08:25:50 +00:00
|
|
|
"${cbfstool}" "${romfile}" remove -n sch5545_ecfw.bin || \
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
err "strip_rom_images: ${romfile}: can't nuke sch5545ec fw"
|
NEW BOARD: Dell Precision T1650
Very nice ivybridge board that supports ECC RAM.
NOTE: I couldn't get onboard graphics working yet, but
this was confirmed working with a graphics card (in my
case nvidia quadra k420) booted in text mode on the SeaBIOS
payload. The GRUB payload also works, when loaded from SeaBIOS.
Therefore, this is a SeaBIOS-only board (as far as first payload
is concerned), but you can pick GRUB from the menu.
You could make it "GRUB-only" in practise by setting SeaBIOS
boot order to only load GRUB, and disable the SeaBIOS menu.
We refer to this as "SeaGRUB".
I've made lbmk use biosutilities and uefiextract, to
get at the SMSC SCH5545 Environmental Control (EC) firmware.
This firmware is needed for fan control. This is automatically
downloaded and extracted, from Dell UEFI firmware updates.
As with other blobs such as Intel ME, this firmware is then
scrubbed by the release build scripts. The blobutil "inject"
script can be used to re-insert it.
Of note: there is no fixed offset, but no other blobs to
be inserted in CBFS either, so the offset when re-inserting
on release ROMs should still be the same, and thus the ROM
checksums should match, when running blobutil inject.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-11 13:50:17 +00:00
|
|
|
|
2023-05-20 18:45:08 +00:00
|
|
|
# TODO: replace this board-specific hack
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
if [ "${target}" = "e6400nvidia_4mb" ]; then
|
2023-08-27 08:25:50 +00:00
|
|
|
"${cbfstool}" "${romfile}" remove -n "pci10de,06eb.rom" || \
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
err "strip_rom_images: ${romfile}: can't nuke e6400 vga rom"
|
|
|
|
fi
|
2023-05-20 18:45:08 +00:00
|
|
|
}
|
|
|
|
|
2023-05-20 18:33:29 +00:00
|
|
|
main $@
|
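A companion check, added here as an example and not part of lbmk: it reads a listing in the row layout of `cbfstool <rom> print` (constructed inline, since the tool is not run here) and confirms that none of the CBFS entries strip_ucode() and strip_rom_image() delete are still present in a release image. The function name cbfs_is_clean, the two listings and their sizes/offsets are assumptions made for this example.

```shell
# Added example, not lbmk code: check that a release ROM's CBFS listing no
# longer carries any of the blobs strip_ucode()/strip_rom_image() remove.
# cbfstool is not run here; the listings below are constructed in the row
# layout of "cbfstool <rom> print" (name, offset, type, size, compression).
set -u

# Entry names that strip_ucode() and strip_rom_image() delete from CBFS.
# (The Intel ME sits in its own flash region, not in CBFS, so its removal
# by "ifdtool --nuke me" cannot be confirmed from a CBFS listing.)
blob_names="cpu_microcode_blob.bin mrc.bin ecfw1.bin ecfw2.bin sch5545_ecfw.bin pci10de,06eb.rom"

# cbfs_is_clean LISTING NAMES: return 0 if no entry named in NAMES (space
# separated) appears in LISTING; otherwise report each one and return 1.
cbfs_is_clean()
{
	_listing="${1}"
	_names="${2}"
	_bad=0
	for _n in ${_names}; do
		# the first field of every data row is the CBFS entry name
		if printf '%s\n' "${_listing}" | \
		    awk -v n="${_n}" '$1 == n { found = 1 } END { exit !found }'; then
			printf 'blob still present in CBFS: %s\n' "${_n}" 1>&2
			_bad=1
		fi
	done
	return ${_bad}
}

# Constructed listing of a default (blob-carrying) image
default_listing="Name                           Offset     Type           Size   Comp
cbfs_master_header             0x0        cbfs header    32     none
fallback/romstage              0x80       stage          94504  none
cpu_microcode_blob.bin         0x17280    microcode      72704  none
mrc.bin                        0x29000    mrc            190464 none
fallback/payload               0x58000    simple elf     57912  none"

# Constructed listing of the same image after the strip functions ran
stripped_listing="Name                           Offset     Type           Size   Comp
cbfs_master_header             0x0        cbfs header    32     none
fallback/romstage              0x80       stage          94504  none
fallback/payload               0x58000    simple elf     57912  none"

if cbfs_is_clean "${stripped_listing}" "${blob_names}"; then
	printf 'stripped image: no vendor blobs left in CBFS\n'
fi
cbfs_is_clean "${default_listing}" "${blob_names}" || \
    printf 'default image: vendor blobs present, as expected\n'
```

Run it against real output by substituting `"$("${cbfstool}" "${romfile}" print)"` for one of the constructed listings.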