vendor.sh: Use the new deguard for 3050micro

I'm adding ThinkPad T480 support next, which requires
the new revision of deguard. Mate Kukri changed the way
deguard is used, in a rewrite of the project, so lbmk
has to change too.

Signed-off-by: Leah Rowe <leah@libreboot.org>
m920qwip
Leah Rowe 2024-12-01 00:39:52 +00:00
parent 7f6e47d27c
commit 28d8dc93a5
3 changed files with 47 additions and 39 deletions

View File

@ -1,3 +1,3 @@
rev="fc4c59ac35e6f38c195214d71340a6adade2689f" rev="de176a7f20650b272a01efb633931a63128c1647"
url="https://review.coreboot.org/deguard" url="https://review.coreboot.org/deguard"
bkup_url="https://codeberg.org/libreboot/deguard" bkup_url="https://codeberg.org/libreboot/deguard"

View File

@ -1,4 +1,10 @@
DL_hash="976bbb1e625f64df276d8343757d910c88b8a781f953bc2c41a7dd15184ec70d55f8081de2a0aaa83cddb8e73bdc2df6288fde6e0897e4928c48ca4bb30bea2d" DL_hash="976bbb1e625f64df276d8343757d910c88b8a781f953bc2c41a7dd15184ec70d55f8081de2a0aaa83cddb8e73bdc2df6288fde6e0897e4928c48ca4bb30bea2d"
DL_url="https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip" DL_url="https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip"
DL_url_bkup="https://web.archive.org/web/20230822134231/https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip" DL_url_bkup="https://web.archive.org/web/20230822134231/https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip"
ME_bootguard="me11disreguard"
# We will use deguard to disable the Intel Boot Guard:
ME11bootguard="y"
ME11delta="optiplex_3050" # subdirectory under deguard's data/delta/
ME11version="11.6.0.1126"
ME11sku="2M"
ME11pch="H"

View File

@ -23,7 +23,8 @@ eval `setvars "" EC_url_bkup EC_hash DL_hash DL_url_bkup MRC_refcode_gbe vcfg \
E6400_VGA_romname SCH5545EC_DL_url_bkup SCH5545EC_DL_hash _dest tree \ E6400_VGA_romname SCH5545EC_DL_url_bkup SCH5545EC_DL_hash _dest tree \
mecleaner kbc1126_ec_dump MRC_refcode_cbtree new_mac _dl SCH5545EC_DL_url \ mecleaner kbc1126_ec_dump MRC_refcode_cbtree new_mac _dl SCH5545EC_DL_url \
archive EC_url boarddir rom cbdir DL_url nukemode cbfstoolref vrelease \ archive EC_url boarddir rom cbdir DL_url nukemode cbfstoolref vrelease \
verify _7ztest ME_bootguard IFD_platform ifdprefix $cv` verify _7ztest ME11bootguard ME11delta ME11version ME11sku ME11pch \
IFD_platform ifdprefix cdir sdir _me _metmp mfs $cv`
vendor_download() vendor_download()
{ {
@ -106,20 +107,31 @@ extract_intel_me()
{ {
e "$mecleaner" f not && $err "$cbdir: me_cleaner missing" e "$mecleaner" f not && $err "$cbdir: me_cleaner missing"
_me="$PWD/$_dest"; cdir="$PWD/$appdir" cdir="$PWD/$appdir"
if [ "$ME_bootguard" = "me11disreguard" ]; then _me="$PWD/$_dest"
# run mkukri's util to extract me.bin and disable bootguard _metmp="$PWD/tmp/me.bin"
# for Dell OptiPlex 3050 Micro, using the deguard util.
extract_deguard_me "$cdir" "$_me" mfs="" && [ "$ME11bootguard" = "y" ] && mfs="--whitelist MFS" && \
return 0 chkvars ME11delta ME11version ME11sku ME11pch
[ "$ME11bootguard" = "y" ] && x_ ./mk -f deguard
x_ mkdir -p tmp
extract_intel_me_bruteforce
if [ "$ME11bootguard" = "y" ]; then
apply_me11_deguard_mod
else
mv "$_metmp" "$_me" || $err "!mv $_metmp" "$_me"
fi fi
# All other ME setups are extracted with brute force and me_cleaner: }
[ $# -gt 0 ] && _me="${1}" && cdir="$2" extract_intel_me_bruteforce()
{
[ $# -gt 0 ] && cdir="$1"
e "$_me" f && return 0 e "$_metmp" f && return 0
sdir="$(mktemp -d)"; [ -z "$sdir" ] && return 0 [ -z "$sdir" ] && sdir="$(mktemp -d)"
mkdir -p "$sdir" || $err "extract_intel_me: !mkdir -p \"$sdir\"" mkdir -p "$sdir" || $err "extract_intel_me: !mkdir -p \"$sdir\""
set +u +e set +u +e
@ -127,18 +139,19 @@ extract_intel_me()
[ "${cdir#/a}" != "$cdir" ] && cdir="${cdir#/}" [ "${cdir#/a}" != "$cdir" ] && cdir="${cdir#/}"
cd "$cdir" || $err "extract_intel_me: !cd \"$cdir\"" cd "$cdir" || $err "extract_intel_me: !cd \"$cdir\""
for i in *; do for i in *; do
[ -f "$_me" ] && break [ -f "$_metmp" ] && break
[ -L "$i" ] && continue [ -L "$i" ] && continue
if [ -f "$i" ]; then if [ -f "$i" ]; then
"$mecleaner" -r -t -O "$sdir/vendorfile" \ _r="-r" && [ -n "$mfs" ] && _r=""
-M "$_me" "$i" && break "$mecleaner" $mfs $_r -t -O "$sdir/vendorfile" \
"$mecleaner" -r -t -O "$_me" "$i" && break -M "$_metmp" "$i" && break
"$me7updateparser" -O "$_me" "$i" && break "$mecleaner" $mfs $_r -t -O "$_metmp" "$i" && break
"$me7updateparser" -O "$_metmp" "$i" && break
_7ztest="${_7ztest}a" _7ztest="${_7ztest}a"
extract_archive "$i" "$_7ztest" || continue extract_archive "$i" "$_7ztest" || continue
extract_intel_me "$_me" "$cdir/$_7ztest" extract_intel_me_bruteforce "$cdir/$_7ztest"
elif [ -d "$i" ]; then elif [ -d "$i" ]; then
extract_intel_me "$_me" "$cdir/$i" extract_intel_me_bruteforce "$cdir/$i"
else else
continue continue
fi fi
@ -149,27 +162,16 @@ extract_intel_me()
rm -Rf "$sdir" || $err "extract_intel_me: !rm -Rf $sdir" rm -Rf "$sdir" || $err "extract_intel_me: !rm -Rf $sdir"
} }
extract_deguard_me() apply_me11_deguard_mod()
{ {
x_ ./mk -f deguard
cp -R src/deguard "$1/disreguard" || \
$err "Cannot make temporary deguard clone in $1/disreguard"
if [ ! -e "$1/disreguard/.git" ]; then
git -C "$1/disreguard" init || $err "!init $1/disreguard"
git -C "$1/disreguard" add -A . || $err "!add $1/disreguard"
git -C "$1/disreguard" commit -m "tmp" || \
$err "!commit $1/disreguard"
fi
git -C "$1/disreguard" am "$PWD/config/data/deguard/appdir.patch" || \
$err "Cannot temporarily patch deguard clone in $1/disreguard"
( (
cd "$1/disreguard" || $err "Cannot cd to '$1/disreguard'" x_ cd src/deguard/
x_ ./RUNME.sh ./finalimage.py --delta "data/delta/$ME11delta" \
) || $err "$1/disreguard: RUNME.sh returned error status" --version "$ME11version" \
"$mecleaner" --whitelist MFS --truncate "$1/disreguard/me.bin" || \ --pch "$ME11pch" --sku "$ME11sku" --fake-fpfs data/fpfs/zero \
$err "extract_intel_me: Can't truncate disreguarded ME" --input "$_metmp" --output "$_me" || \
cp "$cdir/disreguard/me.bin" "$2" || \ $err "Error running deguard for $_me"
$err "extract_intel_me: Can't move disreguarded me.bin" ) || $err "Error running deguard for $_me"
} }
extract_archive() extract_archive()