sravan/system76-firmware-open
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Firmware security support

Browse Source
This commit is contained in:
Jeremy Soller 2023-03-06 15:02:33 -07:00
parent 62d9b5db3f
commit b212d78343
3 changed files with 85 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
coreboot

@ -1 +1 @@
Subproject commit 4e370bf6adcf0f0d1f2ecf8f2248a383492e0f10
Subproject commit 892b31dd8f6c7a732d06077c12311b843cc5c930

106
scripts/flash.sh
View File

@ -4,17 +4,11 @@ set -e
if [ -z "$1" ]
then
echo "$0 <model> [--without-ec]" >&2
echo "$0 <model>" >&2
exit 1
fi
MODEL="$1"
WITH_EC=true
if [ "$2" = "--without-ec" ]
then
WITH_EC=false
fi
if [ ! -d "models/${MODEL}" ]
then
echo "model '${MODEL}' not found" >&2
@ -25,27 +19,87 @@ MODEL_DIR="$(realpath "models/${MODEL}")"
DMI_MODEL="$(cat /sys/class/dmi/id/product_version)"
if [ "${DMI_MODEL}" != "${MODEL}" ]
then
echo "Refusing to flash model '${MODEL}' to model '${DMI_MODEL}'" >&2
exit 1
echo "Refusing to flash model '${MODEL}' to model '${DMI_MODEL}'" >&2
exit 1
fi
cargo build --release --manifest-path libs/intel-spi/Cargo.toml
sudo libs/intel-spi/target/release/intel-spi "build/${MODEL}/firmware.rom"
# Define base directory for firmware-update
export BASEDIR="system76-firmware-update"
if [ "$WITH_EC" = true ]
# Clean build directory
mkdir -p build
BUILD="$(realpath "build/${MODEL}")"
rm -rf "${BUILD}/${BASEDIR}"
mkdir -p "${BUILD}/${BASEDIR}"
# Rebuild and copy firmware-update
pushd apps/firmware-update >/dev/null
rm -rf "build/x86_64-unknown-uefi"
make "build/x86_64-unknown-uefi/boot.efi"
cp -v "build/x86_64-unknown-uefi/boot.efi" "${BUILD}/${BASEDIR}"
cp -rv "res" "${BUILD}/${BASEDIR}"
popd >/dev/null
# Copy firmware
mkdir -p "${BUILD}/${BASEDIR}/firmware"
cp -v "${BUILD}/firmware.rom" "${BUILD}/${BASEDIR}/firmware"
if [ -f "${BUILD}/ec.rom" ]
then
if [ -e "build/${MODEL}/ec.rom" ]
then
cargo build --release --manifest-path ec/tool/Cargo.toml
ECTOOL=ec/tool/target/release/system76_ectool
if sudo $ECTOOL info &> /dev/null
then
sudo $ECTOOL flash "build/${MODEL}/ec.rom"
else
echo "WARNING: Skipping EC flash: Could not get System76 EC info"
fi
fi
else
echo "Skipping EC flash"
cp -v "${BUILD}/ec.rom" "${BUILD}/${BASEDIR}/firmware"
fi
# Locate EFI partition mount path
EFI_PATH="$(bootctl --print-esp-path)"
if [ -z "${EFI_PATH}" -o ! -d "${EFI_PATH}" ]
then
echo "EFI system partition '${EFI_PATH}' not found" >&2
exit 1
fi
# Locate EFI partition
EFI_PART_NAME="$(awk '$2 == "'"${EFI_PATH}"'"' /proc/mounts | awk '{print $1}' | awk -F/ '{print $3}')"
if [ -z "${EFI_PART_NAME}" ]
then
echo "EFI system partition name not found" >&2
exit 1
fi
EFI_PART="$(cat /sys/class/block/${EFI_PART_NAME}/partition)"
# Locate EFI disk
EFI_DISK=""
for block in /sys/block/*; do
if test -e "${block}/${EFI_PART_NAME}"
then
EFI_DISK="/dev/$(basename "${block}")"
break
fi
done
if [ -z "${EFI_DISK}" ]
then
echo "EFI system partition disk device not found" >&2
exit 1
fi
# Install to EFI_PATH
sudo rsync -rv --delete "${BUILD}/${BASEDIR}/" "${EFI_PATH}/${BASEDIR}/"
# Ensure boot num is deleted
if [ -f /sys/firmware/efi/efivars/Boot1776-8be4df61-93ca-11d2-aa0d-00e098032b8c ]
then
sudo efibootmgr --quiet --bootnum 1776 --delete-bootnum
fi
# Add entry to EFI boot variables
sudo efibootmgr \
--quiet \
--create \
--bootnum 1776 \
--disk "${EFI_DISK}" \
--part "${EFI_PART}" \
--loader "\\${BASEDIR}\\boot.efi" \
--label "${BASEDIR}"
# Set entry as next boot item
sudo efibootmgr --quiet --bootnext 1776
echo "Reboot to flash firmware"

5
scripts/qemu.sh
View File

@ -19,7 +19,10 @@ MODEL_DIR="$(realpath "models/${MODEL}")"
qemu-system-x86_64 \
-enable-kvm \
-M q35 -m 4096 -vga std \
-M q35 \
-m 4096 \
-cpu Skylake-Client \
-vga std \
-bios "build/${MODEL}/firmware.rom" \
-chardev stdio,mux=on,id=debug \
-device isa-serial,index=2,chardev=debug \