1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
From 273fec95778f53a622ff1e2a64c15b74813f48d2 Mon Sep 17 00:00:00 2001
From: Leah Rowe <leah@libreboot.org>
Date: Sun, 28 Sep 2025 03:17:50 +0100
Subject: [PATCH 1/1] Subject: [PATCH 1/1] Add a -p option (skip FPTR checks)
if you pass -k (keep fptr modules), don't use -r, don't
use -t, you can essentially just use me_cleaner to
extract a ME image without changing it. this is useful
when for example, you just want to set the HAP bit.
however, me_cleaner still performs a FPTR check.
on some newer ME versions, it's always invalid according
to me_cleaner, because for example it doesn't handle
ME16 very well yet.
this patch adds an option to override the FPTR check
either pass -p or --pass-fptr
NOTE: we probably won't use this on coreboot's me_cleaner,
which is the corna version. we only need it on the newer
me_cleaner versions for e.g. ME16, on certain setups.
still, it's best to have the patch here too, just in case.
Signed-off-by: Leah Rowe <leah@libreboot.org>
---
util/me_cleaner/me_cleaner.py | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/util/me_cleaner/me_cleaner.py b/util/me_cleaner/me_cleaner.py
index fae5e56732..228bac899f 100755
--- a/util/me_cleaner/me_cleaner.py
+++ b/util/me_cleaner/me_cleaner.py
@@ -246,8 +246,10 @@ def check_partition_signature(f, offset):
return "{:#x}".format(decrypted_sig).endswith(sha256.hexdigest()) # FIXME
-def print_check_partition_signature(f, offset):
- if check_partition_signature(f, offset):
+def print_check_partition_signature(f, offset, pass_fptr):
+ if pass_fptr:
+ print("Skipping FPTR checks because the user told us to")
+ elif check_partition_signature(f, offset):
print("VALID")
else:
print("INVALID!!")
@@ -486,6 +488,8 @@ if __name__ == "__main__":
"--extract-me)", action="store_true")
parser.add_argument("-k", "--keep-modules", help="don't remove the FTPR "
"modules, even when possible", action="store_true")
+ parser.add_argument("-p", "--pass-fptr", help="skip FTPR signature checks"
+ "regardless of other operations", action="store_true")
bw_list.add_argument("-w", "--whitelist", metavar="whitelist",
help="Comma separated list of additional partitions "
"to keep in the final image. This can be used to "
@@ -871,12 +875,14 @@ if __name__ == "__main__":
print("Checking the FTPR RSA signature of the extracted ME "
"image... ", end="")
print_check_partition_signature(mef_copy,
- ftpr_offset + ftpr_mn2_offset)
+ ftpr_offset + ftpr_mn2_offset,
+ args.pass_fptr)
mef_copy.close()
if not me6_ignition:
print("Checking the FTPR RSA signature... ", end="")
- print_check_partition_signature(mef, ftpr_offset + ftpr_mn2_offset)
+ print_check_partition_signature(mef, ftpr_offset + ftpr_mn2_offset,
+ args.pass_fptr)
f.close()
--
2.47.3
|
