blobs/xx30 scripts: cleanup and don't continue if hash is good

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-01-04 13:10:57 -05:00
parent de951f7156
commit f2079dbe44
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
2 changed files with 82 additions and 62 deletions

View File

@ -6,6 +6,15 @@ function printusage {
ME_BIN_HASH="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4"
if [ -e "${output_dir}/me.bin" ]; then
echo "me.bin already exists"
if echo "${ME_BIN_HASH} ${output_dir}/me.bin" | sha256sum --check; then
echo "SKIPPING: SHA256 checksum for me.bin matches."
exit 0
fi
echo "me.bin exists but checksum doesn't match. Continuing..."
fi
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
if [[ "${1:-}" == "--help" ]]; then
usage
@ -20,28 +29,26 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
if [[ ! -f "${output_dir}/me.bin" ]]; then
# Unpack Lenovo's Windows installer into a temporary directory and
# extract the Intel ME blob.
pushd "$(mktemp -d)"
pushd "$(mktemp -d)" || exit
curl -O https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
innoextract g1rg24ww.exe
mv app/ME8_5M_Production.bin "${COREBOOT_DIR}/util/me_cleaner"
popd
rm -rf ./*
popd || exit
# Neutralize and shrink Intel ME. Note that this doesn't include
# --soft-disable to set the "ME Disable" or "ME Disable B" (e.g.,
# High Assurance Program) bits, as they are defined within the Flash
# Descriptor.
# https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
pushd "${COREBOOT_DIR}/util/me_cleaner"
pushd "${COREBOOT_DIR}/util/me_cleaner" || exit
python me_cleaner.py -r -t -O me_shrinked.bin ME8_5M_Production.bin
rm -f ME8_5M_Production.bin
mv me_shrinked.bin "${output_dir}/me.bin"
#rm ./*.bin
popd
popd || exit
fi
if ! echo "${ME_BIN_HASH} ${output_dir}/me.bin" | sha256sum --check; then

View File

@ -5,6 +5,9 @@ function printusage {
}
BLOBDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 $BLOBDIR/me.bin"
ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe"
ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin"
if [ "$#" -eq 0 ]; then printusage; fi
@ -15,25 +18,33 @@ while getopts ":m:" opt; do
MECLEAN="$OPTARG"
fi
;;
*)
;;
esac
done
FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 $BLOBDIR/me.bin"
ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe"
ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin"
if [ -e "$BLOBDIR/me.bin" ]; then
echo "$BLOBDIR/me.bin found..."
if ! echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check; then
echo "$BLOBDIR/me.bin doesn't pass integrity validation. Continuing..."
rm -f "$BLOBDIR/me.bin"
else
echo "$BLOBDIR/me.bin already extracted and neutered outside of ROMP and BUP"
exit 0
fi
fi
if [ -z "$MECLEAN" ]; then
MECLEAN=`command -v $BLOBDIR/../../build/x86/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
MECLEAN=$(command -v "$BLOBDIR/../../build/x86/coreboot-"*/util/me_cleaner/me_cleaner.py 2>&1 | head -n1)
if [ -z "$MECLEAN" ]; then
echo "me_cleaner.py required but not found or specified with -m. Aborting."
exit 1;
exit 1
fi
fi
echo "### Creating temp dir"
extractdir=$(mktemp -d)
cd "$extractdir"
cd "$extractdir" || exit
echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..."
wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe || { echo "ERROR: wget not found" && exit 1; }
@ -45,12 +56,14 @@ innoextract ./g1rg24ww.exe || { echo "Failed calling innoextract. Tool installed
echo "### Verifying expected hash of app/ME8_5M_Production.bin"
echo "$ME8_5M_PRODUCTION_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; }
bioscopy="some_value" # Assign a value to the bioscopy variable
echo "### Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... "
$MECLEAN -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin
"$MECLEAN" -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin
echo "### Verifying expected hash of me.bin"
echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on final binary..." && exit 1; }
echo "### Cleaning up..."
cd -
cd - >/dev/null
rm -r "$extractdir"