blobs/xx30 scripts: cleanup and don't continue if hash is good

tlaurion · tlaurion · commit f2079dbe4435 · 2024-01-04T14:21:11.000-05:00
Signed-off-by: Thierry Laurion &lt;insurgo@riseup.net&gt;
diff --git a/blobs/xx30/download_clean_me.sh b/blobs/xx30/download_clean_me.sh
@@ -6,47 +6,54 @@ function printusage {
 
 ME_BIN_HASH="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4"
 
-if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
-    if [[ "${1:-}" == "--help" ]]; then
-        usage
-    else
-        if [[ -z "${COREBOOT_DIR}" ]]; then
-            echo "ERROR: No COREBOOT_DIR variable defined."
-            exit 1
-      fi
-
-        output_dir="$(realpath "${1:-./}")"
-
-        if [[ ! -f "${output_dir}/me.bin" ]]; then
-            # Unpack Lenovo's Windows installer into a temporary directory and
-            # extract the Intel ME blob.
-            pushd "$(mktemp -d)"
+if [ -e "${output_dir}/me.bin" ]; then
+  echo "me.bin already exists"
+  if echo "${ME_BIN_HASH} ${output_dir}/me.bin" | sha256sum --check; then
+    echo "SKIPPING: SHA256 checksum for me.bin matches."
+    exit 0
+  fi
+  echo "me.bin exists but checksum doesn't match. Continuing..."
+fi
 
-            curl -O https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
-            innoextract g1rg24ww.exe
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+  if [[ "${1:-}" == "--help" ]]; then
+    usage
+  else
+    if [[ -z "${COREBOOT_DIR}" ]]; then
+      echo "ERROR: No COREBOOT_DIR variable defined."
+      exit 1
+    fi
 
-            mv app/ME8_5M_Production.bin "${COREBOOT_DIR}/util/me_cleaner"
+    output_dir="$(realpath "${1:-./}")"
 
-            popd
+    if [[ ! -f "${output_dir}/me.bin" ]]; then
+      # Unpack Lenovo's Windows installer into a temporary directory and
+      # extract the Intel ME blob.
+      pushd "$(mktemp -d)" || exit
 
-            # Neutralize and shrink Intel ME. Note that this doesn't include
-            # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g.,
-            # High Assurance Program) bits, as they are defined within the Flash
-            # Descriptor.
-            # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
-            pushd "${COREBOOT_DIR}/util/me_cleaner"
+      curl -O https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
+      innoextract g1rg24ww.exe
 
-            python me_cleaner.py -r -t -O me_shrinked.bin ME8_5M_Production.bin
+      mv app/ME8_5M_Production.bin "${COREBOOT_DIR}/util/me_cleaner"
+      rm -rf ./*
+      popd || exit
 
-            mv me_shrinked.bin "${output_dir}/me.bin"
-            #rm ./*.bin
+      # Neutralize and shrink Intel ME. Note that this doesn't include
+      # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g.,
+      # High Assurance Program) bits, as they are defined within the Flash
+      # Descriptor.
+      # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
+      pushd "${COREBOOT_DIR}/util/me_cleaner" || exit
 
-            popd
-        fi
+      python me_cleaner.py -r -t -O me_shrinked.bin ME8_5M_Production.bin
+      rm -f ME8_5M_Production.bin
+      mv me_shrinked.bin "${output_dir}/me.bin"
+      popd || exit
+    fi
 
-        if ! echo "${ME_BIN_HASH} ${output_dir}/me.bin" | sha256sum --check; then
-            echo "ERROR: SHA256 checksum for me.bin doesn't match."
-            exit 1
-        fi
+    if ! echo "${ME_BIN_HASH} ${output_dir}/me.bin" | sha256sum --check; then
+      echo "ERROR: SHA256 checksum for me.bin doesn't match."
+      exit 1
     fi
+  fi
 fi
diff --git a/blobs/xx30/download_clean_me_manually.sh b/blobs/xx30/download_clean_me_manually.sh
@@ -4,53 +4,66 @@ function printusage {
   echo "Usage: $0 -m <me_cleaner>(optional)"
 }
 
-BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+BLOBDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4  $BLOBDIR/me.bin"
+ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153  g1rg24ww.exe"
+ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa  app/ME8_5M_Production.bin"
 
 if [ "$#" -eq 0 ]; then printusage; fi
 
 while getopts ":m:" opt; do
   case $opt in
-    m)
-      if [ -x "$OPTARG" ]; then
-        MECLEAN="$OPTARG"
-      fi
-      ;;
+  m)
+    if [ -x "$OPTARG" ]; then
+      MECLEAN="$OPTARG"
+    fi
+    ;;
+  *)
+    ;;
   esac
 done
 
-FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4  $BLOBDIR/me.bin"
-ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153  g1rg24ww.exe"
-ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa  app/ME8_5M_Production.bin"
-
+if [ -e "$BLOBDIR/me.bin" ]; then
+  echo "$BLOBDIR/me.bin found..."
+  if ! echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check; then
+    echo "$BLOBDIR/me.bin doesn't pass integrity validation. Continuing..."
+    rm -f "$BLOBDIR/me.bin"
+  else
+    echo "$BLOBDIR/me.bin already extracted and neutered outside of ROMP and BUP"
+    exit 0
+  fi
+fi
 
 if [ -z "$MECLEAN" ]; then
-  MECLEAN=`command -v $BLOBDIR/../../build/x86/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
+  MECLEAN=$(command -v "$BLOBDIR/../../build/x86/coreboot-"*/util/me_cleaner/me_cleaner.py 2>&1 | head -n1)
   if [ -z "$MECLEAN" ]; then
     echo "me_cleaner.py required but not found or specified with -m. Aborting."
-    exit 1;
+    exit 1
   fi
 fi
 
 echo "### Creating temp dir"
 extractdir=$(mktemp -d)
-cd "$extractdir"
+cd "$extractdir" || exit
 
 echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..."
-wget  https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe || { echo "ERROR: wget not found" && exit 1; }
+wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe || { echo "ERROR: wget not found" && exit 1; }
 echo "### Verifying expected hash of g1rg24ww.exe"
 echo "$ME_EXE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; }
 
 echo "### Extracting g1rg24ww.exe..."
-innoextract ./g1rg24ww.exe || { echo "Failed calling innoextract. Tool installed on host?" && exit 1;}
+innoextract ./g1rg24ww.exe || { echo "Failed calling innoextract. Tool installed on host?" && exit 1; }
 echo "### Verifying expected hash of app/ME8_5M_Production.bin"
 echo "$ME8_5M_PRODUCTION_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; }
 
-echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... "
-$MECLEAN -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin
+bioscopy="some_value" # Assign a value to the bioscopy variable
+
+echo "### Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... "
+"$MECLEAN" -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin
 echo "### Verifying expected hash of me.bin"
 echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on final binary..." && exit 1; }
 
+echo "### Cleaning up..."
+cd - >/dev/null
 
-echo "###Cleaning up..."
-cd - 
 rm -r "$extractdir"
