From f338697b96757977d2a14da00a91236595704fed Mon Sep 17 00:00:00 2001
From: Leah Rowe <leah@libreboot.org>
Date: Sun, 18 Jun 2023 14:12:31 +0100
Subject: build/boot/roms: Support removing microcode

From now on, the following rules are available for all
mainboards, in resources/coreboot/boardname/board.cfg:

* blobs_required="n" or "y"
* microcode_required="n" or "y"

The blobs setting, if set to "n", simply renames filename.rom to
filename_noblobs.rom.

The microcode setting, if set to "n", copies the ROM (with or
without _noblobs) to filename_nomicrocode.rom (if blobs="n",
it would be filename_noblobs_nomicrocode.rom).

Where "nomicrocode" is set, ROMs with microcode will still be
provided by lbmk and in relesase, but ROMs will also be provided
alongside it that lacks any microcode updates.

If the *original* ROM already lacks microcode updates, then the
original ROM will be *renamed* to include "nomicrocode" in the name.
This is done on images for ARM platforms, for instance, where
microcode is never used whatsoever.

Example filenames now generated:
seabios_e6400_4mb_libgfxinit_corebootfb_noblobs_nomicrocode.rom
seabios_e6400_4mb_libgfxinit_corebootfb_noblobs.rom
seabios_withgrub_hp8300usdt_16mb_libgfxinit_corebootfb_colemak_nomicrocode.rom
seabios_withgrub_hp8300usdt_16mb_libgfxinit_corebootfb_colemak.rom
uboot_payload_gru_kevin_libgfxinit_corebootfb_noblobs_nomicrocode.rom

A vocal minority of people were not happy with some of the changes
made in Libreboot last year, including on existing supported
hardware from before those changes were made. I did this before the
last release, out of respect:
https://libreboot.org/news/gm45microcode.html
(re-add mitigations for no-microcode setup on GM45)

This new change is done as an further, extended courtesy. Tested
and works fine. (testing using cbfstool-print)

Actual Libreboot policy about binary blobs is nuanced. See:
https://libreboot.org/news/policy.html (reduction policy) and:
https://libreboot.org/freedom-status.html (implementation)

Well, the status page talks about descriptor vs non-descriptor
on Intel platforms, and where me_cleaner is used (on platforms
that need Intel ME firmware), it regards the descriptored setups
to be blob-free if coreboot does not require binary blobs.

In this paradigm, microcode updates are not considered to be
binary blobs, because they aren't technically software, they're
more like config files that just turn certain features on or off
within the CPU.

However, for lbmk purposes, "noblobs" means that, after the ROM
is fully ready to flash on the chip, there will be no blobs in
it (except microcode). So for example, an X200 that does not
require ME firmware is considered blob-free under this paradigm,
even though Libreboot policy regards X230 as equally libre when
me_cleaner is used; in this setup, ROMs will not contain "blobfree"
in the filename, for X230 (as one example).

Signed-off-by: Leah Rowe <leah@libreboot.org>
---
 resources/scripts/build/boot/roms_helper | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

(limited to 'resources/scripts/build/boot')

diff --git a/resources/scripts/build/boot/roms_helper b/resources/scripts/build/boot/roms_helper
index 02d8f61f..d87942d0 100755
--- a/resources/scripts/build/boot/roms_helper
+++ b/resources/scripts/build/boot/roms_helper
@@ -60,6 +60,10 @@ cbfstool=""
 corebootrom=""
 seavgabiosrom=""
 
+# almost all boards will set at least one of these to "n"
+blobs_required=""
+microcode_required=""
+
 CROSS_COMPILE=""
 
 main()
@@ -172,6 +176,14 @@ load_config()
 			[ "${uboot_config}" = "undefined" ]; then
 		uboot_config="default"
 	fi
+	if [ "${microcode_required}" != "n" ] \
+			&& [ "${microcode_required}" != "y" ]; then
+		microcode_required="y"
+	fi
+	if [ "${blobs_required}" != "n" ] \
+			&& [ "${blobs_required}" != "y" ]; then
+		blobs_required="y"
+	fi
 
 	load_config_overrides
 	die_if_cbconfig_and_nopayload
@@ -689,6 +701,10 @@ moverom()
 	_newrom="$2"
 	cuttype="$3"
 
+	if [ "${blobs_required}" = "n" ]; then
+		_newrom="${_newrom%.rom}_noblobs.rom"
+	fi
+
 	printf "\nCreating new ROM image: %s\n" "${_newrom}"
 
 	cp ${rompath} ${_newrom}
@@ -701,7 +717,6 @@ moverom()
 				seek=$(($(stat -c %s ${_newrom}) - 0x20000)) \
 				count=64k conv=notrunc
 		rm -f top64k.bin
-		return 0
 	fi
 
 	for romsize in 4 8 16; do
@@ -723,6 +738,21 @@ moverom()
 					conv=notrunc
 		done
 	done
+
+	if [ "${microcode_required}" = "n" ]; then
+		_newrom_b="${_newrom%.rom}_nomicrocode.rom"
+		cp "${_newrom}" "${_newrom_b}" || exit 1
+		microcode_present="y"
+		"${cbfstool}" "${_newrom_b}" remove -n \
+				cpu_microcode_blob.bin || microcode_present="n"
+		if [ "${microcode_present}" = "n" ]; then
+			rm -f "${_newrom_b}" || exit 1
+			printf "REMARK: '%s' already lacks microcode\n" \
+					${_newrom}
+			printf "Renaming default ROM file instead.\n"
+			mv "${_newrom}" "${_newrom_b}" || exit 1
+		fi
+	fi
 }
 
 main $@
-- 
cgit v1.2.1