From fabddb4f7addc20ec146f5f7fada9d2b92f80a0a Mon Sep 17 00:00:00 2001
From: Markus Meissner <coder@safemailbox.de>
Date: Sat, 11 Dec 2021 15:33:02 +0100
Subject: [PATCH] flash-gui.sh: add .npf handling; add create-npf.sh

---
 create-npf.sh           |  8 ++++++++
 initrd/bin/flash-gui.sh | 23 ++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100755 create-npf.sh

diff --git a/create-npf.sh b/create-npf.sh
new file mode 100755
index 00000000..2c64fede
--- /dev/null
+++ b/create-npf.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -exuo pipefail
+HEADS_GIT_VERSION=$(git describe --tags)
+BOARD=$1
+cd ./build/x86/${BOARD}/
+sha256sum heads-${BOARD}-${HEADS_GIT_VERSION}.rom > sha256sum.txt
+sed -ie 's@  @  /tmp/verified_rom/@g' sha256sum.txt
+zip heads-${BOARD}-${HEADS_GIT_VERSION}.npf heads-${BOARD}-${HEADS_GIT_VERSION}.rom sha256sum.txt
diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh
index f5237390..16dfbd26 100755
--- a/initrd/bin/flash-gui.sh
+++ b/initrd/bin/flash-gui.sh
@@ -33,7 +33,7 @@ while true; do
           --yesno "You will need to insert a USB drive containing your BIOS image (*.rom or *.tgz).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80) then
         mount_usb
         if grep -q /media /proc/mounts ; then
-          find /media ! -path '*/\.*' -type f \( -name '*.rom' -o -name '*.tgz' \) | sort > /tmp/filelist.txt
+          find /media ! -path '*/\.*' -type f \( -name '*.rom' -o -name '*.tgz' -o -type f -name '*.npf' \) | sort > /tmp/filelist.txt
           file_selector "/tmp/filelist.txt" "Choose the ROM to flash"
           if [ "$FILE" == "" ]; then
             return
@@ -41,6 +41,27 @@ while true; do
             ROM=$FILE
           fi
 
+          # is a .npf provided?
+          if [ -z "${ROM##*.npf}" ]; then
+            # unzip to /tmp/verified_rom
+            mkdir /tmp/verified_rom
+            unzip $ROM -d /tmp/verified_rom
+            # check file integrity
+            if (cd /tmp/verified_rom/ && sha256sum -cs /tmp/verified_rom/sha256sum.txt) ; then
+              ROM="$(head -n1 /tmp/verified_rom/sha256sum.txt | cut -d ' ' -f 3)"
+            else
+              whiptail --title 'ROM Integrity Check Failed! ' \
+                --msgbox "$ROM integrity check failed. Did not flash.\n\nPlease check your file (e.g. re-download).\n" 16 60
+              exit
+            fi
+          else
+            # exit if we shall not proceed
+            if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \
+                --yesno "You have provided a *.rom file. The integrity of the file can not be\nchecked for this file.\nIf you do not know how to check the file integrity yourself,\nyou should use a *.npf file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 16 60) then
+              exit
+            fi
+          fi
+
           if (whiptail $BG_COLOR_WARNING --title 'Flash ROM?' \
               --yesno "This will replace your current ROM with:\n\n${ROM#"/media/"}\n\nDo you want to proceed?" 0 80) then
             if [ "$menu_choice" == "c" ]; then