author | Leah Rowe <leah@libreboot.org> | 2025-01-02 02:25:24 +0000 |
---|---|---|
committer | Leah Rowe <leah@libreboot.org> | 2025-01-02 08:46:36 +0000 |
commit | 41275d699ca38307225f950252ce0c446dc5aea8 (patch) | |
tree | f68a34e47ef408faf7df47411ed3c8be7cec11ea /config/grub/nvme/patches/0007-Compile-with-Argon2id-support.patch | |
parent | ed7293494e351fd8eb9aff4649d53782640e52b3 (diff) |
vendor.sh: MUCH, MUCH, MUCH safer ./mk inject

Don't extract to bin/release/

Modify the tarball instead. Previously, the tarball would
not be modified, but a lot of users thought the tarball was
being modified and ignored bin/release/, where the injected
images were actually being saved to.

Don't copy the tarball either. Just modify it in-place.

Don't allow single-rom injection either; only allow the
tarball-based method.

The command syntax has changed, but:

    ./mk inject tarball.tar.xz

This is the same. What has changed is nuke, and MAC address
modification. Observe:

    ./mk inject tarball.tar.xz nuke
    ./mk inject tarball.tar.xz setmac
    ./mk inject tarball.tar.xz setmac ??:??:??:??:??:??
    ./mk inject tarball.tar.xz setmac 00:1f:16:??:22:aa

These are just a few examples. The MAC address syntax is
the same as used for nvmutil, which means you can set it
randomly. Also:

    ./mk inject tarball.tar.xz setmac

You can use the *setmac* command *repeatedly*, even if
you've already injected a given archive. It'll just
update the archive, but skip injecting other files
that were already injected.

If you use setmac without a MAC address, it will randomise
the MAC address. This is therefore very similar to the
command structure used in nvmutil.

The code for injection is generally more robust, with
stronger error checks. This design change was done, so
that the user doesn't accidentally brick their machine.

The non-injected images have a prefix in the file name
saying "DO_NOT_FLASH", and those non-injected images are
padded by 1 byte. That way, the user knows not to flash it
and if they try, flashprog will throw an error.

The prefix and padding are removed on injection. Old images
without the padding/prefix can still be injected, via
tarballs; this new code is backwards-compatible with tarballs
from older Libreboot releases.

A common thing I see sometimes is a user will say they have
a black screen or something, and I say: did you insert vendor
files? And they say yes. And they did. But they extracted and
flashed from the tarball, which wasn't injected, because
they didn't realise about bin/release/

No amount of RTFM is justified. The previous design flaw
is a bug. We must always observe user safety first, no matter
what, so that has now been done.

Signed-off-by: Leah Rowe <leah@libreboot.org>
Diffstat (limited to 'config/grub/nvme/patches/0007-Compile-with-Argon2id-support.patch')
0 files changed, 0 insertions, 0 deletions
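
A pre-flash guard built on the two markers the commit message describes (the DO_NOT_FLASH file-name prefix and the 1-byte padding), as an added example that is not Libreboot's own code. `check_rom` is a hypothetical helper, and the rule that a flashable image has a power-of-two size is an assumption used here to detect the padding.

```shell
#!/bin/sh
# Added example, not part of Libreboot: refuse to hand a non-injected image
# to a flashing tool. check_rom is a hypothetical helper name.

# Return 0 if the image passes both checks, 1 otherwise.
check_rom() {
	rom="$1"
	[ -f "$rom" ] || { echo "not a file: $rom" >&2; return 1; }

	# Marker 1: non-injected images carry DO_NOT_FLASH in the file name.
	# Matched anywhere in the base name, to be conservative.
	case "$(basename "$rom")" in
	*DO_NOT_FLASH*)
		echo "refusing: $rom is marked DO_NOT_FLASH (not injected)" >&2
		return 1 ;;
	esac

	# Marker 2: non-injected images are padded by 1 byte, so a renamed
	# copy is still caught here.
	# Assumption: a flashable image has a power-of-two size in bytes.
	size=$(wc -c < "$rom" | tr -d ' ')
	if [ "$size" -le 0 ] || [ $(( size & (size - 1) )) -ne 0 ]; then
		echo "refusing: $rom is $size bytes, not a power of two" >&2
		return 1
	fi
	return 0
}

# Stand-alone use: check every path given on the command line.
if [ "$#" -gt 0 ]; then
	for f in "$@"; do
		check_rom "$f" || exit 1
	done
fi
```

The size check is independent of the name check, so renaming a non-injected image does not get it past the guard.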