From e7c0109f5d97eb8eeaa2e2404be6bea2c56f1e0d Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Tue, 24 Sep 2024 16:47:21 +0100 Subject: Add deguard logic for Dell OptiPlex 3050 Micro Copy the downloaded deguard source code into appdir, and patch it to run as part of lbmk, instead of standalone. The archived one in src/ is not directly used; instead, the hotpatched version is used. This is because the standalone version already has download logic for the .zip file, but we already cache that file in cache/ and use that. Signed-off-by: Leah Rowe --- config/data/deguard/appdir.patch | 131 +++++++++++++++++++++++++++++++++++++++ config/vendor/3050micro/pkg.cfg | 4 ++ include/vendor.sh | 33 +++++++++- 3 files changed, 167 insertions(+), 1 deletion(-) create mode 100644 config/data/deguard/appdir.patch create mode 100644 config/vendor/3050micro/pkg.cfg diff --git a/config/data/deguard/appdir.patch b/config/data/deguard/appdir.patch new file mode 100644 index 00000000..722a6168 --- /dev/null +++ b/config/data/deguard/appdir.patch @@ -0,0 +1,131 @@ +From b978cbb651a4bdd84be4a92ae240c8ca99ef21eb Mon Sep 17 00:00:00 2001 +From: Leah Rowe +Date: Tue, 24 Sep 2024 16:44:51 +0100 +Subject: [PATCH 1/1] Patch to integrate with lbmk + +Deguard is a standalone utility, but the way it works +doesn't integrate well with lbmk. + +Remove the download logic, because lbmk already downloads +the requisite zip file. + +Also not required, but nice, and included in this patch: + +Detect what python version is available, and make sure it's +python 3. + +Signed-off-by: Leah Rowe +--- + RUNME.sh | 64 +++++++++++++++++++++++++++++++------------------------- + 1 file changed, 36 insertions(+), 28 deletions(-) + +diff --git a/RUNME.sh b/RUNME.sh +index 9809f89..7404ba6 100755 +--- a/RUNME.sh ++++ b/RUNME.sh +@@ -1,25 +1,33 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0-only + ++# This version of deguard is patched to integrate with lbmk. ++# Do not run this version standalone. Please use src/deguard/ instead. ++ + set -e + +-if [ ! -f "me.bin" ]; then +- wget "https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip" +- unzip "H110M-DGS(7.30)ROM.zip" H11MDGS7.30 +- rm "H110M-DGS(7.30)ROM.zip" +- dd if=H11MDGS7.30 of=me.bin skip=1 count=511 bs=4096 +- rm H11MDGS7.30 ++pyver="2" ++python="python3" ++which python3 || python="python" ++which $python || pyver="" ++[ -n "$pyver" ] && pyver="$($python --version | awk '{print $2}')" ++if [ "${pyver%%.*}" != "3" ]; then ++ printf "Wrong python version, or python missing. Must be python 3.\n" 1>&2 ++ exit 1 + fi + ++rm -f me.bin MFS.part ++dd if=../H11MDGS7.30 of=me.bin skip=1 count=511 bs=4096 ++ + dd if=me.bin of=MFS.part skip=168 count=100 bs=4096 + + # Extract file number 7 (fitc.cfg) +-python3 MFSUtil.py -m MFS.part -x -i 7 -o fitc.cfg ++$python MFSUtil.py -m MFS.part -x -i 7 -o fitc.cfg + + # Remove /home/mca/eom +-python3 MFSUtil.py -c fitc.cfg -r -f /home/mca/eom -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg -r -f /home/mca/eom -o fitc.cfg + # Remove /home/bup/ct +-python3 MFSUtil.py -c fitc.cfg -r -f /home/bup/ct -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg -r -f /home/bup/ct -o fitc.cfg + + # list off files differing in optiplex 3050 fw vs donor + files=" +@@ -39,40 +47,40 @@ secureboot/pubkeyhash + + for i in $files + do +- python3 MFSUtil.py -c fitc.cfg -r -f /home/$i -o fitc.cfg ++ $python MFSUtil.py -c fitc.cfg -r -f /home/$i -o fitc.cfg + done + + # Add /home/mca/eom + dd if=/dev/zero of=eom count=1 bs=1 +-python3 MFSUtil.py -c fitc.cfg --add eom --alignment 2 --mode ' --Irw-r-----' \ ++$python MFSUtil.py -c fitc.cfg --add eom --alignment 2 --mode ' --Irw-r-----' \ + --opt '?!-F' --uid 0 --gid 238 -f /home/mca/eom -o fitc.cfg + + # Add /home/bup/ct +-python3 gen_shellcode.py -p H -v 11.6.0.1126 --fake-fpfs=fpfs/optiplex_3050 -o ct +-python3 MFSUtil.py -c fitc.cfg --add ct --alignment 2 --mode ' ---rwxr-----' \ ++$python gen_shellcode.py -p H -v 11.6.0.1126 --fake-fpfs=fpfs/optiplex_3050 -o ct ++$python MFSUtil.py -c fitc.cfg --add ct --alignment 2 --mode ' ---rwxr-----' \ + --opt '?--F' --uid 3 --gid 351 -f /home/bup/ct -o fitc.cfg + + # Add dell files +-python3 MFSUtil.py -c fitc.cfg --add data/emu_fuse_map --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/emu_fuse_map -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/plat_n_sku --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/plat_n_sku -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/fwuoemid --alignment 2 --mode=' ---rw-rw----' --opt='?--F' --uid=32 --gid=238 -f /home/fwupdate/fwuoemid -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/prof0 --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=55 --gid=238 -f /home/icc/prof0 -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/device_ports --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=73 --gid=238 -f /home/mctp/device_ports -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/hdcp_ports --alignment 2 --mode=' -EIrw-r-----' --opt='?!-F' --uid=80 --gid=238 -f /home/pavp/hdcp_ports -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/cfg_rules --alignment 2 --mode=' ---rw-rw----' --opt='-!MF' --uid=85 --gid=238 -f /home/policy/cfgmgr/cfg_rules -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/bootpolres --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpolres -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/bootpoltype --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpoltype -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/enfpolicy --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/enfpolicy -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/kmid --alignment 2 --mode=' ---rw-r-----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/kmid -o fitc.cfg +-python3 MFSUtil.py -c fitc.cfg --add data/pubkeyhash --alignment 2 --mode=' ---rw-rw-r--' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/pubkeyhash -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/emu_fuse_map --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/emu_fuse_map -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/plat_n_sku --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=3 --gid=238 -f /home/bup/bup_sku/plat_n_sku -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/fwuoemid --alignment 2 --mode=' ---rw-rw----' --opt='?--F' --uid=32 --gid=238 -f /home/fwupdate/fwuoemid -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/prof0 --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=55 --gid=238 -f /home/icc/prof0 -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/device_ports --alignment 2 --mode=' ---rw-r-----' --opt='?--F' --uid=73 --gid=238 -f /home/mctp/device_ports -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/hdcp_ports --alignment 2 --mode=' -EIrw-r-----' --opt='?!-F' --uid=80 --gid=238 -f /home/pavp/hdcp_ports -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/cfg_rules --alignment 2 --mode=' ---rw-rw----' --opt='-!MF' --uid=85 --gid=238 -f /home/policy/cfgmgr/cfg_rules -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/bootpolres --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpolres -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/bootpoltype --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/bootpoltype -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/enfpolicy --alignment 2 --mode=' ---rw-rw----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/enfpolicy -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/kmid --alignment 2 --mode=' ---rw-r-----' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/kmid -o fitc.cfg ++$python MFSUtil.py -c fitc.cfg --add data/pubkeyhash --alignment 2 --mode=' ---rw-rw-r--' --opt='?-MF' --uid=3 --gid=238 -f /home/secureboot/pubkeyhash -o fitc.cfg + + # Delete file id 7 (fitc.cfg) from the MFS partition +-python3 MFSUtil.py -m MFS.part -r -i 7 -o MFS.part ++$python MFSUtil.py -m MFS.part -r -i 7 -o MFS.part + # Delete file id 8 (home) from the MFS partition +-python3 MFSUtil.py -m MFS.part -r -i 8 -o MFS.part ++$python MFSUtil.py -m MFS.part -r -i 8 -o MFS.part + + # Add the modified fitc.cfg into the MFS partition +-python3 MFSUtil.py -m MFS.part -a fitc.cfg --deoptimize -i 7 -o MFS.part ++$python MFSUtil.py -m MFS.part -a fitc.cfg --deoptimize -i 7 -o MFS.part + + # Write + dd conv=notrunc if=MFS.part of=me.bin seek=168 count=100 bs=4096 +-- +2.39.5 + diff --git a/config/vendor/3050micro/pkg.cfg b/config/vendor/3050micro/pkg.cfg new file mode 100644 index 00000000..f1f7860b --- /dev/null +++ b/config/vendor/3050micro/pkg.cfg @@ -0,0 +1,4 @@ +DL_hash="976bbb1e625f64df276d8343757d910c88b8a781f953bc2c41a7dd15184ec70d55f8081de2a0aaa83cddb8e73bdc2df6288fde6e0897e4928c48ca4bb30bea2d" +DL_url="https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip" +DL_url_bkup="https://web.archive.org/web/20230822134231/https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip" +ME_bootguard="me11disreguard" diff --git a/include/vendor.sh b/include/vendor.sh index 03c7ad7d..c5b6560d 100644 --- a/include/vendor.sh +++ b/include/vendor.sh @@ -23,7 +23,7 @@ eval `setvars "" EC_url_bkup EC_hash DL_hash DL_url_bkup MRC_refcode_gbe vcfg \ E6400_VGA_romname SCH5545EC_DL_url_bkup SCH5545EC_DL_hash _dest tree \ mecleaner kbc1126_ec_dump MRC_refcode_cbtree new_mac _dl SCH5545EC_DL_url \ archive EC_url boarddir rom cbdir DL_url nukemode cbfstoolref vrelease \ - verify _7ztest $cv` + verify _7ztest ME_bootguard $cv` vendor_download() { @@ -107,6 +107,14 @@ extract_intel_me() e "$mecleaner" f not && $err "$cbdir: me_cleaner missing" _me="$PWD/$_dest"; cdir="$PWD/$appdir" + if [ "$ME_bootguard" = "me11disreguard" ]; then + # run mkukri's util to extract me.bin and disable bootguard + # for Dell OptiPlex 3050 Micro, using the deguard util. + extract_deguard_me "$cdir" "$_me" + return 0 + fi + # All other ME setups are extracted with brute force and me_cleaner: + [ $# -gt 0 ] && _me="${1}" && cdir="$2" e "$_me" f && return 0 @@ -141,6 +149,29 @@ extract_intel_me() rm -Rf "$sdir" || $err "extract_intel_me: !rm -Rf $sdir" } +extract_deguard_me() +{ + x_ ./mk -f deguard + cp -R src/deguard "$1/disreguard" || \ + $err "Cannot make temporary deguard clone in $1/disreguard" + if [ ! -e "$1/disreguard/.git" ]; then + git -C "$1/disreguard" init || $err "!init $1/disreguard" + git -C "$1/disreguard" add -A . || $err "!add $1/disreguard" + git -C "$1/disreguard" commit -m "tmp" || \ + $err "!commit $1/disreguard" + fi + git -C "$1/disreguard" am config/data/deguard/appdir.patch || \ + $err "Cannot temporarily patch deguard clone in $1/disreguard" + ( + cd "$1/disreguard" || $err "Cannot cd to '$1/disreguard'" + x_ ./RUNME.sh + ) + "$mecleaner" --whitelist MFS --truncate "$1/disreguard/me.bin" || \ + $err "extract_intel_me: Can't truncate disreguarded ME" + cp "$cdir/disreguard/me.bin" "$2" || \ + $err "extract_intel_me: Can't move disreguarded me.bin" +} + extract_archive() { innoextract "$1" -d "$2" || python "$pfs_extract" "$1" -e || 7z x \ -- cgit v1.2.1