diff --git a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy index 9f97e251..8736c316 100644 --- a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy +++ b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy @@ -154,12 +154,24 @@ backup() { echo "Backing up BIOS firmware and store it locally..." echo "Remember that firmware is also backed up in HCL report." - # On MSI boards some regions may be not available so we need to use specific - # ones - if [ "$BOARD_VENDOR" == "Micro-Star International Co., Ltd." ] && [ "$SYSTEM_MODEL" == "MS-7E06" ]; then - FLASHROM_ADD_OPT_READ="--ifd -i fd -i me -i bios" + check_intel_regions + if [ $BOARD_HAS_FD_REGION -ne 0 ]; then + # Use safe defaults. Descriptor may contain additional regions not detected + # by flashrom and will return failure when attempted to be read. BIOS and + # Flash descriptor regions should always be readable. If not, then we have + # some ugly case, hard to deal with. + FLASHROM_ADD_OPT_READ="--ifd -i fd -i bios" + if [ $BOARD_HAS_ME_REGION -ne 0 ] && [ $BOARD_ME_REGION_LOCKED -eq 0 ]; then + # ME region is not locked, read it as well + FLASHROM_ADD_OPT_READ+=" -i me" + fi + if [ $BOARD_HAS_GBE_REGION -ne 0 ] && [ $BOARD_GBE_REGION_LOCKED -eq 0 ]; then + # GBE region is present and not locked, read it as well + FLASHROM_ADD_OPT_READ+=" -i gbe" + fi else - FLASHROM_ADD_OPT_READ=" " + # No descriptor, probably safe to read everything + FLASHROM_ADD_OPT_READ="" fi flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r "${FW_BACKUP_DIR}"/rom.bin ${FLASHROM_ADD_OPT_READ} >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to read BIOS firmware backup" @@ -185,11 +197,23 @@ backup() { } romhole_migration() { - echo "Beginning ROM hole migration process..." - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r /tmp/rom.bin ${FLASHROM_ADD_OPT_READ} >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE - dd if=/tmp/rom.bin of=/tmp/romhole.bin skip=$((0x17C0000)) bs=128K count=1 iflag=skip_bytes - echo "Migrate to ROMHOLE section." - cbfstool "$BIOS_UPDATE_FILE" write -r ROMHOLE -f /tmp/romhole.bin -u + cbfstool $BIOS_UPDATE_FILE layout -w | grep -q "ROMHOLE" || return + + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r /tmp/rom.bin --ifd -i bios >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to read current firmware to migrate MSI ROMHOLE" + if check_if_dasharo; then + cbfstool /tmp/rom.bin layout -w | grep -q "ROMHOLE" || return + # This one is rather unlikely to fail, but just in case print a warning + cbfstool /tmp/rom.bin read -r ROMHOLE -f /tmp/romhole.bin 2> /dev/null + if [ $? -ne 0 ]; then + print_warning "Failed to migrate MSI ROMHOLE, your platform's unique SMBIOS/DMI data may be lost" + return + else + else + dd if=/tmp/rom.bin of=/tmp/romhole.bin skip=$((0x17C0000)) bs=128K count=1 iflag=skip_bytes > /dev/null 2>&1 + fi + + cbfstool "$BIOS_UPDATE_FILE" write -r ROMHOLE -f /tmp/romhole.bin -u 2> /dev/null } smbios_migration() { @@ -255,6 +279,33 @@ resign_binary() { fi } +check_vboot_keys() { + if [ "$HAVE_VBOOT" -eq 0 ]; then + # If we flash whole BIOS region, no need to check if keys match + grep -q "\-\-ifd" <<< "$FLASHROM_ADD_OPT_UPDATE" && grep -q "\-i bios" <<< "$FLASHROM_ADD_OPT_UPDATE" && return + # No FMAP flashing? Also skip + grep -q "\-\-fmap" <<< "$FLASHROM_ADD_OPT_UPDATE" || return + + BINARY_KEYS=$(CBFSTOOL=$(which cbfstool) futility show $BIOS_UPDATE_FILE| grep -i 'key sha1sum') + + if [ $BOARD_HAS_FD_REGION -eq 0 ]; then + FLASHROM_ADD_OPT_READ="" + else + FLASHROM_ADD_OPT_READ="--ifd -i bios" + fi + echo "Checking vboot keys." + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_READ} -r /tmp/bios.bin > /dev/null 2>/dev/null + if [ $? -eq 0 ] && [ -f "/tmp/bios.bin" ]; then + FLASH_KEYS=$(CBFSTOOL=$(which cbfstool) futility show /tmp/bios.bin | grep -i 'key sha1sum') + diff <(echo "$BINARY_KEYS") <(echo "$FLASH_KEYS") > /dev/null 2>&1 + # If keys are different we must additionally flash at least GBB region as well + if [ $? -ne 0 ]; then + FLASHROM_ADD_OPT_UPDATE+=" -i GBB" + fi + fi + fi +} + blob_transmission() { echo "Extracting the UEFI image from BIOS update" wget -O "$DBT_BIOS_UPDATE_FILENAME" --user-agent='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' "$DBT_BIOS_UPDATE_URL" >> $ERR_LOG_FILE 2>&1 @@ -320,6 +371,11 @@ install() { check_flash_lock verify_artifacts bios + check_intel_regions + check_blobs_in_binary $BIOS_UPDATE_FILE + check_if_me_disabled + set_intel_regions_update_params "-N --ifd -i bios" + if [ "$HAVE_EC" = "true" ]; then echo "Checking for Open Source Embedded Controller firmware" dasharo_ectool info >> $ERR_LOG_FILE 2>&1 @@ -356,7 +412,7 @@ install() { fi echo "Installing Dasharo firmware..." - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_DEPLOY} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to install Dasharo firmware" print_green "Successfully installed Dasharo firmware" @@ -469,10 +525,60 @@ update() { bootsplash_migration fi + cbfstool "$BIOS_UPDATE_FILE" extract -r COREBOOT -n config -f "$BIOS_UPDATE_CONFIG_FILE" + grep -q "CONFIG_VBOOT=y" "$BIOS_UPDATE_CONFIG_FILE" + HAVE_VBOOT="$?" + + check_intel_regions + check_blobs_in_binary $BIOS_UPDATE_FILE + check_if_me_disabled + set_flashrom_update_params $BIOS_UPDATE_FILE + set_intel_regions_update_params "-N --ifd" + check_vboot_keys + echo "Updating Dasharo firmware..." - print_warning "This will take around 3 minutes. Please be patient and do not reset your computer, or touch the keyboard!" - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE - error_check "Failed to update Dasharo firmware" + print_warning "This may take several minutes. Please be patient and do not reset your computer, or touch the keyboard!" + + # FLASHROM_ADD_OPT_UPDATE_OVERRIDE takes priority over auto-detected update params. + # It set only by platform-specific and firmware version-specific conditions + if [ -v FLASHROM_ADD_OPT_UPDATE_OVERRIDE ]; then + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE_OVERRIDE} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to update Dasharo firmware" + else + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to update Dasharo firmware" + + if [ $BINARY_HAS_RW_B -eq 0 ]; then + echo "Updating second firmware partition..." + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} --fmap -N -i RW_SECTION_B -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to update second firmware partition" + fi + fi + + # We use FLASHROM_ADD_OPT_REGIONS for updating ME and IFD. + # If FLASHROM_ADD_OPT_REGIONS remains the same after + # set_intel_regions_update_params or is cleared, it means + # we either cannot update any region, or were not allowed to, + # or platform has no descriptor. + if [ "$FLASHROM_ADD_OPT_REGIONS" != "-N --ifd" ] && [ "$FLASHROM_ADD_OPT_REGIONS" != "" ]; then + UPDATE_STRING="" + grep -q "\-i fd" <<< "$FLASHROM_ADD_OPT_REGIONS" + UPDATE_IFD=$? + grep -q "\-i me" <<< "$FLASHROM_ADD_OPT_REGIONS" + UPDATE_ME=$? + if [ $UPDATE_IFD -eq 0 ]; then + UPDATE_STRING+="Flash Descriptor" + if [ $UPDATE_ME -eq 0 ]; then + UPDATE_STRING+=" and " + fi + fi + if [ $UPDATE_ME -eq 0 ]; then + UPDATE_STRING+="Managment Engine" + fi + echo "Updating $UPDATE_STRING" + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to update $UPDATE_STRING" + fi if [ "$HAVE_EC" = "true" ]; then echo "Dasharo EC update process will start in a moment." @@ -546,22 +652,29 @@ restore() { tar -zxf "$HCL_REPORT_PACKAGE" -C /tmp echo "Restoring BIOS firmware..." if [ -f "/tmp/logs/rom.bin" ]; then - # Write to entire flash when restoring, ask if user want to restore print_green "Found $HCL_REPORT_PACKAGE" read -p "Do you want to restore firmware from the given HCL report? [N/y] " case ${REPLY} in yes|y|Y|Yes|YES) - check_flash_lock - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE - error_check "Failed to restore BIOS firmware! You can try one more time." - print_green "Successfully restored firmware" - echo "Returning to main menu..." - exit 0 - ;; + # Ideally we would like to write the entire flash when restoring, + # but in reality we may face locked or unaccessible regions. + # To be on the safe side, flash whatever can be flashed by determining + # what is writable. + check_flash_lock + check_intel_regions + check_blobs_in_binary /tmp/logs/rom.bin + check_if_me_disabled + set_intel_regions_update_params "-N --ifd -i bios" + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to restore BIOS firmware! You can try one more time." + print_green "Successfully restored firmware" + echo "Returning to main menu..." + exit 0 + ;; *) - echo "Returning to main menu..." - exit 0 - ;; + echo "Returning to main menu..." + exit 0 + ;; esac else print_error "Report does not have firmware backup!" @@ -583,9 +696,16 @@ restore() { tar -zxf "$HCL_REPORT_PACKAGE" -C /tmp echo "Restoring BIOS firmware..." if [ -f "/tmp/logs/rom.bin" ]; then - # Write to entire flash when restoring + # Ideally we would like to write the entire flash when restoring, + # but in reality we may face locked or unaccessible regions. + # To be on the safe side, flash whatever can be flashed by determining + # what is writable. check_flash_lock - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + check_intel_regions + check_blobs_in_binary /tmp/logs/rom.bin + check_if_me_disabled + set_intel_regions_update_params "-N --ifd -i bios" + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to restore BIOS firmware! You can try one more time." print_green "Successfully restored firmware" else diff --git a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh index d2c9bba8..981734ba 100644 --- a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh +++ b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh @@ -178,17 +178,17 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="ite_ec" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" if check_if_dasharo; then # if v1.5.1 or older, flash the whole bios region + # TODO: Let DTS determine which parameters are suitable. + # FIXME: Can we ever get rid of that? We change so much in each release, + # that we almost always need to flash whole BIOS regions + # because of non-backward compatbile or breaking changes. compare_versions $DASHARO_VERSION 1.5.2 if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.5.2 NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.5.2 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A" + FLASHROM_ADD_OPT_UPDATE_OVERRIDE="--ifd -i bios" fi fi ;; @@ -211,17 +211,17 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="ite_ec" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" if check_if_dasharo; then - # if v1.5.0 or older, flash the whole bios region + # if v1.5.1 or older, flash the whole bios region + # TODO: Let DTS determine which parameters are suitable. + # FIXME: Can we ever get rid of that? We change so much in each release, + # that we almost always need to flash whole BIOS regions + # because of non-backward compatbile or breaking changes. compare_versions $DASHARO_VERSION 1.5.1 if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.5.1 NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.5.1 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A" + FLASHROM_ADD_OPT_UPDATE_OVERRIDE="--ifd -i bios" fi fi ;; @@ -243,17 +243,17 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="ite_ec" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" if check_if_dasharo; then - # if v1.7.1 or older, flash the whole bios region + # if v1.7.2 or older, flash the whole bios region + # TODO: Let DTS determine which parameters are suitable. + # FIXME: Can we ever get rid of that? We change so much in each release, + # that we almost always need to flash whole BIOS regions + # because of non-backward compatbile or breaking changes. compare_versions $DASHARO_VERSION 1.7.2 if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.7.2 NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.7.2 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A" + FLASHROM_ADD_OPT_UPDATE_OVERRIDE="--ifd -i bios" fi fi ;; @@ -276,18 +276,17 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="ite_ec" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" if check_if_dasharo; then - # if v1.7.1 or older, flash the whole bios region + # if v1.7.2 or older, flash the whole bios region + # TODO: Let DTS determine which parameters are suitable. + # FIXME: Can we ever get rid of that? We change so much in each release, + # that we almost always need to flash whole BIOS regions + # because of non-backward compatbile or breaking changes. compare_versions $DASHARO_VERSION 1.7.2 if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.7.2 NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.7.2 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A" - fi + FLASHROM_ADD_OPT_UPDATE_OVERRIDE="--ifd -i bios" fi ;; *) @@ -318,20 +317,7 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" - if check_if_dasharo; then - # if v1.1.1 or older, flash the whole bios region, as per: - # https://docs.dasharo.com/variants/msi_z690/firmware-update/#version-older-than-v110 - compare_versions $DASHARO_VERSION 1.1.2 - if [ $? -eq 1 ]; then - # For Dasharo version lesser than 1.1.2 - NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.1.2 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A -i RW_SECTION_B" - fi - fi + NEED_ROMHOLE_MIGRATION="true" ;; "PRO Z690-A WIFI (MS-7D25)" | "PRO Z690-A (MS-7D25)") DASHARO_REL_NAME="msi_ms7d25" @@ -352,20 +338,7 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" - if check_if_dasharo; then - # if v1.1.1 or older, flash the whole bios region, as per: - # https://docs.dasharo.com/variants/msi_z690/firmware-update/#version-older-than-v110 - compare_versions $DASHARO_VERSION 1.1.2 - if [ $? -eq 1 ]; then - # For Dasharo version lesser than 1.1.2 - NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.1.2 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A -i RW_SECTION_B" - fi - fi + NEED_ROMHOLE_MIGRATION="true" ;; *) error_exit "Board model $BOARD_MODEL is currently not supported" @@ -393,11 +366,7 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - FLASHROM_ADD_OPT_DEPLOY="-N --ifd -i bios" - FLASHROM_ADD_OPT_READ="--ifd -i fd -i me -i bios" - if ! check_if_dasharo; then - NEED_ROMHOLE_MIGRATION="true" - fi + NEED_ROMHOLE_MIGRATION="true" ;; "PRO Z790-P WIFI (MS-7E06)" | "PRO Z790-P (MS-7E06)") DASHARO_REL_NAME="msi_ms7e06" @@ -418,11 +387,7 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - FLASHROM_ADD_OPT_DEPLOY="-N --ifd -i bios" - FLASHROM_ADD_OPT_READ="--ifd -i fd -i me -i bios" - if ! check_if_dasharo; then - NEED_ROMHOLE_MIGRATION="true" - fi + NEED_ROMHOLE_MIGRATION="true" ;; *) error_exit "Board model $BOARD_MODEL is currently not supported" @@ -741,3 +706,211 @@ verify_artifacts() { fi print_green "Done" } + +check_intel_regions() { + + FLASH_REGIONS=$(flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} 2>&1) + BOARD_HAS_FD_REGION=0 + BOARD_FD_REGION_RW=0 + BOARD_HAS_ME_REGION=0 + BOARD_ME_REGION_RW=0 + BOARD_ME_REGION_LOCKED=0 + BOARD_HAS_GBE_REGION=0 + BOARD_GBE_REGION_RW=0 + BOARD_GBE_REGION_LOCKED=0 + + grep -q "Flash Descriptor region" <<< "$FLASH_REGIONS" && BOARD_HAS_FD_REGION=1 + grep -qE "Flash Descriptor region.*read-write" <<< "$FLASH_REGIONS" && BOARD_FD_REGION_RW=1 + + grep -q "Management Engine region" <<< "$FLASH_REGIONS" && BOARD_HAS_ME_REGION=1 + grep -qE "Management Engine region.*read-write" <<< "$FLASH_REGIONS" && BOARD_ME_REGION_RW=1 + grep -qE "Management Engine region.*locked" <<< "$FLASH_REGIONS" && BOARD_ME_REGION_LOCKED=1 + + grep -q "Gigabit Ethernet region" <<< "$FLASH_REGIONS" && BOARD_HAS_GBE_REGION=1 + grep -qE "Gigabit Ethernet region.*read-write" <<< "$FLASH_REGIONS" && BOARD_GBE_REGION_RW=1 + grep -qE "Gigabit Ethernet region.*locked" <<< "$FLASH_REGIONS" && BOARD_GBE_REGION_LOCKED=1 +} + +check_blobs_in_binary() { + BINARY_HAS_FD=0 + BINARY_HAS_ME=0 + + # If there is no descriptor, there is no ME as well, so skip the check + if [ $BOARD_HAS_FD_REGION -ne 0 ]; then + ME_OFFSET=$(ifdtool -d $1 2> /dev/null | grep "Flash Region 2 (Intel ME):" | sed 's/Flash Region 2 (Intel ME)\://' |awk '{print $1;}') + # Check for IFD signature at offset 0 (old descriptors) + if [ $(tail -c +0 $1|head -c 4|xxd -ps) == "5aa5f00f" ]; then + BINARY_HAS_FD=1 + fi + # Check for IFD signature at offset 16 (new descriptors) + if [ $(tail -c +17 $1|head -c 4|xxd -ps) == "5aa5f00f" ]; then + BINARY_HAS_FD=1 + fi + # Check for ME FPT signature at ME offset + 16 (old ME) + if [ $(tail -c +$((0x$ME_OFFSET + 17)) $1|head -c 4|tr -d '\0') == "\$FPT" ]; then + BINARY_HAS_ME=1 + fi + # Check for aa55 signature at ME offset + 4096 (new ME) + if [ $(tail -c +$((0x$ME_OFFSET + 4097)) $1|head -c 2|xxd -ps) == "aa55" ]; then + BINARY_HAS_ME=1 + fi + fi +} + +check_if_me_disabled() { + + ME_DISABLED=0 + + if [ $BOARD_HAS_ME_REGION -eq 0 ]; then + # No ME region + ME_DISABLED=1 + return + fi + + # Check if HECI present + # FIXME: what if HECI is not device 16.0? + if [ -d /sys/class/pci_bus/0000:00/device/0000:00:16.0 ]; then + # Check ME Current Operation Mode at offset 0x40 bits 19:16 + ME_OPMODE="$(setpci -s 00:16.0 42.B 2> /dev/null | cut -c2-)" + if [ $ME_OPMODE == "0" ]; then + echo "ME is not disabled" >> $ERR_LOG_FILE + return + elif [ $ME_OPMODE == "2" ]; then + echo "ME is disabled (HAP/Debug Mode)" >> $ERR_LOG_FILE + ME_DISABLED=1 + return + elif [ $ME_OPMODE == "3" ]; then + echo "ME is soft disabled (HECI)" >> $ERR_LOG_FILE + ME_DISABLED=1 + return + elif [ $ME_OPMODE == "4" ]; then + echo "ME disabled by Security Override Jumper/FDOPS" >> $ERR_LOG_FILE + ME_DISABLED=1 + return + elif [ $ME_OPMODE == "5" ]; then + echo "ME disabled by Security Override MEI Message/HMRFPO" >> $ERR_LOG_FILE + ME_DISABLED=1 + return + elif [ $ME_OPMODE == "6" ]; then + echo "ME disabled by Security Override MEI Message/HMRFPO" >> $ERR_LOG_FILE + ME_DISABLED=1 + return + elif [ $ME_OPMODE == "7" ]; then + echo "ME disabled (Enhanced Debug Mode) or runs Ignition FW" >> $ERR_LOG_FILE + ME_DISABLED=1 + return + else + print_warning "Unknown ME operation mode, assuming enabled." + echo "Unknown ME operation mode, assuming enabled." >> $ERR_LOG_FILE + return + fi + else + # If we are running coreboot, check for status in logs + cbmem -1 | grep -q "ME is disabled" && ME_DISABLED=1 && return # HECI (soft) disabled + cbmem -1 | grep -q "ME is HAP disabled" && ME_DISABLED=1 && return # HAP disabled + # TODO: If proprietary BIOS, then also try to check SMBIOS for ME FWSTS + # BTW we could do the same in coreboot, expose FWSTS in SMBIOS before it + # gets disabled + print_warning "Can not determine if ME is disabled, assuming enabled." + echo "Can not determine if ME is disabled, assuming enabled." >> $ERR_LOG_FILE + fi +} + +force_me_update() { + echo + print_warning "Flashing ME when not in disabled state may cause unexpected power management issues." + print_warning "Recovering from such state may require removal of AC power supply and resetting CMOS battery." + print_warning "Keeping an older version of ME may cause a CPU to perform less efficient, e.g. if upgraded the CPU to a newer generation." + print_warning "You have been warned." + while : ; do + echo + read -r -p "Skip ME flashing and proceed with BIOS/firmware flashing/udpating? (Y|n) " OPTION + echo + + case ${OPTION} in + yes|y|Y|Yes|YES) + print_warning "Proceeding without ME flashing, because we were asked to." + break + ;; + n|N) + error_exit "Cancelling flashing process..." + ;; + *) + ;; + esac + done +} + +set_flashrom_update_params() { + # Safe defaults which should always work + if [ $BOARD_HAS_FD_REGION -eq 0 ]; then + FLASHROM_ADD_OPT_UPDATE="" + else + FLASHROM_ADD_OPT_UPDATE="-N --ifd -i bios" + fi + BINARY_HAS_RW_B=0 + # We need to read whole binary (or BIOS region), otherwise cbfstool will + # return different attributes for CBFS regions + echo "Checking flash layout." + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE} -r /tmp/bios.bin > /dev/null 2>&1 + if [ $? -eq 0 ] && [ -f "/tmp/bios.bin" ]; then + BOARD_FMAP_LAYOUT=$(cbfstool /tmp/bios.bin layout -w 2> /dev/null) + BINARY_FMAP_LAYOUT=$(cbfstool $1 layout -w 2> /dev/null) + diff <(echo "$BOARD_FMAP_LAYOUT") <(echo "$BINARY_FMAP_LAYOUT") > /dev/null 2>&1 + # If layout is identical, perform standard update using FMAP only + if [ $? -eq 0 ]; then + # Simply update RW_A fmap region if exists + grep -q "RW_SECTION_A" <<< $BINARY_FMAP_LAYOUT + if [ $? -eq 0 ]; then + FLASHROM_ADD_OPT_UPDATE="-N --fmap -i RW_SECTION_A" + else + # RW_A does not exists, it means no vboot. Update COREBOOT region only + FLASHROM_ADD_OPT_UPDATE="-N --fmap -i COREBOOT" + fi + # If RW_B present, use this variable later to perform 2-step update + grep -q "RW_SECTION_B" <<< $BINARY_FMAP_LAYOUT && BINARY_HAS_RW_B=1 + fi + else + print_warning "Could not read the FMAP region" + echo "Could not read the FMAP region" >> $ERR_LOG_FILE + fi +} + +set_intel_regions_update_params() { + if [ $BOARD_HAS_FD_REGION -eq 0 ]; then + # No FD on board, so no further flashing + FLASHROM_ADD_OPT_REGIONS="" + else + # Safe defaults, only BIOS region and do not verify all regions, + # as some of them may not be readable. First argument is the initial + # params. + FLASHROM_ADD_OPT_REGIONS=$1 + + if [ $BINARY_HAS_FD -ne 0 ]; then + if [ $BOARD_FD_REGION_RW -ne 0 ]; then + # FD writable and the binary provides FD, safe to flash + FLASHROM_ADD_OPT_REGIONS+=" -i fd" + else + print_error "The firmware binary to be flashed contains Flash Descriptor (FD), but FD is not writable!" + print_warning "Proceeding without FD flashing, as it is not critical." + echo "The firmware binary contains Flash Descriptor (FD), but FD is not writable!" >> $ERR_LOG_FILE + fi + fi + + if [ $BINARY_HAS_ME -ne 0 ]; then + if [ $BOARD_ME_REGION_RW -ne 0 ]; then + # ME writable and the binary provides ME, safe to flash if ME disabled + if [ $ME_DISABLED -eq 1 ]; then + FLASHROM_ADD_OPT_REGIONS+=" -i me" + else + echo "The firmware binary to be flashed contains Management Engine (ME), but ME is not disabled!" >> $ERR_LOG_FILE + print_error "The firmware binary contains Management Engine (ME), but ME is not disabled!" + force_me_update + fi + else + echo "The firmware binary to be flashed contains Management Engine (ME), but ME is not writable!" >> $ERR_LOG_FILE + print_error "The firmware binary contains Management Engine (ME), but ME is not writable!" + fi + fi + fi +} diff --git a/meta-dts-distro/recipes-dts/reports/dasharo-hcl-report/dasharo-hcl-report b/meta-dts-distro/recipes-dts/reports/dasharo-hcl-report/dasharo-hcl-report index 0f2d3ab3..60832434 100755 --- a/meta-dts-distro/recipes-dts/reports/dasharo-hcl-report/dasharo-hcl-report +++ b/meta-dts-distro/recipes-dts/reports/dasharo-hcl-report/dasharo-hcl-report @@ -168,11 +168,24 @@ update_result "Input bus types" logs/ioports.err.log printf '################################ |\r' # echo "Trying to read firmware image with flashrom..." -# On MSI boards some regions may be not available so we need to use specific -# ones -if [ "$BOARD_VENDOR" == "Micro-Star International Co., Ltd." ] && [ "$SYSTEM_MODEL" == "MS-7E06" ]; then - FLASHROM_ADD_OPT_READ="--ifd -i fd -i me -i bios" +# Some regions may be not available so we need to use specific regions to read +check_intel_regions +if [ $BOARD_HAS_FD_REGION -eq 0 ]; then + # Use safe defaults. Descriptor may contain additional regions not detected + # by flashrom and will return failure when attempted to be read. BIOS and + # Flash descriptor regions should always be readable. If not, then we have + # some ugly case, hard to deal with. + FLASHROM_ADD_OPT_READ="--ifd -i fd -i bios" + if [ $BOARD_HAS_ME_REGION -eq 0 ] && [ $BOARD_ME_REGION_LOCKED -ne 0 ]; then + # ME region is not locked, read it as well + FLASHROM_ADD_OPT_READ+=" -i me" + fi + if [ $BOARD_HAS_GBE_REGION -eq 0 ] && [ $BOARD_GBE_REGION_LOCKED -ne 0 ]; then + # GBE region is present and not locked, read it as well + FLASHROM_ADD_OPT_READ+=" -i gbe" + fi else + # No descriptor, probably safe to read everything FLASHROM_ADD_OPT_READ=" " fi flashrom -V -p internal:laptop=force_I_want_a_brick ${FLASH_CHIP_SELECT} -r logs/rom.bin ${FLASHROM_ADD_OPT_READ} > logs/flashrom_read.log 2> logs/flashrom_read.err.log