author | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2021-12-18 01:46:19 +0100 |
---|---|---|
committer | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2022-02-10 10:55:03 +0100 |
commit | 7422411b247945e000911f3f738227d17c337b20 (patch) | |
tree | aa8e06a16936e3efe844739b286a2d14c43c6e4a | |
parent | ae0be6f8b4af05ba8ea959690c2aa4e17609f0e7 (diff) |
Add support for releasing deblobbed u-boot 2020.07 source tarballs

Once the tarballs are released, it will enable distributions to use
these tarballs to produce deblobbed u-boot packages.

Note that the produced tarball is not reproducible yet. Because of
that it has to be trusted.

During a release, it's a good idea to sign the uncompressed tarball as
the various compression formats and associated tools make different
tradeoffs.

For instance with xz, xz -9e tends to compress really well with the
most used xz[1] implementation, and most GNU/Linux users probably
already have it installed, but the drawback is that the format is
very fragile[2].

The lzip format is more suited for long term archiving but its most
packaged implementation[3] is less likely to be already installed by
users than more well known formats like xz, bzip2 or gzip.

Being able to add more compression formats after the release is also
useful, for instance to accommodate different build systems or use
cases (like being able to build u-boot with fewer dependencies in
distributions like Guix, or building u-boot directly on devices which
don't have enough RAM for xz for instance).

[1] https://tukaani.org/xz/
[2] https://www.nongnu.org/lzip/xz_inadequate.html
[3] https://www.nongnu.org/lzip/

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
-rwxr-xr-x | resources/scripts/build/release/u-boot-stable-src-release | 60 | ||||
-rwxr-xr-x | resources/scripts/download/u-boot | 123 | ||||
-rw-r--r-- | resources/u-boot/default/blobs.list | 185 |
3 files changed, 368 insertions, 0 deletions
diff --git a/resources/scripts/build/release/u-boot-stable-src-release b/resources/scripts/build/release/u-boot-stable-src-release new file mode 100755 index 00000000..357338cf --- /dev/null +++ b/resources/scripts/build/release/u-boot-stable-src-release 
@@ -0,0 +1,60 @@ +#!/usr/bin/env bash + +# +# helper script: generate deblobbed stable u-boot source code releases +# +# Copyright (C) 2020,2021 Leah Rowe <info@minifree.org> +# Copyright (C) 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +[ "x${DEBUG+set}" = 'xset' ] && set -v +set -u -e + +version="v2021.07" +revision="r1" + +topdir="$(realpath $(dirname $(realpath $0))/../../../../)" +tmpdir="${topdir}/release/u-boot/u-boot-${version}-${revision}" +tarball="${tmpdir}.tar" + +printf "Building source code archive, version %s revision %s\n" "${version}" "${revision}" + +cd "${topdir}" +"${topdir}/download" u-boot + +rm -rf \ + "${tmpdir}/" \ + "${tarball}" \ + "${tarball}.lz" \ + "${tarball}.xz" + +mkdir -p "$(dirname ${tmpdir})" +cp -R "u-boot/u-boot/" "${tmpdir}" + +rm -rf ${tmpdir}/.git ${tmpdir}/.gitignore +make -C ${tmpdir} distclean + +prefix="$(dirname ${tmpdir} | sed 's#^/*##')/" +tar cf "${tarball}" "${tmpdir}" --transform="s#${prefix}##" +lzip -9 --keep -vv "${tarball}" +xz -9 --keep -vv "${tarball}" + +rm -rf "${tmpdir}/" + +printf "Source code archives available at:\n\t%s\n\t%s\n\t%s\n" \ + "${tarball}" \ + "${tarball}.lz" \ + "${tarball}.xz" diff --git a/resources/scripts/download/u-boot b/resources/scripts/download/u-boot new file mode 100755 index 00000000..704d1c3a --- /dev/null 
+++ b/resources/scripts/download/u-boot 
@@ -0,0 +1,123 @@ +#!/usr/bin/env bash + +# helper script: download u-boot +# +# Copyright (C) 2014, 2015, 2016, 2020, 2021 Leah Rowe <info@minifree.org> +# Copyright (C) 2021 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +[ "x${DEBUG+set}" = 'xset' ] && set -v +set -u -e + +# set this when you want to modify each u-boot tree +# for example, you want to test custom patches +# NODELETE= ./download coreboot +deleteblobs="true" +[ "x${NODELETE+set}" = 'xset' ] && deleteblobs="false" + +# Error handling is extreme in this script. +# This script handles the internet, and Git. Both are inherently unreliable. +[[ -f build_error ]] && rm -f build_error + +downloadfor() { + uboot_revision="v2021.07" + uboot_dir="u-boot/u-boot" + if [ -d "${uboot_dir}" ]; then + printf \ + "REMARK: '%s' directory already exists. Skipping setup.\n" \ + "${uboot_dir}" + return 0 + fi + + if [ ! -d "${uboot_dir}" ]; then + mkdir -p "${uboot_dir}" + fi + + if [ ! -d "${uboot_dir}" ]; then + printf \ + "ERROR: '%s' directory not created. Check file system permissions\n" \ + "${uboot_dir}" + return 1 + fi + + if [ ! -d "${uboot_dir}/.git" ] && [ -d "${uboot_dir}" ]; then + rm -Rf "${uboot_dir}" + fi + + if [ ! 
-d "${uboot_dir}" ]; then + printf "Download u-boot from upstream:\n" + git clone https://source.denx.de/u-boot/u-boot \ + "${uboot_dir}" || \ + rm -Rf "${uboot_dir}" + if [ ! -d "${uboot_dir}" ]; then + printf \ + "ERROR: %s: Problem with git-clone. Network issue?\n" \ + "download/u-boot" + return 1 + fi + else + git -C "${uboot_dir}" pull || touch build_error + if [ -f build_error ]; then + printf \ + "ERROR: %s: Problem with git-pull. Network issue?\n" \ + "download/u-boot" + return 1 + fi + fi + + git -C "${uboot_dir}" reset --hard ${uboot_revision} || \ + touch build_error + if [ -f build_error ]; then + printf \ + "ERROR: %s: Unable to reset to commit ID/tag '%s' for board '%s' on tree '%s'\n" \ + "download/u-boot" "${uboot_revision}" "${1}" "${uboot_dir}" + return 1 + fi +} + +strip_comments() +{ + file="$1" + # Remove comments + sed 's/#.*//' "${file}" | \ + # Remove lines composed of whitespaces only + sed '/^\W\+$/d' | \ + # Remove empty lines + sed '/^$/d' +} + +printf "Downloading u-boot and (if exist in build system) applying patches\n" +downloadfor + +rm -f "build_error" +printf "\n\n" + +if [ "${deleteblobs}" = "true" ]; then + bloblist="resources/u-boot/default/blobs.list" + + for blob_path in $(strip_comments "${bloblist}"); do + if echo "${blob_path}" | grep '/$' 2>&1 >/dev/null ; then + printf "Deleting blob directory: '%s/%s'\n" \ + "${uboot_dir}" "${blob_path}" + rm -rf "${uboot_dir}/${blob_path}" + else + printf "Deleting blob file: '%s/%s'\n" \ + "${uboot_dir}" "${blob_path}" + rm -f "${uboot_dir}/${blob_path}" + fi + done +fi +exit 0 diff --git a/resources/u-boot/default/blobs.list b/resources/u-boot/default/blobs.list new file mode 100644 index 00000000..ec6c20ee --- /dev/null +++ b/resources/u-boot/default/blobs.list 
@@ -0,0 +1,185 @@ +arch/x86/dts/microcode/ + +# The license is nonfree because it contains the following: "Reverse +# engineering, decompilation, or disassembly of this software is not +# permitted." +Licenses/r8a779x_usb3.txt +drivers/usb/host/xhci-rcar-r8a779x_usb3_v3.h + +# The documentation contains instructions to download and install nonfree +# software. Note that if a board doesn't have such instructions it doesn't +# necessarily means that it can boot with only free software and viceversa. + +########### +# Amlogic # +########### +# Amlogic SOCs Usually have various nonfree components, like the first stages +# of the bootloaders and code that runs in TrustZone. They are most likely +# not signed. +# --------- +# TODO: List the nonfree software of specific documentation +doc/board/amlogic/beelink-gtkingpro.rst +doc/board/amlogic/beelink-gtking.rst +doc/board/amlogic/index.rst +doc/board/amlogic/khadas-vim2.rst +doc/board/amlogic/khadas-vim3l.rst +doc/board/amlogic/khadas-vim3.rst +doc/board/amlogic/khadas-vim.rst +doc/board/amlogic/libretech-ac.rst +doc/board/amlogic/libretech-cc.rst +doc/board/amlogic/nanopi-k2.rst +doc/board/amlogic/odroid-c2.rst +doc/board/amlogic/odroid-c4.rst +doc/board/amlogic/odroid-n2.rst +doc/board/amlogic/p200.rst +doc/board/amlogic/p201.rst +doc/board/amlogic/p212.rst +doc/board/amlogic/q200.rst +doc/board/amlogic/s400.rst +doc/board/amlogic/sei510.rst +doc/board/amlogic/sei610.rst +doc/board/amlogic/u200.rst +doc/board/amlogic/w400.rst +doc/board/amlogic/wetek-core2.rst + +######### +# Linux # +######### +# Has intructions to build Linux which is not FSDG compliant. +# TODO: Use linux-libre instead, especially because documentation about vboot +# could be interesting to have. Vboot is a chain of trust that can work with +# only free software. The hardware root of trust can be created by booting on +# a flash chip whose security registers are configured to set the first +# bootloader component read-only. 
+doc/uImage.FIT/beaglebone_vboot.txt +# Steers very strongly users into using Linux as it shows that the only tested +# kernels are Broadcom forks of Linux. We would need to have linux-libre +# versions of these or test it with stock linux-libre instead. +doc/README.bcm7xxx + +############ +# Mediatek # +############ +# The instructions uses binaries that lack any corresponding source code. +doc/README.mediatek + +############# +# NXP I.MX8 # +############# +# I.MX8 SOCs require a nonfree firmware for the DDR4 controller. In some +# documentation, I didn't find that requirement mentioned, but instead +# there are still nonfree files mentioned. So I assume that they might +# somehow contain code for that nonfree DDR4 controller, but it might be +# worth checking if it's the case or not. The DDR4 controller firmware is not +# signed. In addition the I.MX8 HDMI controller requires a signed firmware. +# ----------- +# nonfree DDR4 controller firmware +doc/board/freescale/imx8mp_evk.rst +# nonfree DDR4 controller and HDMI firmwares +doc/board/freescale/imx8mq_evk.rst +# nonfree DDR4 controller firmware +doc/board/freescale/imx8mn_evk.rst +# nonfree imx-sc-firmware-1.2.7.1.bin and imx-seco-2.3.1.bin firmwares +doc/board/freescale/imx8qxp_mek.rst +# nonfree DDR4 controller firmware +doc/board/freescale/imx8mm_evk.rst +# nonfree imx-sc-firmware-1.1.bin and firmware-imx-8.0.bin firmwares +doc/board/advantech/imx8qm-rom7720-a1.rst +# TODO +doc/board/verdin-imx8mm.rst +doc/board/toradex/colibri-imx8x.rst +doc/board/toradex/apalix-imx8x.rst +doc/board/toradex/apalix-imx8.rst + +####################### +# NXP nonfree srktool # +####################### +# The SRK tool is a tool that is involved in one way or another with +# authenticated or encrypted boot. I'm unsure if free software replacements +# exists or if could easily be replaced with a free software implementation. 
+# In any case the I.MX6 and I.MX5 can proabably be setup for encrypted or +# authenticated boot with free software tools. The first and second versions +# of the USB Armory has documentation on how to do that. +# --------------------- +doc/imx/board/toradex/colibri_imx7.rst +doc/imx/habv4/introduction_habv4.txt + +################## +# Samsung Exynos # +################## +# The instructions makes users nonfree components like a nonfree first stage +# bootloaders, and nonfree code that runs in TrustZone. +doc/README.odroid +# The instructions makes its users download an image and update u-boot in that +# image. Because of that, it's extremely likely that the images contains +# nonfree components that cannot even be redistributed in another form, and +# that the instructions uses that images because of that. +doc/README.s5p4418 + +##################### +# Texas Instruments # +##################### +# Users are expected to use nonfree tools and even sign an NDA to get access +# to them. +doc/README.ti-secure + +########### +# Unknown # +########### +# Everything looks free software, but the code still needs to be reviewed. +doc/board/microchip/mpfs_icicle.rst +# OP-TEE is under a free software license but its code needs to be reviewed. +doc/README.tee +# The tutorial has instructions to download a downstream u-boot, so it might +# have the same issues than u-boot itself if the u-boot is recent enough. +doc/chromium/run_vboot.rst + +####### +# x86 # +####### +# Unless the computer is supported by Libreboot, or that u-boot runs after +# some other nonfree boot software like a BIOS or UEFI, it's unlikely to be +# able to run with only free software. Though I'm pretty sure that some +# exceptions do exists, but they are probably not supported by u-boot. 
+# ----- +# nonfree Management Engine firmware, RAM intialization code, and video BIOS +doc/board/google/chromebook_link.rst +# nonfree SDRAM and hardware intialization code +doc/board/google/chromebook_coral.rst + +# nonfree FSP, video BIOS, Management Engine firmware +doc/board/intel/minnowmax.rst +# nonfree FSP, Chipset Micro Code (CMC), microcode +doc/board/intel/crownbay.rst + +# TODO: check +# board/intel/edison.rst +# Steers userstoward using nonfree FSP +board/intel/slimbootloader.rst + +# Steers users and developers toward using nonfree FSP +doc/device-tree-bindings/fsp/fsp2/apollolake/fsp-m.txt + +# Steers users and developers toward using nonfree FSP +doc/device-tree-bindings/fsp/fsp2/apollolake/fsp-s.txt + +############ +# Rockchip # +############ +# rkbin binaries without license nor source code +doc/board/rockchip/rockchip.rst + +# TODO: check the following files +# imx/common/mxs.txt +# README.armada-secureboot +# README.fdt-control +# README.fsl-ddr +# README.m54418twr +# README.marvell +# README.mpc85xxcds +# README.mpc85xx-sd-spi-boot +# README.OFT +# README.rmobile +# README.rockchip +# README.rockusb +# README.socfpga |
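Review bot: in resources/scripts/build/release/u-boot-stable-src-release, the tarball is built from whatever `u-boot/u-boot/` holds after `"${topdir}/download" u-boot` returns, and nothing here checks that this tree is the deblobbed `${version}` checkout. The download script returns early from its checkout step when the directory already exists, and skips blob deletion when `NODELETE` is set in the environment, so a release run from a developer's working tree can package a stale or non-deblobbed source. Suggest failing when `NODELETE` is set, and either starting from a fresh clone or checking that `git -C u-boot/u-boot describe --tags` equals `${version}` before the `cp -R`. Separately, `version="v2021.07"` disagrees with the 2020.07 in the commit subject, and the `tar cf` call sets no `--sort=name`, `--mtime`, `--owner` or `--group`, which is one reason the tarball is not reproducible. The unquoted `${tmpdir}` in `rm -rf ${tmpdir}/.git ${tmpdir}/.gitignore` should also be quoted like the other uses.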
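Review bot: in resources/scripts/download/u-boot, `git reset --hard ${uboot_revision}` trusts the tag name `v2021.07` as served by the remote, with no signature check and no pinned commit ID, so the content that ends up in the release depends on whatever the server hands out for that tag. Suggest pinning the full commit ID in `uboot_revision`, or running `git verify-tag` against a known key before the reset if upstream signs its tags. In the same function the error message for the failed reset expands `"${1}"`, but `downloadfor` is called without arguments and the script runs under `set -u`, so that path aborts with an unbound-variable error instead of printing the message; drop the board argument from the format string. The `else` branch with `git pull` also looks unreachable, since the function returns early when the directory exists and removes the freshly created one before the clone test.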
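Review bot: in resources/u-boot/default/blobs.list, the entry `board/intel/slimbootloader.rst` lacks the `doc/` prefix that the other Intel entries (`doc/board/intel/minnowmax.rst`, `doc/board/intel/crownbay.rst`) carry, and because the download script removes entries with `rm -f`, a path that matches nothing succeeds without error and the file stays in the tarball. Suggest correcting the path and making the deletion loop fail, or at least warn, when a listed path does not exist in the tree, so typos and upstream renames are caught at release time. `doc/board/verdin-imx8mm.rst` is worth the same check, since the neighbouring Toradex entries sit under `doc/board/toradex/`. The entries are also joined to `${uboot_dir}` and passed to `rm -rf` without rejecting `..` components.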