add -p flag to old me_cleaner too

this lets you skip fptr checks

not currently used on this version, but i want this
patch here so that it can be in the future

Signed-off-by: Leah Rowe <leah@libreboot.org>

1 files changed, 76 insertions, 0 deletions

diff --git a/config/coreboot/default/patches/0038-Subject-PATCH-1-1-Add-a-p-option-skip-FPTR-checks.patch b/config/coreboot/default/patches/0038-Subject-PATCH-1-1-Add-a-p-option-skip-FPTR-checks.patch
new file mode 100644
index 00000000..abc232c5
--- /dev/null
+++ b/config/coreboot/default/patches/0038-Subject-PATCH-1-1-Add-a-p-option-skip-FPTR-checks.patch
@@ -0,0 +1,76 @@
+From 273fec95778f53a622ff1e2a64c15b74813f48d2 Mon Sep 17 00:00:00 2001
+From: Leah Rowe <leah@libreboot.org>
+Date: Sun, 28 Sep 2025 03:17:50 +0100
+Subject: [PATCH 1/1] Subject: [PATCH 1/1] Add a -p option (skip FPTR checks)
+
+if you pass -k (keep fptr modules), don't use -r, don't
+use -t, you can essentially just use me_cleaner to
+extract a ME image without changing it. this is useful
+when for example, you just want to set the HAP bit.
+
+however, me_cleaner still performs a FPTR check.
+
+on some newer ME versions, it's always invalid according
+to me_cleaner, because for example it doesn't handle
+ME16 very well yet.
+
+this patch adds an option to override the FPTR check
+
+either pass -p or --pass-fptr
+
+NOTE: we probably won't use this on coreboot's me_cleaner,
+which is the corna version. we only need it on the newer
+me_cleaner versions for e.g. ME16, on certain setups.
+still, it's best to have the patch here too, just in case.
+
+Signed-off-by: Leah Rowe <leah@libreboot.org>
+---
+ util/me_cleaner/me_cleaner.py | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/util/me_cleaner/me_cleaner.py b/util/me_cleaner/me_cleaner.py
+index fae5e56732..228bac899f 100755
+--- a/util/me_cleaner/me_cleaner.py
++++ b/util/me_cleaner/me_cleaner.py
+@@ -246,8 +246,10 @@ def check_partition_signature(f, offset):
+     return "{:#x}".format(decrypted_sig).endswith(sha256.hexdigest())   # FIXME
+ 
+ 
+-def print_check_partition_signature(f, offset):
+-    if check_partition_signature(f, offset):
++def print_check_partition_signature(f, offset, pass_fptr):
++    if pass_fptr:
++        print("Skipping FPTR checks because the user told us to")
++    elif check_partition_signature(f, offset):
+         print("VALID")
+     else:
+         print("INVALID!!")
+@@ -486,6 +488,8 @@ if __name__ == "__main__":
+                         "--extract-me)", action="store_true")
+     parser.add_argument("-k", "--keep-modules", help="don't remove the FTPR "
+                         "modules, even when possible", action="store_true")
++    parser.add_argument("-p", "--pass-fptr", help="skip FTPR signature checks"
++                        "regardless of other operations", action="store_true")
+     bw_list.add_argument("-w", "--whitelist", metavar="whitelist",
+                          help="Comma separated list of additional partitions "
+                          "to keep in the final image. This can be used to "
+@@ -871,12 +875,14 @@ if __name__ == "__main__":
+             print("Checking the FTPR RSA signature of the extracted ME "
+                   "image... ", end="")
+             print_check_partition_signature(mef_copy,
+-                                            ftpr_offset + ftpr_mn2_offset)
++                                            ftpr_offset + ftpr_mn2_offset,
++                                                args.pass_fptr)
+         mef_copy.close()
+ 
+     if not me6_ignition:
+         print("Checking the FTPR RSA signature... ", end="")
+-        print_check_partition_signature(mef, ftpr_offset + ftpr_mn2_offset)
++        print_check_partition_signature(mef, ftpr_offset + ftpr_mn2_offset,
++                                                args.pass_fptr)
+ 
+     f.close()
+ 
+-- 
+2.47.3
+