Firmware security support

coreboot

@@ -1 +1 @@
-Subproject commit 4e370bf6adcf0f0d1f2ecf8f2248a383492e0f10
+Subproject commit 892b31dd8f6c7a732d06077c12311b843cc5c930

scripts/flash.sh

@@ -4,17 +4,11 @@ set -e
 
 if [ -z "$1" ]
 then
-  echo "$0 <model> [--without-ec]" >&2
+  echo "$0 <model>" >&2
   exit 1
 fi
 MODEL="$1"
 
-WITH_EC=true
-if [ "$2" = "--without-ec" ]
-then
-    WITH_EC=false
-fi
-
 if [ ! -d "models/${MODEL}" ]
 then
   echo "model '${MODEL}' not found" >&2
@@ -29,23 +23,83 @@ then
     exit 1
 fi
 
-cargo build --release --manifest-path libs/intel-spi/Cargo.toml
+# Define base directory for firmware-update
-sudo libs/intel-spi/target/release/intel-spi "build/${MODEL}/firmware.rom"
+export BASEDIR="system76-firmware-update"
 
-if [ "$WITH_EC" = true ]
+# Clean build directory
-then
+mkdir -p build
-    if [ -e "build/${MODEL}/ec.rom" ]
+BUILD="$(realpath "build/${MODEL}")"
-    then
+rm -rf "${BUILD}/${BASEDIR}"
-        cargo build --release --manifest-path ec/tool/Cargo.toml
+mkdir -p "${BUILD}/${BASEDIR}"
-        ECTOOL=ec/tool/target/release/system76_ectool
 
-        if sudo $ECTOOL info &> /dev/null
+# Rebuild and copy firmware-update
+pushd apps/firmware-update >/dev/null
+    rm -rf "build/x86_64-unknown-uefi"
+    make "build/x86_64-unknown-uefi/boot.efi"
+    cp -v "build/x86_64-unknown-uefi/boot.efi" "${BUILD}/${BASEDIR}"
+    cp -rv "res" "${BUILD}/${BASEDIR}"
+popd >/dev/null
+
+# Copy firmware
+mkdir -p "${BUILD}/${BASEDIR}/firmware"
+cp -v "${BUILD}/firmware.rom" "${BUILD}/${BASEDIR}/firmware"
+if [ -f "${BUILD}/ec.rom" ]
 then
-            sudo $ECTOOL flash "build/${MODEL}/ec.rom"
+    cp -v "${BUILD}/ec.rom" "${BUILD}/${BASEDIR}/firmware"
-        else
-            echo "WARNING: Skipping EC flash: Could not get System76 EC info"
 fi
+
+# Locate EFI partition mount path
+EFI_PATH="$(bootctl --print-esp-path)"
+if [ -z "${EFI_PATH}" -o ! -d "${EFI_PATH}" ]
+then
+    echo "EFI system partition '${EFI_PATH}' not found" >&2
+    exit 1
 fi
-else
+
-    echo "Skipping EC flash"
+# Locate EFI partition
+EFI_PART_NAME="$(awk '$2 == "'"${EFI_PATH}"'"' /proc/mounts | awk '{print $1}' | awk -F/ '{print $3}')"
+if [ -z "${EFI_PART_NAME}" ]
+then
+    echo "EFI system partition name not found" >&2
+    exit 1
 fi
+EFI_PART="$(cat /sys/class/block/${EFI_PART_NAME}/partition)"
+
+# Locate EFI disk
+EFI_DISK=""
+for block in /sys/block/*; do
+    if test -e "${block}/${EFI_PART_NAME}"
+    then
+        EFI_DISK="/dev/$(basename "${block}")"
+        break
+    fi
+done
+if [ -z "${EFI_DISK}" ]
+then
+    echo "EFI system partition disk device not found" >&2
+    exit 1
+fi
+
+# Install to EFI_PATH
+sudo rsync -rv --delete "${BUILD}/${BASEDIR}/" "${EFI_PATH}/${BASEDIR}/"
+
+# Ensure boot num is deleted
+if [ -f /sys/firmware/efi/efivars/Boot1776-8be4df61-93ca-11d2-aa0d-00e098032b8c ]
+then
+    sudo efibootmgr --quiet --bootnum 1776 --delete-bootnum
+fi
+
+# Add entry to EFI boot variables
+sudo efibootmgr \
+    --quiet \
+    --create \
+    --bootnum 1776 \
+    --disk "${EFI_DISK}" \
+    --part "${EFI_PART}" \
+    --loader "\\${BASEDIR}\\boot.efi" \
+    --label "${BASEDIR}"
+
+# Set entry as next boot item
+sudo efibootmgr --quiet --bootnext 1776
+
+echo "Reboot to flash firmware"

scripts/qemu.sh

@@ -19,7 +19,10 @@ MODEL_DIR="$(realpath "models/${MODEL}")"
 
 qemu-system-x86_64 \
     -enable-kvm \
-    -M q35 -m 4096 -vga std \
+    -M q35 \
+    -m 4096 \
+    -cpu Skylake-Client \
+    -vga std \
     -bios "build/${MODEL}/firmware.rom" \
     -chardev stdio,mux=on,id=debug \
     -device isa-serial,index=2,chardev=debug \