From 20be007f5b7042196647eabc5b6ec9d0d84ac108 Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Sat, 9 Sep 2023 20:05:11 +0100 Subject: blobs/inject: fix checksum validation if no-ucode on e6400_4mb, the release build scripts remove nvidia's vga rom which is used on dgpu models. however, microcode is also removed in separately copied rom images the inject script was inserting vgaroms directly into these no-microcode roms, but the microcode blob is bigger than the vga rom, and cbfstool inserts into the first available free spot within cbfs, so it was inserting into the spot where cpu microcode went. this caused the rom checksum to not match what was generated during build/release/roms being executed the only real fix is to guarantee offsets within cbfs for all files, by recording what offsets were used and then calculating that during insertion so this patch is a workaround, but fixes the issue. the workaround is: don't insert blobs directly on no-microcode roms, instead insert only on microcode-based roms, then re-copy those roms and remove microcode in aptly named copies it's a bit more convoluted, but works perfectly fine. Signed-off-by: Leah Rowe --- script/update/blobs/inject | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/script/update/blobs/inject b/script/update/blobs/inject index 10691658..abdea964 100755 --- a/script/update/blobs/inject +++ b/script/update/blobs/inject @@ -9,6 +9,8 @@ . "include/defconfig.sh" . "include/blobutil.sh" +release_archive="n" + main() { sname="${0}" @@ -103,8 +105,10 @@ build_dependencies() inject_blobs() { + release_archive="n" if [ "${release}" = "true" ]; then printf "patching release file\n" + release_archive="y" patch_release_roms else patch_rom "${rom}" || \ @@ -124,13 +128,22 @@ patch_release_roms() echo "patching rom $x" patch_rom "${x}" || err "patch_release_roms: could not patch ${x}" done + for x in "${_tmpdir}"/bin/*/*_nomicrocode.rom ; do + [ -f "${x}" ] || continue + [ -f "${x%_nomicrocode.rom}.rom" ] || continue + + cp "${x%_nomicrocode.rom}.rom" "${x}" || \ + err "patch_release_roms: ${x}: can't overwrite no-ucode rom" + "${cbfstool}" "${x}" remove -n cpu_microcode_blob.bin || \ + err "patch_release_roms: ${x}: cannot remove u-code" + done ( cd "${_tmpdir}"/bin/* # NOTE: For compatibility with older rom releases, defer to sha1 sha512sum --status -c blobhashes || \ - sha1sum --statuc -c blobhashes || \ + sha1sum --status -c blobhashes || \ err "patch_release_roms: ROMs did not match expected hashes" ) @@ -154,6 +167,16 @@ patch_rom() { rom="${1}" + # we don't process no-microcode roms; these are + # instead re-created at the end, after re-inserting + # on roms with microcode, by copying and then removing, + # so that the hashes will match (otherwise, cbfstool + # may sometimes insert certain blobs at the wrong offset) + # (unless nomicrocode is the only config provided) + [ "${rom}" != "${rom%_nomicrocode.rom}.rom" ] && \ + [ -f "${rom%_nomicrocode.rom}.rom" ] && \ + [ "${release_archive}" = "y" ] && return 0 + check_defconfig "${boarddir}" || exit 1 set -- "${boarddir}/config/"* . "${1}" 2>/dev/null -- cgit v1.2.1