Add deguard logic for Dell OptiPlex 3050 Micro

Copy the downloaded deguard source code into appdir,
and patch it to run as part of lbmk, instead of
standalone. The archived one in src/ is not directly
used; instead, the hotpatched version is used.

This is because the standalone version already has
download logic for the .zip file, but we already
cache that file in cache/ and use that.

Signed-off-by: Leah Rowe <leah@libreboot.org>
3050wip
Leah Rowe 2024-09-24 16:47:21 +01:00
parent 0266a48913
commit e7c0109f5d
3 changed files with 167 additions and 1 deletions


@ -0,0 +1,131 @@
From b978cbb651a4bdd84be4a92ae240c8ca99ef21eb Mon Sep 17 00:00:00 2001
From: Leah Rowe <info@minifree.org>
Date: Tue, 24 Sep 2024 16:44:51 +0100
Subject: [PATCH 1/1] Patch to integrate with lbmk
Deguard is a standalone utility, but the way it works
doesn't integrate well with lbmk.
Remove the download logic, because lbmk already downloads
the requisite zip file.
Also not required, but nice, and included in this patch:
Detect what python version is available, and make sure it's
python 3.
Signed-off-by: Leah Rowe <info@minifree.org>
---
RUNME.sh | 64 +++++++++++++++++++++++++++++++-------------------------
1 file changed, 36 insertions(+), 28 deletions(-)
diff --git a/RUNME.sh b/RUNME.sh
index 9809f89..7404ba6 100755
--- a/RUNME.sh
+++ b/RUNME.sh
@@ -1,25 +1,33 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-only
+# This version of deguard is patched to integrate with lbmk.
+# Do not run this version standalone. Please use src/deguard/ instead.
+
set -e
-if [ ! -f "me.bin" ]; then
- wget "https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip"
- unzip "H110M-DGS(7.30)ROM.zip" H11MDGS7.30
- rm "H110M-DGS(7.30)ROM.zip"
- dd if=H11MDGS7.30 of=me.bin skip=1 count=511 bs=4096
- rm H11MDGS7.30
+pyver="2"
+python="python3"
+which python3 || python="python"
+which $python || pyver=""
+[ -n "$pyver" ] && pyver="$($python --version | awk '{print $2}')"
+if [ "${pyver%%.*}" != "3" ]; then
+ printf "Wrong python version, or python missing. Must be python 3.\n" 1>&2
+ exit 1
fi
+rm -f me.bin MFS.part
+dd if=../H11MDGS7.30 of=me.bin skip=1 count=511 bs=4096
+
dd if=me.bin of=MFS.part skip=168 count=100 bs=4096
# Extract file number 7 (fitc.cfg)
-python3 MFSUtil.py -m MFS.part -x -i 7 -o fitc.cfg
+$python MFSUtil.py -m MFS.part -x -i 7 -o fitc.cfg
# Remove /home/mca/eom
-python3 MFSUtil.py -c fitc.cfg -r -f /home/mca/eom -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg -r -f /home/mca/eom -o fitc.cfg
# Remove /home/bup/ct
-python3 MFSUtil.py -c fitc.cfg -r -f /home/bup/ct -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg -r -f /home/bup/ct -o fitc.cfg
# list off files differing in optiplex 3050 fw vs donor
files="
@@ -39,40 +47,40 @@ secureboot/pubkeyhash
for i in $files
do
- python3 MFSUtil.py -c fitc.cfg -r -f /home/$i -o fitc.cfg
+ $python MFSUtil.py -c fitc.cfg -r -f /home/$i -o fitc.cfg
done
# Add /home/mca/eom
dd if=/dev/zero of=eom count=1 bs=1
-python3 MFSUtil.py -c fitc.cfg --add eom --alignment 2 --mode ' --Irw-r-----' \
+$python MFSUtil.py -c fitc.cfg --add eom --alignment 2 --mode ' --Irw-r-----' \
--opt '?!-F' --uid 0 --gid 238 -f /home/mca/eom -o fitc.cfg
# Add /home/bup/ct
-python3 gen_shellcode.py -p H -v 11.6.0.1126 --fake-fpfs=fpfs/optiplex_3050 -o ct
-python3 MFSUtil.py -c fitc.cfg --add ct --alignment 2 --mode ' ---rwxr-----' \
+$python gen_shellcode.py -p H -v 11.6.0.1126 --fake-fpfs=fpfs/optiplex_3050 -o ct
+$python MFSUtil.py -c fitc.cfg --add ct --alignment 2 --mode ' ---rwxr-----' \
--opt '?--F' --uid 3 --gid 351 -f /home/bup/ct -o fitc.cfg
# Add dell files
-python3 MFSUtil.py -c fitc.cfg --add data/emu_fuse_map --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/emu_fuse_map -o fitc.cfg
-python3 MFSUtil.py -c fitc.cfg --add data/plat_n_sku --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/plat_n_sku -o fitc.cfg
-python3 MFSUtil.py -c fitc.cfg --add data/fwuoemid --alignment 2 --mode=' ---rw-rw----' --opt='?--F' --uid=32 --gid=238 -f /home/fwupdate/fwuoemid -o fitc.cfg
-python3 MFSUtil.py -c fitc.cfg --add data/prof0 --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=55 --gid=238 -f /home/icc/prof0 -o fitc.cfg
-python3 MFSUtil.py -c fitc.cfg --add data/device_ports --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=73 --gid=238 -f /home/mctp/device_ports -o fitc.cfg
-python3 MFSUtil.py -c fitc.cfg --add data/hdcp_ports --alignment 2 --mode=' -EIrw-r-----' --opt='?!-F' --uid=80 --gid=238 -f /home/pavp/hdcp_ports -o fitc.cfg
-python3 MFSUtil.py -c fitc.cfg --add data/cfg_rules --alignment 2 --mode=' ---rw-rw----' --opt='-!MF' --uid=85 --gid=238 -f /home/policy/cfgmgr/cfg_rules -o fitc.cfg
-python3 MFSUtil.py -c fitc.cfg --add data/bootpolres --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpolres -o fitc.cfg
-python3 MFSUtil.py -c fitc.cfg --add data/bootpoltype --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpoltype -o fitc.cfg
-python3 MFSUtil.py -c fitc.cfg --add data/enfpolicy --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/enfpolicy -o fitc.cfg
-python3 MFSUtil.py -c fitc.cfg --add data/kmid --alignment 2 --mode=' ---rw-r-----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/kmid -o fitc.cfg
-python3 MFSUtil.py -c fitc.cfg --add data/pubkeyhash --alignment 2 --mode=' ---rw-rw-r--' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/pubkeyhash -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/emu_fuse_map --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/emu_fuse_map -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/plat_n_sku --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/plat_n_sku -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/fwuoemid --alignment 2 --mode=' ---rw-rw----' --opt='?--F' --uid=32 --gid=238 -f /home/fwupdate/fwuoemid -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/prof0 --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=55 --gid=238 -f /home/icc/prof0 -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/device_ports --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=73 --gid=238 -f /home/mctp/device_ports -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/hdcp_ports --alignment 2 --mode=' -EIrw-r-----' --opt='?!-F' --uid=80 --gid=238 -f /home/pavp/hdcp_ports -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/cfg_rules --alignment 2 --mode=' ---rw-rw----' --opt='-!MF' --uid=85 --gid=238 -f /home/policy/cfgmgr/cfg_rules -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/bootpolres --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpolres -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/bootpoltype --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpoltype -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/enfpolicy --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/enfpolicy -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/kmid --alignment 2 --mode=' ---rw-r-----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/kmid -o fitc.cfg
+$python MFSUtil.py -c fitc.cfg --add data/pubkeyhash --alignment 2 --mode=' ---rw-rw-r--' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/pubkeyhash -o fitc.cfg
# Delete file id 7 (fitc.cfg) from the MFS partition
-python3 MFSUtil.py -m MFS.part -r -i 7 -o MFS.part
+$python MFSUtil.py -m MFS.part -r -i 7 -o MFS.part
# Delete file id 8 (home) from the MFS partition
-python3 MFSUtil.py -m MFS.part -r -i 8 -o MFS.part
+$python MFSUtil.py -m MFS.part -r -i 8 -o MFS.part
# Add the modified fitc.cfg into the MFS partition
-python3 MFSUtil.py -m MFS.part -a fitc.cfg --deoptimize -i 7 -o MFS.part
+$python MFSUtil.py -m MFS.part -a fitc.cfg --deoptimize -i 7 -o MFS.part
# Write
dd conv=notrunc if=MFS.part of=me.bin seek=168 count=100 bs=4096
--
2.39.5
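Review bot: The interpreter probe added at the top of RUNME.sh uses `which`, which POSIX does not specify and which prints the resolved path to stdout on every run. Under `#!/bin/sh` the portable form is `command -v python3 >/dev/null 2>&1 || python="python"`, and the same applies to the second probe. `$python` is also expanded unquoted at every call site, which is harmless with the two values assigned here, but `"$python"` keeps it that way. The new `dd if=../H11MDGS7.30` reads whatever file sits in the parent directory, so a short comment above it should say that the input is expected to come from the vendor zip that lbmk has already checked against `DL_hash`, and that this script does no integrity check of its own.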

4
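--- a/config/vendor/3050micro/pkg.cfg
+++ b/config/vendor/3050micro/pkg.cfg
@@ -0,0 +1,4 @@
+DL_hash="976bbb1e625f64df276d8343757d910c88b8a781f953bc2c41a7dd15184ec70d55f8081de2a0aaa83cddb8e73bdc2df6288fde6e0897e4928c48ca4bb30bea2d"
+DL_url="https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip"
+DL_url_bkup="https://web.archive.org/web/20230822134231/https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip"
+ME_bootguard="me11disreguard"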


@ -23,7 +23,7 @@ eval `setvars "" EC_url_bkup EC_hash DL_hash DL_url_bkup MRC_refcode_gbe vcfg \
E6400_VGA_romname SCH5545EC_DL_url_bkup SCH5545EC_DL_hash _dest tree \ E6400_VGA_romname SCH5545EC_DL_url_bkup SCH5545EC_DL_hash _dest tree \
mecleaner kbc1126_ec_dump MRC_refcode_cbtree new_mac _dl SCH5545EC_DL_url \ mecleaner kbc1126_ec_dump MRC_refcode_cbtree new_mac _dl SCH5545EC_DL_url \
archive EC_url boarddir rom cbdir DL_url nukemode cbfstoolref vrelease \ archive EC_url boarddir rom cbdir DL_url nukemode cbfstoolref vrelease \
verify _7ztest $cv` verify _7ztest ME_bootguard $cv`
vendor_download() vendor_download()
{ {
@ -107,6 +107,14 @@ extract_intel_me()
e "$mecleaner" f not && $err "$cbdir: me_cleaner missing" e "$mecleaner" f not && $err "$cbdir: me_cleaner missing"
_me="$PWD/$_dest"; cdir="$PWD/$appdir" _me="$PWD/$_dest"; cdir="$PWD/$appdir"
if [ "$ME_bootguard" = "me11disreguard" ]; then
# run mkukri's util to extract me.bin and disable bootguard
# for Dell OptiPlex 3050 Micro, using the deguard util.
extract_deguard_me "$cdir" "$_me"
return 0
fi
# All other ME setups are extracted with brute force and me_cleaner:
[ $# -gt 0 ] && _me="${1}" && cdir="$2" [ $# -gt 0 ] && _me="${1}" && cdir="$2"
e "$_me" f && return 0 e "$_me" f && return 0
@ -141,6 +149,29 @@ extract_intel_me()
rm -Rf "$sdir" || $err "extract_intel_me: !rm -Rf $sdir" rm -Rf "$sdir" || $err "extract_intel_me: !rm -Rf $sdir"
} }
extract_deguard_me()
{
x_ ./mk -f deguard
cp -R src/deguard "$1/disreguard" || \
$err "Cannot make temporary deguard clone in $1/disreguard"
if [ ! -e "$1/disreguard/.git" ]; then
git -C "$1/disreguard" init || $err "!init $1/disreguard"
git -C "$1/disreguard" add -A . || $err "!add $1/disreguard"
git -C "$1/disreguard" commit -m "tmp" || \
$err "!commit $1/disreguard"
fi
git -C "$1/disreguard" am config/data/deguard/appdir.patch || \
$err "Cannot temporarily patch deguard clone in $1/disreguard"
(
cd "$1/disreguard" || $err "Cannot cd to '$1/disreguard'"
x_ ./RUNME.sh
)
"$mecleaner" --whitelist MFS --truncate "$1/disreguard/me.bin" || \
$err "extract_intel_me: Can't truncate disreguarded ME"
cp "$cdir/disreguard/me.bin" "$2" || \
$err "extract_intel_me: Can't move disreguarded me.bin"
}
extract_archive() extract_archive()
{ {
innoextract "$1" -d "$2" || python "$pfs_extract" "$1" -e || 7z x \ innoextract "$1" -d "$2" || python "$pfs_extract" "$1" -e || 7z x \
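Review bot: In extract_deguard_me, `git -C "$1/disreguard" am config/data/deguard/appdir.patch` passes a path relative to the lbmk root, but `-C` makes git resolve relative paths from `$1/disreguard`, so the patch is likely not found; `git -C "$1/disreguard" am "$PWD/config/data/deguard/appdir.patch"` avoids that. The subshell that runs `./RUNME.sh` has no status check, and `$err` or `x_` inside it can only end the subshell. Unless the caller runs under `set -e`, a failed deguard run therefore falls through to me_cleaner and the final `cp`, possibly on a stale me.bin; closing the subshell with `) || $err "extract_deguard_me: RUNME.sh failed"` would stop there. The last `cp` reads `$cdir` while the rest of the function uses `$1`, and the error strings name extract_intel_me, so both are worth aligning. `cp -R src/deguard "$1/disreguard"` would also nest the copy one level deeper if the target directory is left over from an earlier run, so it may need removing first.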