Talos II: flashrom, flashtools, PNOR handling

boards/talos-2_server/talos-2_server.config

@@ -21,6 +21,8 @@ CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
 CONFIG_GPG2=y
 CONFIG_PCIUTILS=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
 
 #Whiptail in console mode
 CONFIG_SLANG=y
@@ -45,3 +47,22 @@ export CONFIG_BOOT_KERNEL_REMOVE="quiet"
 export CONFIG_BOOT_KERNEL_ADD="console=tty0 console=hvc0 rootdelay=3 rootwait panic=10"
 export CONFIG_BOOT_DEV="/dev/sda1"
 export CONFIG_BOARD_NAME="Talos 2 Server"
+export CONFIG_FLASHROM_OPTIONS="--noverify-all -p linux_mtd"
+
+OUTPUT_PREFIX	:= heads-$(BOARD)-$(HEADS_GIT_VERSION)
+BUNDLED_LINUX	:= $(OUTPUT_PREFIX)-zImage.bundled
+OUTPUT_FILES	:= $(CB_OUTPUT_FILE) $(CB_BOOTBLOCK_FILE) $(BUNDLED_LINUX)
+
+all: $(board_build)/$(BUNDLED_LINUX)
+$(board_build)/$(BUNDLED_LINUX): $(board_build)/zImage.bundled
+	$(call do-copy,$<,$@)
+
+all: $(board_build)/$(OUTPUT_PREFIX).tgz
+$(board_build)/$(OUTPUT_PREFIX).tgz: \
+	$(addprefix $(board_build)/,$(OUTPUT_FILES))
+	rm -rf $(board_build)/pkg # cleanup in case directory exists
+	mkdir $(board_build)/pkg
+	cp $^ $(board_build)/pkg
+	cd $(board_build)/pkg && sha256sum * > hashes.txt
+	cd $(board_build)/pkg && tar zcf $@ *
+	rm -r $(board_build)/pkg

boards/talos-2_workstation/talos-2_workstation.config

@@ -21,6 +21,8 @@ CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
 CONFIG_GPG2=y
 CONFIG_PCIUTILS=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
 
 #whiptail in graphical mode
 CONFIG_CAIRO=y
@@ -45,3 +47,22 @@ export CONFIG_BOOT_KERNEL_REMOVE="quiet"
 export CONFIG_BOOT_KERNEL_ADD="console=tty0 console=hvc0 rootdelay=3 rootwait panic=10"
 export CONFIG_BOOT_DEV="/dev/sda1"
 export CONFIG_BOARD_NAME="Talos 2 Workstation"
+export CONFIG_FLASHROM_OPTIONS="--noverify-all -p linux_mtd"
+
+OUTPUT_PREFIX	:= heads-$(BOARD)-$(HEADS_GIT_VERSION)
+BUNDLED_LINUX	:= $(OUTPUT_PREFIX)-zImage.bundled
+OUTPUT_FILES	:= $(CB_OUTPUT_FILE) $(CB_BOOTBLOCK_FILE) $(BUNDLED_LINUX)
+
+all: $(board_build)/$(BUNDLED_LINUX)
+$(board_build)/$(BUNDLED_LINUX): $(board_build)/zImage.bundled
+	$(call do-copy,$<,$@)
+
+all: $(board_build)/$(OUTPUT_PREFIX).tgz
+$(board_build)/$(OUTPUT_PREFIX).tgz: \
+	$(addprefix $(board_build)/,$(OUTPUT_FILES))
+	rm -rf $(board_build)/pkg # cleanup in case directory exists
+	mkdir $(board_build)/pkg
+	cp $^ $(board_build)/pkg
+	cd $(board_build)/pkg && sha256sum * > hashes.txt
+	cd $(board_build)/pkg && tar zcf $@ *
+	rm -r $(board_build)/pkg

initrd/bin/cbfs.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e -o pipefail
+. /etc/functions
+. /tmp/config
+
+if pnor "$2" -r HBI > /tmp/pnor.part 2>/dev/null; then
+    cbfs "$@" -o /tmp/pnor.part && pnor "$2" -w HBI < /tmp/pnor.part
+else
+    cbfs "$@"
+fi

initrd/bin/config-gui.sh

@@ -82,10 +82,10 @@ while true; do
         exit 1
       fi
 
-      if (cbfs -o /tmp/config-gui.rom -l | grep -q "heads/initrd/etc/config.user") then
-        cbfs -o /tmp/config-gui.rom -d "heads/initrd/etc/config.user"
+      if (cbfs.sh -o /tmp/config-gui.rom -l | grep -q "heads/initrd/etc/config.user") then
+        cbfs.sh -o /tmp/config-gui.rom -d "heads/initrd/etc/config.user"
       fi
-      cbfs -o /tmp/config-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
+      cbfs.sh -o /tmp/config-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
 
       if (whiptail --title 'Update ROM?' \
           --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 0 80) then
@@ -118,8 +118,8 @@ while true; do
         rm /boot/kexec* | true
         mount -o remount,ro /boot
         # clear GPG keys and user settings
-        for i in `cbfs -o /tmp/config-gui.rom -l | grep -e "heads/"`; do
-          cbfs -o /tmp/config-gui.rom -d $i
+        for i in `cbfs.sh -o /tmp/config-gui.rom -l | grep -e "heads/"`; do
+          cbfs.sh -o /tmp/config-gui.rom -d $i
         done
         # flash cleared ROM
         /bin/flash.sh -c /tmp/config-gui.rom

initrd/bin/flash-gui.sh

@@ -22,10 +22,10 @@ while true; do
     ;;
     f|c )
       if (whiptail $BG_COLOR_WARNING --title 'Flash the BIOS with a new ROM' \
-          --yesno "You will need to insert a USB drive containing your BIOS image (*.rom).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80) then
+          --yesno "You will need to insert a USB drive containing your BIOS image (*.rom or *.tgz).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80) then
         mount_usb
         if grep -q /media /proc/mounts ; then
-          find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt
+          find /media ! -path '*/\.*' -type f \( -name '*.rom' -o -name '*.tgz' \) | sort > /tmp/filelist.txt
           file_selector "/tmp/filelist.txt" "Choose the ROM to flash"
           if [ "$FILE" == "" ]; then
             return

initrd/bin/flash.sh

@@ -123,10 +123,10 @@ flash_rom() {
       || die "$ROM: Config preservation failed"
     fi
     # persist serial number from CBFS
-    if cbfs -r serial_number > /tmp/serial 2>/dev/null; then
+    if cbfs.sh -r serial_number > /tmp/serial 2>/dev/null; then
       echo "Persisting system serial"
-      cbfs -o /tmp/${CONFIG_BOARD}.rom -d serial_number 2>/dev/null || true
-      cbfs -o /tmp/${CONFIG_BOARD}.rom -a serial_number -f /tmp/serial
+      cbfs.sh -o /tmp/${CONFIG_BOARD}.rom -d serial_number 2>/dev/null || true
+      cbfs.sh -o /tmp/${CONFIG_BOARD}.rom -a serial_number -f /tmp/serial
     fi
     # persist PCHSTRP9 from flash descriptor
     if [ "$CONFIG_BOARD" = "librem_l1um" ]; then
@@ -159,8 +159,41 @@ else
 fi
 
 if [ ! -e "$ROM" ]; then
-	die "Usage: $0 [-c|-r] <path_to_image.rom>"
+    die "Usage: $0 [-c|-r] <path/to/image.(rom|tgz)>"
+fi
+
+if [ "$READ" -eq 0 ] && [ "${ROM##*.}" = tgz ]; then
+    if [ "${CONFIG_BOARD%_*}" = talos-2 ]; then
+        rm -rf /tmp/verified_rom
+        mkdir /tmp/verified_rom
+
+        tar -C /tmp/verified_rom -xf $ROM
+        if ! (cd /tmp/verified_rom/ && sha256sum -cs hashes.txt); then
+            die "Provided tgz image did not pass hash verification"
+        fi
+
+        echo "Reading current flash and building an update image"
+        flashrom $CONFIG_FLASHROM_OPTIONS -r /tmp/flash.sh.bak \
+            || die "Read of flash has failed"
+
+        # ROM and bootblock already have ECC
+        bootblock=$(echo /tmp/verified_rom/*.bootblock)
+        rom=$(echo /tmp/verified_rom/*.rom)
+        kernel=$(echo /tmp/verified_rom/*-zImage.bundled)
+        pnor /tmp/flash.sh.bak -aw HBB < $bootblock
+        pnor /tmp/flash.sh.bak -aw HBI < $rom
+        pnor /tmp/flash.sh.bak -aw BOOTKERNEL < $kernel
+        rm -rf /tmp/verified_rom
+
+        ROM=/tmp/flash.sh.bak
+    else
+        die "$CONFIG_BOARD doesn't support tgz image format"
+    fi
 fi
 
 flash_rom $ROM
+
+# don't leave temporary files lying around
+rm -f /tmp/flash.sh.bak
+
 exit 0

initrd/bin/gpg-gui.sh

@@ -19,10 +19,10 @@ gpg_flash_rom() {
   gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
   gpg --update-trust
 
-  if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
-    cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
-    if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
-      cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
+  if (cbfs.sh -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
+    cbfs.sh -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
+    if (cbfs.sh -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
+      cbfs.sh -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
       if [ -e /.gnupg/pubring.gpg ];then
         rm /.gnupg/pubring.gpg
       fi
@@ -31,33 +31,33 @@ gpg_flash_rom() {
 
   #to be compatible with gpgv1
   if [ -e /.gnupg/pubring.kbx ];then
-    cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
+    cbfs.sh -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
     if [ -e /.gnupg/pubring.gpg ];then
       rm /.gnupg/pubring.gpg
     fi
   fi
   if [ -e /.gnupg/pubring.gpg ];then
-    cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
+    cbfs.sh -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
   fi
 
-  if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
-    cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
+  if (cbfs.sh -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
+    cbfs.sh -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
   fi
   if [ -e /.gnupg/trustdb.gpg ]; then
-    cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
+    cbfs.sh -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
   fi
 
   #Remove old method owner trust exported file
-  if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
-    cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
+  if (cbfs.sh -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
+    cbfs.sh -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
   fi
 
   # persist user config changes
-  if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/etc/config.user") then
-    cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/etc/config.user"
+  if (cbfs.sh -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/etc/config.user") then
+    cbfs.sh -o /tmp/gpg-gui.rom -d "heads/initrd/etc/config.user"
   fi
   if [ -e /etc/config.user ]; then
-    cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
+    cbfs.sh -o /tmp/gpg-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
   fi
   /bin/flash.sh /tmp/gpg-gui.rom
 

initrd/bin/oem-factory-reset

@@ -659,24 +659,24 @@ if ! gpg --update-trust >/dev/null 2>/tmp/error ; then
     whiptail_error_die "Error updating GPG ownertrust:\n\n$ERROR"
 fi
 # clear any existing heads/gpg files from current firmware
-for i in `cbfs -o /tmp/oem-setup.rom -l | grep -e "heads/"`; do
-    cbfs -o /tmp/oem-setup.rom -d $i
+for i in `cbfs.sh -o /tmp/oem-setup.rom -l | grep -e "heads/"`; do
+    cbfs.sh -o /tmp/oem-setup.rom -d $i
 done
 # add heads/gpg files to current firmware
 if [ -e /.gnupg/pubring.kbx ];then
-    cbfs -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
+    cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
     if [ -e /.gnupg/pubring.gpg ];then
         rm /.gnupg/pubring.gpg
     fi
 elif [ -e /.gnupg/pubring.gpg ];then
-    cbfs -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
+    cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
 fi
 if [ -e /.gnupg/trustdb.gpg ]; then
-    cbfs -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
+    cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
 fi
 # persist user config changes (boot device)
 if [ -e /etc/config.user ]; then
-    cbfs -o /tmp/oem-setup.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
+    cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
 fi
 # flash updated firmware image
 echo -e "\nAdding generated key to current firmware and re-flashing...\n"

initrd/etc/functions

@@ -276,12 +276,12 @@ preserve_rom() {
 	old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"`
 
 	for old_file in `echo $old_files`; do
-		new_file=`cbfs -o $1 -l | grep -x $old_file`
+		new_file=`cbfs.sh -o $1 -l | grep -x $old_file`
 		if [ -z "$new_file" ]; then
 			echo "+++ Adding $old_file to $1"
 			cbfs -t 50 -r $old_file >/tmp/rom.$$ \
 			|| die "Failed to read cbfs file from ROM"
-			cbfs -o $1 -a $old_file -f /tmp/rom.$$ \
+			cbfs.sh -o $1 -a $old_file -f /tmp/rom.$$ \
 			|| die "Failed to write cbfs file to new ROM file"
 		fi
 	done

modules/flashrom

@@ -8,15 +8,28 @@ flashrom_tar := $(flashrom_dir).tar.gz
 flashrom_url := https://github.com/flashrom/flashrom/archive/$(flashrom_version).tar.gz
 flashrom_hash := 4873ad50f500629c244fc3fbee64b56403a82307d7f555dfa235336a200c336c
 
-flashrom_target := \
-	$(MAKE_JOBS) \
-	$(CROSS_TOOLS) \
+# Default options for flashrom
+flashrom_cfg := \
 	WARNERROR=no \
 	CONFIG_NOTHING=yes \
 	CONFIG_INTERNAL=yes \
 	CONFIG_DUMMY=yes \
 	CONFIG_AST1100=yes \
 
+ifeq "$(CONFIG_TARGET_ARCH)" "ppc64"
+flashrom_cfg := \
+	WARNERROR=no \
+	CONFIG_NOTHING=yes \
+	CONFIG_LINUX_MTD=yes \
+	CONFIG_DUMMY=yes \
+	CONFIG_AST1100=yes
+endif
+
+flashrom_target := \
+	$(MAKE_JOBS) \
+	$(CROSS_TOOLS) \
+	$(flashrom_cfg)
+
 flashrom_output := \
 	flashrom
 

modules/flashtools

@@ -2,11 +2,11 @@ modules-$(CONFIG_FLASHTOOLS) += flashtools
 
 flashtools_depends := $(musl_dep)
 
-flashtools_version := 40d5170e84a3822552df7a500cd00aa870fdfe76
+flashtools_version := 76bdfa21d65caeb7dbe9c2fa1a837369732f50af
 flashtools_dir := flashtools-$(flashtools_version)
 flashtools_tar := flashtools-$(flashtools_version).tar.gz
-flashtools_url := https://github.com/osresearch/flashtools/archive/$(flashtools_version).tar.gz
-flashtools_hash := dca7f4fd129509bdcbf5e4646905d6dd82e91061d7faf62bbe7193c31bb7cd4c
+flashtools_url := https://github.com/3mdeb/flashtools/archive/$(flashtools_version).tar.gz
+flashtools_hash := 81b3c1f12318bd2942b426a99638e23d24e85819227653cd3b9302fbfc43b220
 
 flashtools_target := \
 	$(CROSS_TOOLS) \
@@ -20,6 +20,10 @@ flashtools_output := \
 	cbfs \
 	uefi \
 
+ifeq "$(CONFIG_TARGET_ARCH)" "ppc64"
+flashtools_output += pnor
+endif
+
 flashtools_libraries := \
 
 flashtools_configure :=