#169 Hardened build system for releases with blobs

Cerrada
shmalebx9 desexa fusionar 2 achegas de shmalebx9/blobrelease en libreboot/master
Modificáronse 2 ficheiros con 94 adicións e 11 borrados
  1. 83 11
      resources/scripts/blobs/inject
  2. 11 0
      resources/scripts/build/release/roms

+ 83 - 11
resources/scripts/blobs/inject

@@ -23,6 +23,7 @@ Fail(){
 }
 
 Modify_gbe(){
+	rom=${1}
 	printf "changing mac address in gbe to ${new_mac}\n"
 	_gbe_location=${CONFIG_GBE_BIN_PATH#../../}
 
@@ -42,7 +43,7 @@ Modify_gbe(){
 listboards() {
 	for boarddir in resources/coreboot/*; do
 		if [ ! -d "${boarddir}" ]; then continue; fi
-		board="${boarddir##resources/coreboot/}"
+		board="${boarddir/##resources/coreboot/}"
 		board="${board%/}"
 		printf '%s\n' "${board##*/}"
 	done
@@ -51,7 +52,8 @@ listboards() {
 # This function tries to determine the board from the filename of the rom.
 # It will only succeed if the filename is not changed from the build/download
 Detect_board(){
-	filename=$(basename ${rom})
+	path=${1}
+	filename=$(basename ${path})
 	case ${filename} in
 		grub_*)
 		board=$(echo "${filename}" | cut -d '_' -f2-3)
@@ -59,6 +61,10 @@ Detect_board(){
 		seabios_withgrub_*)
 		board=$(echo "${filename}" | cut -d '_' -f3-4)
 		;;
+		*.tar.xz)
+		_stripped_prefix=${filename#*_}
+		board="${_stripped_prefix%.tar.xz}"
+		;;
 		*)
 		return 1
 	esac	
@@ -71,6 +77,7 @@ Detect_board(){
 }
 
 Patch(){
+rom="${1}"
 set -- "resources/coreboot/${board}/config/*"
 . ${1} 2>/dev/null
 . "resources/coreboot/${board}/board.cfg"
@@ -86,9 +93,56 @@ set -- "resources/coreboot/${board}/config/*"
 		./coreboot/default/util/ifdtool/ifdtool -i me:${_me_location} ${rom} -O ${rom} || exit 1
 	fi
 
+	if [ "${modifygbe}" = "true" ] && ! [ "${release}" = "true" ]; then
+		Modify_gbe ${rom}
+	fi
+}
+
+Patch_release(){
+	_tmpdir=$(mktemp -d "/tmp/${board}_tmpXXXX")
+	tar xf "${releasearchive}" -C "${_tmpdir}" || \
+	Fail 'could not extract release archive'
+	
+	for rom in ${_tmpdir}/bin/*/*.rom ; do
+		echo "patching rom $rom"
+		Patch ${rom} || \
+		Fail "could not patch ${rom}"
+	done
+
+	( cd ${_tmpdir}/bin/*
+	sha1sum --status -c blobhashes || \
+	Fail 'ROMs did not match expected hashes'
+	)
+	
+
 	if [ "${modifygbe}" = "true" ]; then
-		Modify_gbe
+		for rom in ${_tmpdir}/bin/*/*.rom ; do
+			Modify_gbe ${rom}
+		done
+	fi
+
+	if ! [ -d bin/release ]; then
+		mkdir -p bin/release
 	fi
+
+	mv ${_tmpdir}/bin/* bin/release/ && \
+	printf '%s\n' 'Success! Your ROMs are in bin/release'
+
+	rm -r "${_tmpdir}"
+}
+
+Check_release(){
+if ! [ -f ${1} ]; then
+	return 1
+fi
+
+_filetype=$(file -b "${1}")
+
+if [ "${_filetype%%,*}" = "XZ compressed data" ]; then
+	printf "%s\n" "Release archive ${1} detected"
+else
+	return 1
+fi
 }
 
 if [ "${1}" = "listboards" ]; then
@@ -110,15 +164,25 @@ do
     esac
 done
 
-if [ -z ${rom+x} ]; then
-	Fail 'no rom specified'
-elif [ ! -f "${rom}" ]; then
-	Fail "${rom} is not a valid path"
-elif [ -z ${board+x} ]; then
-	board=$(Detect_board) || \
-	Fail 'no board specified'
+
+
+if ! Check_release ${1} ; then
+	if [ ! -f "${rom}" ]; then
+		Fail "${rom} is not a valid path"
+	elif [ -z ${rom+x} ]; then
+		Fail 'no rom specified'
+	elif [ -z ${board+x} ]; then
+		board=$(Detect_board ${rom}) || \
+		Fail 'no board specified'
+	fi
+else
+	release=true
+	releasearchive="${1}"
+	board=$(Detect_board ${1}) || \
+	Fail 'Could not detect board type'
 fi
 
+
 if [ ! -d "resources/coreboot/${board}/" ]; then
 	Fail "board ${board} not found"
 fi
@@ -138,4 +202,12 @@ printf "building cbfstool from coreboot\n"
 ./build module cbutils default || Fail 'could not build cbfstool'
 fi
 
-./blobutil download ${board} && Patch
+./blobutil download ${board} || \
+Fail "Could not download blobs for ${board}, check network connection"
+
+if [ "${release}" = "true" ]; then
+	echo 'patching release file'
+	Patch_release
+else
+	Patch ${rom}
+fi

+ 11 - 0
resources/scripts/build/release/roms

@@ -86,6 +86,15 @@ for romdir in bin/*; do
 		rm -Rf "${romdir}_tmp" # dirty hack, to reduce  disk io later
 		# rather than using /tmp, which might not be tmpfs
 		mkdir "${romdir}_tmp"
+		
+		if [ ! -f "${romdir}/blobhashes" ]; then
+			printf "%s\n" "The roms in this archive should match the following hashes AFTER blobs are inserted" > "${romdir}/blobhashes"
+		fi
+
+		# Hash the rom before removing blobs
+		( cd ${romdir}
+		sha1sum *.rom >> blobhashes
+		)
 
 		for romfile in "${romdir}"/*.rom
 		do
@@ -93,6 +102,7 @@ for romdir in bin/*; do
 			then
 				continue
 			fi
+
 			${ifdtool} --nuke me "${romfile}" || exit 1
 			mv "${romfile}" "${romdir}_tmp"/
 			mv "${romfile}.new" "${romfile}"
@@ -102,6 +112,7 @@ for romdir in bin/*; do
 				${cbfstool} "${romfile}" remove -n mrc.bin || exit 1
 				${cbfstool} "${romfile}" print
 			fi
+			
 		done
 	fi