diff options
| -rw-r--r-- | config/data/deguard/appdir.patch | 131 | ||||
| -rw-r--r-- | config/vendor/3050micro/pkg.cfg | 4 | ||||
| -rw-r--r-- | include/vendor.sh | 33 |
3 files changed, 167 insertions, 1 deletions
diff --git a/config/data/deguard/appdir.patch b/config/data/deguard/appdir.patch new file mode 100644 index 00000000..722a6168 --- /dev/null +++ b/config/data/deguard/appdir.patch @@ -0,0 +1,131 @@ +From b978cbb651a4bdd84be4a92ae240c8ca99ef21eb Mon Sep 17 00:00:00 2001 +From: Leah Rowe <info@minifree.org> +Date: Tue, 24 Sep 2024 16:44:51 +0100 +Subject: [PATCH 1/1] Patch to integrate with lbmk + +Deguard is a standalone utility, but the way it works +doesn't integrate well with lbmk. + +Remove the download logic, because lbmk already downloads +the requisite zip file. + +Also not required, but nice, and included in this patch: + +Detect what python version is available, and make sure it's +python 3. + +Signed-off-by: Leah Rowe <info@minifree.org> +--- + RUNME.sh | 64 +++++++++++++++++++++++++++++++------------------------- + 1 file changed, 36 insertions(+), 28 deletions(-) + +diff --git a/RUNME.sh b/RUNME.sh +index 9809f89..7404ba6 100755 +--- a/RUNME.sh ++++ b/RUNME.sh +@@ -1,25 +1,33 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0-only + ++# This version of deguard is patched to integrate with lbmk. ++# Do not run this version standalone. Please use src/deguard/ instead. ++ + set -e + +-if [ ! -f "me.bin" ]; then +- wget "https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip" +- unzip "H110M-DGS(7.30)ROM.zip" H11MDGS7.30 +- rm "H110M-DGS(7.30)ROM.zip" +- dd if=H11MDGS7.30 of=me.bin skip=1 count=511 bs=4096 +- rm H11MDGS7.30 ++pyver="2" ++python="python3" ++which python3 || python="python" ++which $python || pyver="" ++[ -n "$pyver" ] && pyver="$($python --version | awk '{print $2}')" ++if [ "${pyver%%.*}" != "3" ]; then ++ printf "Wrong python version, or python missing. Must be python 3.\n" 1>&2 ++ exit 1 + fi + ++rm -f me.bin MFS.part ++dd if=../H11MDGS7.30 of=me.bin skip=1 count=511 bs=4096 ++ + dd if=me.bin of=MFS.part skip=168 count=100 bs=4096 + + # Extract file number 7 (fitc.cfg) +-python3 MFSUtil.py -m MFS.part -x -i 7 -o fitc.cfg ++$python MFSUtil.py -m MFS.part -x -i 7 -o fitc.cfg + + # Remove /home/mca/eom +-python3 MFSUtil.py -c fitc.cfg -r -f /home/mca/eom -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg -r -f /home/mca/eom -o fitc.cfg + # Remove /home/bup/ct +-python3 MFSUtil.py -c fitc.cfg -r -f /home/bup/ct -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg -r -f /home/bup/ct -o fitc.cfg + + # list off files differing in optiplex 3050 fw vs donor + files=" +@@ -39,40 +47,40 @@ secureboot/pubkeyhash + + for i in $files + do +- python3 MFSUtil.py -c fitc.cfg -r -f /home/$i -o fitc.cfg ++ $python MFSUtil.py -c fitc.cfg -r -f /home/$i -o fitc.cfg + done + + # Add /home/mca/eom + dd if=/dev/zero of=eom count=1 bs=1 +-python3 MFSUtil.py -c fitc.cfg --add eom --alignment 2 --mode ' --Irw-r-----' \ ++$python MFSUtil.py -c fitc.cfg --add eom --alignment 2 --mode ' --Irw-r-----' \ + --opt '?!-F' --uid 0 --gid 238 -f /home/mca/eom -o fitc.cfg + + # Add /home/bup/ct +-python3 gen_shellcode.py -p H -v 11.6.0.1126 --fake-fpfs=fpfs/optiplex_3050 -o ct +-python3 MFSUtil.py -c fitc.cfg --add ct --alignment 2 --mode ' ---rwxr-----' \ ++$python gen_shellcode.py -p H -v 11.6.0.1126 --fake-fpfs=fpfs/optiplex_3050 -o ct ++$python MFSUtil.py -c fitc.cfg --add ct --alignment 2 --mode ' ---rwxr-----' \ + --opt '?--F' --uid 3 --gid 351 -f /home/bup/ct -o fitc.cfg + + # Add dell files +-python3 MFSUtil.py -c fitc.cfg --add data/emu_fuse_map --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/emu_fuse_map -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/plat_n_sku --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/plat_n_sku -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/fwuoemid --alignment 2 --mode=' ---rw-rw----' --opt='?--F' --uid=32 --gid=238 -f /home/fwupdate/fwuoemid -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/prof0 --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=55 --gid=238 -f /home/icc/prof0 -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/device_ports --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=73 --gid=238 -f /home/mctp/device_ports -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/hdcp_ports --alignment 2 --mode=' -EIrw-r-----' --opt='?!-F' --uid=80 --gid=238 -f /home/pavp/hdcp_ports -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/cfg_rules --alignment 2 --mode=' ---rw-rw----' --opt='-!MF' --uid=85 --gid=238 -f /home/policy/cfgmgr/cfg_rules -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/bootpolres --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpolres -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/bootpoltype --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpoltype -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/enfpolicy --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/enfpolicy -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/kmid --alignment 2 --mode=' ---rw-r-----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/kmid -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/pubkeyhash --alignment 2 --mode=' ---rw-rw-r--' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/pubkeyhash -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/emu_fuse_map --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/emu_fuse_map -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/plat_n_sku --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/plat_n_sku -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/fwuoemid --alignment 2 --mode=' ---rw-rw----' --opt='?--F' --uid=32 --gid=238 -f /home/fwupdate/fwuoemid -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/prof0 --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=55 --gid=238 -f /home/icc/prof0 -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/device_ports --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=73 --gid=238 -f /home/mctp/device_ports -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/hdcp_ports --alignment 2 --mode=' -EIrw-r-----' --opt='?!-F' --uid=80 --gid=238 -f /home/pavp/hdcp_ports -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/cfg_rules --alignment 2 --mode=' ---rw-rw----' --opt='-!MF' --uid=85 --gid=238 -f /home/policy/cfgmgr/cfg_rules -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/bootpolres --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpolres -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/bootpoltype --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpoltype -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/enfpolicy --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/enfpolicy -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/kmid --alignment 2 --mode=' ---rw-r-----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/kmid -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/pubkeyhash --alignment 2 --mode=' ---rw-rw-r--' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/pubkeyhash -o fitc.cfg + + # Delete file id 7 (fitc.cfg) from the MFS partition +-python3 MFSUtil.py -m MFS.part -r -i 7 -o MFS.part ++$python MFSUtil.py -m MFS.part -r -i 7 -o MFS.part + # Delete file id 8 (home) from the MFS partition +-python3 MFSUtil.py -m MFS.part -r -i 8 -o MFS.part ++$python MFSUtil.py -m MFS.part -r -i 8 -o MFS.part + + # Add the modified fitc.cfg into the MFS partition +-python3 MFSUtil.py -m MFS.part -a fitc.cfg --deoptimize -i 7 -o MFS.part ++$python MFSUtil.py -m MFS.part -a fitc.cfg --deoptimize -i 7 -o MFS.part + + # Write + dd conv=notrunc if=MFS.part of=me.bin seek=168 count=100 bs=4096 +-- +2.39.5 + diff --git a/config/vendor/3050micro/pkg.cfg b/config/vendor/3050micro/pkg.cfg new file mode 100644 index 00000000..f1f7860b --- /dev/null +++ b/config/vendor/3050micro/pkg.cfg @@ -0,0 +1,4 @@ +DL_hash="976bbb1e625f64df276d8343757d910c88b8a781f953bc2c41a7dd15184ec70d55f8081de2a0aaa83cddb8e73bdc2df6288fde6e0897e4928c48ca4bb30bea2d" +DL_url="https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip" +DL_url_bkup="https://web.archive.org/web/20230822134231/https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip" +ME_bootguard="me11disreguard" diff --git a/include/vendor.sh b/include/vendor.sh index 03c7ad7d..c5b6560d 100644 --- a/include/vendor.sh +++ b/include/vendor.sh @@ -23,7 +23,7 @@ eval `setvars "" EC_url_bkup EC_hash DL_hash DL_url_bkup MRC_refcode_gbe vcfg \ E6400_VGA_romname SCH5545EC_DL_url_bkup SCH5545EC_DL_hash _dest tree \ mecleaner kbc1126_ec_dump MRC_refcode_cbtree new_mac _dl SCH5545EC_DL_url \ archive EC_url boarddir rom cbdir DL_url nukemode cbfstoolref vrelease \ - verify _7ztest $cv` + verify _7ztest ME_bootguard $cv` vendor_download() { @@ -107,6 +107,14 @@ extract_intel_me() e "$mecleaner" f not && $err "$cbdir: me_cleaner missing" _me="$PWD/$_dest"; cdir="$PWD/$appdir" + if [ "$ME_bootguard" = "me11disreguard" ]; then + # run mkukri's util to extract me.bin and disable bootguard + # for Dell OptiPlex 3050 Micro, using the deguard util. + extract_deguard_me "$cdir" "$_me" + return 0 + fi + # All other ME setups are extracted with brute force and me_cleaner: + [ $# -gt 0 ] && _me="${1}" && cdir="$2" e "$_me" f && return 0 @@ -141,6 +149,29 @@ extract_intel_me() rm -Rf "$sdir" || $err "extract_intel_me: !rm -Rf $sdir" } +extract_deguard_me() +{ + x_ ./mk -f deguard + cp -R src/deguard "$1/disreguard" || \ + $err "Cannot make temporary deguard clone in $1/disreguard" + if [ ! -e "$1/disreguard/.git" ]; then + git -C "$1/disreguard" init || $err "!init $1/disreguard" + git -C "$1/disreguard" add -A . || $err "!add $1/disreguard" + git -C "$1/disreguard" commit -m "tmp" || \ + $err "!commit $1/disreguard" + fi + git -C "$1/disreguard" am config/data/deguard/appdir.patch || \ + $err "Cannot temporarily patch deguard clone in $1/disreguard" + ( + cd "$1/disreguard" || $err "Cannot cd to '$1/disreguard'" + x_ ./RUNME.sh + ) + "$mecleaner" --whitelist MFS --truncate "$1/disreguard/me.bin" || \ + $err "extract_intel_me: Can't truncate disreguarded ME" + cp "$cdir/disreguard/me.bin" "$2" || \ + $err "extract_intel_me: Can't move disreguarded me.bin" +} + extract_archive() { innoextract "$1" -d "$2" || python "$pfs_extract" "$1" -e || 7z x \ |