2023-06-13 11:09:01 +00:00
|
|
|
#!/usr/bin/env sh
|
2023-09-25 01:19:30 +00:00
|
|
|
# SPDX-License-Identifier: GPL-3.0-only
|
2022-11-14 00:51:12 +00:00
|
|
|
# SPDX-FileCopyrightText: 2022 Caleb La Grange <thonkpeasant@protonmail.com>
|
2023-06-13 11:09:01 +00:00
|
|
|
# SPDX-FileCopyrightText: 2022 Ferass El Hafidi <vitali64pmemail@protonmail.com>
|
2023-09-25 01:27:26 +00:00
|
|
|
# SPDX-FileCopyrightText: 2023 Leah Rowe <leah@libreboot.org>
|
2022-11-14 00:51:12 +00:00
|
|
|
|
2023-08-23 17:56:31 +00:00
|
|
|
. "include/err.sh"
|
2023-09-27 20:46:20 +00:00
|
|
|
. "include/option.sh"
|
2023-05-14 04:42:59 +00:00
|
|
|
|
2023-10-15 10:22:43 +00:00
|
|
|
nvmutil="util/nvmutil/nvm"
|
|
|
|
|
|
|
|
eval "$(setvars "" archive rom modifygbe nukemode release new_mac)"
|
blobs/inject: fix checksum validation if no-ucode
on e6400_4mb, the release build scripts remove nvidia's vga
rom which is used on dgpu models. however, microcode is also
removed in separately copied rom images
the inject script was inserting vgaroms directly into these
no-microcode roms, but the microcode blob is bigger than the
vga rom, and cbfstool inserts into the first available free
spot within cbfs, so it was inserting into the spot where
cpu microcode went. this caused the rom checksum to not match
what was generated during build/release/roms being executed
the only real fix is to guarantee offsets within cbfs for all
files, by recording what offsets were used and then calculating
that during insertion
so this patch is a workaround, but fixes the issue. the workaround
is: don't insert blobs directly on no-microcode roms, instead
insert only on microcode-based roms, then re-copy those roms
and remove microcode in aptly named copies
it's a bit more convoluted, but works perfectly fine.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-09-09 19:05:11 +00:00
|
|
|
|
2023-05-14 04:42:59 +00:00
|
|
|
main()
|
|
|
|
{
|
2023-08-23 17:56:31 +00:00
|
|
|
[ $# -lt 1 ] && err "No options specified."
|
2023-08-27 13:14:49 +00:00
|
|
|
[ "${1}" = "listboards" ] && \
|
2023-10-19 22:36:56 +00:00
|
|
|
items config/coreboot && exit 0
|
2022-11-14 00:51:12 +00:00
|
|
|
|
2023-05-14 04:42:59 +00:00
|
|
|
archive="${1}"
|
|
|
|
|
2023-10-14 05:30:31 +00:00
|
|
|
while getopts n:r:b:m: option; do
|
2023-07-29 06:24:18 +00:00
|
|
|
case "${option}" in
|
2023-10-14 02:30:52 +00:00
|
|
|
n) nukemode="${OPTARG}" ;;
|
2023-09-26 00:34:10 +00:00
|
|
|
r) rom=${OPTARG} ;;
|
|
|
|
b) board=${OPTARG} ;;
|
|
|
|
m) modifygbe=true
|
|
|
|
new_mac=${OPTARG} ;;
|
2023-07-29 06:24:18 +00:00
|
|
|
esac
|
2023-05-14 04:42:59 +00:00
|
|
|
done
|
2022-11-14 00:51:12 +00:00
|
|
|
|
2023-05-14 04:42:59 +00:00
|
|
|
check_board
|
|
|
|
build_dependencies
|
2023-10-06 23:57:55 +00:00
|
|
|
inject_vendorfiles
|
2023-10-14 02:30:52 +00:00
|
|
|
[ "${nukemode}" = "nuke" ] && return 0
|
2023-08-16 23:43:34 +00:00
|
|
|
printf "Friendly reminder (this is *not* an error message):\n"
|
|
|
|
printf "Please always ensure that the files were inserted correctly.\n"
|
2022-11-14 00:51:12 +00:00
|
|
|
}
|
|
|
|
|
2023-05-14 04:42:59 +00:00
|
|
|
check_board()
|
|
|
|
{
|
2023-08-27 08:25:50 +00:00
|
|
|
if ! check_release "${archive}" ; then
|
2023-08-21 18:41:49 +00:00
|
|
|
[ -f "${rom}" ] || \
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
err "check_board: \"${rom}\" is not a valid path"
|
2023-10-07 04:36:52 +00:00
|
|
|
[ -z "${rom+x}" ] && \
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
err "check_board: no rom specified"
|
2023-08-21 18:41:49 +00:00
|
|
|
[ ! -z ${board+x} ] || \
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
board=$(detect_board "${rom}")
|
2023-05-14 04:42:59 +00:00
|
|
|
else
|
2023-10-15 10:22:43 +00:00
|
|
|
release="y"
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
board=$(detect_board "${archive}")
|
2022-11-14 00:51:12 +00:00
|
|
|
fi
|
|
|
|
|
2023-05-14 04:42:59 +00:00
|
|
|
boarddir="${cbcfgsdir}/${board}"
|
2023-09-30 19:04:02 +00:00
|
|
|
[ -d "${boarddir}" ] && return 0
|
|
|
|
err "check_board: board ${board} not found"
|
2022-11-14 00:51:12 +00:00
|
|
|
}
|
|
|
|
|
2023-05-14 04:42:59 +00:00
|
|
|
check_release()
|
|
|
|
{
|
2023-08-21 18:41:49 +00:00
|
|
|
[ -f "${archive}" ] || return 1
|
|
|
|
[ "${archive##*.}" = "xz" ] || return 1
|
|
|
|
printf "%s\n" "Release archive ${archive} detected"
|
2022-11-14 00:51:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# This function tries to determine the board from the filename of the rom.
|
|
|
|
# It will only succeed if the filename is not changed from the build/download
|
2023-05-14 04:42:59 +00:00
|
|
|
detect_board()
|
|
|
|
{
|
2023-08-27 08:25:50 +00:00
|
|
|
path="${1}"
|
2023-04-03 00:06:46 +00:00
|
|
|
filename=$(basename ${path})
|
2022-11-14 00:51:12 +00:00
|
|
|
case ${filename} in
|
2023-07-29 06:24:18 +00:00
|
|
|
grub_*)
|
2023-08-21 18:41:49 +00:00
|
|
|
board=$(echo "${filename}" | cut -d '_' -f2-3) ;;
|
2023-07-29 06:24:18 +00:00
|
|
|
seabios_withgrub_*)
|
2023-08-21 18:41:49 +00:00
|
|
|
board=$(echo "${filename}" | cut -d '_' -f3-4) ;;
|
2023-07-29 06:24:18 +00:00
|
|
|
*.tar.xz)
|
2023-04-03 00:06:46 +00:00
|
|
|
_stripped_prefix=${filename#*_}
|
2023-08-21 18:41:49 +00:00
|
|
|
board="${_stripped_prefix%.tar.xz}" ;;
|
2023-07-29 06:24:18 +00:00
|
|
|
*)
|
2023-10-20 03:10:50 +00:00
|
|
|
err "detect_board $filename: could not detect board type"
|
2022-11-14 00:51:12 +00:00
|
|
|
esac
|
2023-08-23 18:56:01 +00:00
|
|
|
[ -d "${boarddir}/" ] || \
|
2023-10-01 05:33:43 +00:00
|
|
|
err "detect_board: dir, ${boarddir}, doesn't exist"
|
2023-09-09 22:27:44 +00:00
|
|
|
printf "%s\n" "${board}"
|
2022-11-14 00:51:12 +00:00
|
|
|
}
|
|
|
|
|
2023-05-14 04:42:59 +00:00
|
|
|
build_dependencies()
|
|
|
|
{
|
2023-10-19 23:17:30 +00:00
|
|
|
[ -d "${cbdir}" ] || x_ ./update trees -f coreboot default
|
2023-10-13 02:20:33 +00:00
|
|
|
if [ ! -f "${cbfstool}" ] || [ ! -f "${ifdtool}" ]; then
|
2023-10-19 23:17:30 +00:00
|
|
|
x_ ./update trees -b coreboot utils default
|
2023-10-13 02:20:33 +00:00
|
|
|
fi
|
2023-10-14 07:57:11 +00:00
|
|
|
[ -z "${new_mac}" ] || [ -f "${nvmutil}" ] || x_ make -C util/nvmutil
|
2023-10-14 02:30:52 +00:00
|
|
|
[ "${nukemode}" = "nuke" ] && return 0
|
2023-10-19 23:17:30 +00:00
|
|
|
x_ ./vendor download ${board}
|
2023-05-14 04:42:59 +00:00
|
|
|
}
|
2023-05-06 20:21:42 +00:00
|
|
|
|
2023-10-06 23:57:55 +00:00
|
|
|
inject_vendorfiles()
|
2023-05-14 04:42:59 +00:00
|
|
|
{
|
2023-10-20 03:10:50 +00:00
|
|
|
if [ "${release}" != "y" ]; then
|
|
|
|
patch_rom "${rom}"
|
|
|
|
return 0
|
|
|
|
fi
|
2023-10-15 10:22:43 +00:00
|
|
|
printf "patching release images\n"
|
2023-10-03 11:59:35 +00:00
|
|
|
patch_release_roms
|
2023-04-03 00:06:46 +00:00
|
|
|
}
|
|
|
|
|
2023-05-14 04:42:59 +00:00
|
|
|
patch_release_roms()
|
|
|
|
{
|
2023-09-05 00:49:35 +00:00
|
|
|
_tmpdir="tmp/romdir"
|
2023-10-01 05:33:43 +00:00
|
|
|
x_ rm -Rf "${_tmpdir}"
|
|
|
|
x_ mkdir -p "${_tmpdir}"
|
2023-10-20 03:10:50 +00:00
|
|
|
tar -xf "${archive}" -C "${_tmpdir}" || \
|
|
|
|
err "patch_release_roms: !tar -xf \"${archive}\" -C \"${_tmpdir}\""
|
2023-05-14 04:42:59 +00:00
|
|
|
|
2023-08-27 08:25:50 +00:00
|
|
|
for x in "${_tmpdir}"/bin/*/*.rom ; do
|
2023-09-09 22:31:20 +00:00
|
|
|
printf "patching rom: %s\n" "$x"
|
2023-10-20 03:10:50 +00:00
|
|
|
patch_rom "${x}"
|
2023-04-03 00:06:46 +00:00
|
|
|
done
|
blobs/inject: fix checksum validation if no-ucode
on e6400_4mb, the release build scripts remove nvidia's vga
rom which is used on dgpu models. however, microcode is also
removed in separately copied rom images
the inject script was inserting vgaroms directly into these
no-microcode roms, but the microcode blob is bigger than the
vga rom, and cbfstool inserts into the first available free
spot within cbfs, so it was inserting into the spot where
cpu microcode went. this caused the rom checksum to not match
what was generated during build/release/roms being executed
the only real fix is to guarantee offsets within cbfs for all
files, by recording what offsets were used and then calculating
that during insertion
so this patch is a workaround, but fixes the issue. the workaround
is: don't insert blobs directly on no-microcode roms, instead
insert only on microcode-based roms, then re-copy those roms
and remove microcode in aptly named copies
it's a bit more convoluted, but works perfectly fine.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-09-09 19:05:11 +00:00
|
|
|
for x in "${_tmpdir}"/bin/*/*_nomicrocode.rom ; do
|
|
|
|
[ -f "${x}" ] || continue
|
|
|
|
[ -f "${x%_nomicrocode.rom}.rom" ] || continue
|
|
|
|
|
2023-10-22 11:31:55 +00:00
|
|
|
cp "${x%_nomicrocode.rom}.rom" "${x}" || \
|
|
|
|
err "patch_r: !cp \"${x%_nomicrocode.rom}.rom\" \"${x}\""
|
2023-10-01 05:33:43 +00:00
|
|
|
x_ "${cbfstool}" "${x}" remove -n cpu_microcode_blob.bin
|
blobs/inject: fix checksum validation if no-ucode
on e6400_4mb, the release build scripts remove nvidia's vga
rom which is used on dgpu models. however, microcode is also
removed in separately copied rom images
the inject script was inserting vgaroms directly into these
no-microcode roms, but the microcode blob is bigger than the
vga rom, and cbfstool inserts into the first available free
spot within cbfs, so it was inserting into the spot where
cpu microcode went. this caused the rom checksum to not match
what was generated during build/release/roms being executed
the only real fix is to guarantee offsets within cbfs for all
files, by recording what offsets were used and then calculating
that during insertion
so this patch is a workaround, but fixes the issue. the workaround
is: don't insert blobs directly on no-microcode roms, instead
insert only on microcode-based roms, then re-copy those roms
and remove microcode in aptly named copies
it's a bit more convoluted, but works perfectly fine.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-09-09 19:05:11 +00:00
|
|
|
done
|
2023-04-03 00:06:46 +00:00
|
|
|
|
2023-05-14 04:42:59 +00:00
|
|
|
(
|
2023-10-20 03:10:50 +00:00
|
|
|
x_ cd "${_tmpdir}/bin/"* # TODO: very dodgy, re-write accordingly
|
2023-09-09 15:39:26 +00:00
|
|
|
|
|
|
|
# NOTE: For compatibility with older rom releases, defer to sha1
|
2023-10-14 02:30:52 +00:00
|
|
|
[ "${nukemode}" = "nuke" ] || \
|
|
|
|
sha512sum --status -c vendorhashes || \
|
2023-10-06 23:57:55 +00:00
|
|
|
sha1sum --status -c vendorhashes || \
|
|
|
|
sha512sum --status -c blobhashes || \
|
blobs/inject: fix checksum validation if no-ucode
on e6400_4mb, the release build scripts remove nvidia's vga
rom which is used on dgpu models. however, microcode is also
removed in separately copied rom images
the inject script was inserting vgaroms directly into these
no-microcode roms, but the microcode blob is bigger than the
vga rom, and cbfstool inserts into the first available free
spot within cbfs, so it was inserting into the spot where
cpu microcode went. this caused the rom checksum to not match
what was generated during build/release/roms being executed
the only real fix is to guarantee offsets within cbfs for all
files, by recording what offsets were used and then calculating
that during insertion
so this patch is a workaround, but fixes the issue. the workaround
is: don't insert blobs directly on no-microcode roms, instead
insert only on microcode-based roms, then re-copy those roms
and remove microcode in aptly named copies
it's a bit more convoluted, but works perfectly fine.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-09-09 19:05:11 +00:00
|
|
|
sha1sum --status -c blobhashes || \
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
err "patch_release_roms: ROMs did not match expected hashes"
|
2023-04-03 00:06:46 +00:00
|
|
|
)
|
|
|
|
|
2022-11-14 00:51:12 +00:00
|
|
|
if [ "${modifygbe}" = "true" ]; then
|
2023-08-27 08:25:50 +00:00
|
|
|
for x in "${_tmpdir}"/bin/*/*.rom ; do
|
|
|
|
modify_gbe "${x}"
|
2023-04-03 00:06:46 +00:00
|
|
|
done
|
|
|
|
fi
|
|
|
|
|
2023-10-01 05:33:43 +00:00
|
|
|
[ -d bin/release ] || x_ mkdir -p bin/release
|
|
|
|
x_ mv "${_tmpdir}"/bin/* bin/release/
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
|
|
|
|
printf "Success! Your ROMs are in bin/release\n"
|
2023-04-03 00:06:46 +00:00
|
|
|
|
2023-10-01 05:33:43 +00:00
|
|
|
x_ rm -Rf "${_tmpdir}"
|
2023-04-03 00:06:46 +00:00
|
|
|
}
|
|
|
|
|
2023-05-14 04:42:59 +00:00
|
|
|
patch_rom()
|
|
|
|
{
|
|
|
|
rom="${1}"
|
|
|
|
|
blobs/inject: fix checksum validation if no-ucode
on e6400_4mb, the release build scripts remove nvidia's vga
rom which is used on dgpu models. however, microcode is also
removed in separately copied rom images
the inject script was inserting vgaroms directly into these
no-microcode roms, but the microcode blob is bigger than the
vga rom, and cbfstool inserts into the first available free
spot within cbfs, so it was inserting into the spot where
cpu microcode went. this caused the rom checksum to not match
what was generated during build/release/roms being executed
the only real fix is to guarantee offsets within cbfs for all
files, by recording what offsets were used and then calculating
that during insertion
so this patch is a workaround, but fixes the issue. the workaround
is: don't insert blobs directly on no-microcode roms, instead
insert only on microcode-based roms, then re-copy those roms
and remove microcode in aptly named copies
it's a bit more convoluted, but works perfectly fine.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-09-09 19:05:11 +00:00
|
|
|
# we don't process no-microcode roms; these are
|
|
|
|
# instead re-created at the end, after re-inserting
|
|
|
|
# on roms with microcode, by copying and then removing,
|
|
|
|
# so that the hashes will match (otherwise, cbfstool
|
2023-10-06 23:57:55 +00:00
|
|
|
# may sometimes insert certain vendor files at the wrong offset)
|
blobs/inject: fix checksum validation if no-ucode
on e6400_4mb, the release build scripts remove nvidia's vga
rom which is used on dgpu models. however, microcode is also
removed in separately copied rom images
the inject script was inserting vgaroms directly into these
no-microcode roms, but the microcode blob is bigger than the
vga rom, and cbfstool inserts into the first available free
spot within cbfs, so it was inserting into the spot where
cpu microcode went. this caused the rom checksum to not match
what was generated during build/release/roms being executed
the only real fix is to guarantee offsets within cbfs for all
files, by recording what offsets were used and then calculating
that during insertion
so this patch is a workaround, but fixes the issue. the workaround
is: don't insert blobs directly on no-microcode roms, instead
insert only on microcode-based roms, then re-copy those roms
and remove microcode in aptly named copies
it's a bit more convoluted, but works perfectly fine.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-09-09 19:05:11 +00:00
|
|
|
# (unless nomicrocode is the only config provided)
|
|
|
|
[ "${rom}" != "${rom%_nomicrocode.rom}.rom" ] && \
|
|
|
|
[ -f "${rom%_nomicrocode.rom}.rom" ] && \
|
2023-10-15 10:22:43 +00:00
|
|
|
[ "${release}" = "y" ] && return 0
|
blobs/inject: fix checksum validation if no-ucode
on e6400_4mb, the release build scripts remove nvidia's vga
rom which is used on dgpu models. however, microcode is also
removed in separately copied rom images
the inject script was inserting vgaroms directly into these
no-microcode roms, but the microcode blob is bigger than the
vga rom, and cbfstool inserts into the first available free
spot within cbfs, so it was inserting into the spot where
cpu microcode went. this caused the rom checksum to not match
what was generated during build/release/roms being executed
the only real fix is to guarantee offsets within cbfs for all
files, by recording what offsets were used and then calculating
that during insertion
so this patch is a workaround, but fixes the issue. the workaround
is: don't insert blobs directly on no-microcode roms, instead
insert only on microcode-based roms, then re-copy those roms
and remove microcode in aptly named copies
it's a bit more convoluted, but works perfectly fine.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-09-09 19:05:11 +00:00
|
|
|
|
2023-10-01 05:33:43 +00:00
|
|
|
x_ check_defconfig "${boarddir}"
|
2023-09-29 21:34:34 +00:00
|
|
|
|
2023-05-14 04:42:59 +00:00
|
|
|
set -- "${boarddir}/config/"*
|
2023-08-31 16:16:54 +00:00
|
|
|
. "${1}" 2>/dev/null
|
2023-05-14 04:42:59 +00:00
|
|
|
|
2023-08-21 18:41:49 +00:00
|
|
|
[ "$CONFIG_HAVE_MRC" = "y" ] && \
|
2023-10-14 05:30:31 +00:00
|
|
|
inject "mrc.bin" "${CONFIG_MRC_FILE}" "mrc" "0xfffa0000"
|
2023-08-21 18:41:49 +00:00
|
|
|
[ "${CONFIG_HAVE_ME_BIN}" = "y" ] && \
|
2023-10-14 05:30:31 +00:00
|
|
|
inject "IFD" "${CONFIG_ME_BIN_PATH}" "me"
|
2023-08-21 18:41:49 +00:00
|
|
|
[ "${CONFIG_KBC1126_FIRMWARE}" = "y" ] && \
|
2023-10-14 05:30:31 +00:00
|
|
|
inject "ecfw1.bin" "$CONFIG_KBC1126_FW1" "raw" \
|
|
|
|
"${CONFIG_KBC1126_FW1_OFFSET}" && \
|
|
|
|
inject "ecfw2.bin" "$CONFIG_KBC1126_FW2" "raw" \
|
|
|
|
"${CONFIG_KBC1126_FW2_OFFSET}"
|
|
|
|
[ ! -z "${CONFIG_VGA_BIOS_FILE}" ] && \
|
|
|
|
[ ! -z "${CONFIG_VGA_BIOS_ID}" ] && \
|
|
|
|
inject "pci${CONFIG_VGA_BIOS_ID}.rom" \
|
|
|
|
"${CONFIG_VGA_BIOS_FILE}" "optionrom"
|
2023-08-21 18:41:49 +00:00
|
|
|
[ "${CONFIG_INCLUDE_SMSC_SCH5545_EC_FW}" = "y" ] && \
|
2023-10-14 05:30:31 +00:00
|
|
|
[ ! -z "${CONFIG_SMSC_SCH5545_EC_FW_FILE}" ] && \
|
|
|
|
inject "sch5545_ecfw.bin" "$CONFIG_SMSC_SCH5545_EC_FW_FILE" raw
|
2023-10-15 10:22:43 +00:00
|
|
|
[ "${modifygbe}" = "true" ] && ! [ "${release}" = "y" ] && \
|
2023-10-14 05:30:31 +00:00
|
|
|
inject "IFD" "${CONFIG_GBE_BIN_PATH}" "GbE"
|
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-08-24 19:19:41 +00:00
|
|
|
|
|
|
|
printf "ROM image successfully patched: %s\n" "${rom}"
|
2023-05-14 04:42:59 +00:00
|
|
|
}
|
|
|
|
|
2023-10-14 05:30:31 +00:00
|
|
|
inject()
|
2023-05-14 04:42:59 +00:00
|
|
|
{
|
2023-10-14 05:30:31 +00:00
|
|
|
[ $# -lt 3 ] && \
|
|
|
|
err "inject $@, $rom: usage: inject name path type (offset)"
|
|
|
|
|
|
|
|
eval "$(setvars "" cbfsname _dest _t _offset)"
|
|
|
|
cbfsname="${1}"
|
|
|
|
_dest="${2##*../}"
|
|
|
|
_t="${3}"
|
|
|
|
[ $# -gt 3 ] && _offset="-b ${4}" && [ -z "${4}" ] && \
|
|
|
|
err "inject $@, $rom: offset passed, but empty (not defined)"
|
|
|
|
|
|
|
|
[ -z "${_dest}" ] && err "inject $@, ${rom}: empty destination path"
|
|
|
|
[ ! -f "${_dest}" ] && [ "${nukemode}" != "nuke" ] && \
|
|
|
|
err "inject_${dl_type}: file missing, ${_dest}"
|
|
|
|
|
|
|
|
[ "$nukemode" = "nuke" ] || \
|
|
|
|
printf "Inserting %s/%s into file: %s\n" \
|
|
|
|
"${cbfsname}" "${_t}" "$rom"
|
|
|
|
|
|
|
|
if [ "${_t}" = "GbE" ]; then
|
|
|
|
x_ mkdir -p tmp
|
2023-10-20 03:10:50 +00:00
|
|
|
cp "${_dest}" "tmp/gbe.bin" || \
|
|
|
|
err "inject: !cp \"${_dest}\" \"tmp/gbe.bin\""
|
2023-10-14 05:30:31 +00:00
|
|
|
_dest="tmp/gbe.bin"
|
2023-10-20 03:10:50 +00:00
|
|
|
"${nvmutil}" "${_dest}" setmac "${new_mac}" || \
|
|
|
|
err "inject ${_dest}: can't change mac address"
|
2023-10-14 02:30:52 +00:00
|
|
|
fi
|
2023-10-14 05:30:31 +00:00
|
|
|
if [ "${cbfsname}" = "IFD" ]; then
|
|
|
|
if [ "${nukemode}" != "nuke" ]; then
|
2023-10-20 03:10:50 +00:00
|
|
|
"${ifdtool}" -i ${_t}:${_dest} "${rom}" -O "$rom" || \
|
|
|
|
err "inject: can't insert $_t ($dest) into $rom"
|
2023-10-14 05:30:31 +00:00
|
|
|
else
|
2023-10-20 03:10:50 +00:00
|
|
|
"${ifdtool}" --nuke ${_t} "${rom}" -O "${rom}" || \
|
|
|
|
err "inject ${rom}: can't nuke ${_t} in IFD"
|
2023-10-14 05:30:31 +00:00
|
|
|
fi
|
2023-10-14 02:30:52 +00:00
|
|
|
else
|
2023-10-14 05:30:31 +00:00
|
|
|
if [ "${nukemode}" != "nuke" ]; then
|
2023-10-20 03:10:50 +00:00
|
|
|
"${cbfstool}" "${rom}" add -f "${_dest}" \
|
|
|
|
-n "${cbfsname}" -t ${_t} ${_offset} || \
|
|
|
|
err "inject $rom: can't insert $_t file $_dest"
|
2023-10-14 05:30:31 +00:00
|
|
|
else
|
2023-10-20 03:10:50 +00:00
|
|
|
"${cbfstool}" "${rom}" remove -n "${cbfsname}" || \
|
|
|
|
err "inject $rom: can't remove ${cbfsname}"
|
2023-10-14 05:30:31 +00:00
|
|
|
fi
|
2023-05-14 04:42:59 +00:00
|
|
|
|
2023-10-14 02:30:52 +00:00
|
|
|
fi
|
2023-05-14 04:42:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
usage()
|
|
|
|
{
|
|
|
|
cat <<- EOF
|
2023-10-19 23:17:30 +00:00
|
|
|
USAGE: ./vendor inject -r [rom path] -b [boardname] -m [macaddress]
|
|
|
|
Example: ./vendor inject -r x230_12mb.rom -b x230_12mb
|
2023-05-14 04:42:59 +00:00
|
|
|
|
|
|
|
Adding a macadress to the gbe is optional.
|
|
|
|
If the [-m] parameter is left blank, the gbe will not be touched.
|
|
|
|
|
2023-10-19 23:17:30 +00:00
|
|
|
Type './vendor inject listboards' to get a list of valid boards
|
2023-05-14 04:42:59 +00:00
|
|
|
EOF
|
|
|
|
}
|
|
|
|
|
|
|
|
main $@
|