lbmk/script/update/blobs/extract

123 lines
3.1 KiB
Plaintext
Raw Normal View History

#!/usr/bin/env sh
# script to automate extracting blobs from an existing vendor bios
# SPDX-FileCopyrightText: 2022 Caleb La Grange <thonkpeasant@protonmail.com>
# SPDX-FileCopyrightText: 2023 Leah Rowe <leah@libreboot.org>
# SPDX-License-Identifier: GPL-3.0-only
. "include/err.sh"
2023-05-14 08:19:44 +00:00
sname=""
board=""
vendor_rom=""
cbdir="coreboot/default"
cbcfgsdir="config/coreboot"
ifdtool="${cbdir}/util/ifdtool/ifdtool"
mecleaner="me_cleaner/me_cleaner.py"
me7updateparser="util/me7_update_parser/me7_update_parser.py"
boarddir=""
CONFIG_HAVE_MRC=""
CONFIG_ME_BIN_PATH=""
CONFIG_GBE_BIN_PATH=""
CONFIG_IFD_BIN_PATH=""
_me_destination=""
_gbe_destination=""
_ifd_destination=""
2023-05-14 08:19:44 +00:00
main()
{
sname=${0}
[ $# -lt 2 ] && err "Missing arguments (fewer than two)."
2023-05-14 08:19:44 +00:00
board="${1}"
vendor_rom="${2}"
boarddir="${cbcfgsdir}/${board}"
check_board
build_dependencies
extract_blobs
}
check_board()
2023-05-14 08:24:31 +00:00
{
much, much stricter, more verbose error handling lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
if [ ! -f "${vendor_rom}" ]; then
err "check_board: ${board}: file does not exist: ${vendor_rom}"
elif [ ! -d "${boarddir}" ]; then
err "check_board: ${board}: target not defined"
elif [ ! -f "${boarddir}/target.cfg" ]; then
err "check_board: ${board}: missing target.cfg"
fi
2023-05-14 08:24:31 +00:00
}
build_dependencies()
{
much, much stricter, more verbose error handling lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
if [ ! -d me_cleaner ]; then
./update project repo me_cleaner || \
much, much stricter, more verbose error handling lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
err "build_dependencies: can't fetch me_cleaner"
elif [ ! -d "${cbdir}" ]; then
./update project trees coreboot default || \
much, much stricter, more verbose error handling lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
err "build_dependencies: can't fetch coreboot"
elif [ ! -f "${ifdtool}" ]; then
make -C "${ifdtool%/ifdtool}" || \
err "build_dependencies: can't build ifdtool"
fi
}
extract_blobs()
{
2023-05-14 08:19:44 +00:00
printf "extracting blobs for %s from %s\n" ${board} ${vendor_rom}
set -- "${boarddir}/config/"*
. "${1}" 2>/dev/null
. "${boarddir}/target.cfg"
[ "$CONFIG_HAVE_MRC" != "y" ] || \
much, much stricter, more verbose error handling lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
./update blobs mrc || err "extract_blobs: can't fetch mrc"
_me_destination=${CONFIG_ME_BIN_PATH#../../}
_gbe_destination=${CONFIG_GBE_BIN_PATH#../../}
_ifd_destination=${CONFIG_IFD_BIN_PATH#../../}
extract_blob_intel_me
extract_blob_intel_gbe_nvm
# Cleans up other files extracted with ifdtool
much, much stricter, more verbose error handling lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
rm -f flashregion*.bin || err "extract_blobs: !rm -f flashregion*.bin"
[ -f "${_ifd_destination}" ] || err "extract_blobs: Cannot extract IFD"
printf "gbe, ifd, and me extracted to %s\n" "${_me_destination%/*}"
}
extract_blob_intel_me()
{
printf "extracting clean ime and modified ifd\n"
"${mecleaner}" -D "${_ifd_destination}" \
-M "${_me_destination}" "${vendor_rom}" -t -r -S || \
"${me7updateparser}" \
-O "${_me_destination}" "${vendor_rom}" || \
much, much stricter, more verbose error handling lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
err "extract_blob_intel_me: cannot extract from vendor rom"
}
extract_blob_intel_gbe_nvm()
{
printf "extracting gigabit ethernet firmware"
./"${ifdtool}" -x "${vendor_rom}" || \
much, much stricter, more verbose error handling lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
err "extract_blob_intel_gbe_nvm: cannot extract gbe.bin from rom"
mv flashregion*gbe.bin "${_gbe_destination}" || \
much, much stricter, more verbose error handling lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
err "extract_blob_intel_gbe_nvm: cannot move gbe.bin"
2023-05-14 08:19:44 +00:00
}
print_help()
{
printf "Usage: ./update blobs extract {boardname} {path/to/vendor_rom}\n"
printf "Example: ./update blobs extract x230 12mb_flash.bin\n"
2023-05-14 08:24:31 +00:00
printf "\nYou need to specify exactly 2 arguments\n"
}
2023-05-14 08:19:44 +00:00
main $@