Diffstat (limited to 'include')
-rw-r--r-- | include/git.sh | 2 | ||||
-rw-r--r-- | include/lib.sh | 43 | ||||
-rw-r--r-- | include/rom.sh | 17 | ||||
-rw-r--r-- | include/vendor.sh | 130 |
4 files changed, 154 insertions, 38 deletions
diff --git a/include/git.sh b/include/git.sh index fb0b2b42..21a1f3b7 100644 --- a/include/git.sh +++ b/include/git.sh @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-3.0-or-later -# Copyright (c) 2020-2021,2023-2024 Leah Rowe <leah@libreboot.org> +# Copyright (c) 2020-2021,2023-2025 Leah Rowe <leah@libreboot.org> # Copyright (c) 2022 Caleb La Grange <thonkpeasant@protonmail.com> eval "`setvars "" loc url bkup_url subfile subhash subrepo subrepo_bkup \ diff --git a/include/lib.sh b/include/lib.sh index 857857d2..b43d83f3 100644 --- a/include/lib.sh +++ b/include/lib.sh @@ -15,16 +15,6 @@ tmpgit="$PWD/tmp/gitclone" grubdata="config/data/grub" err="err_" -pyver="2" -python="python3" -command -v python3 1>/dev/null || python="python" -command -v $python 1>/dev/null || pyver="" -[ -n "$pyver" ] && pyver="$($python --version | awk '{print $2}')" -if [ "${pyver%%.*}" != "3" ]; then - printf "Wrong python version, or python missing. Must be v 3.x.\n" 1>&2 - exit 1 -fi - err_() { printf "ERROR %s: %s\n" "$0" "$1" 1>&2; exit 1 @@ -88,6 +78,22 @@ if [ $# -gt 0 ] && [ "$1" = "dependencies" ]; then exit 0 fi +pyver="2" +python="python3" +command -v python3 1>/dev/null || python="python" +command -v $python 1>/dev/null || pyver="" +[ -z "$pyver" ] || \ + python -c 'import sys; print(sys.version_info[:])' 1>/dev/null \ + 2>/dev/null || $err "Cannot determine which Python version." +[ -n "$pyver" ] && \ + pyver="`python -c 'import sys; print(sys.version_info[:])' | \ + awk '{print $1}'`" && \ + pyver="${pyver#(}" && pyver="${pyver%,}" +if [ "${pyver%%.*}" != "3" ]; then + printf "Wrong python version, or python missing. Must be v 3.x.\n" 1>&2 + exit 1 +fi + id -u 1>/dev/null 2>/dev/null || $err "suid check failed (id -u)" [ "$(id -u)" != "0" ] || $err "this command as root is not permitted" 
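Review bot: The relocated Python check in include/lib.sh probes the literal `python` instead of the interpreter the preceding lines selected into `$python`. On a host that ships only `python3`, both `python -c ...` calls fail and the script stops with "Cannot determine which Python version." although a usable interpreter was found. Where both exist, the version validated may belong to a different binary than the one later symlinked into xbmkpath. Both probes should read `"$python" -c 'import sys; print(sys.version_info[:])'`, and `command -v $python` should quote its argument as `command -v "$python"`.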
@@ -107,10 +113,19 @@ if [ -z "${TMPDIR+x}" ]; then export TMPDIR="/tmp" export TMPDIR="$(mktemp -d -t xbmk_XXXXXXXX)" touch lock || $err "cannot create 'lock' file" - rm -Rf "$XBMK_CACHE/xbmkpath" || $err "cannot remove xbmkpath" - mkdir -p "$XBMK_CACHE/xbmkpath" || $err "cannot create xbmkpath" - export PATH="$XBMK_CACHE/xbmkpath:$PATH" || \ - $err "Can't create xbmkpath" + rm -Rf "$XBMK_CACHE/xbmkpath" "$XBMK_CACHE/gnupath" || \ + $err "cannot remove xbmkpath" + mkdir -p "$XBMK_CACHE/gnupath" "$XBMK_CACHE/xbmkpath" || \ + $err "cannot create gnupath" + export PATH="$XBMK_CACHE/xbmkpath:$XBMK_CACHE/gnupath:$PATH" || \ + $err "Can't create gnupath/xbmkpath" + ( + # set up python v3.x in PATH, in case it's not set up correctly. + # see code above that detected the correct python3 command. + cd "$XBMK_CACHE/xbmkpath" || $err "can't cd $XBMK_CACHE/xbmkpath" + ln -s "`command -v "$python"`" python || \ + $err "Can't set up python symlink in $XBMK_CACHE/xbmkpath" + ) || $err "Can't set up python symlink in $XBMK_CACHE/xbmkpath" xbmk_parent="y" fi diff --git a/include/rom.sh b/include/rom.sh index 2a7bc837..3e8c9c9b 100644 --- a/include/rom.sh +++ b/include/rom.sh @@ -7,7 +7,11 @@ mkserprog() { + [ $# -lt 1 ] && $err "mkserprog: no arguments provided" [ "$_f" = "-d" ] && return 0 # dry run + + [ "$1" = "pico" ] && mkpicotool + basename -as .h "$serdir/"*.h > "$TMPDIR/ser" || $err "!mk $1 $TMPDIR" while read -r sertarget; do @@ -20,6 +24,7 @@ mkserprog() ln -srf "$sersrc/build_$pt/" "$sersrc/build") \ && x_ cmake -DPICO_BOARD="$sertarget" \ -DPICO_SDK_PATH="$picosdk" -B "$sersrc/build" "$sersrc" \ + -Dpicotool_DIR="$picotool/picotool" \ && x_ cmake --build "$sersrc/build" [ "$1" = "stm32" ] && x_ make -C "$sersrc" \ libopencm3-just-make BOARD=$sertarget && x_ make -C \ 
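Review bot: `export PATH="$XBMK_CACHE/xbmkpath:$XBMK_CACHE/gnupath:$PATH"` puts two cache directories ahead of every system directory, so anything placed in them shadows host tools for the rest of the build, yet nothing in this hunk checks that `$XBMK_CACHE` is non-empty and absolute. Its assignment is outside the hunk, so this may already be enforced; if not, an empty or relative value would make `rm -Rf`/`mkdir -p` act on `/xbmkpath` or a cwd-relative path and add a relative entry to PATH. A guard before the `rm -Rf`, such as `case "$XBMK_CACHE" in /*) ;; *) $err "XBMK_CACHE must be an absolute path" ;; esac`, would make the assumption explicit. The message "cannot remove xbmkpath" now also covers gnupath and could name both.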
@@ -30,6 +35,18 @@ mkserprog() [ "$XBMK_RELEASE" = "y" ] && mkrom_tarball "bin/serprog_$1"; return 0 } +mkpicotool() +{ + rm -Rf "$picotool" || $err "Can't remove picotool builddir" + ( + x_ cd src/picotool + cmake -DCMAKE_INSTALL_PREFIX=xbmkbin -DPICOTOOL_FLAT_INSTALL=1 \ + -DPICO_SDK_PATH=../pico-sdk || \ + $err "Can't prep picotool" + make install || $err "Can't build picotool"; : + ) || $err "Can't build picotool"; : +} + copyps1bios() { x_ rm -Rf bin/playstation diff --git a/include/vendor.sh b/include/vendor.sh index 15d4e5cb..bde245d9 100644 --- a/include/vendor.sh +++ b/include/vendor.sh @@ -12,7 +12,7 @@ appdir="$vendir/app" cbcfgsdir="config/coreboot" hashfiles="vendorhashes blobhashes" # blobhashes for backwards compatibility dontflash="!!! AN ERROR OCCURED! Please DO NOT flash if injection failed. !!!" -vfix="DO_NOT_FLASH_YET._FIRST,_INJECT_BLOBS_VIA_INSTRUCTIONS_ON_LIBREBOOT.ORG_" +vfix="DO_NOT_FLASH_YET._FIRST,_INJECT_FILES_VIA_INSTRUCTIONS_ON_LIBREBOOT.ORG_" vguide="https://libreboot.org/docs/install/ivy_has_common.html" tmpromdel="$PWD/tmp/DO_NOT_FLASH" @@ -33,7 +33,8 @@ eval "`setvars "" has_hashes EC_hash DL_hash DL_url_bkup MRC_refcode_gbe vcfg \ archive EC_url boarddir rom cbdir DL_url nukemode cbfstoolref FSPFD_hash \ _7ztest ME11bootguard ME11delta ME11version ME11sku ME11pch tmpromdir \ IFD_platform ifdprefix cdir sdir _me _metmp mfs TBFW_url_bkup TBFW_url \ - TBFW_hash TBFW_size hashfile xromsize xchanged EC_url_bkup $cv`" + TBFW_hash TBFW_size hashfile xromsize xchanged EC_url_bkup need_files \ + vfile $cv`" vendor_download() { @@ -65,7 +66,7 @@ readkconfig() CONFIG_LENOVO_TBFW_BIN CONFIG_FSP_M_FILE CONFIG_FSP_S_FILE; do eval "[ \"\${$c}\" = \"/dev/null\" ] && continue" eval "[ -z \"\${$c}\" ] && continue" - eval "`setcfg "config/vendor/$vcfg/pkg.cfg"`"; return 0 + eval "`setcfg "$vfile"`"; return 0 done printf "Vendor files not needed for: %s\n" "$board" 1>&2; return 1 } 
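Review bot: In the new `mkpicotool`, `cmake` is invoked with only `-D` options and no source or build directory, so it relies on CMake assuming the current directory for both; recent CMake releases warn that this form is slated to become an error. Passing the directory explicitly avoids that, e.g. ending the option list with `-DPICO_SDK_PATH=../pico-sdk . || \`. Separately, `rm -Rf "$picotool"` acts on a variable that is not assigned anywhere in this diff, so `rm -Rf "${picotool:?}"` would fail closed if it is ever empty or unset.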
@@ -340,6 +341,7 @@ fail_inject() vendor_inject() { + need_files="n" # will be set to "y" if vendorfiles needed _olderr="$err" err="fail_inject" remkdir "$tmpromdel" 
@@ -347,35 +349,87 @@ vendor_inject() set +u +e; [ $# -lt 1 ] && $err "No options specified. - $dontflash" eval "`setvars "" nukemode new_mac xchanged`" + # randomise the MAC address by default + # TODO: support setting CBFS MAC address for GA-G41M-ES2L + new_mac="??:??:??:??:??:??" + archive="$1"; [ $# -gt 1 ] && case "$2" in - nuke) nukemode="nuke" ;; + nuke) + new_mac="" + nukemode="nuke" ;; setmac) - new_mac="??:??:??:??:??:??" - [ $# -gt 2 ] && new_mac="$3" ;; + [ $# -gt 2 ] && new_mac="$3" && \ + [ -z "$new_mac" ] && $err \ + "You set an empty MAC address string" ;; *) $err "Unrecognised inject mode: '$2'" esac + # allow the user to skip setting MAC addresses. + # if new_mac is empty, this script skips running nvmutil + [ "$new_mac" = "keep" ] && new_mac="" + + # we don't allow the *user* to clear new_mac, in the setmac + # command, in case the build system is being integrated with + # another, where setmac is relied upon and is being set + # explicitly. this is a preventative error handle, as a courtes + # to that hypothetical user e.g. Linux distro package maintainer + # integrating this build system into their distro. if they used + # a variable for that, and they forgot to initialise it, they'll know. + check_release "$archive" || \ $err "You must run this script on a release archive. 
- $dontflash" - if readcfg; then + + [ "$new_mac" = "restore" ] && \ + printf "Restoring default GbE for '$archive', board '$board'\n" + + readcfg && need_files="y" + if [ "$need_files" = "y" ] || [ -n "$new_mac" ]; then [ "$nukemode" = "nuke" ] || x_ ./mk download "$board" patch_release_roms - else - printf "Tarball '%s' (board '%s) doesn't need vendorfiles.\n" \ - "$archive" "$board" - err="$_olderr" - return 0 fi + [ "$need_files" != "y" ] && printf \ + "\nTarball '%s' (board '%s) doesn't need vendorfiles.\n" \ + "$archive" "$board" 1>&2 xtype="patched" && [ "$nukemode" = "nuke" ] && xtype="nuked" - [ "$xchanged" = "y" ] || \ - printf "\nRelease archive '%s' was not modified.\n" "$archive" + [ "$xchanged" != "y" ] && \ + printf "\nRelease archive '%s' was *NOT* modified.\n" \ + "$archive" && [ "$has_hashes" = "y" ] && \ + printf "WARNING: '%s' contains '%s'. DO NOT FLASH!\n" \ + "$archive" "$hashfile" 1>&2 && \ + printf "(vendorfiles may be needed and aren't there)\n" \ + 1>&2 [ "$xchanged" = "y" ] && \ printf "\nRelease archive '%s' successfully %s.\n" \ - "$archive" "$xtype" + "$archive" "$xtype" && [ "$nukemode" != "nuke" ] && \ + printf "You may now extract '%s' and flash images from it.\n" \ + "$archive" [ "$xchanged" = "y" ] && [ "$nukemode" = "nuke" ] && \ - printf "!!!WARNING!!! -> Vendor files removed. DO NOT FLASH.\n" + printf "WARNING! Vendorfiles *removed*. DO NOT FLASH.\n" 1>&2 \ + && printf "DO NOT flash images from '%s'\n" \ + "$archive" 1>&2 + + [ "$need_files" = "n" ] && printf \ + "Board '%s' doesn't use vendorfiles, so none were inserted.\n" \ + "$board" + + # + # catch-all error handler, for libreboot release opsec: + # + # if vendor files defined, and a hash file was missing, that means + # a nuke must succeed, if specified. if no hashfile was present, + # that means vendorfiles had been injected, so a nuke must succeed. 
+ # this check is here in case of future bugs in lbmk's handling + # of vendorfile deletions on release archives, which absolutely + # must always be 100% reliable, so paranoia is paramount: + # + if [ "$xchanged" != "y" ] && [ "$need_files" = "y" ] && \ + [ "$nukemode" = "nuke" ] && [ "$has_hashes" != "y" ]; then + printf "FAILED NUKE: tarball '$archive', board '$board'\n" 1>&2 + $err "Unhandled vendorfile deletion: DO NOT RELEASE TO RSYNC" + fi # of course, we assume that those variables are also set right + err="$_olderr" return 0 } @@ -406,8 +460,17 @@ readcfg() [ "$board" = "serprog_stm32" ] || \ [ "$board" = "serprog_pico" ]; then return 1 - fi; boarddir="$cbcfgsdir/$board" - eval "`setcfg "$boarddir/target.cfg"`"; chkvars vcfg tree + fi + boarddir="$cbcfgsdir/$board" + + eval "`setcfg "$boarddir/target.cfg"`" + chkvars tree + x_ ./mk -d coreboot "$tree" # even if vendorfiles not used, see: setmac + + [ -z "$vcfg" ] && return 1 + vfile="config/vendor/$vcfg/pkg.cfg" + [ -L "$vfile" ] && $err "'$archive', '$board': $vfile is a symlink" + [ -f "$vfile" ] || $err "'$archive', '$board': $vfile doesn't exist" cbdir="src/coreboot/$tree" cbfstool="elf/cbfstool/$tree/cbfstool" @@ -416,9 +479,7 @@ readcfg() kbc1126_ec_dump="$PWD/$cbdir/util/kbc1126/kbc1126_ec_dump" cbfstool="elf/cbfstool/$tree/cbfstool" ifdtool="elf/ifdtool/$tree/ifdtool" - [ -n "$IFD_platform" ] && ifdprefix="-p $IFD_platform" - - x_ ./mk -d coreboot "$tree" + [ -n "$IFD_platform" ] && ifdprefix="-p $IFD_platform"; : } patch_release_roms() @@ -477,6 +538,8 @@ patch_release_roms() 1>&2 printf "This board probably lacks Intel ethernet.\n" \ 1>&2 + printf "(or it's pre-IFD Intel with Intel GbE NIC)\n" \ + 1>&2 fi fi 
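Review bot: Two new messages in `vendor_inject` expand `$archive` and `$board` inside the printf format string: `printf "Restoring default GbE for '$archive', board '$board'\n"` and the `FAILED NUKE` line in the catch-all check. `$archive` is the caller's first argument, so a `%` or backslash in the tarball name is read as a format directive and can garble the very warning the operator needs to see. Both should use the form found elsewhere in the hunk, e.g. `printf "Restoring default GbE for '%s', board '%s'\n" "$archive" "$board"` and `printf "FAILED NUKE: tarball '%s', board '%s'\n" "$archive" "$board" 1>&2`. Minor wording: the long comment has "courtes" for "courtesy", and the "doesn't need vendorfiles" message never closes the quote after the board name. The function begins in the previous hunk, so its opening lines are not all visible here.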
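Review bot: The new `[ -L "$vfile" ]` and `[ -f "$vfile" ]` checks in `readcfg` test only the final path component, while `$vcfg` comes from the `eval` of `target.cfg` and is spliced directly into `config/vendor/$vcfg/pkg.cfg`. A value containing `/` or `..`, or a symlinked directory under `config/vendor`, would pass both tests, and `readkconfig` then evaluates that file through `setcfg "$vfile"`. If `vcfg` is meant to be a single directory name (its allowed values are not shown here), rejecting anything else before building the path would close the gap: `case "$vcfg" in */*|.|..) $err "'$board': invalid vcfg '$vcfg'" ;; esac`. `readcfg` starts before and continues after this hunk.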
@@ -551,11 +614,24 @@ patch_rom() { rom="$1" + # regarding ifs below: + # if a hash file exists, we only want to allow inject. + # if a hash file is missing, we only want to allow nuke. + # this logical rule prevents double-nuke and double-inject + + # if injecting without a hash file i.e. inject what was injected + # (or inject where no vendor files are needed, covered previously) if [ "$has_hashes" != "y" ] && [ "$nukemode" != "nuke" ]; then printf "inject: '%s' has no hash file. Skipping.\n" \ "$archive" 1>&2 return 1 fi + # nuking *with* a hash file, i.e. nuking what was nuked before + if [ "$has_hashes" = "y" ] && [ "$nukemode" = "nuke" ]; then + printf "inject nuke: '%s' has a hash file. Skipping nuke.\n" \ + "$archive" 1>&2 + return 1 + fi [ -n "$CONFIG_HAVE_REFCODE_BLOB" ] && inject "fallback/refcode" \ "$CONFIG_REFCODE_BLOB_FILE" "stage" @@ -645,7 +721,9 @@ modify_mac_addresses() [ -n "$CONFIG_GBE_BIN_PATH" ] || return 1 e "${CONFIG_GBE_BIN_PATH##*../}" f n && $err "missing gbe file" - x_ make -C util/nvmutil + [ "$new_mac" != "restore" ] && \ + x_ make -C util/nvmutil + x_ mkdir -p tmp [ -L "tmp/gbe" ] && $err "tmp/gbe exists but is a symlink" [ -d "tmp/gbe" ] && $err "tmp/gbe exists but is a directory" @@ -654,7 +732,8 @@ modify_mac_addresses() fi x_ cp "${CONFIG_GBE_BIN_PATH##*../}" "tmp/gbe" - x_ "util/nvmutil/nvm" "tmp/gbe" setmac "$new_mac" + [ "$new_mac" != "restore" ] && \ + x_ "util/nvmutil/nvm" "tmp/gbe" setmac "$new_mac" find "$tmpromdir" -maxdepth 1 -type f -name "*.rom" > "tmp/rom.list" \ || $err "'$archive' -> Can't make tmp/rom.list - $dontflash" @@ -669,4 +748,9 @@ modify_mac_addresses() printf "\nThe following GbE NVM words were written in '%s':\n" \ "$archive" x_ util/nvmutil/nvm tmp/gbe dump + + [ "$new_mac" = "restore" ] && \ + printf "\nNOTE: User specified setmac 'restore' argument.\n" && \ + printf "Default GbE file '%s' written without running nvmutil.\n" \ + "${CONFIG_GBE_BIN_PATH##*../}"; : } |
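Review bot: With `setmac restore`, the hunk at -645 in `modify_mac_addresses` skips `x_ make -C util/nvmutil`, but the context of the final hunk still runs `x_ util/nvmutil/nvm tmp/gbe dump`, apparently unconditionally. On a tree where nvmutil has not yet been built, the restore path would therefore fail at the dump step, and it contradicts the new closing message that the GbE file was written "without running nvmutil". Either build nvmutil regardless of mode and keep only the `setmac` call conditional, or guard the dump the same way, e.g. `[ "$new_mac" != "restore" ] && x_ util/nvmutil/nvm tmp/gbe dump`. Indentation is lost on this page and the function starts outside these hunks, so whether the dump sits inside a conditional cannot be confirmed from here.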