lbmk.git/config, branch 25.06 libreboot build system (LibreBoot MaKe) Libreboot 25.06 release 2025-06-30T13:08:48+00:00 Leah Rowe leah@libreboot.org 2025-06-30T13:08:48+00:00 c46a71138c77556b103a4a5c85917d5bb5cc915a Signed-off-by: Leah Rowe <leah@libreboot.org> 
Signed-off-by: Leah Rowe <leah@libreboot.org>
rom.sh: rename mkvendorfiles 2025-05-25T03:46:08+00:00 Leah Rowe leah@libreboot.org 2025-05-25T03:45:23+00:00 a47e98117235682e9d1744ddbf1d16523532d96a it mainly does general tasks, like handling utils and enabling ccache. the vfiles are a small part. rename the function accordingly. it is called by premake, so let's call it corebootpremake. this change will also make sense when cherry-picked into cbmk, which does not handle vfiles at all. Signed-off-by: Leah Rowe <leah@libreboot.org> 
it mainly does general tasks, like handling utils
and enabling ccache. the vfiles are a small part.

rename the function accordingly. it is called by
premake, so let's call it corebootpremake.

this change will also make sense when cherry-picked
into cbmk, which does not handle vfiles at all.

Signed-off-by: Leah Rowe <leah@libreboot.org>
rom.sh: simplify u-boot payload handling 2025-05-25T02:09:29+00:00 Leah Rowe leah@libreboot.org 2025-05-25T02:09:29+00:00 8c3f10ba402e7535529decf008cfd3dbd39d9d7e define it with a single variable, rather than several. this allows several checks to be greatly simplified. Signed-off-by: Leah Rowe <leah@libreboot.org> 
define it with a single variable, rather than several.

this allows several checks to be greatly simplified.

Signed-off-by: Leah Rowe <leah@libreboot.org>
ifd/hp8300usdt: set the HAP bit by default 2025-05-23T03:52:36+00:00 Leah Rowe leah@libreboot.org 2025-05-23T03:52:36+00:00 3e28873532b13a750df04d8dad8ffacb159cc7da In practise, coreboot can set this bit at build time. We also use ME Soft Temporary Disable by default, on this platform. We also use me_cleaner by default, so the me.bin file added to flash only contains the code that would run with HAP set anyway. Therefore, this change is of little practical consequence, but as a friend put it to me, this change is most technically correct. And I'm all about technical correctness. Signed-off-by: Leah Rowe <leah@libreboot.org> 
In practise, coreboot can set this bit at build time.
We also use ME Soft Temporary Disable by default, on
this platform.

We also use me_cleaner by default, so the me.bin file
added to flash only contains the code that would run
with HAP set anyway.

Therefore, this change is of little practical consequence,
but as a friend put it to me, this change is most technically
correct.

And I'm all about technical correctness.

Signed-off-by: Leah Rowe <leah@libreboot.org>
coreboot: Remove unused vboot tests 2025-05-22T13:13:11+00:00 Leah Rowe leah@libreboot.org 2025-05-22T13:13:11+00:00 452aeb6001a5fc2b08da72536e6ed0d6fe2b6a9d Futility tests enlarge the src tarballs, without much utility. Uttterly futile. Signed-off-by: Leah Rowe <leah@libreboot.org> 
Futility tests enlarge the src tarballs, without much utility.

Uttterly futile.

Signed-off-by: Leah Rowe <leah@libreboot.org>
coreboot/default: Remove unneeded FSP modules 2025-05-22T12:48:20+00:00 Leah Rowe leah@libreboot.org 2025-05-22T12:48:20+00:00 64cc91bca33d3a5356a805155d229b574e954f1c We only need the Kabylake version. We can safely remove the other ones, thereby significantly reducing the size of the lbmk release archive. Signed-off-by: Leah Rowe <leah@libreboot.org> 
We only need the Kabylake version. We can safely
remove the other ones, thereby significantly
reducing the size of the lbmk release archive.

Signed-off-by: Leah Rowe <leah@libreboot.org>
xbmk: add fake config makefile args to flashprog 2025-05-22T10:34:28+00:00 Leah Rowe leah@libreboot.org 2025-05-22T10:34:28+00:00 fc0720184d954690071dcbf1c9322a2006701a94 also pcsx-redux this way, commands like "./mk -u" without argument will not fail. these fake makefile commands do nothing. otherwise, an error errors because their makefiles do not define these options. Signed-off-by: Leah Rowe <leah@libreboot.org> 
also pcsx-redux

this way, commands like "./mk -u" without argument
will not fail. these fake makefile commands do nothing.

otherwise, an error errors because their makefiles
do not define these options.

Signed-off-by: Leah Rowe <leah@libreboot.org>
GRUB: Update to revision 73d1c959e (14 March 2025) 2025-05-21T12:34:18+00:00 Leah Rowe leah@libreboot.org 2025-05-21T12:34:18+00:00 24b8e633e0348d60dc7d64a919605e69f6ef0379 This brings in several changes from upstream: * 73d1c959e cryptocheck: Add --quiet option * dbc0eb5bd disk/cryptodisk: Wipe the passphrase from memory * 301b4ef25 disk/cryptodisk: Add the "erase secrets" function * 23ec4535f docs: Document available crypto disks checks * 10d778c4b commands/search: Add the diskfilter support * 7a584fbde disk/diskfilter: Introduce the "cryptocheck" command * ed691c0e0 commands/search: Introduce the --cryptodisk-only argument * c448f511e kern/rescue_reader: Block the rescue mode until the CLI authentication * 4abac0ad5 fs/xfs: Fix large extent counters incompat feature support This commit is of particular interest: * dbc0eb5bd disk/cryptodisk: Wipe the passphrase from memory Signed-off-by: Leah Rowe <leah@libreboot.org> 
This brings in several changes from upstream:

* 73d1c959e cryptocheck: Add --quiet option
* dbc0eb5bd disk/cryptodisk: Wipe the passphrase from memory
* 301b4ef25 disk/cryptodisk: Add the "erase secrets" function
* 23ec4535f docs: Document available crypto disks checks
* 10d778c4b commands/search: Add the diskfilter support
* 7a584fbde disk/diskfilter: Introduce the "cryptocheck" command
* ed691c0e0 commands/search: Introduce the --cryptodisk-only argument
* c448f511e kern/rescue_reader: Block the rescue mode until the CLI authentication
* 4abac0ad5 fs/xfs: Fix large extent counters incompat feature support

This commit is of particular interest:

* dbc0eb5bd disk/cryptodisk: Wipe the passphrase from memory

Signed-off-by: Leah Rowe <leah@libreboot.org>
dependencies/debian: add libx86 2025-05-19T16:40:44+00:00 Leah Rowe leah@libreboot.org 2025-05-19T16:40:44+00:00 265ec0b7673d3df608dfb9e1cbec39b3bb68cdd6 already present on a few other config files, e.g. arch i noticed on debian-experimental that i needed to explicitly install it, whereas it was implicitly installed on debian 12 Signed-off-by: Leah Rowe <leah@libreboot.org> 
already present on a few other config files, e.g. arch

i noticed on debian-experimental that i needed to explicitly
install it, whereas it was implicitly installed on debian 12

Signed-off-by: Leah Rowe <leah@libreboot.org>
vendor.sh: Properly verify SHA512SUM on extraction 2025-05-16T04:39:18+00:00 Leah Rowe leah@libreboot.org 2025-05-15T20:51:36+00:00 d668f3a35296f0bc7884b18d49f523d7bb331c30 I currently check the downloaded files e.g. .exe file, but then I don't check - or even define - sha512sums for the files extracted from them e.g. me.bin This patch fixes that. It also caches the hashed files, so that extraction is faster on a re-run - this makes release builds go faster, when running ./mk release If a checksum is not defined, i.e. blank, then a warning is given, telling you to check a specific directory. This way, when adding new vendor files, you can add it first without specifying the checksum, e.g. me.bin checksum. Then you can manually inspect the files that were extracted, and define it, then test again. In a given pkg.cfg for config/vendor, the following variables are now available for use: FSPM_bin_hash for fsp m module FSPS_bin_hash for fsp s module EC_FW1_hash for KBC1126 EC firmware (1st file) EC_FW2_hash for KBC1126 EC firmware (2nd file) ME_bin_hash for me.bin MRC_bin_hash for mrc.bin (broadwell boards) REF_bin_hash for refcode (broadwell boards) SCH5545EC_bin_hash for sch5545 firmware (Dell Precision T1650) TBFW_bin_hash for Lenovo ThunderBolt firmware (e.g. T480/T480s) E6400_VGA_bin_hash for Dell E6400 Nvidia VGA ROM In practise, most people use release archives, and the inject script, so I knew those were reliable, because the ROM images were hashed prior to removing files. This patch benefits people using lbmk.git directly, without using release files, because now they know they have a valid file e.g. me.bin Previously, only the download was checked, not the extracted files, which meant that the only thing preventing a brick was the code not being buggy. Any number of bugs could pop up in the future, so this new level of integrity will protect against such a scenario, and provide early warning prompting bug fixes. Signed-off-by: Leah Rowe <leah@libreboot.org> 
I currently check the downloaded files e.g. .exe file, but
then I don't check - or even define - sha512sums for the
files extracted from them e.g. me.bin

This patch fixes that. It also caches the hashed files, so
that extraction is faster on a re-run - this makes release
builds go faster, when running ./mk release

If a checksum is not defined, i.e. blank, then a warning is
given, telling you to check a specific directory. This way,
when adding new vendor files, you can add it first without
specifying the checksum, e.g. me.bin checksum. Then you can
manually inspect the files that were extracted, and define it,
then test again.

In a given pkg.cfg for config/vendor, the following variables
are now available for use:

FSPM_bin_hash for fsp m module
FSPS_bin_hash for fsp s module
EC_FW1_hash for KBC1126 EC firmware (1st file)
EC_FW2_hash for KBC1126 EC firmware (2nd file)
ME_bin_hash for me.bin
MRC_bin_hash for mrc.bin (broadwell boards)
REF_bin_hash for refcode (broadwell boards)
SCH5545EC_bin_hash for sch5545 firmware (Dell Precision T1650)
TBFW_bin_hash for Lenovo ThunderBolt firmware (e.g. T480/T480s)
E6400_VGA_bin_hash for Dell E6400 Nvidia VGA ROM

In practise, most people use release archives, and the
inject script, so I knew those were reliable, because the ROM
images were hashed prior to removing files. This patch benefits
people using lbmk.git directly, without using release files,
because now they know they have a valid file e.g. me.bin

Previously, only the download was checked, not the extracted
files, which meant that the only thing preventing a brick was
the code not being buggy. Any number of bugs could pop up in
the future, so this new level of integrity will protect against
such a scenario, and provide early warning prompting bug fixes.

Signed-off-by: Leah Rowe <leah@libreboot.org>