From d668f3a35296f0bc7884b18d49f523d7bb331c30 Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Thu, 15 May 2025 21:51:36 +0100 Subject: vendor.sh: Properly verify SHA512SUM on extraction I currently check the downloaded files e.g. .exe file, but then I don't check - or even define - sha512sums for the files extracted from them e.g. me.bin This patch fixes that. It also caches the hashed files, so that extraction is faster on a re-run - this makes release builds go faster, when running ./mk release If a checksum is not defined, i.e. blank, then a warning is given, telling you to check a specific directory. This way, when adding new vendor files, you can add it first without specifying the checksum, e.g. me.bin checksum. Then you can manually inspect the files that were extracted, and define it, then test again. In a given pkg.cfg for config/vendor, the following variables are now available for use: FSPM_bin_hash for fsp m module FSPS_bin_hash for fsp s module EC_FW1_hash for KBC1126 EC firmware (1st file) EC_FW2_hash for KBC1126 EC firmware (2nd file) ME_bin_hash for me.bin MRC_bin_hash for mrc.bin (broadwell boards) REF_bin_hash for refcode (broadwell boards) SCH5545EC_bin_hash for sch5545 firmware (Dell Precision T1650) TBFW_bin_hash for Lenovo ThunderBolt firmware (e.g. T480/T480s) E6400_VGA_bin_hash for Dell E6400 Nvidia VGA ROM In practise, most people use release archives, and the inject script, so I knew those were reliable, because the ROM images were hashed prior to removing files. This patch benefits people using lbmk.git directly, without using release files, because now they know they have a valid file e.g. me.bin Previously, only the download was checked, not the extracted files, which meant that the only thing preventing a brick was the code not being buggy. Any number of bugs could pop up in the future, so this new level of integrity will protect against such a scenario, and provide early warning prompting bug fixes. Signed-off-by: Leah Rowe --- config/vendor/3050micro/pkg.cfg | 3 ++ config/vendor/e6400/pkg.cfg | 1 + config/vendor/haswell/pkg.cfg | 1 + config/vendor/hp2170p/pkg.cfg | 3 ++ config/vendor/hp2560p/pkg.cfg | 3 ++ config/vendor/hp2570p/pkg.cfg | 3 ++ config/vendor/hp8200sff/pkg.cfg | 1 + config/vendor/hp820g2/pkg.cfg | 3 ++ config/vendor/hp8460pintel/pkg.cfg | 3 ++ config/vendor/hp8470pintel/pkg.cfg | 3 ++ config/vendor/hp8560w/pkg.cfg | 3 ++ config/vendor/hp9470m/pkg.cfg | 3 ++ config/vendor/ivybridge/pkg.cfg | 1 + config/vendor/sandybridge/pkg.cfg | 1 + config/vendor/t1650/pkg.cfg | 2 + config/vendor/t1700/pkg.cfg | 2 + config/vendor/t480/pkg.cfg | 4 ++ config/vendor/t480s/pkg.cfg | 5 ++ include/get.sh | 26 +++++---- include/mrc.sh | 13 ++--- include/vendor.sh | 108 ++++++++++++++++++++++++++----------- 21 files changed, 142 insertions(+), 50 deletions(-) diff --git a/config/vendor/3050micro/pkg.cfg b/config/vendor/3050micro/pkg.cfg index 497a27a6..45ba55d1 100644 --- a/config/vendor/3050micro/pkg.cfg +++ b/config/vendor/3050micro/pkg.cfg @@ -3,6 +3,7 @@ DL_hash="976bbb1e625f64df276d8343757d910c88b8a781f953bc2c41a7dd15184ec70d55f8081de2a0aaa83cddb8e73bdc2df6288fde6e0897e4928c48ca4bb30bea2d" DL_url="https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip" DL_url_bkup="https://web.archive.org/web/20230822134231/https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip" +ME_bin_hash="3231ddb79be81f0a631926fc0e533ee7bce2d10032d7d45e56ae8a9894bcf9b4ca0b4f6fd3bc4daa185a464e771e0bf3d1b771a3180739b6896cec911758145b" # for Fsp.fd, we don't rely on a download. Instead, # we copy from coreboot.git. The file is defined @@ -10,6 +11,8 @@ DL_url_bkup="https://web.archive.org/web/20230822134231/https://download.asrock. # and inserted to CBFS with names CONFIG_FSP_S_CBFS and CONFIG_FSP_M_CBFS # FSPFD_hash="c500166a8553a80ba8db8b8185a896e0ae1562ea3c139e07acd9e7937baf8110ba743cc79b69db09a5f39c076d1d22bc45045223975f46aea2034ba82a6b0360" +FSPM_bin_hash="b15712a53f4d16f36b384beb6dbb716c0b0924751d6ca1e229cd4b8c03aef9eda025c235af247e53dac94d94b79559623974d0d21c7f97e125d8ecc2c86bf03f" +FSPS_bin_hash="64ac9f93e43efddc35931e168d6594c2b39fb5a0da863d22f2d000d7eacc0692b07ce89389cbb1c5b95ff9b2bba508c538e37d0e644fcab7b2cada773da65ce6" # We will use deguard to disable the Intel Boot Guard: ME11bootguard="y" diff --git a/config/vendor/e6400/pkg.cfg b/config/vendor/e6400/pkg.cfg index c5962480..21d1e69d 100644 --- a/config/vendor/e6400/pkg.cfg +++ b/config/vendor/e6400/pkg.cfg @@ -1,6 +1,7 @@ # SPDX-License-Identifier: GPL-3.0-or-later E6400_VGA_DL_hash="6217d5fce2291d15bb0649fd2faaeb78e4c48962b07a2bea6af60466bfdc5f233af0d077c2c6e71dd96047bdbb1f612324cef0a5e728ba9a9ec5c69a4022cd8d" +E6400_VGA_bin_hash="24fb3d934afca13bd2b43ec958aa2f69654e0f8ee2dd6ca910350a738dea22cfd7f69626093e047566b27c0dd9f3595beeacaad7812fc7f6a13970e49e7b60f3" E6400_VGA_DL_url="https://dl.dell.com/FOLDER01530530M/1/E6400A34.exe" E6400_VGA_DL_url_bkup="https://web.archive.org/web/20230506014903/https://dl.dell.com/FOLDER01530530M/1/E6400A34.exe" E6400_VGA_offset="274451" diff --git a/config/vendor/haswell/pkg.cfg b/config/vendor/haswell/pkg.cfg index e9722a11..401736b5 100644 --- a/config/vendor/haswell/pkg.cfg +++ b/config/vendor/haswell/pkg.cfg @@ -1,5 +1,6 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="f3d79aec805c8b0094a4081be76b3a22d329c479ad18210449b7acc3236ccfc4a2103eaa7c5b79a4872bfd699eede047efd46dfb06dc8f47e3216fc254612998" +ME_bin_hash="8629caded7efd2aa234cc378b7118f0d300402537b8aff6aa3d9b895c6b14590a79cb02d1db7a91de36d36f5612386fc99ddcb57c9d78b1e75b5864e68763de1" DL_url="https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe" DL_url_bkup="https://web.archive.org/web/20211120031520/https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe" diff --git a/config/vendor/hp2170p/pkg.cfg b/config/vendor/hp2170p/pkg.cfg index 77cbd08b..192bcf41 100644 --- a/config/vendor/hp2170p/pkg.cfg +++ b/config/vendor/hp2170p/pkg.cfg @@ -1,8 +1,11 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c" +ME_bin_hash="672240d231a723ea7fac112262fdc28884c43a5be9b231dfae838c7a1edc86140da38983079d23ab5ac8e6c74611b65da4872ecbab3ec979c680d3f526eb91ed" DL_url="https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" DL_url_bkup="https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" EC_hash="940e533b6a276c13a6e46a93795ca84b19877b05e82c0c1795b7fea9cbea63c28e606ef994352fc77c4fdfb2e0c31c5edeefa98b989e1990364dfc6417b25460" EC_url="https://ftp.hp.com/pub/softpaq/sp96001-96500/sp96088.exe" EC_url_bkup="https://web.archive.org/web/20230909164345/https://ftp.hp.com/pub/softpaq/sp96001-96500/sp96088.exe" +EC_FW1_hash="44a27359e8e2ecfae910a754617d5ee947d6bba976f2eb53114a97c71b64813da7ab4223749706c9bbcaf1e752c190834ee3b41c297c191b3cac200814e02938" +EC_FW2_hash="09c5b8bab6f258a0303ac502b4900cd4277bd6c43bfd2ef0030df6e918ef3300d04d2979373f8b05f77d1eae1c27ebd01856426b8eed6f215e1fcaed68e0977e" diff --git a/config/vendor/hp2560p/pkg.cfg b/config/vendor/hp2560p/pkg.cfg index f7c7cd14..52b9394d 100644 --- a/config/vendor/hp2560p/pkg.cfg +++ b/config/vendor/hp2560p/pkg.cfg @@ -1,8 +1,11 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="81c9917938c4a2a4f128c976250451931efd0f25b51ff34f058ddacb8eec27272691371864a683ec7abcb924fea32592d061584c7b2571a5d3e84eb870281cc3" +ME_bin_hash="6a7eb169a01581682a2ecf4b284c1689eb7746cc80aa16ea1ce35d1a1c47a92664b5240defd62535e9707c3f3d42abfb62da3254b97e569de178099f7683c858" DL_url="https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe" DL_url_bkup="https://web.archive.org/web/20220202201637/https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe" EC_hash="a602cc7627c569bc423a5857cf506fbc3bcd68cb6b43a7c1b99d12a569b4107c412748cf49605ef4d5b930eb14b6815c4d1b1dc20145fe9d707e445fc201cea2" EC_url="https://ftp.hp.com/pub/softpaq/sp85501-86000/sp85526.exe" EC_url_bkup="https://web.archive.org/web/20230416125725/https://ftp.hp.com/pub/softpaq/sp85501-86000/sp85526.exe" +EC_FW1_hash="44a27359e8e2ecfae910a754617d5ee947d6bba976f2eb53114a97c71b64813da7ab4223749706c9bbcaf1e752c190834ee3b41c297c191b3cac200814e02938" +EC_FW2_hash="a05c1eb5433f43e035327d0ae74e9dbd09ecb45f00be656e477ebd5b505ca21bae820e90c29483c4c641591fdd2aebb6b6ea0ecfb879b506bc1a657c01a21bd2" diff --git a/config/vendor/hp2570p/pkg.cfg b/config/vendor/hp2570p/pkg.cfg index 9f1a85aa..1df49d73 100644 --- a/config/vendor/hp2570p/pkg.cfg +++ b/config/vendor/hp2570p/pkg.cfg @@ -1,8 +1,11 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c" +ME_bin_hash="672240d231a723ea7fac112262fdc28884c43a5be9b231dfae838c7a1edc86140da38983079d23ab5ac8e6c74611b65da4872ecbab3ec979c680d3f526eb91ed" DL_url="https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" DL_url_bkup="https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" EC_hash="61ed284bdf938c5f36ad3267263fb3963a6608339425bc41aaef3ab0cd98f07c998d816b0233735ca35dc6cb771257da3f09a40d5cfc96bb6388b4366348275e" EC_url="https://ftp.hp.com/pub/softpaq/sp96001-96500/sp96085.exe" EC_url_bkup="https://web.archive.org/web/20230610174558/https://ftp.hp.com/pub/softpaq/sp96001-96500/sp96085.exe" +EC_FW1_hash="44a27359e8e2ecfae910a754617d5ee947d6bba976f2eb53114a97c71b64813da7ab4223749706c9bbcaf1e752c190834ee3b41c297c191b3cac200814e02938" +EC_FW2_hash="d4afcad4960253af674f1dcd3a5a044444b7fcfbaa2a993f976997966b579a80d8a1c58b0ed0a47d862312ad81e433834bb1992c79f69d858d8c00e8cd62e1fb" diff --git a/config/vendor/hp8200sff/pkg.cfg b/config/vendor/hp8200sff/pkg.cfg index 9d0a34de..dba0b354 100644 --- a/config/vendor/hp8200sff/pkg.cfg +++ b/config/vendor/hp8200sff/pkg.cfg @@ -1,5 +1,6 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="8fcb691bf84dc1feefc3c84f7cc59eadaabb200477bb3ecba1b050f23f133b0a8c2539015a523f676544c2dff64599bcba7e844e8c31757b90d70bb4485b5664" +ME_bin_hash="732954bd288a7d7de3b779032476e2bd5a6f64b6971ff3053434d49ab55fd514db9f224e83883215646e50eecf4ecbdb69a65d5957d241e1146424053dd3ba91" DL_url="https://ftp.ext.hp.com/pub/softpaq/sp96001-96500/sp96026.exe" DL_url_bkup="https://web.archive.org/web/20220708171920/https://ftp.ext.hp.com/pub/softpaq/sp96001-96500/sp96026.exe" diff --git a/config/vendor/hp820g2/pkg.cfg b/config/vendor/hp820g2/pkg.cfg index 308148c5..4a2fdbb3 100644 --- a/config/vendor/hp820g2/pkg.cfg +++ b/config/vendor/hp820g2/pkg.cfg @@ -1,6 +1,7 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="1ac05a3e4f46426eeb77f89c4aca25ed1ad64479d8fcba6a3ab63a944512bacbc5d148cc7b9c4ff4b8c90a1fb1de4776e46f14aca8021900e0df37246aa0b717" +ME_bin_hash="ca754e2fd09eb48bc14b2d1b19d3fa3ed1df2297cff2b7d9b68e9002812e745a59a8ca921f26834ae84c0076c64d8dfab75ce113b50e4badafbfb8ab6c14ad2b" DL_url="https://download.lenovo.com/pccbbs/mobiles/n10rg50w.exe" DL_url_bkup="https://download.lenovo.com/pccbbs/mobiles/n10rg50w.exe" MRC_url="https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_13904.77.0_samus_recovery_stable-channel_mp-v3.bin.zip" @@ -9,3 +10,5 @@ MRC_hash="3ff1599c52539f0707a07a8664a84ce51cd3fed1569df4bb7aa6722fc8dec0af175425 MRC_board="samus" MRC_refcode_cbtree="fam15h" MRC_refcode_gbe="131253" +MRC_bin_hash="cade33e8664fb92ebb6ce0c92b572f587f047b2832babb6bd30eb221dba76b08d578e189ba1f89cdb4c956aecd092ebd7443adbc30cf3800452b906967cedc11" +REF_bin_hash="7efa3bdc48d548924b4c57bbadc99a7add91ac8c5eb7f8f98874c2f8583ca0e71e99997186aaf2714c8ca56593e12c80c1aa9e727a462ef9d2c36963042e7d56" diff --git a/config/vendor/hp8460pintel/pkg.cfg b/config/vendor/hp8460pintel/pkg.cfg index 1e1da34e..1140e5c9 100644 --- a/config/vendor/hp8460pintel/pkg.cfg +++ b/config/vendor/hp8460pintel/pkg.cfg @@ -1,8 +1,11 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="81c9917938c4a2a4f128c976250451931efd0f25b51ff34f058ddacb8eec27272691371864a683ec7abcb924fea32592d061584c7b2571a5d3e84eb870281cc3" +ME_bin_hash="6a7eb169a01581682a2ecf4b284c1689eb7746cc80aa16ea1ce35d1a1c47a92664b5240defd62535e9707c3f3d42abfb62da3254b97e569de178099f7683c858" DL_url="https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe" DL_url_bkup="https://web.archive.org/web/20220202201637/https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe" EC_hash="9be5511d7ba07a376583cbd0b7fa4d7dff87ebc94b78d489fd62a14cb7f61eac99670e6a10ce374fe8e3c4bdafabbd1edce7774c3a482c15c2d4207b74ea49ed" EC_url="https://ftp.hp.com/pub/softpaq/sp85501-86000/sp85528.exe" EC_url_bkup="https://web.archive.org/web/20211231004901/https://ftp.ext.hp.com/pub/softpaq/sp85501-86000/sp85528.exe" +EC_FW1_hash="44a27359e8e2ecfae910a754617d5ee947d6bba976f2eb53114a97c71b64813da7ab4223749706c9bbcaf1e752c190834ee3b41c297c191b3cac200814e02938" +EC_FW2_hash="8eba6e0087e42a2f552de3367639b376501d31e8ae1629846496c3eb46ed7d2f9b46531dc245cc2ce5f4a91047fe84a37b350864cdc37530148f456818c0133e" diff --git a/config/vendor/hp8470pintel/pkg.cfg b/config/vendor/hp8470pintel/pkg.cfg index 1170f56b..db0b6e69 100644 --- a/config/vendor/hp8470pintel/pkg.cfg +++ b/config/vendor/hp8470pintel/pkg.cfg @@ -1,8 +1,11 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c" +ME_bin_hash="672240d231a723ea7fac112262fdc28884c43a5be9b231dfae838c7a1edc86140da38983079d23ab5ac8e6c74611b65da4872ecbab3ec979c680d3f526eb91ed" DL_url="https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" DL_url_bkup="https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" EC_hash="b95c9cf909ed537fb448e2be69eddcb57459efbaf0a979a73cd2bce90a7014b110f4dbbeecfd596c072636396b8f20c229c59ffe34e45500ce9edb000c6ccaf9" EC_url="https://ftp.hp.com/pub/softpaq/sp77501-78000/sp77818.exe" EC_url_bkup="https://web.archive.org/web/20230909173821/https://ftp.hp.com/pub/softpaq/sp77501-78000/sp77818.exe" +EC_FW1_hash="44a27359e8e2ecfae910a754617d5ee947d6bba976f2eb53114a97c71b64813da7ab4223749706c9bbcaf1e752c190834ee3b41c297c191b3cac200814e02938" +EC_FW2_hash="d7a44b682b1dae7f3cbcc34646b3dd80895a7e2132ab0292b3d42ccf54a9fa447773f7e8e914b0c427adaaad8aa54224e7e146dc72280cf04093956727f41a03" diff --git a/config/vendor/hp8560w/pkg.cfg b/config/vendor/hp8560w/pkg.cfg index 629d96d1..224b448c 100644 --- a/config/vendor/hp8560w/pkg.cfg +++ b/config/vendor/hp8560w/pkg.cfg @@ -1,8 +1,11 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="81c9917938c4a2a4f128c976250451931efd0f25b51ff34f058ddacb8eec27272691371864a683ec7abcb924fea32592d061584c7b2571a5d3e84eb870281cc3" +ME_bin_hash="6a7eb169a01581682a2ecf4b284c1689eb7746cc80aa16ea1ce35d1a1c47a92664b5240defd62535e9707c3f3d42abfb62da3254b97e569de178099f7683c858" DL_url="https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe" DL_url_bkup="https://web.archive.org/web/20220202201637/https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe" EC_hash="8e2bc5dca1a1cf0cfc1ac9df74eb6fda333f8ae560019f8182a49d3a716d72938f6cde4aa5ee56942def08207d3ef95706653bd238768fd029da43e9a4fbcc67" EC_url="https://ftp.hp.com/pub/softpaq/sp78001-78500/sp78085.exe" EC_url_bkup="https://web.archive.org/web/20230402085323/https://ftp.hp.com/pub/softpaq/sp78001-78500/sp78085.exe" +EC_FW1_hash="44a27359e8e2ecfae910a754617d5ee947d6bba976f2eb53114a97c71b64813da7ab4223749706c9bbcaf1e752c190834ee3b41c297c191b3cac200814e02938" +EC_FW2_hash="82882406167e7df8ff90d2ea8d93adee59c3e8eb034b6dfcd0ff70cadf8ab3e5acee7262dd344560e118d00b010ed13c18539b042dae0b4b4e6a2c09402aadc4" diff --git a/config/vendor/hp9470m/pkg.cfg b/config/vendor/hp9470m/pkg.cfg index 9cdb8143..46f1349b 100644 --- a/config/vendor/hp9470m/pkg.cfg +++ b/config/vendor/hp9470m/pkg.cfg @@ -1,8 +1,11 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c" +ME_bin_hash="672240d231a723ea7fac112262fdc28884c43a5be9b231dfae838c7a1edc86140da38983079d23ab5ac8e6c74611b65da4872ecbab3ec979c680d3f526eb91ed" DL_url="https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" DL_url_bkup="https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" EC_hash="563422bf5420da18b89439f28a38ea28a175f0ad3588f0f5ea39b08dfdd14c8d513cbf11c2125ec3869fc3b7222c7dc3d111415185ea9b73f41410b1b57f13bd" EC_url="https://ftp.hp.com/pub/softpaq/sp96001-96500/sp96090.exe" EC_url_bkup="http://web.archive.org/web/20220504072602/https://ftp.ext.hp.com/pub/softpaq/sp96001-96500/sp96090.exe" +EC_FW1_hash="44a27359e8e2ecfae910a754617d5ee947d6bba976f2eb53114a97c71b64813da7ab4223749706c9bbcaf1e752c190834ee3b41c297c191b3cac200814e02938" +EC_FW2_hash="0d7b446fda5e5cde9570b6df15e4c0ad6b9fad6b425f498669d91bccb4a4bb9a8d22d20f4adb9f116e38df6db3519aae14a6d8fd8cb3075c93ce7c5ae0d8eacb" diff --git a/config/vendor/ivybridge/pkg.cfg b/config/vendor/ivybridge/pkg.cfg index d9b2200b..3b3d1091 100644 --- a/config/vendor/ivybridge/pkg.cfg +++ b/config/vendor/ivybridge/pkg.cfg @@ -1,5 +1,6 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c" +ME_bin_hash="672240d231a723ea7fac112262fdc28884c43a5be9b231dfae838c7a1edc86140da38983079d23ab5ac8e6c74611b65da4872ecbab3ec979c680d3f526eb91ed" DL_url="https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" DL_url_bkup="https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" diff --git a/config/vendor/sandybridge/pkg.cfg b/config/vendor/sandybridge/pkg.cfg index bb022043..c243413f 100644 --- a/config/vendor/sandybridge/pkg.cfg +++ b/config/vendor/sandybridge/pkg.cfg @@ -1,5 +1,6 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="81c9917938c4a2a4f128c976250451931efd0f25b51ff34f058ddacb8eec27272691371864a683ec7abcb924fea32592d061584c7b2571a5d3e84eb870281cc3" +ME_bin_hash="6a7eb169a01581682a2ecf4b284c1689eb7746cc80aa16ea1ce35d1a1c47a92664b5240defd62535e9707c3f3d42abfb62da3254b97e569de178099f7683c858" DL_url="https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe" DL_url_bkup="https://web.archive.org/web/20220202201637/https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe" diff --git a/config/vendor/t1650/pkg.cfg b/config/vendor/t1650/pkg.cfg index f994b942..47303884 100644 --- a/config/vendor/t1650/pkg.cfg +++ b/config/vendor/t1650/pkg.cfg @@ -1,8 +1,10 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="4dc908050c91c1227645c900ddee88652937540af4ba222b0239b7f459f260cdf6e5e8113ac14e5543d00cf53abdd6c7bd23e61f690de1ce45a3709a30cbb91c" +ME_bin_hash="672240d231a723ea7fac112262fdc28884c43a5be9b231dfae838c7a1edc86140da38983079d23ab5ac8e6c74611b65da4872ecbab3ec979c680d3f526eb91ed" DL_url="https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" DL_url_bkup="https://web.archive.org/web/20210706183911/https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe" SCH5545EC_DL_url="https://dl.dell.com/FOLDER05065992M/1/T1650A28.exe" SCH5545EC_DL_url_bkup="https://web.archive.org/web/20230811151654/https://dl.dell.com/FOLDER05065992M/1/T1650A28.exe" SCH5545EC_DL_hash="18261d0f7f27e9de3b0b5a25019b9a934ef1a61cd3f0140e34f38553695e91e671e227a8fa962774edceab5c7804d13ed9fe1c518c5643c7c8f15632f903a6c4" +SCH5545EC_bin_hash="51d9540f73c60ba5e245a8a98c2215d477d3bad9759f1dae94a4fe63652421d8552406817c2482dd6ee3bb55d942bbc0315eab54095544d7956e73112e2d8483" diff --git a/config/vendor/t1700/pkg.cfg b/config/vendor/t1700/pkg.cfg index cc100683..979dd7bf 100644 --- a/config/vendor/t1700/pkg.cfg +++ b/config/vendor/t1700/pkg.cfg @@ -1,9 +1,11 @@ # SPDX-License-Identifier: GPL-3.0-or-later DL_hash="f3d79aec805c8b0094a4081be76b3a22d329c479ad18210449b7acc3236ccfc4a2103eaa7c5b79a4872bfd699eede047efd46dfb06dc8f47e3216fc254612998" +ME_bin_hash="8629caded7efd2aa234cc378b7118f0d300402537b8aff6aa3d9b895c6b14590a79cb02d1db7a91de36d36f5612386fc99ddcb57c9d78b1e75b5864e68763de1" DL_url="https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe" DL_url_bkup="https://web.archive.org/web/20211120031520/https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe" MRC_url="https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_13904.77.0_samus_recovery_stable-channel_mp-v3.bin.zip" MRC_url_bkup="https://web.archive.org/web/20220310155922/https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_13904.77.0_samus_recovery_stable-channel_mp-v3.bin.zip" MRC_hash="3ff1599c52539f0707a07a8664a84ce51cd3fed1569df4bb7aa6722fc8dec0af1754250333b6ca1a9794d970a4de7b29a5cf2499f5b61e4c3eab64d1314aaea9" +MRC_bin_hash="cade33e8664fb92ebb6ce0c92b572f587f047b2832babb6bd30eb221dba76b08d578e189ba1f89cdb4c956aecd092ebd7443adbc30cf3800452b906967cedc11" MRC_board="samus" diff --git a/config/vendor/t480/pkg.cfg b/config/vendor/t480/pkg.cfg index 3071f83d..90c31b75 100644 --- a/config/vendor/t480/pkg.cfg +++ b/config/vendor/t480/pkg.cfg @@ -2,6 +2,7 @@ # ME firmware (deguard will be used) DL_hash="df735a24242792bf4150f30bf0bd4fdbdc0fb6bf0f897ea533df32567be8e084006d692fb6351677f8cc976878c5018667901dbd407b0a77805754f7c101497c" +ME_bin_hash="fad8bcd2ea2ae9d1a2a1e223f499f15ada0787feb600eab3201669f82b7ade0741194fa86448eff57d7f68c8ebbfc1bf266b4d68aca509ee48db258902a805e7" DL_url="https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe" DL_url_bkup="https://web.archive.org/web/20241110222323/https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe" @@ -11,6 +12,8 @@ DL_url_bkup="https://web.archive.org/web/20241110222323/https://dl.dell.com/FOLD # and inserted to CBFS with names CONFIG_FSP_S_CBFS and CONFIG_FSP_M_CBFS # FSPFD_hash="c500166a8553a80ba8db8b8185a896e0ae1562ea3c139e07acd9e7937baf8110ba743cc79b69db09a5f39c076d1d22bc45045223975f46aea2034ba82a6b0360" +FSPM_bin_hash="b15712a53f4d16f36b384beb6dbb716c0b0924751d6ca1e229cd4b8c03aef9eda025c235af247e53dac94d94b79559623974d0d21c7f97e125d8ecc2c86bf03f" +FSPS_bin_hash="64ac9f93e43efddc35931e168d6594c2b39fb5a0da863d22f2d000d7eacc0692b07ce89389cbb1c5b95ff9b2bba508c538e37d0e644fcab7b2cada773da65ce6" # We will use deguard to disable the Intel Boot Guard: ME11bootguard="y" @@ -27,3 +30,4 @@ TBFW_url="https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe" TBFW_url_bkup="https://web.archive.org/web/20241004165955/https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe" TBFW_hash="906d916e8ae77e6d146c67c3113cd904e735a7f28cb2fc37e2284758ead5cda8dd4025c1c741fac9162b1eb01cff08fc39a0d4e79c5cec0515f1d3e6447d1323" TBFW_size=1048576 # size in bytes, when padding, matching TBFW's flash IC +TBFW_bin_hash="15aea269e79d92fe651fe613e30febee5459786169f647e5f321b7382892cf2b8fc61aa1afb8a04d0369b71579de54763272ba144673fbfadfefeb384d45c293" diff --git a/config/vendor/t480s/pkg.cfg b/config/vendor/t480s/pkg.cfg index a9e3e48b..4c1eeaf1 100644 --- a/config/vendor/t480s/pkg.cfg +++ b/config/vendor/t480s/pkg.cfg @@ -1,6 +1,8 @@ # SPDX-License-Identifier: GPL-3.0-or-later +# ME firmware (deguard will be used) DL_hash="df735a24242792bf4150f30bf0bd4fdbdc0fb6bf0f897ea533df32567be8e084006d692fb6351677f8cc976878c5018667901dbd407b0a77805754f7c101497c" +ME_bin_hash="1c77371187ef64e719debc75f606c78fc063b8a84f2704f3fa45e9e4d8a9bccec50420d262bbfbc0dd1695e038698b10113a1bc532a33b943321cd0811e40786" DL_url="https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe" DL_url_bkup="https://web.archive.org/web/20241110222323/https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe" @@ -10,6 +12,8 @@ DL_url_bkup="https://web.archive.org/web/20241110222323/https://dl.dell.com/FOLD # and inserted to CBFS with names CONFIG_FSP_S_CBFS and CONFIG_FSP_M_CBFS # FSPFD_hash="c500166a8553a80ba8db8b8185a896e0ae1562ea3c139e07acd9e7937baf8110ba743cc79b69db09a5f39c076d1d22bc45045223975f46aea2034ba82a6b0360" +FSPM_bin_hash="b15712a53f4d16f36b384beb6dbb716c0b0924751d6ca1e229cd4b8c03aef9eda025c235af247e53dac94d94b79559623974d0d21c7f97e125d8ecc2c86bf03f" +FSPS_bin_hash="64ac9f93e43efddc35931e168d6594c2b39fb5a0da863d22f2d000d7eacc0692b07ce89389cbb1c5b95ff9b2bba508c538e37d0e644fcab7b2cada773da65ce6" # We will use deguard to disable the Intel Boot Guard: ME11bootguard="y" @@ -26,3 +30,4 @@ TBFW_url="https://download.lenovo.com/pccbbs/mobiles/n22th11w.exe" TBFW_url_bkup="https://web.archive.org/web/20230319003752/https://download.lenovo.com/pccbbs/mobiles/n22th11w.exe" TBFW_hash="ef8ec0a41d7faaa0ce514cfb6f8e7e10669c878eff69fbe1b821443b6218f5b31e1b910c8abceecf38d4b11a6e552d90f277c96c7a9c512d605c8b8aea9c1c0c" TBFW_size=1048576 # size in bytes, when padding, matching TBFW's flash IC +TBFW_bin_hash="41672f3ccdbf7a39ffd7d94c5cfb16efd2911be7b980feaa88b0f33777bd679eafdb97019a9c7b1d32cf76297ba0cb81d5b36072f6be96cec2834011249984db" diff --git a/include/get.sh b/include/get.sh index 74adb6be..4bcccceb 100644 --- a/include/get.sh +++ b/include/get.sh @@ -84,8 +84,11 @@ xbmkget() [ "$1" = "curl" ] || [ "$1" = "copy" ] || [ "$1" = "git" ] || \ err "Bad dlop (arg 1): xbmkget $*" + echk="f" && [ "$1" = "git" ] && echk="d" + for url in "$2" "$3"; do - [ -n "$url" ] && try_file "$url" "$@" && return 0 + [ -n "$url" ] && try_file "$url" "$@" && \ + eval "[ -$echk \"$4\" ] && return 0" done && err "$1 $2 $3 $4: not downloaded"; : } @@ -100,11 +103,10 @@ try_file() echk="d" && [ "$2" != "git" ] && echk="f" && \ bad_checksum "$6" "$cached" 2>/dev/null && x_ rm -f "$cached" - e "$cached" $echk || try_$2 "$cached" "$@" || return 1 - if e "$5" $echk && [ "$2" != "git" ]; then - bad_checksum "$6" "$5" 2>/dev/null && x_ cp "$cached" "$5" - fi - e "$cached" $echk missing && return 1 + eval "[ -$echk \"$cached\" ] || try_$2 \"\$cached\" \"\$@\" || return 1" + [ "$2" != "git" ] && [ -f "$5" ] && \ + bad_checksum "$6" "$5" 2>/dev/null && x_ cp "$cached" "$5" + eval "[ -$echk \"$cached\" ] || return 1" if [ "$2" = "git" ]; then tmpclone "$cached" "$5" "$6" "$7" || return 1 @@ -113,6 +115,8 @@ try_file() [ "$cached" != "$5" ] && x_ cp "$cached" "$5" bad_checksum "$6" "$5" && x_ rm -f "$5" && return 1; : fi + + eval "[ -$echk \"$5\" ] || return 1" } try_curl() @@ -146,9 +150,13 @@ try_git() bad_checksum() { - [ ! -f "$2" ] || [ "$(sha512sum "$2" | awk '{print $1}')" != "$1" ] \ - || return 1 - printf "Bad checksum for file: %s\n" "$2" 1>&2 + [ ! -f "$2" ] && printf "File '%s' missing (sha512sum '%s')\n" \ + "$2" "$1" 1>&2 && return 0 + fchksum="$(x_ sha512sum "$2" | awk '{print $1}')" || \ + err "Can't get sha512sum on '$2' (checking for sha512sum '$1')" + [ "$fchksum" != "$1" ] || return 1 + printf "WARNING: BAD checksum for '%s' - expected '%s', got '%s'\n" \ + "$2" "$1" "$fchksum" 1>&2 x_ rm -f "$2" } diff --git a/include/mrc.sh b/include/mrc.sh index 70c3bd3c..a132f574 100644 --- a/include/mrc.sh +++ b/include/mrc.sh @@ -10,23 +10,18 @@ extract_mrc() { extract_shellball x_ "$cbfstool" "$appdir/"bios.bin extract -n mrc.bin \ - -f "$_dest" -r RO_SECTION - - [ -n "$CONFIG_REFCODE_BLOB_FILE" ] && extract_refcode extra; : + -f "$_pre_dest" -r RO_SECTION } extract_refcode() { - _refdest="${CONFIG_REFCODE_BLOB_FILE##*../}" - e "$_refdest" f && return 0 - - [ $# -lt 1 ] && extract_shellball + extract_shellball # cbfstool after coreboot 4.13 changed the stage file attribute scheme, # and refcode is extracted from an image using the old scheme. we use # cbfstool from coreboot 4.11_branch, the tree used by ASUS KGPE-D16 chkvars cbfstoolref - x_ mkdir -p "${_refdest%/*}" + x_ mkdir -p "${_pre_dest%/*}" x_ "$cbfstoolref" "$appdir/bios.bin" extract \ -m x86 -n fallback/refcode -f "$appdir/ref" -r RO_SECTION @@ -35,7 +30,7 @@ extract_refcode() [ -z "$MRC_refcode_gbe" ] || x_ dd if="config/ifd/hp820g2/1.bin" \ of="$appdir/ref" bs=1 seek=$MRC_refcode_gbe count=1 conv=notrunc; : - x_ mv "$appdir/ref" "$_refdest" + x_ mv "$appdir/ref" "$_pre_dest" } extract_shellball() diff --git a/include/vendor.sh b/include/vendor.sh index 823ba74f..8a71ad5b 100644 --- a/include/vendor.sh +++ b/include/vendor.sh @@ -22,12 +22,12 @@ vfix="DO_NOT_FLASH_YET._FIRST,_INJECT_FILES_VIA_INSTRUCTIONS_ON_LIBREBOOT.ORG_" # lbmk-specific extension to the "cv" variable (not suitable for cbmk) cvchk="CONFIG_INCLUDE_SMSC_SCH5545_EC_FW CONFIG_HAVE_MRC CONFIG_HAVE_ME_BIN \ - CONFIG_KBC1126_FIRMWARE CONFIG_LENOVO_TBFW_BIN CONFIG_VGA_BIOS_FILE \ - CONFIG_FSP_M_FILE CONFIG_FSP_S_FILE" + CONFIG_LENOVO_TBFW_BIN CONFIG_VGA_BIOS_FILE CONFIG_FSP_M_FILE \ + CONFIG_FSP_S_FILE CONFIG_KBC1126_FW1 CONFIG_KBC1126_FW2" # lbmk-specific extensions to the "cv" variable (not suitable for cbmk) -cvxbmk="CONFIG_ME_BIN_PATH CONFIG_SMSC_SCH5545_EC_FW_FILE CONFIG_KBC1126_FW1 \ - CONFIG_KBC1126_FW2 CONFIG_KBC1126_FW1_OFFSET CONFIG_KBC1126_FW2_OFFSET \ +cvxbmk="CONFIG_ME_BIN_PATH CONFIG_SMSC_SCH5545_EC_FW_FILE \ + CONFIG_KBC1126_FW1_OFFSET CONFIG_KBC1126_FW2_OFFSET \ CONFIG_VGA_BIOS_ID CONFIG_BOARD_DELL_E6400 CONFIG_FSP_S_CBFS \ CONFIG_HAVE_REFCODE_BLOB CONFIG_REFCODE_BLOB_FILE CONFIG_FSP_FD_PATH \ CONFIG_IFD_BIN_PATH CONFIG_MRC_FILE CONFIG_FSP_M_CBFS \ @@ -40,7 +40,9 @@ eval "`setvars "" has_hashes EC_hash DL_hash DL_url_bkup MRC_refcode_gbe vcfg \ kbc1126_ec_dump MRC_refcode_cbtree _dl SCH5545EC_DL_url EC_url rom DL_url \ nukemode cbfstoolref FSPFD_hash _7ztest ME11bootguard ME11delta xromsize \ ME11version ME11sku ME11pch _me _metmp mfs TBFW_url_bkup TBFW_url cbdir \ - TBFW_hash TBFW_size hashfile EC_url_bkup`" + TBFW_hash TBFW_size hashfile EC_url_bkup FSPM_bin_hash FSPS_bin_hash \ + EC_FW1_hash EC_FW2_hash ME_bin_hash MRC_bin_hash REF_bin_hash _dl_bin \ + SCH5545EC_bin_hash TBFW_bin_hash E6400_VGA_bin_hash _pre_dest`" download() { @@ -52,24 +54,34 @@ download() getfiles() { [ -z "$CONFIG_HAVE_ME_BIN" ] || fetch intel_me "$DL_url" \ - "$DL_url_bkup" "$DL_hash" "$CONFIG_ME_BIN_PATH" + "$DL_url_bkup" "$DL_hash" "$CONFIG_ME_BIN_PATH" "curl" \ + "$ME_bin_hash" [ -z "$CONFIG_INCLUDE_SMSC_SCH5545_EC_FW" ] || fetch sch5545ec \ "$SCH5545EC_DL_url" "$SCH5545EC_DL_url_bkup" "$SCH5545EC_DL_hash" \ - "$CONFIG_SMSC_SCH5545_EC_FW_FILE" - [ -z "$CONFIG_KBC1126_FIRMWARE" ] || fetch kbc1126ec "$EC_url" \ - "$EC_url_bkup" "$EC_hash" "$CONFIG_KBC1126_FW1" + "$CONFIG_SMSC_SCH5545_EC_FW_FILE" "curl" "$SCH5545EC_bin_hash" + [ -z "$CONFIG_KBC1126_FW1" ] || fetch kbc1126ec "$EC_url" \ + "$EC_url_bkup" "$EC_hash" "$CONFIG_KBC1126_FW1" "curl" \ + "$EC_FW1_hash" + [ -z "$CONFIG_KBC1126_FW2" ] || fetch kbc1126ec "$EC_url" \ + "$EC_url_bkup" "$EC_hash" "$CONFIG_KBC1126_FW2" "curl" \ + "$EC_FW2_hash" [ -z "$CONFIG_VGA_BIOS_FILE" ] || fetch e6400vga "$E6400_VGA_DL_url" \ - "$E6400_VGA_DL_url_bkup" "$E6400_VGA_DL_hash" "$CONFIG_VGA_BIOS_FILE" + "$E6400_VGA_DL_url_bkup" "$E6400_VGA_DL_hash" \ + "$CONFIG_VGA_BIOS_FILE" "curl" "$E6400_VGA_bin_hash" [ -z "$CONFIG_HAVE_MRC" ] || fetch "mrc" "$MRC_url" "$MRC_url_bkup" \ - "$MRC_hash" "$CONFIG_MRC_FILE" - [ -n "$CONFIG_REFCODE_BLOB_FILE" ] && fetch "refcode" "$MRC_url" \ - "$MRC_url_bkup" "$MRC_hash" "$CONFIG_REFCODE_BLOB_FILE" + "$MRC_hash" "$CONFIG_MRC_FILE" "curl" "$MRC_bin_hash" + [ -z "$CONFIG_REFCODE_BLOB_FILE" ] || fetch "refcode" "$MRC_url" \ + "$MRC_url_bkup" "$MRC_hash" "$CONFIG_REFCODE_BLOB_FILE" "curl" \ + "$REF_bin_hash" [ -z "$CONFIG_LENOVO_TBFW_BIN" ] || fetch "tbfw" "$TBFW_url" \ - "$TBFW_url_bkup" "$TBFW_hash" "$CONFIG_LENOVO_TBFW_BIN" + "$TBFW_url_bkup" "$TBFW_hash" "$CONFIG_LENOVO_TBFW_BIN" "curl" \ + "$TBFW_bin_hash" [ -z "$CONFIG_FSP_M_FILE" ] || fetch "fsp" "$CONFIG_FSP_FD_PATH" \ - "$CONFIG_FSP_FD_PATH" "$FSPFD_hash" "$CONFIG_FSP_M_FILE" copy + "$CONFIG_FSP_FD_PATH" "$FSPFD_hash" "$CONFIG_FSP_M_FILE" "copy" \ + "$FSPM_bin_hash" [ -z "$CONFIG_FSP_S_FILE" ] || fetch "fsp" "$CONFIG_FSP_FD_PATH" \ - "$CONFIG_FSP_FD_PATH" "$FSPFD_hash" "$CONFIG_FSP_S_FILE" copy; : + "$CONFIG_FSP_FD_PATH" "$FSPFD_hash" "$CONFIG_FSP_S_FILE" "copy" \ + "$FSPS_bin_hash"; : } fetch() @@ -79,9 +91,18 @@ fetch() dl_bkup="$3" dlsum="$4" _dest="${5##*../}" + _pre_dest="$XBMK_CACHE/tmpdl/check" || err "!fetch, mktemp, $*" + dlop="$6" + binsum="$7" [ "$5" = "/dev/null" ] && return 0 - _dl="$XBMK_CACHE/file/$dlsum" + _dl="$XBMK_CACHE/file/$dlsum" # internet file to extract from e.g. .exe + _dl_bin="$XBMK_CACHE/file/$binsum" # extracted file e.g. me.bin + + # an extracted vendor file will be placed in pre_dest first, for + # verifying its checksum. if it matches, it is later moved to _dest + remkdir "${_pre_dest%/*}" "$appdir" + # HACK: if grabbing fsp from coreboot, fix the path for lbmk [ "$dl_type" = "fsp" ] && for _cdl in dl dl_bkup; do eval "$_cdl=\"\${$_cdl##*../}\"; _cdp=\"\$$_cdl\"" @@ -89,20 +110,43 @@ fetch() [ -f "$_cdp" ] && eval "$_cdl=\"$_cdp\"" done; : - dlop="curl" && [ $# -gt 5 ] && dlop="$6" + # download the file (from the internet) to extract from xbmkget "$dlop" "$dl" "$dl_bkup" "$_dl" "$dlsum" - x_ rm -Rf "${_dl}_extracted" - e "$_dest" f && return 0 + + # skip extraction if a cached extracted file exists + ( xbmkget copy "$_dl_bin" "$_dl_bin" "$_dest" "$binsum" 2>/dev/null ) \ + || : + [ -f "$_dest" ] && return 0 x_ mkdir -p "${_dest%/*}" - remkdir "$appdir" [ "$dl_type" = "fsp" ] || extract_archive "$_dl" "$appdir" || \ [ "$dl_type" = "e6400vga" ] || err "$_dest $dl_type: !extract" x_ extract_$dl_type "$_dl" "$appdir" set -u -e - e "$_dest" f missing && err "!extract_$dl_type"; : + + # some functions don't output directly to the given file, _pre_dest. + # instead, they put multiple files there, but we need the one matching + # the given hashsum. So, search for a matching file via bruteforce: + ( fx_ "eval mkdst \"$binsum\"" x_ find "${_pre_dest%/*}" -type f ) || : + + [ -f "$_dest" ] && return 0 + [ -z "$binsum" ] && \ + printf "'%s', '%s': checksum undefined. Check files in '%s'\n" \ + "$board" "$_dest" "${_pre_dest%/*}" 1>&2 + e "$_dest" f not && err "missing file '$_dest', !extract_$dl_type"; : + e "$_dest" f && printf "WARNING: '%s' exists but has bad checksum" \ + "$_dest" + err "Could not safely extract '$_dest', for board '$board'" +} + +mkdst() +{ + bad_checksum "$1" "$2" && x_ rm -f "$2" && return 0 + x_ mv "$2" "$_dl_bin" + x_ cp "$_dl_bin" "$_dest" + exit 1 } extract_intel_me() @@ -110,7 +154,6 @@ extract_intel_me() e "$mecleaner" f not && err "$cbdir: me_cleaner missing" _7ztest="$xbmklocal/metmp/a" - _me="$xbmkpwd/$_dest" _metmp="$xbmklocal/me.bin" x_ rm -f "$_metmp" "$xbmklocal/a" @@ -121,14 +164,14 @@ extract_intel_me() set +u +e x_ rm -Rf "$xbmkpwd/metmp" ( fx_ find_me x_ find "$xbmkpwd/$appdir" -type f ) || : - [ "$ME11bootguard" != "y" ] && x_ mv "$_metmp" "$_me" && return 0 + [ "$ME11bootguard" != "y" ] && x_ mv "$_metmp" "$_pre_dest" && return 0 ( x_ cd src/deguard/ x_ ./finalimage.py --delta "data/delta/$ME11delta" --version \ "$ME11version" --pch "$ME11pch" --sku "$ME11sku" \ - --fake-fpfs data/fpfs/zero --input "$_metmp" --output "$_me" - ) || err "Error running deguard for $_me"; : + --fake-fpfs data/fpfs/zero --input "$_metmp" --output "$_pre_dest" + ) || err "Error running deguard for $_dest"; : } find_me() @@ -165,7 +208,7 @@ extract_kbc1126ec() ) || err "$board: can't extract kbc1126 ec firmware" x_ e "$appdir/ec.bin.fw1" f && x_ e "$appdir/ec.bin.fw2" f - x_ cp "$appdir/"ec.bin.fw* "${_dest%/*}/" + x_ cp "$appdir/"ec.bin.fw* "${_pre_dest%/*}/" } extract_e6400vga() @@ -178,7 +221,7 @@ extract_e6400vga() x_ e "bios.bin" f "$e6400_unpack" bios.bin || printf "TODO: fix dell extract util\n" ) || err "can't extract e6400 vga rom" - x_ cp "$appdir/$E6400_VGA_romname" "$_dest" + x_ cp "$appdir/$E6400_VGA_romname" "$_pre_dest" } extract_sch5545ec() @@ -191,26 +234,27 @@ extract_sch5545ec() _sch5545ec_fw="$_sch5545ec_fw/0 Raw section/body.bin" # <-- this! x_ "$uefiextract" "$_bios" - x_ cp "$_sch5545ec_fw" "$_dest" + x_ cp "$_sch5545ec_fw" "$_pre_dest" } # Lenovo ThunderBolt firmware updates: # https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t480-type-20l5-20l6/20l5/solutions/ht508988 extract_tbfw() { - chkvars TBFW_size; fx_ copytb x_ find "$appdir" -type f -name "TBT.bin" + chkvars TBFW_size + fx_ copytb x_ find "$appdir" -type f -name "TBT.bin" } copytb() { [ -f "$1" ] && [ ! -L "$1" ] && x_ dd if=/dev/null of="$1" bs=1 \ - seek=$TBFW_size && x_ mv "$1" "$_dest" && return 1; : + seek=$TBFW_size && x_ mv "$1" "$_pre_dest" && return 1; : } extract_fsp() { x_ python "$cbdir/3rdparty/fsp/Tools/SplitFspBin.py" split -f "$1" \ - -o "${_dest%/*}" -n "Fsp.fd" + -o "${_pre_dest%/*}" -n "Fsp.fd" } setvfile() -- cgit v1.2.1 From 4313b474a593c5b2e57278c590b7cfb56dec5114 Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Fri, 16 May 2025 07:03:08 +0100 Subject: vendor.sh: additional safety check the exit from mkdst can also be non-zero if mv or cp failed, but there's no way to handle that reliably. therefore, the checksum verification should be done one final time, to compensate. Signed-off-by: Leah Rowe --- include/vendor.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/vendor.sh b/include/vendor.sh index 8a71ad5b..7dcf9757 100644 --- a/include/vendor.sh +++ b/include/vendor.sh @@ -131,7 +131,7 @@ fetch() # the given hashsum. So, search for a matching file via bruteforce: ( fx_ "eval mkdst \"$binsum\"" x_ find "${_pre_dest%/*}" -type f ) || : - [ -f "$_dest" ] && return 0 + bad_checksum "$binsum" "$_dest" || [ ! -f "$_dest" ] || return 0 [ -z "$binsum" ] && \ printf "'%s', '%s': checksum undefined. Check files in '%s'\n" \ "$board" "$_dest" "${_pre_dest%/*}" 1>&2 -- cgit v1.2.1 From 6a2ed9428b7528da5c3953a89797d9bfb6d8f7f3 Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Fri, 16 May 2025 08:20:17 +0100 Subject: vendor.sh: Fix broken KBC1126 insertion On release archives, I overlooked the previous change to downloads, during the recent implementation of extra safety checks. I previously checked there whether the variable named CONFIG_KBC1126_FIRMWARE was defined, and grabbed both; now I check CONFIG_KBC1126_FW1 and CONFIG_KBC1126_FW2 separately, grabbing each file separately. This patch replicates that change for insertions. Otherwise, hash verification on ROM images will fail, when running the inject script on release images. Downloading was being done, reliably, and the extracted files were correct, so there was no danger if the user was building from source and flashing that way. However, checksum verification on full images failed when inserting into archives. This is not because the files were wrong; they were *correct*. However, the EC firmware was not being inserted *at all* on HP EliteBooks, because of this oversight. The check is now based on whether the paths to the files themselves are defined, not whether EC firmware is enabled in the coreboot config; the latter is implied. With this patch, vendor file insertion once again works perfectly, without error, on every board. There was no real danger for users, just a minor inconvenience. Sorry! Signed-off-by: Leah Rowe --- include/vendor.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/include/vendor.sh b/include/vendor.sh index 7dcf9757..5d7ea82b 100644 --- a/include/vendor.sh +++ b/include/vendor.sh @@ -346,9 +346,10 @@ add_vfiles() [ "$CONFIG_HAVE_MRC" = "y" ] && vfile "mrc.bin" "$CONFIG_MRC_FILE" \ "mrc" "0xfffa0000" [ "$CONFIG_HAVE_ME_BIN" = "y" ] && vfile IFD "$CONFIG_ME_BIN_PATH" me - [ "$CONFIG_KBC1126_FIRMWARE" = "y" ] && vfile ecfw1.bin \ - "$CONFIG_KBC1126_FW1" raw "$CONFIG_KBC1126_FW1_OFFSET" && vfile \ - ecfw2.bin "$CONFIG_KBC1126_FW2" raw "$CONFIG_KBC1126_FW2_OFFSET" + [ -n "$CONFIG_KBC1126_FW1" ] && vfile ecfw1.bin \ + "$CONFIG_KBC1126_FW1" raw "$CONFIG_KBC1126_FW1_OFFSET" + [ -n "$CONFIG_KBC1126_FW2" ] && vfile ecfw2.bin \ + "$CONFIG_KBC1126_FW2" raw "$CONFIG_KBC1126_FW2_OFFSET" [ -n "$CONFIG_VGA_BIOS_FILE" ] && [ -n "$CONFIG_VGA_BIOS_ID" ] && \ vfile "pci$CONFIG_VGA_BIOS_ID.rom" "$CONFIG_VGA_BIOS_FILE" optionrom [ "$CONFIG_INCLUDE_SMSC_SCH5545_EC_FW" = "y" ] && \ -- cgit v1.2.1 From 6dea381614d01abb58a3534cc62c2346ba654beb Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Sat, 17 May 2025 09:46:54 +0100 Subject: get.sh: fix bad mkdir command this is the mkdir call that createsn the directory where a cached git repository is moved to, during creation. Signed-off-by: Leah Rowe --- include/get.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/get.sh b/include/get.sh index 4bcccceb..c9bf840d 100644 --- a/include/get.sh +++ b/include/get.sh @@ -139,7 +139,7 @@ try_git() x_ rm -Rf "$tmpgitcache" [ -d "$gitdest" ] || ( x_ git clone "$2" "$tmpgitcache" ) || return 1 - [ -d "$gitdest" ] || x_ mkdir -p "${gitdest##*/}" + [ -d "$gitdest" ] || x_ mkdir -p "${gitdest%/*}" [ -d "$gitdest" ] || x_ mv "$tmpgitcache" "$gitdest" ( x_ git -C "$gitdest" remote add main "$4" 2>/dev/null ) || : -- cgit v1.2.1 From d2564fd9457c1fd7533c02341769483e81e9667f Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Sat, 17 May 2025 11:08:06 +0100 Subject: get.sh: simplify tmpclone() Signed-off-by: Leah Rowe --- include/get.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/get.sh b/include/get.sh index c9bf840d..c6c6b75b 100644 --- a/include/get.sh +++ b/include/get.sh @@ -109,7 +109,7 @@ try_file() eval "[ -$echk \"$cached\" ] || return 1" if [ "$2" = "git" ]; then - tmpclone "$cached" "$5" "$6" "$7" || return 1 + [ -d "$5" ] || tmpclone "$cached" "$5" "$6" "$7" || return 1 else bad_checksum "$6" "$cached" && x_ rm -f "$cached" && return 1 [ "$cached" != "$5" ] && x_ cp "$cached" "$5" @@ -162,7 +162,6 @@ bad_checksum() tmpclone() { - [ -d "$2" ] && return 0 printf "Creating git clone '%s' from '%s'\n" "$2" "$1" ( x_ git clone "$1" "$2" ) || return 1 ( x_ git -C "$2" reset --hard "$3" ) || return 1 -- cgit v1.2.1