mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 07:06:42 +00:00
blobs/xx30 scripts: cleanup and don't continue if hash is good
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
parent
de951f7156
commit
f2079dbe44
@ -6,6 +6,15 @@ function printusage {
|
||||
|
||||
ME_BIN_HASH="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4"
|
||||
|
||||
if [ -e "${output_dir}/me.bin" ]; then
|
||||
echo "me.bin already exists"
|
||||
if echo "${ME_BIN_HASH} ${output_dir}/me.bin" | sha256sum --check; then
|
||||
echo "SKIPPING: SHA256 checksum for me.bin matches."
|
||||
exit 0
|
||||
fi
|
||||
echo "me.bin exists but checksum doesn't match. Continuing..."
|
||||
fi
|
||||
|
||||
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
|
||||
if [[ "${1:-}" == "--help" ]]; then
|
||||
usage
|
||||
@ -20,28 +29,26 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
|
||||
if [[ ! -f "${output_dir}/me.bin" ]]; then
|
||||
# Unpack Lenovo's Windows installer into a temporary directory and
|
||||
# extract the Intel ME blob.
|
||||
pushd "$(mktemp -d)"
|
||||
pushd "$(mktemp -d)" || exit
|
||||
|
||||
curl -O https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
|
||||
innoextract g1rg24ww.exe
|
||||
|
||||
mv app/ME8_5M_Production.bin "${COREBOOT_DIR}/util/me_cleaner"
|
||||
|
||||
popd
|
||||
rm -rf ./*
|
||||
popd || exit
|
||||
|
||||
# Neutralize and shrink Intel ME. Note that this doesn't include
|
||||
# --soft-disable to set the "ME Disable" or "ME Disable B" (e.g.,
|
||||
# High Assurance Program) bits, as they are defined within the Flash
|
||||
# Descriptor.
|
||||
# https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
|
||||
pushd "${COREBOOT_DIR}/util/me_cleaner"
|
||||
pushd "${COREBOOT_DIR}/util/me_cleaner" || exit
|
||||
|
||||
python me_cleaner.py -r -t -O me_shrinked.bin ME8_5M_Production.bin
|
||||
|
||||
rm -f ME8_5M_Production.bin
|
||||
mv me_shrinked.bin "${output_dir}/me.bin"
|
||||
#rm ./*.bin
|
||||
|
||||
popd
|
||||
popd || exit
|
||||
fi
|
||||
|
||||
if ! echo "${ME_BIN_HASH} ${output_dir}/me.bin" | sha256sum --check; then
|
||||
|
@ -5,6 +5,9 @@ function printusage {
|
||||
}
|
||||
|
||||
BLOBDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 $BLOBDIR/me.bin"
|
||||
ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe"
|
||||
ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin"
|
||||
|
||||
if [ "$#" -eq 0 ]; then printusage; fi
|
||||
|
||||
@ -15,25 +18,33 @@ while getopts ":m:" opt; do
|
||||
MECLEAN="$OPTARG"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 $BLOBDIR/me.bin"
|
||||
ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe"
|
||||
ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin"
|
||||
|
||||
if [ -e "$BLOBDIR/me.bin" ]; then
|
||||
echo "$BLOBDIR/me.bin found..."
|
||||
if ! echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check; then
|
||||
echo "$BLOBDIR/me.bin doesn't pass integrity validation. Continuing..."
|
||||
rm -f "$BLOBDIR/me.bin"
|
||||
else
|
||||
echo "$BLOBDIR/me.bin already extracted and neutered outside of ROMP and BUP"
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$MECLEAN" ]; then
|
||||
MECLEAN=`command -v $BLOBDIR/../../build/x86/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
|
||||
MECLEAN=$(command -v "$BLOBDIR/../../build/x86/coreboot-"*/util/me_cleaner/me_cleaner.py 2>&1 | head -n1)
|
||||
if [ -z "$MECLEAN" ]; then
|
||||
echo "me_cleaner.py required but not found or specified with -m. Aborting."
|
||||
exit 1;
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "### Creating temp dir"
|
||||
extractdir=$(mktemp -d)
|
||||
cd "$extractdir"
|
||||
cd "$extractdir" || exit
|
||||
|
||||
echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..."
|
||||
wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe || { echo "ERROR: wget not found" && exit 1; }
|
||||
@ -45,12 +56,14 @@ innoextract ./g1rg24ww.exe || { echo "Failed calling innoextract. Tool installed
|
||||
echo "### Verifying expected hash of app/ME8_5M_Production.bin"
|
||||
echo "$ME8_5M_PRODUCTION_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; }
|
||||
|
||||
bioscopy="some_value" # Assign a value to the bioscopy variable
|
||||
|
||||
echo "### Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... "
|
||||
$MECLEAN -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin
|
||||
"$MECLEAN" -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin
|
||||
echo "### Verifying expected hash of me.bin"
|
||||
echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on final binary..." && exit 1; }
|
||||
|
||||
|
||||
echo "### Cleaning up..."
|
||||
cd -
|
||||
cd - >/dev/null
|
||||
|
||||
rm -r "$extractdir"
|
||||
|
Loading…
Reference in New Issue
Block a user