#!/bin/bash -e # depends on : wget sha256sum gunzip # Purism source RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd" PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" # Librem 13 v2/v3 and Librem 15 v3 binary blob hashes SKL_UCODE_SHA="e528d2ccc5d76cd04bfabb556a3fbb70b93d9aca43e291e0f0104fbaae5720fd" SKL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" SKL_ME_SHA="cf06d3eb8b24490a1ab46fd988b6cef822e5347cd6a2e92bc332cb4a376eb8bc" SKL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" SKL_FSPS_SHA="c81ffa40df0b6cd6cfde4f476d452a1f6f2217bc96a3b98a4fa4a037ee7039cf" SKL_VBT_SHA="0ba40c1b8c0fb030a0e1a789eda8b2a7369339a410ad8c4620719e451ea69b98" # cbfstool, ifdtool, coreboot image from Purism repo CBFSTOOL_FILE="cbfstool.gz" CBFSTOOL_URL="$PURISM_SOURCE/tools/$CBFSTOOL_FILE" CBFSTOOL_SHA="3994cba01a51dd34388c8be89fd329f91575c12e499dfe1b81975d9fd115ce58" CBFSTOOL_BIN="./cbfstool" IFDTOOL_FILE="ifdtool.gz" IFDTOOL_URL="$PURISM_SOURCE/tools/$IFDTOOL_FILE" IFDTOOL_SHA="08228ece4968794499ebd49a851f7d3f7f1b81352da8cd6e0c7916ac931a7d72" IFDTOOL_BIN="./ifdtool" COREBOOT_IMAGE="coreboot-l13v3.rom" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v3/$COREBOOT_IMAGE_FILE" COREBOOT_IMAGE_SHA="784d8c9e9e3cf11e99b7f8a473d0ec18738193b2b57bb7a37386b536dab84be2" die () { local msg=$1 echo "" echo "$msg" exit 1 } check_and_get_url () { local filename=$1 local url=$2 local hash=$3 local description=$4 if [ -f "$filename" ]; then sha=$(sha256sum "$filename" | awk '{print $1}') fi if [ "$sha" != "$hash" ]; then echo " Downloading $description..." wget -O "$filename" "$url" >/dev/null 2>&1 sha=$(sha256sum "$filename" | awk '{print $1}') if [ "$sha" != "$hash" ]; then die "Downloaded $description has the wrong SHA256 hash" fi if [ "${filename: -3}" == ".gz" ]; then gunzip -k $filename fi fi } check_and_get_blob () { local filename=$1 local hash=$2 local description=$3 echo "Checking $filename" if [ -f "$filename" ]; then sha=$(sha256sum "$filename" | awk '{print $1}') fi if [ "$sha" != "$hash" ]; then # get tools check_and_get_tools # extract from coreboot image check_and_get_url $COREBOOT_IMAGE_FILE $COREBOOT_IMAGE_URL $COREBOOT_IMAGE_SHA "precompiled coreboot image" echo "Extracting $filename" if [ $filename = "descriptor.bin" ]; then $IFDTOOL_BIN -x $COREBOOT_IMAGE >/dev/null 2>&1 mv flashregion_0_flashdescriptor.bin descriptor.bin echo "Extracting me.bin" mv flashregion_2_intel_me.bin me.bin rm flashregion_* > /dev/null 2>&1 elif [ $filename = "me.bin" ]; then $IFDTOOL_BIN -x $COREBOOT_IMAGE >/dev/null 2>&1 mv flashregion_2_intel_me.bin me.bin rm flashregion_* > /dev/null 2>&1 else $CBFSTOOL_BIN $COREBOOT_IMAGE extract -n $filename -f $filename >/dev/null 2>&1 fi sha=$(sha256sum "$filename" | awk '{print $1}') if [ "$sha" != "$hash" ]; then die "Downloaded $description has the wrong SHA256 hash" fi fi } echo "" check_and_get_tools() { check_and_get_url $CBFSTOOL_FILE $CBFSTOOL_URL $CBFSTOOL_SHA "cbfstool" chmod +x $CBFSTOOL_BIN check_and_get_url $IFDTOOL_FILE $IFDTOOL_URL $IFDTOOL_SHA "ifdtool" chmod +x $IFDTOOL_BIN } # get tools for extraction #check_and_get_tools # get/verify blobs check_and_get_blob descriptor.bin $SKL_DESCRIPTOR_SHA "Intel Flash Descriptor" check_and_get_blob me.bin $SKL_ME_SHA "Intel ME firmware" check_and_get_blob fspm.bin $SKL_FSPM_SHA "FSP-M" check_and_get_blob fsps.bin $SKL_FSPS_SHA "FSP-S" check_and_get_blob vbt.bin $SKL_VBT_SHA "Video BIOS Table" check_and_get_blob cpu_microcode_blob.bin $SKL_UCODE_SHA "Intel Microcode Update" #clean up after ourselves rm -f $CBFSTOOL_BIN >/dev/null 2>&1 rm -f $IFDTOOL_BIN >/dev/null 2>&1 rm -f $COREBOOT_IMAGE >/dev/null 2>&1 rm -f *.gz >/dev/null 2>&1 echo "" echo "All blobs have been verified and are ready for use"