From d5054bc2f8b786be491b03bd1e9a19dbfd742cd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Mon, 11 Dec 2023 17:43:02 +0100 Subject: [PATCH 1/9] meta-dts-distro/recipes-dts: Add checks for readable and flashable regions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Żygowski --- .../dts/dasharo-deploy/dasharo-deploy | 68 +++++-- .../recipes-dts/dts/dts/dts-functions.sh | 191 +++++++++++++++++- .../dasharo-hcl-report/dasharo-hcl-report | 21 +- 3 files changed, 248 insertions(+), 32 deletions(-) diff --git a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy index 9f97e251..d8013898 100644 --- a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy +++ b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy 
@@ -154,11 +154,23 @@ backup() { echo "Backing up BIOS firmware and store it locally..." echo "Remember that firmware is also backed up in HCL report." - # On MSI boards some regions may be not available so we need to use specific - # ones - if [ "$BOARD_VENDOR" == "Micro-Star International Co., Ltd." ] && [ "$SYSTEM_MODEL" == "MS-7E06" ]; then - FLASHROM_ADD_OPT_READ="--ifd -i fd -i me -i bios" + check_intel_regions + if [ $BOARD_HAS_FD_REGION -eq 0 ]; then + # Use safe defaults. Descriptor may contain additional regions not detected + # by flashrom and will return failure when attempted to be read. BIOS and + # Flash descriptor regions should always be readable. If not, then we have + # some ugly case, hard to deal with. + FLASHROM_ADD_OPT_READ="--ifd -i fd -i bios" + if [ $BOARD_HAS_ME_REGION -eq 0 ] && [ $BOARD_ME_REGION_LOCKED -ne 0 ]; then + # ME region is not locked, read it as well + FLASHROM_ADD_OPT_READ+=" -i me" + fi + if [ $BOARD_HAS_GBE_REGION -eq 0 ] && [ $BOARD_GBE_REGION_LOCKED -ne 0 ]; then + # GBE region is present and not locked, read it as well + FLASHROM_ADD_OPT_READ+=" -i gbe" + fi else + # No descriptor, probably safe to read everything FLASHROM_ADD_OPT_READ=" " fi flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r "${FW_BACKUP_DIR}"/rom.bin ${FLASHROM_ADD_OPT_READ} >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE @@ -186,7 +198,7 @@ backup() { romhole_migration() { echo "Beginning ROM hole migration process..." - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r /tmp/rom.bin ${FLASHROM_ADD_OPT_READ} >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r /tmp/rom.bin --ifd -i bios >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE dd if=/tmp/rom.bin of=/tmp/romhole.bin skip=$((0x17C0000)) bs=128K count=1 iflag=skip_bytes echo "Migrate to ROMHOLE section." cbfstool "$BIOS_UPDATE_FILE" write -r ROMHOLE -f /tmp/romhole.bin -u 
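Review bot: When the ME or GbE region is present but reported locked, the new block in backup() drops it from `FLASHROM_ADD_OPT_READ` without telling the user or the log, so `rom.bin` looks like a full backup but does not contain those regions. An extra arm such as `elif [ $BOARD_HAS_ME_REGION -eq 0 ]; then echo "ME region locked, not included in backup" >> $ERR_LOG_FILE` (and the same for GbE) would record what the backup actually covers. The identical block added to dasharo-hcl-report (`@@ -168,11 +168,24 @@`) has the same gap. backup() starts and ends outside the hunk.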
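Review bot: The read into `/tmp/rom.bin` is not followed by a status check, so if flashrom fails with the new `--ifd -i bios` arguments, the `dd` and `cbfstool ... write -r ROMHOLE` steps still run on whatever file is at that path. Adding `error_check "Failed to read BIOS region for ROM hole migration"` directly after the flashrom line would stop the migration before a stale or empty ROM hole is written into the update image. The region list is hard-coded here rather than taken from `check_intel_regions`, which deserves a one-line comment saying why. romhole_migration() continues outside the hunk.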
@@ -320,6 +332,10 @@ install() { check_flash_lock verify_artifacts bios + check_intel_regions + check_blobs_in_binary $BIOS_UPDATE_FILE + check_if_me_disabled + if [ "$HAVE_EC" = "true" ]; then echo "Checking for Open Source Embedded Controller firmware" dasharo_ectool info >> $ERR_LOG_FILE 2>&1 @@ -355,6 +371,8 @@ install() { blob_transmission fi + update_flashrom_params + echo "Installing Dasharo firmware..." flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_DEPLOY} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to install Dasharo firmware" 
@@ -546,22 +564,29 @@ restore() { tar -zxf "$HCL_REPORT_PACKAGE" -C /tmp echo "Restoring BIOS firmware..." if [ -f "/tmp/logs/rom.bin" ]; then - # Write to entire flash when restoring, ask if user want to restore print_green "Found $HCL_REPORT_PACKAGE" read -p "Do you want to restore firmware from the given HCL report? [N/y] " case ${REPLY} in yes|y|Y|Yes|YES) - check_flash_lock - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE - error_check "Failed to restore BIOS firmware! You can try one more time." - print_green "Successfully restored firmware" - echo "Returning to main menu..." - exit 0 - ;; + # Ideally we would like to write the entire flash when restoring, + # but in reality we may face locked or unaccessible regions. + # To be on the safe side, flash whatever can be flashed by determining + # what is writable. + check_flash_lock + check_intel_regions + check_blobs_in_binary /tmp/logs/rom.bin + check_if_me_disabled + update_flashrom_params + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to restore BIOS firmware! You can try one more time." + print_green "Successfully restored firmware" + echo "Returning to main menu..." + exit 0 + ;; *) - echo "Returning to main menu..." - exit 0 - ;; + echo "Returning to main menu..." + exit 0 + ;; esac else print_error "Report does not have firmware backup!" 
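Review bot: In the interactive branch the write still runs as `flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -w "/tmp/logs/rom.bin"`, so the options computed by `update_flashrom_params` are never applied and the whole chip is written, which contradicts the new comment about flashing only what is writable. The line should pass `${FLASHROM_ADD_OPT_DEPLOY}` the way the second restore hunk (`@@ -583,9 +608,16 @@`) does. Separately, the image comes from an archive unpacked with `tar -zxf "$HCL_REPORT_PACKAGE" -C /tmp` and is not checked against this board before the write; comparing its size with the detected flash size would be a cheap guard. The prompt should use `read -r -p`, as force_me_update already does. restore() starts and ends outside the hunk.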
@@ -583,9 +608,16 @@ restore() { tar -zxf "$HCL_REPORT_PACKAGE" -C /tmp echo "Restoring BIOS firmware..." if [ -f "/tmp/logs/rom.bin" ]; then - # Write to entire flash when restoring + # Ideally we would like to write the entire flash when restoring, + # but in reality we may face locked or unaccessible regions. + # To be on the safe side, flash whatever can be flashed by determining + # what is writable. check_flash_lock - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + check_intel_regions + check_blobs_in_binary /tmp/logs/rom.bin + check_if_me_disabled + update_flashrom_params + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_DEPLOY} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to restore BIOS firmware! You can try one more time." print_green "Successfully restored firmware" else diff --git a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh index d2c9bba8..1eda2dc0 100644 --- a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh +++ b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh @@ -178,7 +178,6 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="ite_ec" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" if check_if_dasharo; then # if v1.5.1 or older, flash the whole bios region compare_versions $DASHARO_VERSION 1.5.2 @@ -211,7 +210,6 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="ite_ec" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" if check_if_dasharo; then # if v1.5.0 or older, flash the whole bios region compare_versions $DASHARO_VERSION 1.5.1 
@@ -243,7 +241,6 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="ite_ec" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" if check_if_dasharo; then # if v1.7.1 or older, flash the whole bios region compare_versions $DASHARO_VERSION 1.7.2 @@ -276,7 +273,6 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="ite_ec" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" if check_if_dasharo; then # if v1.7.1 or older, flash the whole bios region compare_versions $DASHARO_VERSION 1.7.2 @@ -318,7 +314,6 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" if check_if_dasharo; then # if v1.1.1 or older, flash the whole bios region, as per: # https://docs.dasharo.com/variants/msi_z690/firmware-update/#version-older-than-v110 @@ -352,7 +347,6 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - FLASHROM_ADD_OPT_DEPLOY="--ifd -i bios" if check_if_dasharo; then # if v1.1.1 or older, flash the whole bios region, as per: # https://docs.dasharo.com/variants/msi_z690/firmware-update/#version-older-than-v110 @@ -393,8 +387,6 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - FLASHROM_ADD_OPT_DEPLOY="-N --ifd -i bios" - FLASHROM_ADD_OPT_READ="--ifd -i fd -i me -i bios" if ! check_if_dasharo; then NEED_ROMHOLE_MIGRATION="true" fi @@ -418,8 +410,6 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - FLASHROM_ADD_OPT_DEPLOY="-N --ifd -i bios" - FLASHROM_ADD_OPT_READ="--ifd -i fd -i me -i bios" if ! check_if_dasharo; then NEED_ROMHOLE_MIGRATION="true" fi 
@@ -741,3 +731,184 @@ verify_artifacts() {
 fi
 print_green "Done"
 }
+
+check_intel_regions() {
+
+ FLASH_REGIONS=$(flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} 2> /dev/null)
+
+ # 0 will mean that region is present/writable, else
+
+ grep -q "Flash Descriptor region" "$FLASH_REGIONS"
+ BOARD_HAS_FD_REGION=$?
+ grep -qE "Flash Descriptor region.*read-write" "$FLASH_REGIONS"
+ BOARD_FD_REGION_RW=$?
+
+ grep -q "Management Engine region" "$FLASH_REGIONS"
+ BOARD_HAS_ME_REGION=$?
+ grep -qE "Management Engine region.*read-write" "$FLASH_REGIONS"
+ BOARD_ME_REGION_RW=$?
+ grep -qE "Management Engine region.*locked" "$FLASH_REGIONS"
+ BOARD_ME_REGION_LOCKED=$?
+
+ grep -q "Gigabit Ethernet region" "$FLASH_REGIONS"
+ BOARD_HAS_GBE_REGION=$?
+ grep -qE "Gigabit Ethernet region.*read-write" "$FLASH_REGIONS"
+ BOARD_GBE_REGION_RW=$?
+ grep -qE "Gigabit Ethernet region.*locked" "$FLASH_REGIONS"
+ BOARD_GBE_REGION_LOCKED=$?
+}
+
+check_blobs_in_binary() {
+
+ # Non-zero value means no FD/ME for consistency with Intel regions
+ # presence from check_intel_regions
+ BINARY_HAS_FD=1
+ BINARY_HAS_ME=1
+
+ # If there is no descriptor, there is no ME as well, so skip the check
+ if [ $BOARD_HAS_FD_REGION -eq 0 ]; then
+ flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} --ifd -i fd -r /tmp/descriptor.bin > /dev/null 2>&1
+ if [ $? -eq 0 ] && [ -f "/tmp/descriptor.bin" ]; then
+ ME_OFFSET=$(ifdtool -d /tmp/descriptor.bin | grep "Flash Region 2 (Intel ME):" | sed 's/Flash Region 2 (Intel ME)\://' |awk '{print $1;}')
+ # Check for IFD signature at offset 0 (old descriptors)
+ if [ $(tail -c +0 $1|head -c 2|xxd -ps) == "5aa5f00f"]; then
+ BINARY_HAS_FD=0
+ fi
+ # Check for IFD signature at offset 16 (new descriptors)
+ if [ $(tail -c +17 $1|head -c 2|xxd -ps) == "5aa5f00f"]; then
+ BINARY_HAS_FD=0
+ fi
+ # Check for ME FPT signature at ME offset + 16 (old ME)
+ if [ $(tail -c +$((0x$ME_OFFSET + 17)) |head -c 4) == "\$FPT" ]; then
+ BINARY_HAS_ME=0
+ fi
+ # Check for aa55 signature at ME offset + 4096 (new ME)
+ if [ $(tail -c +$((0x$ME_OFFSET + 4097)) |head -c 2|xxd -ps) == "aa55" ]; then
+ BINARY_HAS_ME=0
+ fi
+ else
+ echo "Failed to read flash descriptor" >> $ERR_LOG_FILE
+ fi
+ fi
+}
+
+check_if_me_disabled() {
+
+ ME_DISABLED=1
+
+ if [ $BOARD_HAS_ME_REGION -ne 0 ]; then
+ # No ME region
+ ME_DISABLED=0
+ return
+ fi
+
+ # Check if HECI present
+ # FIXME: what if HECI is not device 16.0?
+ if [ $(setpci -s 00:00.0 00.W) == "8086" ]; then
+ # Check ME Current Operation Mode at offset 0x40 bits 19:16
+ ME_OPMODE="$(setpci -s 00:16.0 42.B| cut -c2-)"
+ if [ $ME_OPMODE == "0" ]; then
+ echo "ME is not disabled" >> $ERR_LOG_FILE
+ return
+ elif [ $ME_OPMODE == "2" ]; then
+ echo "ME is disabled (HAP/Debug Mode)" >> $ERR_LOG_FILE
+ ME_DISABLED=0
+ return
+ elif [ $ME_OPMODE == "3" ]; then
+ echo "ME is soft disabled (HECI)" >> $ERR_LOG_FILE
+ ME_DISABLED=0
+ return
+ elif [ $ME_OPMODE == "4" ]; then
+ echo "ME disabled by Security Override Jumper/FDOPS" >> $ERR_LOG_FILE
+ ME_DISABLED=0
+ return
+ elif [ $ME_OPMODE == "5" ]; then
+ echo "ME disabled by Security Override MEI Message/HMRFPO" >> $ERR_LOG_FILE
+ ME_DISABLED=0
+ return
+ elif [ $ME_OPMODE == "5" ]; then
+ echo "ME disabled by Security Override MEI Message/HMRFPO" >> $ERR_LOG_FILE
+ ME_DISABLED=0
+ return
+ elif [ $ME_OPMODE == "7" ]; then
+ echo "ME disabled (Enhanced Debug Mode) or runs Ignition FW" >> $ERR_LOG_FILE
+ ME_DISABLED=0
+ return
+ else
+ echo "Unknown ME operation mode" >> $ERR_LOG_FILE
+ return
+ fi
+ else
+ # If we are running coreboot, check for status in logs
+ cbmem -1 | grep "ME is disabled" # HECI (soft) disabled
+ if [ $? -eq 0 ]; then
+ ME_DISABLED=0
+ return
+ fi
+ cbmem -1 | grep "ME is HAP disabled" # HAP disabled
+ if [ $? -eq 0 ]; then
+ ME_DISABLED=0
+ return
+ fi
+ echo "Can not determine if ME is disabled" >> $ERR_LOG_FILE
+ fi
+}
+
+force_me_update() {
+ while : ; do
+ echo
+ read -r -p "Force the flashing without ME? (Y|n) " OPTION
+ echo
+
+ case ${OPTION} in
+ yes|y|Y|Yes|YES)
+ print_warning "Proceeding without ME flashing, because we were forced to."
+ break
+ ;;
+ n|N)
+ error_exit "Cancelling flashing process..."
+ ;;
+ *)
+ ;;
+ esac
+ done
+}
+
+update_flashrom_params() {
+ if [ $BOARD_HAS_FD_REGION -ne 0 ]; then
+ # No FD on board, so flash everything
+ FLASHROM_ADD_OPT_DEPLOY=""
+ else
+ # Safe defaults, only BIOS region and do not verify all regions,
+ # as some of them may not be readable.
+ FLASHROM_ADD_OPT_DEPLOY="-N --ifd -i bios"
+
+ if [ $BINARY_HAS_FD -eq 0 ]; then
+ if [ $BOARD_FD_REGION_RW -eq 0 ]; then
+ # FD writable and the binary provides FD, safe to flash
+ FLASHROM_ADD_OPT_DEPLOY+=" -i fd"
+ else
+ print_error "The firmware binary contains Flash Descriptor (FD), but FD is not writable!"
+ print_warning "Proceeding without FD flashing, as it is not critical."
+ echo "The firmware binary contains Flash Descriptor (FD), but FD is not writable!" >> $ERR_LOG_FILE
+ fi
+ fi
+
+ if [ $BINARY_HAS_ME -eq 0 ]; then
+ if [ $BOARD_ME_REGION_RW -eq 0 ]; then
+ # ME writable and the binary provides ME, safe to flash if ME disabled
+ if [ $ME_DISABLED -eq 0 ]; then
+ FLASHROM_ADD_OPT_DEPLOY+=" -i me"
+ else
+ echo "The firmware binary contains Management Engine (ME), but ME is not disabled!" >> $ERR_LOG_FILE
+ print_error "The firmware binary contains Management Engine (ME), but ME is not disabled!"
+ force_me_update
+ fi
+ else
+ echo "The firmware binary contains Management Engine (ME), but ME is not writable!" >> $ERR_LOG_FILE
+ print_error "The firmware binary contains Management Engine (ME), but ME is not writable!"
+ force_me_update
+ fi
+ fi
+ fi
+}
diff --git a/meta-dts-distro/recipes-dts/reports/dasharo-hcl-report/dasharo-hcl-report b/meta-dts-distro/recipes-dts/reports/dasharo-hcl-report/dasharo-hcl-report
index 0f2d3ab3..60832434 100755
--- a/meta-dts-distro/recipes-dts/reports/dasharo-hcl-report/dasharo-hcl-report
+++ b/meta-dts-distro/recipes-dts/reports/dasharo-hcl-report/dasharo-hcl-report
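Review bot: check_intel_regions cannot tell a failed probe from a board without a descriptor: flashrom's exit status is discarded, stderr goes to /dev/null, and each `grep -q "..." "$FLASH_REGIONS"` passes the captured output as a file name, so grep returns an error status and every BOARD_* flag ends up non-zero. update_flashrom_params then takes the `FLASHROM_ADD_OPT_DEPLOY=""` branch ("flash everything"), which is the least restrictive write. Feeding the text on stdin, `grep -q "Flash Descriptor region" <<< "$FLASH_REGIONS"`, and calling `error_check "Failed to probe flash regions"` right after the flashrom assignment (assuming error_check tests `$?`, as its other uses suggest) would make the failure case stop instead of widening the write. In check_blobs_in_binary the two `tail -c +$((0x$ME_OFFSET + ...))` pipelines have no file argument and read stdin, and check_if_me_disabled has two identical `elif [ $ME_OPMODE == "5" ]` arms, so the second never runs.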
@@ -168,11 +168,24 @@ update_result "Input bus types" logs/ioports.err.log printf '################################ |\r' # echo "Trying to read firmware image with flashrom..." -# On MSI boards some regions may be not available so we need to use specific -# ones -if [ "$BOARD_VENDOR" == "Micro-Star International Co., Ltd." ] && [ "$SYSTEM_MODEL" == "MS-7E06" ]; then - FLASHROM_ADD_OPT_READ="--ifd -i fd -i me -i bios" +# Some regions may be not available so we need to use specific regions to read +check_intel_regions +if [ $BOARD_HAS_FD_REGION -eq 0 ]; then + # Use safe defaults. Descriptor may contain additional regions not detected + # by flashrom and will return failure when attempted to be read. BIOS and + # Flash descriptor regions should always be readable. If not, then we have + # some ugly case, hard to deal with. + FLASHROM_ADD_OPT_READ="--ifd -i fd -i bios" + if [ $BOARD_HAS_ME_REGION -eq 0 ] && [ $BOARD_ME_REGION_LOCKED -ne 0 ]; then + # ME region is not locked, read it as well + FLASHROM_ADD_OPT_READ+=" -i me" + fi + if [ $BOARD_HAS_GBE_REGION -eq 0 ] && [ $BOARD_GBE_REGION_LOCKED -ne 0 ]; then + # GBE region is present and not locked, read it as well + FLASHROM_ADD_OPT_READ+=" -i gbe" + fi else + # No descriptor, probably safe to read everything FLASHROM_ADD_OPT_READ=" " fi flashrom -V -p internal:laptop=force_I_want_a_brick ${FLASH_CHIP_SELECT} -r logs/rom.bin ${FLASHROM_ADD_OPT_READ} > logs/flashrom_read.log 2> logs/flashrom_read.err.log From 470dff1eb2a70fd7da474f730b4e74de3c46d0ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Tue, 12 Dec 2023 10:49:17 +0100 Subject: [PATCH 2/9] meta-dts-distro/recipes-dts/dts: Add logic for determining flashrom update params MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
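Review bot: The probe and the read in this script can talk to different programmers: `check_intel_regions` runs flashrom with `$PROGRAMMER_BIOS` and `${FLASH_CHIP_SELECT}`, while the read below hard-codes `-p internal:laptop=force_I_want_a_brick`. Whether this script sources dts-functions.sh and has `PROGRAMMER_BIOS` set is not visible in the hunk; if it does not, the probe fails and the code silently falls into the `else` branch. The region-selection block is also a copy of the one added to backup() in dasharo-deploy, so a shared helper in dts-functions.sh that sets `FLASHROM_ADD_OPT_READ` would keep the two from drifting.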
Signed-off-by: Michał Żygowski --- .../dts/dasharo-deploy/dasharo-deploy | 45 +++++++++++++-- .../recipes-dts/dts/dts/dts-functions.sh | 55 ++++++++++++++++--- 2 files changed, 89 insertions(+), 11 deletions(-) diff --git a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy index d8013898..270d6266 100644 --- a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy +++ b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy @@ -371,7 +371,7 @@ install() { blob_transmission fi - update_flashrom_params + set_intel_regions_update_params "-N --ifd -i bios" echo "Installing Dasharo firmware..." flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_DEPLOY} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE 
@@ -487,11 +487,48 @@ update() { bootsplash_migration fi + check_intel_regions + check_blobs_in_binary $BIOS_UPDATE_FILE + check_if_me_disabled + set_flashrom_update_params $BIOS_UPDATE_FILE + echo "Updating Dasharo firmware..." - print_warning "This will take around 3 minutes. Please be patient and do not reset your computer, or touch the keyboard!" + print_warning "This may take several minutes. Please be patient and do not reset your computer, or touch the keyboard!" flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to update Dasharo firmware" + if [ $BINARY_HAS_RW_B -eq 0 ]; then + echo "Updating second firmware partition..." + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} --fmap -N -i RW_SECTION_B -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to update second firmware partition" + fi + + set_intel_regions_update_params "-N --ifd" + # We use FLASHROM_ADD_OPT_DEPLOY for updating ME and IFD. + # If FLASHROM_ADD_OPT_DEPLOY remains the same after + # set_intel_regions_update_params or is cleared, it means + # we either cannot update any region, or were not allowed to, + # or platform has no descriptor. + if [ "$FLASHROM_ADD_OPT_DEPLOY" != "-N --ifd" ] && [ "$FLASHROM_ADD_OPT_DEPLOY" != "" ]; then + UPDATE_STRING="" + grep "-i fd" $FLASHROM_ADD_OPT_DEPLOY + UPDATE_IFD=$? + grep "-i me" $FLASHROM_ADD_OPT_DEPLOY + UPDATE_ME=$? 
+ if [ $UPDATE_IFD -eq 0 ]; then + UPDATE_STRING+="Flash Descriptor" + if [ $UPDATE_ME -eq 0 ]; then + UPDATE_STRING+=" and " + fi + fi + if [ $$UPDATE_ME -eq 0 ]; then + UPDATE_STRING+="Managment Engine" + fi + echo "Updating $UPDATE_STRING" + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_DEPLOY} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to update $UPDATE_STRING" + fi + if [ "$HAVE_EC" = "true" ]; then echo "Dasharo EC update process will start in a moment." sleep 3 @@ -576,7 +613,7 @@ restore() { check_intel_regions check_blobs_in_binary /tmp/logs/rom.bin check_if_me_disabled - update_flashrom_params + set_intel_regions_update_params "-N --ifd -i bios" flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to restore BIOS firmware! You can try one more time." print_green "Successfully restored firmware" @@ -616,7 +653,7 @@ restore() { check_intel_regions check_blobs_in_binary /tmp/logs/rom.bin check_if_me_disabled - update_flashrom_params + set_intel_regions_update_params "-N --ifd -i bios" flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_DEPLOY} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to restore BIOS firmware! You can try one more time." print_green "Successfully restored firmware" diff --git a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh index 1eda2dc0..d3888b3c 100644 --- a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh +++ b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh 
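Review bot: `set_intel_regions_update_params "-N --ifd"` is called after the BIOS region (and RW_SECTION_B) have already been written, yet it can reach force_me_update, whose `n` answer calls `error_exit "Cancelling flashing process..."`. A user who declines at that point is left with an update that is already partly applied. Moving the call up next to `set_flashrom_update_params $BIOS_UPDATE_FILE`, before the first `flashrom ... -w`, keeps every prompt ahead of any write. The user-facing string `"Managment Engine"` is misspelled. update() starts and ends outside the hunk.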
@@ -806,7 +806,7 @@ check_if_me_disabled() { # FIXME: what if HECI is not device 16.0? if [ $(setpci -s 00:00.0 00.W) == "8086" ]; then # Check ME Current Operation Mode at offset 0x40 bits 19:16 - ME_OPMODE="$(setpci -s 00:16.0 42.B| cut -c2-)" + ME_OPMODE="$(setpci -s 00:16.0 42.B | cut -c2-)" if [ $ME_OPMODE == "0" ]; then echo "ME is not disabled" >> $ERR_LOG_FILE return @@ -835,7 +835,8 @@ check_if_me_disabled() { ME_DISABLED=0 return else - echo "Unknown ME operation mode" >> $ERR_LOG_FILE + print_warning "Unknown ME operation mode, assuming enabled." + echo "Unknown ME operation mode, assuming enabled." >> $ERR_LOG_FILE return fi else @@ -850,11 +851,19 @@ check_if_me_disabled() { ME_DISABLED=0 return fi - echo "Can not determine if ME is disabled" >> $ERR_LOG_FILE + # TODO: If proprietary BIOS, then also try to check SMBIOS for ME FWSTS + # BTW we could do the same in coreboot, expose FWSTS in SMBIOS before it + # gets disabled + print_warning "Can not determine if ME is disabled, assuming enabled." + echo "Can not determine if ME is disabled, assuming enabled." >> $ERR_LOG_FILE fi } force_me_update() { + echo + print_warning "Flashing ME when not in disabled state may cause unexpected power management issues." + print_warning "Recovering from such state may require removal of AC power supply and resetting CMOS battery." + print_warning "You have been warned." while : ; do echo read -r -p "Force the flashing without ME? (Y|n) " OPTION 
@@ -874,14 +883,47 @@ force_me_update() { done } -update_flashrom_params() { +set_flashrom_update_params() { + # Safe defaults which should always work + if [ $BOARD_HAS_FD_REGION -ne 0 ]; then + FLASHROM_ADD_OPT_UPDATE="" + else + FLASHROM_ADD_OPT_UPDATE="-N --ifd -i bios" + fi + BINARY_HAS_RW_B=1 + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} --fmap -i FMAP -r /tmp/fmap.bin > /dev/null 2>&1 + if [ $? -eq 0 ] && [ -f "/tmp/fmap.bin" ]; then + BOARD_FMAP_LAYOUT=$(cbfstool /tmp/fmap.bin layout -w) + BINARY_FMAP_LAYOUT=$(cbfstool $1 layout -w) + # If layout is identical, perform standard update using FMAP only + if [ "$BOARD_FMAP_LAYOUT" == "$BINARY_FMAP_LAYOUT" ]; then + # Simply update RW_A fmap region if exists + grep "RW_SECTION_A" $BINARY_FMAP_LAYOUT + if [ $? -eq 0 ]; then + FLASHROM_ADD_OPT_UPDATE="-N --fmap -i RW_SECTION_A" + else + # RW_A does not exists, it means no vboot. Update COREBOOT region only + FLASHROM_ADD_OPT_UPDATE="-N --fmap -i COREBOOT" + fi + grep "RW_SECTION_B" $BINARY_FMAP_LAYOUT + # If RW_B present, use this variable later to perform 2-step update + BINARY_HAS_RW_B=$? + fi + else + print_warning "Could not read the FMAP region" + echo "Could not read the FMAP region" >> $ERR_LOG_FILE + fi +} + +set_intel_regions_update_params() { if [ $BOARD_HAS_FD_REGION -ne 0 ]; then # No FD on board, so flash everything FLASHROM_ADD_OPT_DEPLOY="" else # Safe defaults, only BIOS region and do not verify all regions, - # as some of them may not be readable. - FLASHROM_ADD_OPT_DEPLOY="-N --ifd -i bios" + # as some of them may not be readable. First argument is the initial + # params. + FLASHROM_ADD_OPT_DEPLOY=$1 if [ $BINARY_HAS_FD -eq 0 ]; then if [ $BOARD_FD_REGION_RW -eq 0 ]; then @@ -907,7 +949,6 @@ update_flashrom_params() { else echo "The firmware binary contains Management Engine (ME), but ME is not writable!" >> $ERR_LOG_FILE print_error "The firmware binary contains Management Engine (ME), but ME is not writable!" - force_me_update fi fi fi 
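Review bot: In set_flashrom_update_params the test `[ "$BOARD_FMAP_LAYOUT" == "$BINARY_FMAP_LAYOUT" ]` is also true when both cbfstool calls fail and both strings are empty, and the code then selects `--fmap -i COREBOOT` for an image whose layout was never read. Requiring a non-empty result, `if [ -n "$BOARD_FMAP_LAYOUT" ] && [ "$BOARD_FMAP_LAYOUT" == "$BINARY_FMAP_LAYOUT" ]; then`, keeps the `-N --ifd -i bios` default in that case. The `grep "RW_SECTION_A" $BINARY_FMAP_LAYOUT` and `grep "RW_SECTION_B" $BINARY_FMAP_LAYOUT` calls pass the layout text as file names rather than as input, and `cbfstool $1 layout -w` should quote `"$1"`.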
From a6f31155d665317f5beb3723927f2a74a542d66f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Tue, 9 Jan 2024 17:29:59 +0100 Subject: [PATCH 3/9] meta-dts-distro/recipes-dts/dts: Fix bugs and syntax MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Żygowski --- .../dts/dasharo-deploy/dasharo-deploy | 32 ++-- .../recipes-dts/dts/dts/dts-functions.sh | 175 ++++++++---------- 2 files changed, 95 insertions(+), 112 deletions(-) diff --git a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy index 270d6266..fa9395fa 100644 --- a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy +++ b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy 
@@ -155,23 +155,23 @@ backup() { echo "Backing up BIOS firmware and store it locally..." echo "Remember that firmware is also backed up in HCL report." check_intel_regions - if [ $BOARD_HAS_FD_REGION -eq 0 ]; then + if [ $BOARD_HAS_FD_REGION -ne 0 ]; then # Use safe defaults. Descriptor may contain additional regions not detected # by flashrom and will return failure when attempted to be read. BIOS and # Flash descriptor regions should always be readable. If not, then we have # some ugly case, hard to deal with. FLASHROM_ADD_OPT_READ="--ifd -i fd -i bios" - if [ $BOARD_HAS_ME_REGION -eq 0 ] && [ $BOARD_ME_REGION_LOCKED -ne 0 ]; then + if [ $BOARD_HAS_ME_REGION -ne 0 ] && [ $BOARD_ME_REGION_LOCKED -eq 0 ]; then # ME region is not locked, read it as well FLASHROM_ADD_OPT_READ+=" -i me" fi - if [ $BOARD_HAS_GBE_REGION -eq 0 ] && [ $BOARD_GBE_REGION_LOCKED -ne 0 ]; then + if [ $BOARD_HAS_GBE_REGION -ne 0 ] && [ $BOARD_GBE_REGION_LOCKED -eq 0 ]; then # GBE region is present and not locked, read it as well FLASHROM_ADD_OPT_READ+=" -i gbe" fi else # No descriptor, probably safe to read everything - FLASHROM_ADD_OPT_READ=" " + FLASHROM_ADD_OPT_READ="" fi flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r "${FW_BACKUP_DIR}"/rom.bin ${FLASHROM_ADD_OPT_READ} >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to read BIOS firmware backup" @@ -335,6 +335,7 @@ install() { check_intel_regions check_blobs_in_binary $BIOS_UPDATE_FILE check_if_me_disabled + set_intel_regions_update_params "-N --ifd -i bios" if [ "$HAVE_EC" = "true" ]; then echo "Checking for Open Source Embedded Controller firmware" 
@@ -371,10 +372,8 @@ install() { blob_transmission fi - set_intel_regions_update_params "-N --ifd -i bios" - echo "Installing Dasharo firmware..." - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_DEPLOY} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_INTEL_REGIONS} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to install Dasharo firmware" print_green "Successfully installed Dasharo firmware" @@ -503,17 +502,16 @@ update() { error_check "Failed to update second firmware partition" fi - set_intel_regions_update_params "-N --ifd" - # We use FLASHROM_ADD_OPT_DEPLOY for updating ME and IFD. - # If FLASHROM_ADD_OPT_DEPLOY remains the same after + # We use FLASHROM_ADD_OPT_REGIONS for updating ME and IFD. + # If FLASHROM_ADD_OPT_REGIONS remains the same after # set_intel_regions_update_params or is cleared, it means # we either cannot update any region, or were not allowed to, # or platform has no descriptor. - if [ "$FLASHROM_ADD_OPT_DEPLOY" != "-N --ifd" ] && [ "$FLASHROM_ADD_OPT_DEPLOY" != "" ]; then + if [ "$FLASHROM_ADD_OPT_REGIONS" != "-N --ifd" ] && [ "$FLASHROM_ADD_OPT_REGIONS" != "" ]; then UPDATE_STRING="" - grep "-i fd" $FLASHROM_ADD_OPT_DEPLOY + grep -q "\-i fd" <<< "$FLASHROM_ADD_OPT_REGIONS" UPDATE_IFD=$? - grep "-i me" $FLASHROM_ADD_OPT_DEPLOY + grep -q "\-i me" <<< "$FLASHROM_ADD_OPT_REGIONS" UPDATE_ME=$? if [ $UPDATE_IFD -eq 0 ]; then UPDATE_STRING+="Flash Descriptor" 
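Review bot: install() now passes `${FLASHROM_ADD_OPT_INTEL_REGIONS}` while update() and both restore() branches in this commit use `${FLASHROM_ADD_OPT_REGIONS}`, and the last visible version of set_intel_regions_update_params assigns `FLASHROM_ADD_OPT_DEPLOY`. Unquoted and unset, the variable expands to nothing, so flashrom would run `-w` with no `--ifd -i ...` restriction and write the whole chip. One name should be used in the function and at every call site; if the function's new body (not visible here) sets `FLASHROM_ADD_OPT_REGIONS`, the install line should read `${FLASHROM_ADD_OPT_REGIONS}`. In update() (`@@ -503,17 +502,16 @@`) the call `set_intel_regions_update_params "-N --ifd"` is removed with no visible replacement, so the comparison against `"-N --ifd"` may be testing a value that was never set for this path.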
@@ -521,11 +519,11 @@ update() { UPDATE_STRING+=" and " fi fi - if [ $$UPDATE_ME -eq 0 ]; then + if [ $UPDATE_ME -eq 0 ]; then UPDATE_STRING+="Managment Engine" fi echo "Updating $UPDATE_STRING" - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_DEPLOY} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to update $UPDATE_STRING" fi @@ -614,7 +612,7 @@ restore() { check_blobs_in_binary /tmp/logs/rom.bin check_if_me_disabled set_intel_regions_update_params "-N --ifd -i bios" - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to restore BIOS firmware! You can try one more time." print_green "Successfully restored firmware" echo "Returning to main menu..." @@ -654,7 +652,7 @@ restore() { check_blobs_in_binary /tmp/logs/rom.bin check_if_me_disabled set_intel_regions_update_params "-N --ifd -i bios" - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_DEPLOY} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to restore BIOS firmware! You can try one more time." print_green "Successfully restored firmware" else diff --git a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh index d3888b3c..f92bc8ec 100644 --- a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh +++ b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh 
@@ -734,105 +734,95 @@ verify_artifacts() { check_intel_regions() { - FLASH_REGIONS=$(flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} 2> /dev/null) - - # 0 will mean that region is present/writable, else - - grep -q "Flash Descriptor region" "$FLASH_REGIONS" - BOARD_HAS_FD_REGION=$? - grep -qE "Flash Descriptor region.*read-write" "$FLASH_REGIONS" - BOARD_FD_REGION_RW=$? - - grep -q "Management Engine region" "$FLASH_REGIONS" - BOARD_HAS_ME_REGION=$? - grep -qE "Management Engine region.*read-write" "$FLASH_REGIONS" - BOARD_ME_REGION_RW=$? - grep -qE "Management Engine region.*locked" "$FLASH_REGIONS" - BOARD_ME_REGION_LOCKED=$? - - grep -q "Gigabit Ethernet region" "$FLASH_REGIONS" - BOARD_HAS_GBE_REGION=$? - grep -qE "Gigabit Ethernet region.*read-write" "$FLASH_REGIONS" - BOARD_GBE_REGION_RW=$? - grep -qE "Gigabit Ethernet region.*locked" "$FLASH_REGIONS" - BOARD_GBE_REGION_LOCKED=$? + FLASH_REGIONS=$(flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} 2>&1) + BOARD_HAS_FD_REGION=0 + BOARD_FD_REGION_RW=0 + BOARD_HAS_ME_REGION=0 + BOARD_ME_REGION_RW=0 + BOARD_ME_REGION_LOCKED=0 + BOARD_HAS_GBE_REGION=0 + BOARD_GBE_REGION_RW=0 + BOARD_GBE_REGION_LOCKED=0 + + grep -q "Flash Descriptor region" <<< "$FLASH_REGIONS" && BOARD_HAS_FD_REGION=1 + grep -qE "Flash Descriptor region.*read-write" <<< "$FLASH_REGIONS" && BOARD_FD_REGION_RW=1 + + grep -q "Management Engine region" <<< "$FLASH_REGIONS" && BOARD_HAS_ME_REGION=1 + grep -qE "Management Engine region.*read-write" <<< "$FLASH_REGIONS" && BOARD_ME_REGION_RW=1 + grep -qE "Management Engine region.*locked" <<< "$FLASH_REGIONS" && BOARD_ME_REGION_LOCKED=1 + + grep -q "Gigabit Ethernet region" <<< "$FLASH_REGIONS" && BOARD_HAS_GBE_REGION=1 + grep -qE "Gigabit Ethernet region.*read-write" <<< "$FLASH_REGIONS" && BOARD_GBE_REGION_RW=1 + grep -qE "Gigabit Ethernet region.*locked" <<< "$FLASH_REGIONS" && BOARD_GBE_REGION_LOCKED=1 } check_blobs_in_binary() { - - # Non-zero value means no FD/ME for consistency with Intel 
regions - # presence from check_intel_regions - BINARY_HAS_FD=1 - BINARY_HAS_ME=1 + BINARY_HAS_FD=0 + BINARY_HAS_ME=0 # If there is no descriptor, there is no ME as well, so skip the check - if [ $BOARD_HAS_FD_REGION -eq 0 ]; then - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} --ifd -i fd -r /tmp/descriptor.bin > /dev/null 2>&1 - if [ $? -eq 0 ] && [ -f "/tmp/descriptor.bin" ]; then - ME_OFFSET=$(ifdtool -d /tmp/descriptor.bin | grep "Flash Region 2 (Intel ME):" | sed 's/Flash Region 2 (Intel ME)\://' |awk '{print $1;}') - # Check for IFD signature at offset 0 (old descriptors) - if [ $(tail -c +0 $1|head -c 2|xxd -ps) == "5aa5f00f"]; then - BINARY_HAS_FD=0 - fi - # Check for IFD signature at offset 16 (new descriptors) - if [ $(tail -c +17 $1|head -c 2|xxd -ps) == "5aa5f00f"]; then - BINARY_HAS_FD=0 - fi - # Check for ME FPT signature at ME offset + 16 (old ME) - if [ $(tail -c +$((0x$ME_OFFSET + 17)) |head -c 4) == "\$FPT" ]; then - BINARY_HAS_ME=0 - fi - # Check for aa55 signature at ME offset + 4096 (new ME) - if [ $(tail -c +$((0x$ME_OFFSET + 4097)) |head -c 2|xxd -ps) == "aa55" ]; then - BINARY_HAS_ME=0 - fi - else - echo "Failed to read flash descriptor" >> $ERR_LOG_FILE + if [ $BOARD_HAS_FD_REGION -ne 0 ]; then + ME_OFFSET=$(ifdtool -d $1 2> /dev/null | grep "Flash Region 2 (Intel ME):" | sed 's/Flash Region 2 (Intel ME)\://' |awk '{print $1;}') + # Check for IFD signature at offset 0 (old descriptors) + if [ $(tail -c +0 $1|head -c 4|xxd -ps) == "5aa5f00f" ]; then + BINARY_HAS_FD=1 + fi + # Check for IFD signature at offset 16 (new descriptors) + if [ $(tail -c +17 $1|head -c 4|xxd -ps) == "5aa5f00f" ]; then + BINARY_HAS_FD=1 + fi + # Check for ME FPT signature at ME offset + 16 (old ME) + if [ $(tail -c +$((0x$ME_OFFSET + 17)) $1|head -c 4|tr -d '\0') == "\$FPT" ]; then + BINARY_HAS_ME=1 + fi + # Check for aa55 signature at ME offset + 4096 (new ME) + if [ $(tail -c +$((0x$ME_OFFSET + 4097)) $1|head -c 2|xxd -ps) == "aa55" ]; then + BINARY_HAS_ME=1 
fi fi } check_if_me_disabled() { - ME_DISABLED=1 + ME_DISABLED=0 - if [ $BOARD_HAS_ME_REGION -ne 0 ]; then + if [ $BOARD_HAS_ME_REGION -eq 0 ]; then # No ME region - ME_DISABLED=0 + ME_DISABLED=1 return fi # Check if HECI present # FIXME: what if HECI is not device 16.0? - if [ $(setpci -s 00:00.0 00.W) == "8086" ]; then + if [ -d /sys/class/pci_bus/0000:00/device/0000:00:16.0 ]; then # Check ME Current Operation Mode at offset 0x40 bits 19:16 - ME_OPMODE="$(setpci -s 00:16.0 42.B | cut -c2-)" + ME_OPMODE="$(setpci -s 00:16.0 42.B 2> /dev/null | cut -c2-)" if [ $ME_OPMODE == "0" ]; then echo "ME is not disabled" >> $ERR_LOG_FILE return elif [ $ME_OPMODE == "2" ]; then echo "ME is disabled (HAP/Debug Mode)" >> $ERR_LOG_FILE - ME_DISABLED=0 + ME_DISABLED=1 return elif [ $ME_OPMODE == "3" ]; then echo "ME is soft disabled (HECI)" >> $ERR_LOG_FILE - ME_DISABLED=0 + ME_DISABLED=1 return elif [ $ME_OPMODE == "4" ]; then echo "ME disabled by Security Override Jumper/FDOPS" >> $ERR_LOG_FILE - ME_DISABLED=0 + ME_DISABLED=1 return elif [ $ME_OPMODE == "5" ]; then echo "ME disabled by Security Override MEI Message/HMRFPO" >> $ERR_LOG_FILE - ME_DISABLED=0 + ME_DISABLED=1 return elif [ $ME_OPMODE == "5" ]; then echo "ME disabled by Security Override MEI Message/HMRFPO" >> $ERR_LOG_FILE - ME_DISABLED=0 + ME_DISABLED=1 return elif [ $ME_OPMODE == "7" ]; then echo "ME disabled (Enhanced Debug Mode) or runs Ignition FW" >> $ERR_LOG_FILE - ME_DISABLED=0 + ME_DISABLED=1 return else print_warning "Unknown ME operation mode, assuming enabled." 
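Review bot: This rewrite flips every BOARD_* and BINARY_* flag from exit-status style (0 = present) to boolean (1 = present), but dasharo-hcl-report is not in this commit's diffstat and, as added in patch 1, still tests `[ $BOARD_HAS_FD_REGION -eq 0 ]` to mean "descriptor present". Unless a later patch updates it, that script would take the read-everything branch on boards that do have a descriptor. A header comment on check_intel_regions such as `# Sets BOARD_* flags: 1 = present/writable/locked, 0 = not` would make the convention explicit for callers. In check_blobs_in_binary, `ME_OFFSET` is empty when ifdtool cannot parse `$1`, which makes `$((0x$ME_OFFSET + 17))` an arithmetic error; guarding the two ME checks with `[ -n "$ME_OFFSET" ]` and quoting the `$(...)` operands avoids that. The duplicated `elif [ $ME_OPMODE == "5" ]` arm is still present.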
@@ -841,16 +831,8 @@ check_if_me_disabled() { fi else # If we are running coreboot, check for status in logs - cbmem -1 | grep "ME is disabled" # HECI (soft) disabled - if [ $? -eq 0 ]; then - ME_DISABLED=0 - return - fi - cbmem -1 | grep "ME is HAP disabled" # HAP disabled - if [ $? -eq 0 ]; then - ME_DISABLED=0 - return - fi + cbmem -1 | grep -q "ME is disabled" && ME_DISABLED=1 && return # HECI (soft) disabled + cbmem -1 | grep -q "ME is HAP disabled" && ME_DISABLED=1 && return # HAP disabled # TODO: If proprietary BIOS, then also try to check SMBIOS for ME FWSTS # BTW we could do the same in coreboot, expose FWSTS in SMBIOS before it # gets disabled @@ -863,10 +845,11 @@ force_me_update() { echo print_warning "Flashing ME when not in disabled state may cause unexpected power management issues." print_warning "Recovering from such state may require removal of AC power supply and resetting CMOS battery." + print_warning "Keeping an older version of ME may cause a CPU to perform less efficient, e.g. if upgraded the CPU to a newer generation." print_warning "You have been warned." while : ; do echo - read -r -p "Force the flashing without ME? (Y|n) " OPTION + read -r -p "Force the flashing without updating ME? (Y|n) " OPTION echo case ${OPTION} in 
@@ -885,29 +868,31 @@ force_me_update() { set_flashrom_update_params() { # Safe defaults which should always work - if [ $BOARD_HAS_FD_REGION -ne 0 ]; then + if [ $BOARD_HAS_FD_REGION -eq 0 ]; then FLASHROM_ADD_OPT_UPDATE="" else FLASHROM_ADD_OPT_UPDATE="-N --ifd -i bios" fi - BINARY_HAS_RW_B=1 - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} --fmap -i FMAP -r /tmp/fmap.bin > /dev/null 2>&1 - if [ $? -eq 0 ] && [ -f "/tmp/fmap.bin" ]; then - BOARD_FMAP_LAYOUT=$(cbfstool /tmp/fmap.bin layout -w) - BINARY_FMAP_LAYOUT=$(cbfstool $1 layout -w) + BINARY_HAS_RW_B=0 + # We need to read whole binary (or BIOS region), otherwise cbfstool will + # return different attributes for CBFS regions + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE} -r /tmp/bios.bin > /dev/null 2>&1 + if [ $? -eq 0 ] && [ -f "/tmp/bios.bin" ]; then + BOARD_FMAP_LAYOUT=$(cbfstool /tmp/bios.bin layout -w 2> /dev/null) + BINARY_FMAP_LAYOUT=$(cbfstool $1 layout -w 2> /dev/null) + diff <(echo "$BOARD_FMAP_LAYOUT") <(echo "$BINARY_FMAP_LAYOUT") > /dev/null 2>&1 # If layout is identical, perform standard update using FMAP only - if [ "$BOARD_FMAP_LAYOUT" == "$BINARY_FMAP_LAYOUT" ]; then + if [ $? -eq 0 ]; then # Simply update RW_A fmap region if exists - grep "RW_SECTION_A" $BINARY_FMAP_LAYOUT + grep -q "RW_SECTION_A" <<< $BINARY_FMAP_LAYOUT if [ $? -eq 0 ]; then FLASHROM_ADD_OPT_UPDATE="-N --fmap -i RW_SECTION_A" else # RW_A does not exists, it means no vboot. Update COREBOOT region only FLASHROM_ADD_OPT_UPDATE="-N --fmap -i COREBOOT" fi - grep "RW_SECTION_B" $BINARY_FMAP_LAYOUT # If RW_B present, use this variable later to perform 2-step update - BINARY_HAS_RW_B=$? + grep -q "RW_SECTION_B" <<< $BINARY_FMAP_LAYOUT && BINARY_HAS_RW_B=1 fi else print_warning "Could not read the FMAP region" 
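Review bot: In `set_flashrom_update_params`, the `diff` of the two `cbfstool ... layout -w` outputs also reports a match when both commands failed and printed nothing, because their stderr is discarded and their exit status is never checked. In that case the code falls through to `FLASHROM_ADD_OPT_UPDATE="-N --fmap -i COREBOOT"`, a partial write chosen without any layout having been read. Requiring a non-empty layout closes this, e.g. `if [ -n "$BINARY_FMAP_LAYOUT" ] && [ "$BOARD_FMAP_LAYOUT" == "$BINARY_FMAP_LAYOUT" ]; then`; quoting the here-strings (`<<< "$BINARY_FMAP_LAYOUT"`) would also be safer. The function body continues past the end of the hunk.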
@@ -916,38 +901,38 @@ set_flashrom_update_params() { } set_intel_regions_update_params() { - if [ $BOARD_HAS_FD_REGION -ne 0 ]; then - # No FD on board, so flash everything - FLASHROM_ADD_OPT_DEPLOY="" + if [ $BOARD_HAS_FD_REGION -eq 0 ]; then + # No FD on board, so no further flashing + FLASHROM_ADD_OPT_REGIONS="" else # Safe defaults, only BIOS region and do not verify all regions, # as some of them may not be readable. First argument is the initial # params. - FLASHROM_ADD_OPT_DEPLOY=$1 + FLASHROM_ADD_OPT_REGIONS=$1 - if [ $BINARY_HAS_FD -eq 0 ]; then - if [ $BOARD_FD_REGION_RW -eq 0 ]; then + if [ $BINARY_HAS_FD -ne 0 ]; then + if [ $BOARD_FD_REGION_RW -ne 0 ]; then # FD writable and the binary provides FD, safe to flash - FLASHROM_ADD_OPT_DEPLOY+=" -i fd" + FLASHROM_ADD_OPT_REGIONS+=" -i fd" else - print_error "The firmware binary contains Flash Descriptor (FD), but FD is not writable!" + print_error "The firmware binary to be flashed contains Flash Descriptor (FD), but FD is not writable!" print_warning "Proceeding without FD flashing, as it is not critical." echo "The firmware binary contains Flash Descriptor (FD), but FD is not writable!" >> $ERR_LOG_FILE fi fi - if [ $BINARY_HAS_ME -eq 0 ]; then - if [ $BOARD_ME_REGION_RW -eq 0 ]; then + if [ $BINARY_HAS_ME -ne 0 ]; then + if [ $BOARD_ME_REGION_RW -ne 0 ]; then # ME writable and the binary provides ME, safe to flash if ME disabled - if [ $ME_DISABLED -eq 0 ]; then - FLASHROM_ADD_OPT_DEPLOY+=" -i me" + if [ $ME_DISABLED -eq 1 ]; then + FLASHROM_ADD_OPT_REGIONS+=" -i me" else - echo "The firmware binary contains Management Engine (ME), but ME is not disabled!" >> $ERR_LOG_FILE + echo "The firmware binary to be flashed contains Management Engine (ME), but ME is not disabled!" >> $ERR_LOG_FILE print_error "The firmware binary contains Management Engine (ME), but ME is not disabled!" force_me_update fi else - echo "The firmware binary contains Management Engine (ME), but ME is not writable!" 
>> $ERR_LOG_FILE + echo "The firmware binary to be flashed contains Management Engine (ME), but ME is not writable!" >> $ERR_LOG_FILE print_error "The firmware binary contains Management Engine (ME), but ME is not writable!" fi fi From 79154d896e458310e322323a8114ae90f7d2dd67 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Tue, 9 Jan 2024 17:30:34 +0100 Subject: [PATCH 4/9] meta-dts-distro/recipes-dts/dts: Check if vboot keys need to be updated MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Żygowski --- .../dts/dasharo-deploy/dasharo-deploy | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy index fa9395fa..db854796 100644 --- a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy +++ b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy 
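Review bot: The flag tests in `set_intel_regions_update_params` are unquoted and mix two forms (`-ne 0` for `BINARY_HAS_FD` and `BOARD_ME_REGION_RW`, `-eq 1` for `ME_DISABLED`), in the same commit that inverts what 0 and 1 mean. An unset flag makes `[` fail with an error instead of evaluating to a clean false, and the next reader has to reconstruct the convention from the diff. I would add a comment above the function such as `# BOARD_*/BINARY_*/ME_DISABLED flags: 1 = true, 0 = false` and quote with a default, e.g. `[ "${ME_DISABLED:-0}" -eq 1 ]`, so a missing value is an explicit "not disabled". The function ends outside the hunk.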
@@ -267,6 +267,34 @@ resign_binary() { fi } +check_vboot_keys() { + if [ "$HAVE_VBOOT" -eq 0 ]; then + # If we flash whole BIOS region, no need to check if keys match + grep -q "\-\-ifd" <<< "$FLASHROM_ADD_OPT_UPDATE" && grep -q "\-i bios" <<< "$FLASHROM_ADD_OPT_UPDATE" && return + # No FMAP flashing? Also skip + grep -q "\-\-fmap" <<< "$FLASHROM_ADD_OPT_UPDATE" || return + + CBFSTOOL=$(which cbfstool) + BINARY_KEYS=$(futility show $BIOS_UPDATE_FILE| grep -i 'key sha1sum') + + if [ $BOARD_HAS_FD_REGION -eq 0 ]; then + FLASHROM_ADD_OPT_READ="" + else + FLASHROM_ADD_OPT_READ="--ifd -i bios" + fi + + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_READ} -r /tmp/bios.bin > /dev/null 2>/dev/null + if [ $? -eq 0 ] && [ -f "/tmp/bios.bin" ]; then + FLASH_KEYS=$(futility show /tmp/bios.bin | grep -i 'key sha1sum') + diff <(echo "$BINARY_KEYS") <(echo "$FLASH_KEYS") > /dev/null 2>&1 + # If keys are different we must additionally flash at least GBB region as well + if [ $? -ne 0 ]; then + FLASHROM_ADD_OPT_UPDATE+=" -i GBB" + fi + fi + fi +} + blob_transmission() { echo "Extracting the UEFI image from BIOS update" wget -O "$DBT_BIOS_UPDATE_FILENAME" --user-agent='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' "$DBT_BIOS_UPDATE_URL" >> $ERR_LOG_FILE 2>&1 @@ -486,10 +514,16 @@ update() { bootsplash_migration fi + cbfstool "$BIOS_UPDATE_FILE" extract -r COREBOOT -n config -f "$BIOS_UPDATE_CONFIG_FILE" + grep -q "CONFIG_VBOOT=y" "$BIOS_UPDATE_CONFIG_FILE" + HAVE_VBOOT="$?" + check_intel_regions check_blobs_in_binary $BIOS_UPDATE_FILE check_if_me_disabled set_flashrom_update_params $BIOS_UPDATE_FILE + set_intel_regions_update_params "-N --ifd" + check_vboot_keys echo "Updating Dasharo firmware..." print_warning "This may take several minutes. Please be patient and do not reset your computer, or touch the keyboard!" From 08c84ee3c4ebad83ecb72cec44315657b89e5f4e Mon Sep 17 00:00:00 2001 
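Review bot: `check_vboot_keys` silently does nothing when the flash read fails, so an FMAP-only update can proceed without the key comparison ever having run. Both flashrom streams go to /dev/null and there is no `else` on `if [ $? -eq 0 ] && [ -f "/tmp/bios.bin" ]`; likewise, if `futility show` fails for both images, the two empty strings compare equal and GBB is not added. I would treat an unreadable flash or an empty `$BINARY_KEYS`/`$FLASH_KEYS` as a mismatch, or at least report it with `print_warning "Could not compare vboot keys"`.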
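Review bot: In `update()`, the result of `cbfstool "$BIOS_UPDATE_FILE" extract -r COREBOOT -n config` is not checked before `grep -q "CONFIG_VBOOT=y"` decides `HAVE_VBOOT`. If the extract fails, grep runs on a missing file or on a `$BIOS_UPDATE_CONFIG_FILE` left over from an earlier run, so `HAVE_VBOOT` may not describe the binary being flashed and `check_vboot_keys` can be skipped without notice. I would remove the old file first, log a failed extract, and anchor the pattern: `grep -q '^CONFIG_VBOOT=y' "$BIOS_UPDATE_CONFIG_FILE"`. `update()` starts and ends outside this hunk.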
From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Wed, 10 Jan 2024 10:39:59 +0100 Subject: [PATCH 5/9] meta-dts-distro/recipes-dts/dts: Add prints in section which may take a while MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Żygowski --- meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy | 2 +- meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy index db854796..38c9d946 100644 --- a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy +++ b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy @@ -282,7 +282,7 @@ check_vboot_keys() { else FLASHROM_ADD_OPT_READ="--ifd -i bios" fi - + echo "Checking vboot keys." flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_READ} -r /tmp/bios.bin > /dev/null 2>/dev/null if [ $? -eq 0 ] && [ -f "/tmp/bios.bin" ]; then FLASH_KEYS=$(futility show /tmp/bios.bin | grep -i 'key sha1sum') diff --git a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh index f92bc8ec..7a68c20e 100644 --- a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh +++ b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh @@ -876,6 +876,7 @@ set_flashrom_update_params() { BINARY_HAS_RW_B=0 # We need to read whole binary (or BIOS region), otherwise cbfstool will # return different attributes for CBFS regions + echo "Checking flash layout." flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE} -r /tmp/bios.bin > /dev/null 2>&1 if [ $? -eq 0 ] && [ -f "/tmp/bios.bin" ]; then BOARD_FMAP_LAYOUT=$(cbfstool /tmp/bios.bin layout -w 2> /dev/null) From 0bb5b46cce1c70fe4500e92bef620cb0b14c6376 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Tue, 16 Jan 2024 14:15:58 +0100 Subject: [PATCH 6/9] meta-dts-distro/recipes-dts/dts: Add option to override flashrom update parameters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Żygowski --- .../dts/dasharo-deploy/dasharo-deploy | 20 ++++++++++----- .../recipes-dts/dts/dts/dts-functions.sh | 25 +++++-------------- 2 files changed, 20 insertions(+), 25 deletions(-) diff --git a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy index 38c9d946..c42a232d 100644 --- a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy +++ b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy 
@@ -527,13 +527,21 @@ update() { echo "Updating Dasharo firmware..." print_warning "This may take several minutes. Please be patient and do not reset your computer, or touch the keyboard!" - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE - error_check "Failed to update Dasharo firmware" - if [ $BINARY_HAS_RW_B -eq 0 ]; then - echo "Updating second firmware partition..." - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} --fmap -N -i RW_SECTION_B -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE - error_check "Failed to update second firmware partition" + # FLASHROM_ADD_OPT_UPDATE_OVERRIDE takes priority over auto-detected udpate params. + # It set only by platform-specific and firmware version-specific conditions + if [ -v FLASHROM_ADD_OPT_UPDATE_OVERRIDE ]; then + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE_OVERRIDE} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to update Dasharo firmware" + else + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to update Dasharo firmware" + + if [ $BINARY_HAS_RW_B -eq 0 ]; then + echo "Updating second firmware partition..." + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} --fmap -N -i RW_SECTION_B -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + error_check "Failed to update second firmware partition" + fi fi # We use FLASHROM_ADD_OPT_REGIONS for updating ME and IFD. diff --git a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh index 7a68c20e..8402a803 100644 --- a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh +++ b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh 
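Review bot: The re-indented test `if [ $BINARY_HAS_RW_B -eq 0 ]` in `update()` looks inverted against `set_flashrom_update_params`, which in this series initialises `BINARY_HAS_RW_B=0` and sets it to 1 only when `RW_SECTION_B` is found in the layout. As written, the second write runs when no RW_B was detected and is skipped when it was, which would leave slot B on the old firmware. Unless the flag is redefined somewhere outside the visible hunks, this should be `if [ "$BINARY_HAS_RW_B" -eq 1 ]; then`. Separately, `[ -v FLASHROM_ADD_OPT_UPDATE_OVERRIDE ]` is also true for a value inherited from the environment, so an `unset FLASHROM_ADD_OPT_UPDATE_OVERRIDE` before `board_config` assigns it would keep the override under the script's control.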
@@ -184,10 +184,7 @@ board_config() { if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.5.2 NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.5.2 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A" + FLASHROM_ADD_OPT_UPDATE_OVERRIDE="--ifd -i bios" fi fi ;; @@ -216,10 +213,7 @@ board_config() { if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.5.1 NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.5.1 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A" + FLASHROM_ADD_OPT_UPDATE_OVERRIDE="--ifd -i bios" fi fi ;; @@ -242,15 +236,12 @@ board_config() { PROGRAMMER_BIOS="internal" PROGRAMMER_EC="ite_ec" if check_if_dasharo; then - # if v1.7.1 or older, flash the whole bios region + # if v1.7.2 or older, flash the whole bios region compare_versions $DASHARO_VERSION 1.7.2 if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.7.2 NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.7.2 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A" + FLASHROM_ADD_OPT_UPDATE_OVERRIDE="--ifd -i bios" fi fi ;; @@ -274,16 +265,12 @@ board_config() { PROGRAMMER_BIOS="internal" PROGRAMMER_EC="ite_ec" if check_if_dasharo; then - # if v1.7.1 or older, flash the whole bios region + # if v1.7.2 or older, flash the whole bios region compare_versions $DASHARO_VERSION 1.7.2 if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.7.2 NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.7.2 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A" - fi + FLASHROM_ADD_OPT_UPDATE_OVERRIDE="--ifd -i bios" fi ;; *) From e501d26b5d3e915ee99cc7322ad6e3f5bf2c76d9 Mon Sep 17 00:00:00 2001 
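Review bot: The comment changed to `# if v1.7.2 or older, flash the whole bios region` no longer matches the code below it, which according to its own inline comment takes the branch for versions lesser than 1.7.2. The previous wording (`v1.7.1 or older`) was the accurate one, and the same edit is repeated in the following hunk. I would write `# if older than v1.7.2, flash the whole bios region` in both places.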
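Review bot: The last `board_config` hunk removes the inner `fi` together with the `else` branch, so on the new side `if check_if_dasharo; then` and `if [ $? -eq 1 ]; then` are closed by a single `fi` before `;;`. The three earlier hunks keep `fi fi`, which suggests the deletion is accidental; as shown, dts-functions.sh would fail to parse and every function in it would be unavailable. Restore the line: `fi` directly after `FLASHROM_ADD_OPT_UPDATE_OVERRIDE="--ifd -i bios"`.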
From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Tue, 16 Jan 2024 14:26:38 +0100 Subject: [PATCH 7/9] meta-dts-distro/recipes-dts/dts: Handle all migration and update operations automatically MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Żygowski --- .../dts/dasharo-deploy/dasharo-deploy | 13 +++++-- .../recipes-dts/dts/dts/dts-functions.sh | 36 +++---------------- 2 files changed, 15 insertions(+), 34 deletions(-) diff --git a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy index c42a232d..cc81fff0 100644 --- a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy +++ b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy @@ -197,11 +197,20 @@ backup() { } romhole_migration() { + cbfstool $BIOS_UPDATE_FILE layout -w | grep -q "ROMHOLE" || return + echo "Beginning ROM hole migration process..." flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r /tmp/rom.bin --ifd -i bios >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE - dd if=/tmp/rom.bin of=/tmp/romhole.bin skip=$((0x17C0000)) bs=128K count=1 iflag=skip_bytes + error_check "Failed to read current firmware" + if check_if_dasharo; then + cbfstool /tmp/rom.bin layout -w | grep -q "ROMHOLE" || return + cbfstool /tmp/rom.bin read -r ROMHOLE -f /tmp/romhole.bin || return + else + dd if=/tmp/rom.bin of=/tmp/romhole.bin skip=$((0x17C0000)) bs=128K count=1 iflag=skip_bytes + fi + echo "Migrate to ROMHOLE section." - cbfstool "$BIOS_UPDATE_FILE" write -r ROMHOLE -f /tmp/romhole.bin -u + cbfstool "$BIOS_UPDATE_FILE" write -r ROMHOLE -f /tmp/romhole.bin -u 2> /dev/null } smbios_migration() { diff --git a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh index 8402a803..50ec9a46 100644 --- a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh +++ b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh 
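Review bot: The final `cbfstool "$BIOS_UPDATE_FILE" write -r ROMHOLE -f /tmp/romhole.bin -u 2> /dev/null` in `romhole_migration` now hides its errors and its exit status is not checked, and the same is true of the `dd` fallback. If either fails, the update proceeds with a ROMHOLE that was not migrated, or with a `/tmp/romhole.bin` left over from an earlier run, and nothing is logged. I would remove the temporary file up front and report a failed write, e.g. `... -u 2> /dev/null || print_warning "Failed to write ROMHOLE to the update binary"`. `$BIOS_UPDATE_FILE` in the first added line should be quoted as it is in the last one.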
@@ -301,19 +301,7 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - if check_if_dasharo; then - # if v1.1.1 or older, flash the whole bios region, as per: - # https://docs.dasharo.com/variants/msi_z690/firmware-update/#version-older-than-v110 - compare_versions $DASHARO_VERSION 1.1.2 - if [ $? -eq 1 ]; then - # For Dasharo version lesser than 1.1.2 - NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.1.2 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A -i RW_SECTION_B" - fi - fi + NEED_ROMHOLE_MIGRATION="true" ;; "PRO Z690-A WIFI (MS-7D25)" | "PRO Z690-A (MS-7D25)") DASHARO_REL_NAME="msi_ms7d25" @@ -334,19 +322,7 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - if check_if_dasharo; then - # if v1.1.1 or older, flash the whole bios region, as per: - # https://docs.dasharo.com/variants/msi_z690/firmware-update/#version-older-than-v110 - compare_versions $DASHARO_VERSION 1.1.2 - if [ $? -eq 1 ]; then - # For Dasharo version lesser than 1.1.2 - NEED_BOOTSPLASH_MIGRATION="true" - FLASHROM_ADD_OPT_UPDATE="--ifd -i bios" - else - # For Dasharo version greater or equal 1.1.2 - FLASHROM_ADD_OPT_UPDATE="--fmap -i RW_SECTION_A -i RW_SECTION_B" - fi - fi + NEED_ROMHOLE_MIGRATION="true" ;; *) error_exit "Board model $BOARD_MODEL is currently not supported" @@ -374,9 +350,7 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - if ! check_if_dasharo; then - NEED_ROMHOLE_MIGRATION="true" - fi + NEED_ROMHOLE_MIGRATION="true" ;; "PRO Z790-P WIFI (MS-7E06)" | "PRO Z790-P (MS-7E06)") DASHARO_REL_NAME="msi_ms7e06" 
@@ -397,9 +371,7 @@ board_config() { NEED_BLOB_TRANSMISSION="false" PROGRAMMER_BIOS="internal" PROGRAMMER_EC="" - if ! check_if_dasharo; then - NEED_ROMHOLE_MIGRATION="true" - fi + NEED_ROMHOLE_MIGRATION="true" ;; *) error_exit "Board model $BOARD_MODEL is currently not supported" From e0126c937e692bd7aae54c768877400b2dcab700 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= Date: Tue, 16 Jan 2024 15:33:22 +0100 Subject: [PATCH 8/9] meta-dts-distro/recipes-dts/dts: Address review discussions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michał Żygowski --- .../dts/dasharo-deploy/dasharo-deploy | 20 +++++++------- .../recipes-dts/dts/dts/dts-functions.sh | 26 +++++++++++++++---- 2 files changed, 32 insertions(+), 14 deletions(-) diff --git a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy index cc81fff0..48dc50cf 100644 --- a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy +++ b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy 
@@ -199,17 +199,20 @@ backup() { romhole_migration() { cbfstool $BIOS_UPDATE_FILE layout -w | grep -q "ROMHOLE" || return - echo "Beginning ROM hole migration process..." flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r /tmp/rom.bin --ifd -i bios >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE - error_check "Failed to read current firmware" + error_check "Failed to read current firmware to migrate MSI ROMHOLE" if check_if_dasharo; then cbfstool /tmp/rom.bin layout -w | grep -q "ROMHOLE" || return - cbfstool /tmp/rom.bin read -r ROMHOLE -f /tmp/romhole.bin || return + # This one is rather unlikely to fail, but just in case print a warning + cbfstool /tmp/rom.bin read -r ROMHOLE -f /tmp/romhole.bin 2> /dev/null + if [ $? -ne 0 ]; then + print_warning "Failed to migrate MSI ROMHOLE, your platform's unique SMBIOS/DMI data may be lost" + return + else else - dd if=/tmp/rom.bin of=/tmp/romhole.bin skip=$((0x17C0000)) bs=128K count=1 iflag=skip_bytes + dd if=/tmp/rom.bin of=/tmp/romhole.bin skip=$((0x17C0000)) bs=128K count=1 iflag=skip_bytes > /dev/null 2>&1 fi - echo "Migrate to ROMHOLE section." cbfstool "$BIOS_UPDATE_FILE" write -r ROMHOLE -f /tmp/romhole.bin -u 2> /dev/null } @@ -283,8 +286,7 @@ check_vboot_keys() { # No FMAP flashing? Also skip grep -q "\-\-fmap" <<< "$FLASHROM_ADD_OPT_UPDATE" || return - CBFSTOOL=$(which cbfstool) - BINARY_KEYS=$(futility show $BIOS_UPDATE_FILE| grep -i 'key sha1sum') + BINARY_KEYS=$(CBFSTOOL=$(which cbfstool) futility show $BIOS_UPDATE_FILE| grep -i 'key sha1sum') if [ $BOARD_HAS_FD_REGION -eq 0 ]; then FLASHROM_ADD_OPT_READ="" 
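Review bot: The added `else` after `return` leaves the new `if [ $? -ne 0 ]; then` without a closing `fi` and puts two `else` keywords in a row, which bash rejects as a syntax error. The line was presumably meant to be `fi`, closing the inner test before the existing `else` of `if check_if_dasharo`. The context lines of the later 9/9 hunk for `romhole_migration` still show `else else`, so the correction does not appear in this series.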
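Review bot: `CBFSTOOL=$(which cbfstool) futility show $BIOS_UPDATE_FILE` hands futility an empty `CBFSTOOL` when cbfstool is not on PATH, and `$BIOS_UPDATE_FILE` is unquoted. `command -v` is the portable builtin for this lookup: `BINARY_KEYS=$(CBFSTOOL=$(command -v cbfstool) futility show "$BIOS_UPDATE_FILE" | grep -i 'key sha1sum')`. The same applies to the `FLASH_KEYS` line in the next hunk. `check_vboot_keys` starts and ends outside this hunk.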
@@ -294,7 +296,7 @@ check_vboot_keys() { echo "Checking vboot keys." flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_READ} -r /tmp/bios.bin > /dev/null 2>/dev/null if [ $? -eq 0 ] && [ -f "/tmp/bios.bin" ]; then - FLASH_KEYS=$(futility show /tmp/bios.bin | grep -i 'key sha1sum') + FLASH_KEYS=$(CBFSTOOL=$(which cbfstool) futility show /tmp/bios.bin | grep -i 'key sha1sum') diff <(echo "$BINARY_KEYS") <(echo "$FLASH_KEYS") > /dev/null 2>&1 # If keys are different we must additionally flash at least GBB region as well if [ $? -ne 0 ]; then @@ -410,7 +412,7 @@ install() { fi echo "Installing Dasharo firmware..." - flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_INTEL_REGIONS} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE + flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE error_check "Failed to install Dasharo firmware" print_green "Successfully installed Dasharo firmware" diff --git a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh index 50ec9a46..981734ba 100644 --- a/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh +++ b/meta-dts-distro/recipes-dts/dts/dts/dts-functions.sh @@ -180,6 +180,10 @@ board_config() { PROGRAMMER_EC="ite_ec" if check_if_dasharo; then # if v1.5.1 or older, flash the whole bios region + # TODO: Let DTS determine which parameters are suitable. + # FIXME: Can we ever get rid of that? We change so much in each release, + # that we almost always need to flash whole BIOS regions + # because of non-backward compatbile or breaking changes. compare_versions $DASHARO_VERSION 1.5.2 if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.5.2 
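Review bot: The added FIXME comment misspells "compatible" as `compatbile`, and the same four comment lines are repeated in the three following `board_config` hunks. Since the text is identical each time, it could be stated once above the board `case` instead of in every entry, which also keeps later corrections in one place.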
@@ -208,7 +212,11 @@ board_config() { PROGRAMMER_BIOS="internal" PROGRAMMER_EC="ite_ec" if check_if_dasharo; then - # if v1.5.0 or older, flash the whole bios region + # if v1.5.1 or older, flash the whole bios region + # TODO: Let DTS determine which parameters are suitable. + # FIXME: Can we ever get rid of that? We change so much in each release, + # that we almost always need to flash whole BIOS regions + # because of non-backward compatbile or breaking changes. compare_versions $DASHARO_VERSION 1.5.1 if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.5.1 @@ -237,6 +245,10 @@ board_config() { PROGRAMMER_EC="ite_ec" if check_if_dasharo; then # if v1.7.2 or older, flash the whole bios region + # TODO: Let DTS determine which parameters are suitable. + # FIXME: Can we ever get rid of that? We change so much in each release, + # that we almost always need to flash whole BIOS regions + # because of non-backward compatbile or breaking changes. compare_versions $DASHARO_VERSION 1.7.2 if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.7.2 @@ -266,6 +278,10 @@ board_config() { PROGRAMMER_EC="ite_ec" if check_if_dasharo; then # if v1.7.2 or older, flash the whole bios region + # TODO: Let DTS determine which parameters are suitable. + # FIXME: Can we ever get rid of that? We change so much in each release, + # that we almost always need to flash whole BIOS regions + # because of non-backward compatbile or breaking changes. compare_versions $DASHARO_VERSION 1.7.2 if [ $? -eq 1 ]; then # For Dasharo version lesser than 1.7.2 @@ -775,7 +791,7 @@ check_if_me_disabled() { echo "ME disabled by Security Override MEI Message/HMRFPO" >> $ERR_LOG_FILE ME_DISABLED=1 return - elif [ $ME_OPMODE == "5" ]; then + elif [ $ME_OPMODE == "6" ]; then echo "ME disabled by Security Override MEI Message/HMRFPO" >> $ERR_LOG_FILE ME_DISABLED=1 return 
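Review bot: The comment edited to `# if v1.5.1 or older, flash the whole bios region` now disagrees with `compare_versions $DASHARO_VERSION 1.5.1`, whose branch is labelled "lesser than 1.5.1". The removed wording (`v1.5.0 or older`) matched the code. Suggested: `# if older than v1.5.1, flash the whole bios region`.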
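Review bot: The corrected `elif [ $ME_OPMODE == "6" ]` branch still logs the mode 5 text, `ME disabled by Security Override MEI Message/HMRFPO`, so the error log cannot tell the two modes apart. The message should name mode 6 specifically; if its meaning is not documented, `echo "ME disabled (operation mode 6)" >> $ERR_LOG_FILE` is still more useful than a duplicate. `$ME_OPMODE` is also unquoted, so an empty `setpci` result makes every test print a `[` error before falling through to the "Unknown ME operation mode" warning. The function starts and ends outside the hunk.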
@@ -808,12 +824,12 @@ force_me_update() { print_warning "You have been warned." while : ; do echo - read -r -p "Force the flashing without updating ME? (Y|n) " OPTION + read -r -p "Skip ME flashing and proceed with BIOS/firmware flashing/udpating? (Y|n) " OPTION echo case ${OPTION} in yes|y|Y|Yes|YES) - print_warning "Proceeding without ME flashing, because we were forced to." + print_warning "Proceeding without ME flashing, because we were asked to." break ;; n|N) @@ -887,7 +903,7 @@ set_intel_regions_update_params() { if [ $ME_DISABLED -eq 1 ]; then FLASHROM_ADD_OPT_REGIONS+=" -i me" else - echo "The firmware binary to be flashed contains Management Engine (ME), but ME is not disabled!" >> $ERR_LOG_FILE + echo "The firmware binary to be flashed contains Management Engine (ME), but ME is not disabled!" >> $ERR_LOG_FILE print_error "The firmware binary contains Management Engine (ME), but ME is not disabled!" force_me_update fi From 1a1e4e7e96bb80e947fef2bc601bdadaa3a3f311 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomasz=20=C5=BByjewski?= Date: Tue, 16 Jan 2024 16:09:51 +0100 Subject: [PATCH 9/9] distro: dasharo-deploy: small syntax fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Tomasz Żyjewski --- .../recipes-dts/dts/dasharo-deploy/dasharo-deploy | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy index 48dc50cf..8736c316 100644 --- a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy +++ b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy 
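Review bot: The new prompt string contains a typo, `flashing/udpating`, which is shown to the user at the point where they decide whether to skip ME flashing. Suggested: `read -r -p "Skip ME flashing and proceed with BIOS/firmware flashing/updating? (Y|n) " OPTION`. The rest of the `case` is outside the hunk, so whether an empty answer is treated as the advertised default `Y` cannot be checked here.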
@@ -210,7 +210,7 @@ romhole_migration() { return else else - dd if=/tmp/rom.bin of=/tmp/romhole.bin skip=$((0x17C0000)) bs=128K count=1 iflag=skip_bytes > /dev/null 2>&1 + dd if=/tmp/rom.bin of=/tmp/romhole.bin skip=$((0x17C0000)) bs=128K count=1 iflag=skip_bytes > /dev/null 2>&1 fi cbfstool "$BIOS_UPDATE_FILE" write -r ROMHOLE -f /tmp/romhole.bin -u 2> /dev/null @@ -539,7 +539,7 @@ update() { echo "Updating Dasharo firmware..." print_warning "This may take several minutes. Please be patient and do not reset your computer, or touch the keyboard!" - # FLASHROM_ADD_OPT_UPDATE_OVERRIDE takes priority over auto-detected udpate params. + # FLASHROM_ADD_OPT_UPDATE_OVERRIDE takes priority over auto-detected update params. # It set only by platform-specific and firmware version-specific conditions if [ -v FLASHROM_ADD_OPT_UPDATE_OVERRIDE ]; then flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE_OVERRIDE} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE @@ -556,7 +556,7 @@ update() { fi # We use FLASHROM_ADD_OPT_REGIONS for updating ME and IFD. - # If FLASHROM_ADD_OPT_REGIONS remains the same after + # If FLASHROM_ADD_OPT_REGIONS remains the same after # set_intel_regions_update_params or is cleared, it means # we either cannot update any region, or were not allowed to, # or platform has no descriptor.