
Commit 744774b

committed
meta-dts-distro/recipes-dts/dts: Check if vboot keys need to be updated
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
1 parent b7a2755 commit 744774b


1 file changed

+34
-0
lines changed


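--- a/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy
+++ b/meta-dts-distro/recipes-dts/dts/dasharo-deploy/dasharo-deploy
@@ -267,6 +267,34 @@ resign_binary() {
 fi
 }
 
+check_vboot_keys() {
+if [ "$HAVE_VBOOT" -eq 0 ]; then
+# If we flash whole BIOS region, no need to check if keys match
+grep -q "\-\-ifd" <<< "$FLASHROM_ADD_OPT_UPDATE" && grep -q "\-i bios" <<< "$FLASHROM_ADD_OPT_UPDATE" && return
+# No FMAP flashing? Also skip
+grep -q "\-\-fmap" <<< "$FLASHROM_ADD_OPT_UPDATE" || return
+
+CBFSTOOL=$(which cbfstool)
+BINARY_KEYS=$(futility show $BIOS_UPDATE_FILE| grep -i 'key sha1sum')
+
+if [ $BOARD_HAS_FD_REGION -eq 0 ]; then
+FLASHROM_ADD_OPT_READ=""
+else
+FLASHROM_ADD_OPT_READ="--ifd -i bios"
+fi
+
+flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_READ} -r /tmp/bios.bin > /dev/null 2>/dev/null
+if [ $? -eq 0 ] && [ -f "/tmp/bios.bin" ]; then
+FLASH_KEYS=$(futility show /tmp/bios.bin | grep -i 'key sha1sum')
+diff <(echo "$BINARY_KEYS") <(echo "$FLASH_KEYS") > /dev/null 2>&1
+# If keys are different we must additionally flash at least GBB region as well
+if [ $? -ne 0 ]; then
+FLASHROM_ADD_OPT_UPDATE+=" -i GBB"
+fi
+fi
+fi
+}
+
 blob_transmission() {
 echo "Extracting the UEFI image from BIOS update"
 wget -O "$DBT_BIOS_UPDATE_FILENAME" --user-agent='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' "$DBT_BIOS_UPDATE_URL" >> $ERR_LOG_FILE 2>&1
@@ -489,10 +517,16 @@ update() {
 bootsplash_migration
 fi
 
+cbfstool "$BIOS_UPDATE_FILE" extract -r COREBOOT -n config -f "$BIOS_UPDATE_CONFIG_FILE"
+grep -q "CONFIG_VBOOT=y" "$BIOS_UPDATE_CONFIG_FILE"
+HAVE_VBOOT="$?"
+
 check_intel_regions
 check_blobs_in_binary $BIOS_UPDATE_FILE
 check_if_me_disabled
 set_flashrom_update_params $BIOS_UPDATE_FILE
+set_intel_regions_update_params "-N --ifd"
+check_vboot_keys
 
 echo "Updating Dasharo firmware..."
 print_warning "This may take several minutes. Please be patient and do not reset your computer, or touch the keyboard!"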
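Review bot: The key comparison in check_vboot_keys fails open: when the flashrom read fails the whole check is skipped without a message, and when `futility show` yields no 'key sha1sum' lines for either image the two empty strings compare equal, so the update goes ahead without `-i GBB` although the keys were never actually compared. An undetected mismatch would leave firmware signed with the new keys under the old root key in GBB, which presumably ends in a verification failure at boot. The flash dump is also written to the fixed, predictable path `/tmp/bios.bin` and never removed; a `mktemp` file deleted after use is safer, and `$BIOS_UPDATE_FILE` should be quoted. Because adding `-i GBB` replaces the root key in flash with the one carried by the update file, this step depends on `$BIOS_UPDATE_FILE` having been authenticated earlier, which is not visible in this hunk. The sketch below treats an unreadable flash or an empty key list as "not confirmed" rather than "match"; whether to flash GBB or abort in that case is the maintainers' call.

```shell
# … unchanged: HAVE_VBOOT / --ifd / --fmap early returns, FLASHROM_ADD_OPT_READ selection …
BINARY_KEYS=$(futility show "$BIOS_UPDATE_FILE" | grep -i 'key sha1sum')

flash_dump=$(mktemp) || return 1
if flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_READ} -r "$flash_dump" > /dev/null 2>&1; then
  FLASH_KEYS=$(futility show "$flash_dump" | grep -i 'key sha1sum')
else
  # Read failed: the keys in flash are unknown, not "equal".
  FLASH_KEYS=""
fi
rm -f -- "$flash_dump"

# An empty key list means the comparison could not be made; do not treat it as a match.
if [ -z "$BINARY_KEYS" ] || [ -z "$FLASH_KEYS" ] || [ "$BINARY_KEYS" != "$FLASH_KEYS" ]; then
  FLASHROM_ADD_OPT_UPDATE+=" -i GBB"
fi
```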
