From ed8c74e1973d833a968a018c23cbb2688aea5eb4 Mon Sep 17 00:00:00 2001
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com>
Date: Mon, 23 Jan 2023 22:30:53 -0500
Subject: [PATCH] Add script for obtaining T440p me.bin blob

I performed an analysis of the differences between an me.bin blob I extracted from my T440p and the me.bin blob from Lenovo's website: https://github.com/osresearch/heads/pull/1282#issuecomment-1386292403.
---
blobs/t440p/download-clean-me | 49 +++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100755 blobs/t440p/download-clean-me
diff --git a/blobs/t440p/download-clean-me b/blobs/t440p/download-clean-me
new file mode 100755
index 00000000..38e272fa
--- /dev/null
+++ b/blobs/t440p/download-clean-me
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -e
+
+function usage() {
+ echo -n \
+ "Usage: $(basename "$0")
+Download Intel ME firmware from Lenovo, neutralize, and shrink.
+"
+}
+
+ME_BIN_HASH="b7cf4c0cf514bbf279d9fddb12c34fca5c1c23e94b000c26275369b924ab9c25"
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+ if [[ "${1:-}" == "--help" ]]; then
+ usage
+ else
+ BLOB_DIR="$(cd "$(dirname "$0")" && pwd)"
+ COREBOOT_DIR="$(find "${BLOB_DIR}/../../build/x86/" -maxdepth 1 -type d -name 'coreboot-*')"
+
+ pushd "$(mktemp -d)"
+
+ curl -O https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe
+ innoextract glrg22ww.exe
+
+ mv app/ME9.1_5M_Production.bin "${COREBOOT_DIR}/util/me_cleaner"
+
+ popd
+
+ pushd "${COREBOOT_DIR}/util/me_cleaner"
+
+ # Neutralize and shrink Intel ME. Note that this doesn't include
+ # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g., High
+ # Assurance Program) bits, as they are defined within the Flash
+ # Descriptor.
+ # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
+ python me_cleaner.py -r -t -O me_shrinked.bin ME9.1_5M_Production.bin
+
+ mv me_shrinked.bin "${BLOB_DIR}/me.bin"
+ rm ./*.bin
+
+ popd
+
+ if ! echo "${ME_BIN_HASH} ${BLOB_DIR}/me.bin" | sha256sum --check; then
+ echo "SHA256 checksum for me.bin doesn't match."
+ exit 1
+ fi
+ fi
+fi
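Review bot: The SHA-256 check at the end of the `else` branch runs only after `mv me_shrinked.bin "${BLOB_DIR}/me.bin"`, so on a mismatch the script exits 1 but leaves the unverified blob in the blobs directory, where a later build could presumably pick it up. Verifying before the move avoids that: run `echo "${ME_BIN_HASH}  me_shrinked.bin" | sha256sum --check` inside the `me_cleaner` directory and only then `mv` the file, or add `rm -f "${BLOB_DIR}/me.bin"` ahead of `exit 1`. The pinned hash covers only the final output, so `glrg22ww.exe` is parsed by `innoextract` and `me_cleaner.py` before any integrity check; pinning a second hash for the installer (placeholder `<sha256-of-glrg22ww.exe>`) and using `curl --fail -O` would reject a truncated or substituted download before it is parsed. `COREBOOT_DIR` is also used without checking that `find` returned exactly one directory, so zero or several `coreboot-*` matches give the first `mv` a wrong target.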