don't delete microcode updates in rom images

at present, lbmk can remove microcode updates on images for
a given target, if the target specifies
microcode_required="n" in target.cfg

lbmk then provides images with microcode, and images without,
in a given release. although the user can also remove them
manually, this just makes it a bit more convenient, for those
users who do wish to run without the updates. this functionality
is provided only on those platforms where no-microcode is tested.

well, this behaviour implements a compromise on libreboot policy,
which is to always include microcode updates by default. see:
Binary Blob Reduction Policy

the *canoeboot* project now exists, developed in parallel with
libreboot, and it ships without microcode updates, on the same
targets where lbmk also handled this.

running without microcode updates is foolish, and should not
be encouraged. clean up lbmk by not providing this kludge.

the libreboot documentation will be updated, telling such users
to try canoeboot instead, or to remove the update from a given
libreboot rom - this is still possible, and mitigations such as
PECI disablement on GM45 are still in place (and will be kept),
so that this continues to work well.

Signed-off-by: Leah Rowe <leah@libreboot.org>
9020vga
Leah Rowe 2023-12-23 06:54:56 +00:00
parent 72cd169ee5
commit f44b99c808
54 changed files with 7 additions and 150 deletions


@ -4,5 +4,3 @@ payload_grub="n"
payload_grub_withseabios="n" payload_grub_withseabios="n"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
microcode_required="n"
vendorfiles="n"


@ -3,5 +3,3 @@ arch="i386-elf"
payload_seabios="y" payload_seabios="y"
payload_seabios_withgrub="y" payload_seabios_withgrub="y"
payload_memtest="y" payload_memtest="y"
microcode_required="n"
vendorfiles="n"


@ -4,5 +4,3 @@ payload_grub="n"
payload_grub_withseabios="n" payload_grub_withseabios="n"
payload_seabios="y" payload_seabios="y"
payload_memtest="n" payload_memtest="n"
vendorfiles="n"
microcode_required="n"


@ -4,5 +4,3 @@ payload_grub="n"
payload_grub_withseabios="n" payload_grub_withseabios="n"
payload_seabios="y" payload_seabios="y"
payload_memtest="n" payload_memtest="n"
vendorfiles="n"
microcode_required="n"


@ -7,4 +7,3 @@ payload_memtest="y"
payload_seabios_withgrub="y" payload_seabios_withgrub="y"
payload_seabios_grubonly="y" payload_seabios_grubonly="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"


@ -7,4 +7,3 @@ payload_memtest="y"
payload_seabios_withgrub="y" payload_seabios_withgrub="y"
payload_seabios_grubonly="y" payload_seabios_grubonly="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"


@ -7,4 +7,3 @@ payload_memtest="y"
payload_seabios_withgrub="y" payload_seabios_withgrub="y"
payload_seabios_grubonly="y" payload_seabios_grubonly="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"


@ -2,6 +2,4 @@ tree="default"
arch="i386-elf" arch="i386-elf"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
microcode_required="n"
vendorfiles="n"
grub_timeout=10 grub_timeout=10


@ -2,6 +2,4 @@ tree="default"
arch="i386-elf" arch="i386-elf"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
microcode_required="n"
vendorfiles="n"
grub_timeout=10 grub_timeout=10


@ -3,6 +3,4 @@ arch="i386-elf"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ata" grub_scan_disk="ata"
microcode_required="n"
vendorfiles="n"
grub_timeout=10 grub_timeout=10


@ -1,5 +1,3 @@
tree="default" tree="default"
arch="aarch64-elf" arch="aarch64-elf"
payload_uboot="y" payload_uboot="y"
vendorfiles="n"
microcode_required="n"


@ -1,5 +1,3 @@
tree="default" tree="default"
arch="aarch64-elf" arch="aarch64-elf"
payload_uboot="y" payload_uboot="y"
vendorfiles="n"
microcode_required="n"


@ -5,4 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
crossgcc_ada="n" crossgcc_ada="n"
vendorfiles="n"


@ -5,4 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
crossgcc_ada="n" crossgcc_ada="n"
vendorfiles="n"


@ -5,4 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
crossgcc_ada="n" crossgcc_ada="n"
vendorfiles="n"


@ -5,4 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
crossgcc_ada="n" crossgcc_ada="n"
vendorfiles="n"


@ -3,5 +3,4 @@ arch="i386-elf"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
crossgcc_ada="n" crossgcc_ada="n"
vendorfiles="n"
grub_timeout=10 grub_timeout=10


@ -4,5 +4,4 @@ payload_seabios="y"
payload_seabios_withgrub="y" payload_seabios_withgrub="y"
payload_memtest="y" payload_memtest="y"
crossgcc_ada="n" crossgcc_ada="n"
vendorfiles="n"
grub_timeout=10 grub_timeout=10


@ -4,5 +4,4 @@ payload_seabios="y"
payload_seabios_withgrub="y" payload_seabios_withgrub="y"
payload_memtest="y" payload_memtest="y"
crossgcc_ada="n" crossgcc_ada="n"
vendorfiles="n"
grub_timeout=10 grub_timeout=10


@ -4,5 +4,4 @@ payload_seabios="y"
payload_seabios_withgrub="y" payload_seabios_withgrub="y"
payload_memtest="y" payload_memtest="y"
crossgcc_ada="n" crossgcc_ada="n"
vendorfiles="n"
grub_timeout=10 grub_timeout=10


@ -4,5 +4,4 @@ payload_seabios="y"
payload_seabios_withgrub="y" payload_seabios_withgrub="y"
payload_memtest="y" payload_memtest="y"
crossgcc_ada="n" crossgcc_ada="n"
vendorfiles="n"
grub_timeout=10 grub_timeout=10


@ -4,5 +4,4 @@ payload_seabios="y"
payload_seabios_withgrub="y" payload_seabios_withgrub="y"
payload_memtest="y" payload_memtest="y"
crossgcc_ada="n" crossgcc_ada="n"
vendorfiles="n"
grub_timeout=10 grub_timeout=10


@ -4,5 +4,3 @@ payload_grub="y"
payload_grub_withseabios="y" payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -4,5 +4,3 @@ payload_grub="y"
payload_grub_withseabios="y" payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -1,5 +1,3 @@
tree="default" tree="default"
arch="aarch64-elf" arch="aarch64-elf"
payload_uboot="y" payload_uboot="y"
vendorfiles="n"
microcode_required="n"


@ -6,5 +6,3 @@ payload_seabios="y"
payload_memtest="y" payload_memtest="y"
payload_uboot="y" payload_uboot="y"
grub_scan_disk="both" grub_scan_disk="both"
vendorfiles="n"
microcode_required="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -4,6 +4,4 @@ payload_grub="y"
payload_grub_withseabios="y" payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"
grub_background="background1024x768.png" grub_background="background1024x768.png"


@ -4,6 +4,4 @@ payload_grub="y"
payload_grub_withseabios="y" payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"
grub_background="background1024x768.png" grub_background="background1024x768.png"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -5,5 +5,3 @@ payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
payload_memtest="y" payload_memtest="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"


@ -4,6 +4,4 @@ payload_grub="y"
payload_grub_withseabios="y" payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"
grub_background="background1024x768.png" grub_background="background1024x768.png"


@ -4,6 +4,4 @@ payload_grub="y"
payload_grub_withseabios="y" payload_grub_withseabios="y"
payload_seabios="y" payload_seabios="y"
grub_scan_disk="ahci" grub_scan_disk="ahci"
microcode_required="n"
vendorfiles="n"
grub_background="background1024x768.png" grub_background="background1024x768.png"


@ -22,7 +22,7 @@ kmapdir="config/grub/keymap"
pv="payload_grub payload_grub_withseabios payload_seabios payload_memtest t" pv="payload_grub payload_grub_withseabios payload_seabios payload_memtest t"
pv="${pv} payload_seabios_withgrub payload_seabios_grubonly payload_uboot memtest_bin" pv="${pv} payload_seabios_withgrub payload_seabios_grubonly payload_uboot memtest_bin"
v="romdir cbrom initmode displaymode cbcfg targetdir tree arch" v="romdir cbrom initmode displaymode cbcfg targetdir tree arch"
v="${v} grub_timeout ubdir vendorfiles board grub_scan_disk uboot_config" v="${v} grub_timeout ubdir board grub_scan_disk uboot_config"
eval "$(setvars "n" ${pv})" eval "$(setvars "n" ${pv})"
eval "$(setvars "" ${v} boards _displaymode _payload _keyboard all targets)" eval "$(setvars "" ${v} boards _displaymode _payload _keyboard all targets)"
@ -107,8 +107,6 @@ check_target()
payload_uboot="n" payload_uboot="n"
[ "${payload_uboot}" = "y" ] && [ -z "${uboot_config}" ] && \ [ "${payload_uboot}" = "y" ] && [ -z "${uboot_config}" ] && \
uboot_config="default" uboot_config="default"
[ "${vendorfiles}" != "n" ] && [ "${vendorfiles}" != "y" ] && \
vendorfiles="y"
# Override all payload directives with cmdline args # Override all payload directives with cmdline args
[ -z "${_payload}" ] && return 0 [ -z "${_payload}" ] && return 0
@ -401,17 +399,12 @@ mkUbootRom() {
printf "%s\n" "${tmprom}" printf "%s\n" "${tmprom}"
} }
# it is assumed that no other work will be done on the ROM moverom()
# after calling this function. therefore this function is "final" {
moverom() { printf "Creating target image: %s\n" "$2"
rompath="${1}"
newrom="${2}"
[ "${vendorfiles}" = "n" ] && newrom="${newrom%.rom}_noblobs.rom" x_ mkdir -p "${2%/*}"
printf "Creating target image: %s\n" "${newrom}" x_ cp "$1" "$2"
x_ mkdir -p "${newrom%/*}"
x_ cp "${rompath}" "${newrom}"
} }
usage() usage()
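Review bot: The rewritten `moverom()` in the last hunk no longer appends `_noblobs.rom` for targets with `vendorfiles="n"`, and the `vendorfiles` default in `check_target` is removed as well, but the commit description only covers microcode. Output file names therefore change for those targets, and anything that keyed on the suffix to tell which images need no vendor-file injection (release notes, checksum lists, user instructions) presumably needs updating; the description should say so. The old two-line comment stating that no further work is done on the ROM after this call was dropped with the rewrite, leaving the positional arguments undocumented; I would add `# moverom SRC DST: copy the finished image to DST, creating its directory; nothing modifies the ROM after this call`. Other code in this script may still read `${vendorfiles}`, which is no longer initialised through `setvars`; that cannot be checked from the visible hunks, so it is worth a grep before merging.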


@ -7,8 +7,7 @@ set -u -e
. "include/err.sh" . "include/err.sh"
. "include/option.sh" . "include/option.sh"
eval "$(setvars "" vdir relname src_dirname srcdir _xm target romdir \ eval "$(setvars "" vdir relname src_dirname srcdir _xm target romdir mode)"
microcode_required mode)"
main() main()
{ {
@ -133,21 +132,7 @@ handle_rom_archive()
nukerom() nukerom()
{ {
microcode_required="y"
. "config/coreboot/${target}/target.cfg" . "config/coreboot/${target}/target.cfg"
if [ "${microcode_required}" != "y" ] && \
[ "${microcode_required}" != "n" ]; then microcode_required="y"; fi
if [ "${microcode_required}" = "n" ]; then
for romfile in "${romdir}"/*.rom; do
[ -f "${romfile}" ] || continue
strip_ucode "${romfile}"
done
for romfile in "${romdir}"/*.tmprom; do
[ -f "${romfile}" ] || continue
mv "${romfile}" "${romfile%.tmprom}.rom" || \
err "!mv romfile, nukerom"
done
fi
# Hash the images before removing vendor files # Hash the images before removing vendor files
# which "./vendor inject" uses for verification # which "./vendor inject" uses for verification
@ -165,20 +150,6 @@ nukerom()
done done
} }
strip_ucode()
{
romfile=${1}
_newrom_b="${romfile%.rom}_nomicrocode.tmprom"
cp "${romfile}" "${_newrom_b}" || err "!cp romfile ${romfile}, strip_u"
microcode_present="y"
"${cbfstool}" "${_newrom_b}" remove -n \
cpu_microcode_blob.bin 2>/dev/null || microcode_present="n"
[ "${microcode_present}" = "n" ] || return 0
printf "REMARK: '%s' already lacks microcode\n" "${romfile}" 1>&2
printf "Renaming default ROM file instead.\n" 1>&2
mv "${romfile}" "${_newrom_b}" || err "!mv romfile ${romfile}, strip_u"
}
insert_copying_files() insert_copying_files()
{ {
remkdir "${1}/licenses" remkdir "${1}/licenses"

18
script/vendor/inject vendored

@ -122,14 +122,6 @@ patch_release_roms()
printf "patching rom: %s\n" "$x" printf "patching rom: %s\n" "$x"
patch_rom "${x}" patch_rom "${x}"
done done
for x in "${_tmpdir}"/bin/*/*_nomicrocode.rom ; do
[ -f "${x}" ] || continue
[ -f "${x%_nomicrocode.rom}.rom" ] || continue
cp "${x%_nomicrocode.rom}.rom" "${x}" || \
err "patch_r: !cp \"${x%_nomicrocode.rom}.rom\" \"${x}\""
x_ "${cbfstool}" "${x}" remove -n cpu_microcode_blob.bin
done
( (
x_ cd "${_tmpdir}/bin/"* # TODO: very dodgy, re-write accordingly x_ cd "${_tmpdir}/bin/"* # TODO: very dodgy, re-write accordingly
@ -159,16 +151,6 @@ patch_rom()
{ {
rom="${1}" rom="${1}"
# we don't process no-microcode roms; these are
# instead re-created at the end, after re-inserting
# on roms with microcode, by copying and then removing,
# so that the hashes will match (otherwise, cbfstool
# may sometimes insert certain vendor files at the wrong offset)
# (unless nomicrocode is the only config provided)
[ "${rom}" != "${rom%_nomicrocode.rom}.rom" ] && \
[ -f "${rom%_nomicrocode.rom}.rom" ] && \
[ "${release}" = "y" ] && return 0
check_defconfig "$boarddir" && err "patch_rom $boarddir: no configs" check_defconfig "$boarddir" && err "patch_rom $boarddir: no configs"
set -- "${boarddir}/config/"* set -- "${boarddir}/config/"*