From 06c1ed009d9a2ad35782b7df338db600ae5e9ad9 Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Sun, 28 Sep 2025 03:20:07 +0100 Subject: add -p flag to old me_cleaner too this lets you skip fptr checks not currently used on this version, but i want this patch here so that it can be in the future Signed-off-by: Leah Rowe --- ...PATCH-1-1-Add-a-p-option-skip-FPTR-checks.patch | 76 ++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 config/coreboot/default/patches/0038-Subject-PATCH-1-1-Add-a-p-option-skip-FPTR-checks.patch (limited to 'config/coreboot') diff --git a/config/coreboot/default/patches/0038-Subject-PATCH-1-1-Add-a-p-option-skip-FPTR-checks.patch b/config/coreboot/default/patches/0038-Subject-PATCH-1-1-Add-a-p-option-skip-FPTR-checks.patch new file mode 100644 index 00000000..abc232c5 --- /dev/null +++ b/config/coreboot/default/patches/0038-Subject-PATCH-1-1-Add-a-p-option-skip-FPTR-checks.patch @@ -0,0 +1,76 @@ +From 273fec95778f53a622ff1e2a64c15b74813f48d2 Mon Sep 17 00:00:00 2001 +From: Leah Rowe +Date: Sun, 28 Sep 2025 03:17:50 +0100 +Subject: [PATCH 1/1] Subject: [PATCH 1/1] Add a -p option (skip FPTR checks) + +if you pass -k (keep fptr modules), don't use -r, don't +use -t, you can essentially just use me_cleaner to +extract a ME image without changing it. this is useful +when for example, you just want to set the HAP bit. + +however, me_cleaner still performs a FPTR check. + +on some newer ME versions, it's always invalid according +to me_cleaner, because for example it doesn't handle +ME16 very well yet. + +this patch adds an option to override the FPTR check + +either pass -p or --pass-fptr + +NOTE: we probably won't use this on coreboot's me_cleaner, +which is the corna version. we only need it on the newer +me_cleaner versions for e.g. ME16, on certain setups. +still, it's best to have the patch here too, just in case. + +Signed-off-by: Leah Rowe +--- + util/me_cleaner/me_cleaner.py | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/util/me_cleaner/me_cleaner.py b/util/me_cleaner/me_cleaner.py +index fae5e56732..228bac899f 100755 +--- a/util/me_cleaner/me_cleaner.py ++++ b/util/me_cleaner/me_cleaner.py +@@ -246,8 +246,10 @@ def check_partition_signature(f, offset): + return "{:#x}".format(decrypted_sig).endswith(sha256.hexdigest()) # FIXME + + +-def print_check_partition_signature(f, offset): +- if check_partition_signature(f, offset): ++def print_check_partition_signature(f, offset, pass_fptr): ++ if pass_fptr: ++ print("Skipping FPTR checks because the user told us to") ++ elif check_partition_signature(f, offset): + print("VALID") + else: + print("INVALID!!") +@@ -486,6 +488,8 @@ if __name__ == "__main__": + "--extract-me)", action="store_true") + parser.add_argument("-k", "--keep-modules", help="don't remove the FTPR " + "modules, even when possible", action="store_true") ++ parser.add_argument("-p", "--pass-fptr", help="skip FTPR signature checks" ++ "regardless of other operations", action="store_true") + bw_list.add_argument("-w", "--whitelist", metavar="whitelist", + help="Comma separated list of additional partitions " + "to keep in the final image. This can be used to " +@@ -871,12 +875,14 @@ if __name__ == "__main__": + print("Checking the FTPR RSA signature of the extracted ME " + "image... ", end="") + print_check_partition_signature(mef_copy, +- ftpr_offset + ftpr_mn2_offset) ++ ftpr_offset + ftpr_mn2_offset, ++ args.pass_fptr) + mef_copy.close() + + if not me6_ignition: + print("Checking the FTPR RSA signature... ", end="") +- print_check_partition_signature(mef, ftpr_offset + ftpr_mn2_offset) ++ print_check_partition_signature(mef, ftpr_offset + ftpr_mn2_offset, ++ args.pass_fptr) + + f.close() + +-- +2.47.3 + -- cgit v1.2.1