diff options
| author | Leah Rowe <leah@libreboot.org> | 2023-09-09 20:05:11 +0100 | 
|---|---|---|
| committer | Leah Rowe <leah@libreboot.org> | 2023-09-09 20:11:11 +0100 | 
| commit | 20be007f5b7042196647eabc5b6ec9d0d84ac108 (patch) | |
| tree | 781edcb4441a57b0fe957cd876234b4e897f5796 | |
| parent | f989d5b434f8fe3c6c5baafb8b35ec8e6cfcdbb1 (diff) | |
blobs/inject: fix checksum validation if no-ucode
on e6400_4mb, the release build scripts remove nvidia's vga
rom which is used on dgpu models. however, microcode is also
removed in separately copied rom images
the inject script was inserting vgaroms directly into these
no-microcode roms, but the microcode blob is bigger than the
vga rom, and cbfstool inserts into the first available free
spot within cbfs, so it was inserting into the spot where
cpu microcode went. this caused the rom checksum to not match
what was generated during build/release/roms being executed
the only real fix is to guarantee offsets within cbfs for all
files, by recording what offsets were used and then calculating
that during insertion
so this patch is a workaround, but fixes the issue. the workaround
is: don't insert blobs directly on no-microcode roms, instead
insert only on microcode-based roms, then re-copy those roms
and remove microcode in aptly named copies
it's a bit more convoluted, but works perfectly fine.
Signed-off-by: Leah Rowe <leah@libreboot.org>
| -rwxr-xr-x | script/update/blobs/inject | 25 | 
1 files changed, 24 insertions, 1 deletions
| diff --git a/script/update/blobs/inject b/script/update/blobs/inject index 10691658..abdea964 100755 --- a/script/update/blobs/inject +++ b/script/update/blobs/inject @@ -9,6 +9,8 @@  . "include/defconfig.sh"  . "include/blobutil.sh" +release_archive="n" +  main()  {  	sname="${0}" @@ -103,8 +105,10 @@ build_dependencies()  inject_blobs()  { +	release_archive="n"  	if [ "${release}" = "true" ]; then  		printf "patching release file\n" +		release_archive="y"  		patch_release_roms  	else  		patch_rom "${rom}" || \ @@ -124,13 +128,22 @@ patch_release_roms()  		echo "patching rom $x"  		patch_rom "${x}" || err "patch_release_roms: could not patch ${x}"  	done +	for x in "${_tmpdir}"/bin/*/*_nomicrocode.rom ; do +		[ -f "${x}" ] || continue +		[ -f "${x%_nomicrocode.rom}.rom" ] || continue + +		cp "${x%_nomicrocode.rom}.rom" "${x}" || \ +		    err "patch_release_roms: ${x}: can't overwrite no-ucode rom" +		"${cbfstool}" "${x}" remove -n cpu_microcode_blob.bin || \ +		    err "patch_release_roms: ${x}: cannot remove u-code" +	done  	(  	cd "${_tmpdir}"/bin/*  	# NOTE: For compatibility with older rom releases, defer to sha1  	sha512sum --status -c blobhashes || \ -	    sha1sum --statuc -c blobhashes || \ +	    sha1sum --status -c blobhashes || \  	    err "patch_release_roms: ROMs did not match expected hashes"  	) @@ -154,6 +167,16 @@ patch_rom()  {  	rom="${1}" +	# we don't process no-microcode roms; these are +	# instead re-created at the end, after re-inserting +	# on roms with microcode, by copying and then removing, +	# so that the hashes will match (otherwise, cbfstool +	# may sometimes insert certain blobs at the wrong offset) +	# (unless nomicrocode is the only config provided) +	[ "${rom}" != "${rom%_nomicrocode.rom}.rom" ] && \ +	[ -f "${rom%_nomicrocode.rom}.rom" ] && \ +	[ "${release_archive}" = "y" ] && return 0 +  	check_defconfig "${boarddir}" || exit 1	  	set -- "${boarddir}/config/"*  	. "${1}" 2>/dev/null | 
