#!/usr/bin/env sh
# script to automate extracting blobs from an existing vendor bios
# SPDX-FileCopyrightText: 2022 Caleb La Grange <thonkpeasant@protonmail.com>
# SPDX-FileCopyrightText: 2023 Leah Rowe <leah@libreboot.org>
# SPDX-License-Identifier: GPL-3.0-only
. "include/err.sh"
# Command-line inputs; main() fills these in.
sname=""
board=""
vendor_rom=""

# Per-board config directory; main() sets it to ${cbcfgsdir}/${board}.
boarddir=""

# Fixed locations of the coreboot tree, the board configs and the helper
# tools, all relative to the directory the script is run from.
cbdir="coreboot/default"
cbcfgsdir="config/coreboot"
ifdtool="$cbdir/util/ifdtool/ifdtool"
mecleaner="me_cleaner/me_cleaner.py"
me7updateparser="util/me7_update_parser/me7_update_parser.py"

# Read by extract_blobs() after it has sourced the board's config files.
# They start out empty here, so a value inherited from the caller's
# environment is overwritten before those files are read.
CONFIG_HAVE_MRC=""
CONFIG_ME_BIN_PATH=""
CONFIG_GBE_BIN_PATH=""
CONFIG_IFD_BIN_PATH=""

# Output paths, computed in extract_blobs() from the CONFIG_*_BIN_PATH values.
_me_destination=""
_gbe_destination=""
_ifd_destination=""
# Entry point: record the arguments, then validate, prepare and extract.
#
# Arguments: $1 - board name (a directory under ${cbcfgsdir})
#            $2 - path to the vendor ROM image
# Globals:   writes sname, board, vendor_rom and boarddir
main()
{
	sname="$0"

	if [ "$#" -lt 2 ]; then
		err "Missing arguments (fewer than two)."
	fi

	board="$1"
	vendor_rom="$2"

	# NOTE(review): ${board} is joined into the path as given, and
	# extract_blobs() later sources files found under that directory,
	# so the board argument has to come from a trusted caller.
	boarddir="$cbcfgsdir/$board"

	check_board
	build_dependencies
	extract_blobs
}
# Verify the inputs before any work is done: the vendor ROM must be a
# regular file, and the board must have a config directory that contains
# a target.cfg. The first failed check is reported through err and the
# remaining checks are skipped.
#
# Globals: reads vendor_rom, board, boarddir
check_board()
{
	[ -f "${vendor_rom}" ] || {
		err "check_board: ${board}: file does not exist: ${vendor_rom}"
		return
	}
	[ -d "${boarddir}" ] || {
		err "check_board: ${board}: target not defined"
		return
	}
	[ -f "${boarddir}/target.cfg" ] || {
		err "check_board: ${board}: missing target.cfg"
		return
	}
}
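# Make sure the tools needed for extraction are available: the me_cleaner
# checkout, the coreboot tree, and the ifdtool binary built from that tree.
#
# Globals: reads cbdir, ifdtool
# Calls err when a fetch or the build fails.
#
# NOTE(review): whatever integrity checking applies to the fetched sources
# happens inside ./update, not here. Confirm it before trusting the tools
# that this script then runs on the vendor ROM.
build_dependencies()
{
	# Each dependency is checked on its own. An if/elif chain stops after
	# the first missing item, so a fresh tree would get me_cleaner but
	# neither coreboot nor ifdtool.
	if [ ! -d me_cleaner ]; then
		./update project repo me_cleaner || \
		    err "build_dependencies: can't fetch me_cleaner"
	fi

	if [ ! -d "${cbdir}" ]; then
		./update project trees coreboot default || \
		    err "build_dependencies: can't fetch coreboot"
	fi

	if [ ! -f "${ifdtool}" ]; then
		# ${ifdtool%/ifdtool} is the directory that holds the binary.
		make -C "${ifdtool%/ifdtool}" || \
		    err "build_dependencies: can't build ifdtool"
	fi
}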
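# Load the board's configuration, work out where each blob belongs, and
# run the individual extractors.
#
# Globals: reads board, vendor_rom, boarddir and the CONFIG_* values set by
#          the sourced files; writes _me_destination, _gbe_destination and
#          _ifd_destination
# Outputs: progress messages on stdout
# Calls err when fetching mrc fails, when cleanup fails, or when no IFD
# file exists at the end.
extract_blobs()
{
	# Quoted so that a ROM path containing spaces stays one argument;
	# unquoted, printf would reuse the format for the extra words.
	printf "extracting blobs for %s from %s\n" "${board}" "${vendor_rom}"

	# Both files below are executed as shell code by ".", so everything
	# under ${boarddir} must be trusted. Only the first entry the glob
	# yields is read. If nothing matches, ${1} is the unexpanded pattern
	# and the failure message is hidden by 2>/dev/null.
	set -- "${boarddir}/config/"*
	. "${1}" 2>/dev/null
	. "${boarddir}/target.cfg"

	# mrc is fetched only when the config asks for it.
	[ "$CONFIG_HAVE_MRC" != "y" ] || \
	    ./update blobs mrc || err "extract_blobs: can't fetch mrc"

	# Drop a leading "../../" so the paths are relative to the
	# directory the script runs from.
	_me_destination=${CONFIG_ME_BIN_PATH#../../}
	_gbe_destination=${CONFIG_GBE_BIN_PATH#../../}
	_ifd_destination=${CONFIG_IFD_BIN_PATH#../../}

	extract_blob_intel_me
	extract_blob_intel_gbe_nvm

	# Cleans up other files extracted with ifdtool
	rm -f flashregion*.bin || err "extract_blobs: !rm -f flashregion*.bin"

	[ -f "${_ifd_destination}" ] || err "extract_blobs: Cannot extract IFD"
	printf "gbe, ifd, and me extracted to %s\n" "${_me_destination%/*}"
}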
# Extract the Intel ME image (and, via me_cleaner, the descriptor) from
# the vendor ROM. me_cleaner is tried first; if it fails, the ME7 update
# parser is tried on the same ROM, and err is called only when both fail.
#
# Globals: reads mecleaner, me7updateparser, vendor_rom, _ifd_destination,
#          _me_destination
extract_blob_intel_me()
{
	printf "extracting clean ime and modified ifd\n"

	# me_cleaner: -D and -M name the descriptor and ME output files;
	# -t, -r and -S are its truncate, relocate and soft-disable options.
	if ! "${mecleaner}" -D "${_ifd_destination}" -M "${_me_destination}" \
	    "${vendor_rom}" -t -r -S; then
		"${me7updateparser}" -O "${_me_destination}" "${vendor_rom}" || \
		    err "extract_blob_intel_me: cannot extract from vendor rom"
	fi
}
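# Split the vendor ROM into its flash regions with ifdtool and move the
# GbE region file to its destination.
#
# Globals: reads ifdtool, vendor_rom, _gbe_destination
# Outputs: a progress message on stdout
# Calls err when ifdtool fails or when the region file cannot be moved.
extract_blob_intel_gbe_nvm()
{
	# Newline added: without it this message ran into whatever was
	# printed next, unlike the other progress messages in this script.
	printf "extracting gigabit ethernet firmware\n"

	# ifdtool -x writes flashregion*.bin files into the current
	# directory; the caller removes the leftover ones afterwards.
	./"${ifdtool}" -x "${vendor_rom}" || \
	    err "extract_blob_intel_gbe_nvm: cannot extract gbe.bin from rom"

	mv flashregion*gbe.bin "${_gbe_destination}" || \
	    err "extract_blob_intel_gbe_nvm: cannot move gbe.bin"
}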
# Print the usage text on stdout: the command form, one example, and a
# reminder that exactly two arguments are expected.
# No caller of this function is visible in this file.
print_help()
{
	# Command form, then a worked example.
	printf "Usage: ./update blobs extract {boardname} {path/to/vendor_rom}\n"
	printf "Example: ./update blobs extract x230 12mb_flash.bin\n"

	# The leading \n leaves a blank line before the reminder.
	printf "\nYou need to specify exactly 2 arguments\n"
}
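# Pass the arguments through unchanged. Quoting "$@" keeps a ROM path that
# contains spaces or glob characters as a single argument.
main "$@"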