From 79c139876564c63b8ae90cea6e958e3ce1895161 Mon Sep 17 00:00:00 2001 From: Youness Alaoui Date: Thu, 8 Mar 2018 17:38:37 -0500 Subject: [PATCH] Add blobs directory/script for skylake based librems --- README.md | 4 +- blobs/librem_skl/get_blobs.sh | 218 ++++++++++++++++++++++++++++++++++ blobs/librem_skl/readme.md | 16 +++ boards/librem13v2.config | 1 + 4 files changed, 238 insertions(+), 1 deletion(-) create mode 100755 blobs/librem_skl/get_blobs.sh create mode 100644 blobs/librem_skl/readme.md diff --git a/README.md b/README.md index 99179e11..b8f04fa9 100644 --- a/README.md +++ b/README.md @@ -71,7 +71,9 @@ Notes: see `patches/xen-4.6.3.patch` and adding `no-real-mode` to start of the Xen command line. Booting or installing Qubes is a bit hacky and needs to be documented. * Building for the Lenovo X220 requires binary blobs to be placed in the blobs/x220/ folder. -See the readme.txt file in that folder +See the readme.md file in that folder +* Building for the Librem 13 v2/v3 or Librem 15 v3/v4 requires binary blobs to be placed in +the blobs/librem_skl folder. See the readme.md file in that folder Signing with GPG --- diff --git a/blobs/librem_skl/get_blobs.sh b/blobs/librem_skl/get_blobs.sh new file mode 100755 index 00000000..b36abe69 --- /dev/null +++ b/blobs/librem_skl/get_blobs.sh @@ -0,0 +1,218 @@ +#!/bin/bash -e +# depends on : wget sha256sum python2.7 bspatch + +# Librem 13 v2 and Librem 15 v3 binary blob hashes +SKL_UCODE_SHA="9c84936df700d74612a99e6ab581640ecf423d25a0b74a1ea23a6d9872349213" +SKL_DESCRIPTOR_SHA="d5110807c9d67cea6d546ac62125d87042a868177241be4ae17a2dbedef10017" +SKL_ME_NOCONF_SHA="70f07be7934bdbb215c66455a2b0d32651f3b2ecaf2519d83d8ca9cf475cc366" +SKL_ME_SHA="3042150c7f655293a69bcf886836732fc451439ae551a2babf3173f4f0d9a8d3" +SKL_FSP_SHA="a7dfec436f5a21a66b5a455775599d73a95170a3446849a34e89a64a2bb69820" +SKL_FSPM_SHA="7a1acc72073969e6753bbfe145f06c3f4d35e2516cb241641eae968705e2cc46" +SKL_FSPS_SHA="0dac94d249473e9d366597fd1f96a0232fb7bf045a3d08f16784961273351822" +SKL_VBT_SHA="51fa214ca44a61b171662d4c2ca6adc1aa3dc6c3d7a24bf9ae5f249f012d61c0" + +# FSP downloadable from Github +SKL_UCODE_URL="https://github.com/platomav/CPUMicrocodes/raw/bfb23e48eb84dff1495d1c8789f133a1b684de27/Intel/cpu406E3_platC0_ver000000C2_2017-11-16_PRD_C6C6F699.bin" +SKL_FSP_URL="https://github.com/IntelFsp/FSP/raw/8267cde09763c0c699704fbae10e6bd121f01b6a/KabylakeFspBinPkg/Fsp.fd" +SKL_VBT_URL="https://github.com/IntelFsp/FSP/raw/8267cde09763c0c699704fbae10e6bd121f01b6a/KabylakeFspBinPkg/SampleCode/Vbt/Vbt.bin" +SKL_FSP_SPLIT_URL="https://raw.githubusercontent.com/tianocore/edk2/e8a70885d8f34533b6dd69878fe95a249e9af086/IntelFsp2Pkg/Tools/SplitFspBin.py" +SKL_FSP_SPLIT_SHA="f654f6363de68ad78b1baf8b8e573b53715c3bc76f7f3c23562641e49a7033f3" +ME_CLEANER_URL="https://github.com/corna/me_cleaner/raw/9e1611fdf21426d66a29a5ea62b7e30d512859e6/me_cleaner.py" +ME_CLEANER_SHA="412e95538c46d6d4d456987a8897b3d0ad1df118c51378a350540eef51c242d4" + +SKL_DESCRIPTOR_URL="https://code.puri.sm/kakaroto/coreboot-files/raw/master/descriptor-skl.bin" +SKL_ME_PATCH_URL="https://code.puri.sm/kakaroto/coreboot-files/raw/master/me11.0.18_config.bspatch" +SKL_ME_PATCH_SHA="49019f89206d6371b1377cf738426c3b0ac60c4b1bb89d5d5de00481e7e4fece" + +# Link found on : http://www.win-raid.com/t832f39-Intel-Engine-Firmware-Repositories.html +# Update link if it changes and becomes invalid. +SKL_ME_RAR_URL="http://www.mediafire.com/file/1angqt361xdf8k0/" +SKL_ME_FILENAME="11.0.18.1002_CON_LP_C0_NPDM_PRD_RGN.bin" +SKL_ME_FULL_FILENAME="Intel CSME 11.0 Firmware Repository Pack r50/$SKL_ME_FILENAME" +SKL_ME_RAR_SHA="11a9c199065c513a93c19269ffbb4bb094f8642a97686082e8cd2974673c599d" + +# Might be required to compile unrar in case unrar-nonfree is not installed +RAR_NONFREE_SOURCE_URL="https://www.rarlab.com/rar/unrarsrc-5.5.8.tar.gz" +RAR_NONFREE_SOURCE_SHA="9b66e4353a9944bc140eb2a919ff99482dd548f858f5e296d809e8f7cdb2fcf4" + +die () { + local msg=$1 + + echo "" + echo "$msg" + exit 1 +} + +check_binary () { + local filename=$1 + local hash=$2 + + if [ ! -f "$filename" ]; then + die "Binary blob file '$filename' does not exist" + fi + sha=$(sha256sum "$filename" | awk '{print $1}') + if [ "$sha" != "$hash" ]; then + die "Extracted binary '$filename' has the wrong SHA256 hash" + fi +} + +check_and_get_url () { + filename=$1 + url=$2 + hash=$3 + description=$4 + + if [ -f "$filename" ]; then + sha=$(sha256sum "$filename" | awk '{print $1}') + fi + if [ "$sha" != "$hash" ]; then + wget -O "$filename" "$url" + sha=$(sha256sum "$filename" | awk '{print $1}') + if [ "$sha" != "$hash" ]; then + die "Downloaded $description has the wrong SHA256 hash" + fi + fi + +} + +get_and_split_fsp () { + fsp="fsp.fd" + fsp_M="fsp_M.fd" + fsp_S="fsp_S.fd" + fsp_T="fsp_T.fd" + fspm="fspm.bin" + fsps="fsps.bin" + fsp_split="SplitFspBin.py" + + if [ -f "$fspm" ]; then + fspm_sha=$(sha256sum "$fspm" | awk '{print $1}') + fi + if [ -f "$fsps" ]; then + fsps_sha=$(sha256sum "$fsps" | awk '{print $1}') + fi + # No FSP-M or FSP-S + if [ "$fspm_sha" != "$SKL_FSPM_SHA" ] || [ "$fsps_sha" != "$SKL_FSPS_SHA" ]; then + if [ -f "$fsp" ]; then + fsp_sha=$(sha256sum "$fsp" | awk '{print $1}') + fi + # No FSP.fd + if [ "$fsp_sha" != "$SKL_FSP_SHA" ]; then + wget -O "$fsp" "$SKL_FSP_URL" + fsp_sha=$(sha256sum "$fsp" | awk '{print $1}') + if [ "$fsp_sha" != "$SKL_FSP_SHA" ]; then + die "Downloaded FSP image has the wrong SHA256 hash" + fi + fi + # No FspSplit + if [ -f "$fsp_split" ]; then + split_sha=$(sha256sum "$fsp_split" | awk '{print $1}') + fi + if [ "$split_sha" != "$SKL_FSP_SHA" ]; then + wget -O "$fsp_split" "$SKL_FSP_SPLIT_URL" + split_sha=$(sha256sum "$fsp_split" | awk '{print $1}') + if [ "$split_sha" != "$SKL_FSP_SPLIT_SHA" ]; then + die "Downloaded FSP Split Tool has the wrong SHA256 hash" + fi + fi + python2 "$fsp_split" split -f "$fsp" + if [ -f "$fsp_M" ]; then + mv "$fsp_M" "$fspm" + fi + if [ -f "$fsp_S" ]; then + mv "$fsp_S" "$fsps" + fi + fspm_sha=$(sha256sum "$fspm" | awk '{print $1}') + fsps_sha=$(sha256sum "$fsps" | awk '{print $1}') + if [ "$fspm_sha" != "$SKL_FSPM_SHA" ] || [ "$fsps_sha" != "$SKL_FSPS_SHA" ]; then + die "Extracted FSP images have the wrong SHA256 hash" + fi + rm -f "$fsp" + rm -f "$fsp_split" + rm -f "$fsp_T" + fi +} + +get_and_patch_me_11 () { + if [ -f "me.bin" ]; then + sha=$(sha256sum "me.bin" | awk '{print $1}') + fi + if [ "$sha" != "$SKL_ME_SHA" ]; then + local rar_filename=me_11_repository.rar + local unrar='unrar-nonfree' + + if [ -f "$rar_filename" ]; then + sha=$(sha256sum "$rar_filename" | awk '{print $1}') + fi + if ! type "$unrar" &> /dev/null; then + wget -O unrar.tar.gz "$RAR_NONFREE_SOURCE_URL" + sha=$(sha256sum unrar.tar.gz | awk '{print $1}') + if [ "$sha" != "$RAR_NONFREE_SOURCE_SHA" ]; then + die "Unrar source package has the wrong SHA256 hash" + fi + tar -xzvf unrar.tar.gz + ( + cd unrar + make + ) + unrar="`pwd`/unrar/unrar" + fi + if [ "$sha" != "$SKL_ME_RAR_SHA" ]; then + DIRECT_LINK=$(wget -O - "$SKL_ME_RAR_URL" 2>/dev/null | grep -o -e 'http://download.*.rar' | head -n 1) + wget -O "$rar_filename" "$DIRECT_LINK" + sha=$(sha256sum "$rar_filename" | awk '{print $1}') + if [ "$sha" != "$SKL_ME_RAR_SHA" ]; then + # We'll assume the rar file was updated again + me_dirname=$("$unrar" l "$rar_filename" | grep '\.\.\.D\.\.\.' | tr -s [:blank:] | cut -d' ' -f 6-) + SKL_ME_FULL_FILENAME="$me_dirname/$SKL_ME_FILENAME" + fi + fi + if type "$unrar" &> /dev/null; then + "$unrar" e -y "$rar_filename" "$SKL_ME_FULL_FILENAME" + else + die "Couldn't extract ME image. Requires unrar-nonfree" + fi + sha="" + if [ -f "$SKL_ME_FILENAME" ]; then + sha=$(sha256sum "$SKL_ME_FILENAME" | awk '{print $1}') + fi + if [ "$sha" != "$SKL_ME_NOCONF_SHA" ]; then + die "Couldn't extract ME image with the correct SHA256 hash" + fi + check_and_get_url me11.0.18_config.bspatch $SKL_ME_PATCH_URL $SKL_ME_PATCH_SHA "ME Patch" + bspatch "$SKL_ME_FILENAME" "me.bin" me11.0.18_config.bspatch + rm -f me11.0.18_config.bspatch + rm -f "$SKL_ME_FILENAME" + rm -f "$rar_filename" + fi +} + +apply_me_cleaner() { + if [ -f "me_cleaner.py" ]; then + sha=$(sha256sum "me_cleaner.py" | awk '{print $1}') + fi + if [ "$sha" != "$ME_CLEANER_SHA" ]; then + wget -O "me_cleaner.py" "$ME_CLEANER_URL" + sha=$(sha256sum "me_cleaner.py" | awk '{print $1}') + if [ "$sha" != "$ME_CLEANER_SHA" ]; then + die "Downloaded ME Cleaner has the wrong SHA256 hash" + fi + fi + cat descriptor.bin me.bin > desc_me.bin + python2 "me_cleaner.py" -s desc_me.bin + python2 "me_cleaner.py" -w "MFS" me.bin + dd if=desc_me.bin of=descriptor.bin bs=4096 count=1 + rm -f desc_me.bin + rm -f me_cleaner.py +} + +check_and_get_url descriptor.bin $SKL_DESCRIPTOR_URL $SKL_DESCRIPTOR_SHA "Intel Flash Descriptor" +check_binary descriptor.bin $SKL_DESCRIPTOR_SHA +get_and_patch_me_11 +check_binary me.bin $SKL_ME_SHA +apply_me_cleaner +get_and_split_fsp +check_binary fspm.bin $SKL_FSPM_SHA +check_binary fsps.bin $SKL_FSPS_SHA +check_and_get_url vbt.bin $SKL_VBT_URL $SKL_VBT_SHA "Video BIOS Table" +check_and_get_url cpu_microcode_blob.bin $SKL_UCODE_URL $SKL_UCODE_SHA "Intel Microcode Update" + diff --git a/blobs/librem_skl/readme.md b/blobs/librem_skl/readme.md new file mode 100644 index 00000000..4862f130 --- /dev/null +++ b/blobs/librem_skl/readme.md @@ -0,0 +1,16 @@ +To build for the Librem 2nd generation (Librem 13 v2/v3 and Librem 15 v3/v4), +we need to have the following files in this folder: +* cpu_microcode_blob.bin - CPU Microcode +* descriptor.bin - The Intel Flash Descriptor +* fspm.bin - FSP 2.0 Memory Init blob +* fsps.bin - FSP 2.0 Silicon Init blob +* me.bin - Intel Management Engine + +To get the binaries, run the get_blobs.sh script which will download and +verify all of the files' hashes, then run me_cleaner on the descriptor.bin and me.bin. + +You can now compile the image with: + +``` +make BOARD=librem13v2 +``` diff --git a/boards/librem13v2.config b/boards/librem13v2.config index 15eacb54..aa7376e6 100644 --- a/boards/librem13v2.config +++ b/boards/librem13v2.config @@ -1,5 +1,6 @@ # Configuration for a librem13v2 CONFIG_LINUX_CONFIG=config/linux-librem13v2.config +CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v2.config CONFIG_COREBOOT=y CONFIG_CRYPTSETUP=y