dasharo/dts-scripts
0
0
Fork 0
mirror of https://github.com/Dasharo/dts-scripts.git synced 2026-03-06 15:01:22 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
send-logs
dts-scripts/scripts/dasharo-deploy
Pawel Langowski bfa2a3168f Add verbose option to dts-menu and enable sending logs 
Signed-off-by: Pawel Langowski <pawel.langowski@3mdeb.com>
2024-09-17 10:09:14 +02:00

938 lines
33 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2024 3mdeb <contact@3mdeb.com>
#
# SPDX-License-Identifier: Apache-2.0
# shellcheck source=../include/dts-environment.sh
source $DTS_ENV
# shellcheck source=../include/dts-functions.sh
source $DTS_FUNCS
[ -z "$SYSTEM_VENDOR" ] && error_exit "SYSTEM_VENDOR not given"
[ -z "$SYSTEM_MODEL" ] && error_exit "SYSTEM_MODEL not given"
CMD="$1"
FUM="$2"
ask_for_version() {
while : ; do
echo
echo "Please, select Dasharo firmware version to install"
# -v: True if the shell variable varname is set (has been assigned a value).
if [ -v BIOS_HASH_LINK_COMM ]; then
echo " c) Community version"
fi
if [ -v BIOS_HASH_LINK_DPP ]; then
if [ -v DPP_IS_LOGGED ]; then
echo " d) DPP version (coreboot + UEFI)"
else
echo " DPP version (coreboot + UEFI) available, if you are interested, please visit https://shop.3mdeb.com/product-category/dasharo-entry-subscription/"
fi
fi
if [ -v BIOS_HASH_LINK_DPP_SEABIOS ]; then
if [ -v DPP_IS_LOGGED ]; then
echo " s) DPP version (coreboot + SeaBIOS)"
else
echo " DPP version (coreboot + SeaBIOS) available, if you are interested, please visit https://shop.3mdeb.com/product-category/dasharo-entry-subscription/"
fi
fi
echo " b) Back to main menu"
echo
read -r -p "Enter an option: " OPTION
echo
case ${OPTION} in
c|C|comm|community|COMMUNITY|COMM|Community)
if [ -v BIOS_HASH_LINK_COMM ]; then
BIOS_LINK=$BIOS_LINK_COMM
BIOS_HASH_LINK=$BIOS_HASH_LINK_COMM
BIOS_SIGN_LINK=$BIOS_SIGN_LINK_COMM
if [ -v EC_HASH_LINK_COMM ]; then
EC_LINK=$EC_LINK_COMM
EC_HASH_LINK=$EC_HASH_LINK_COMM
EC_SIGN_LINK=$EC_SIGN_LINK_COMM
fi
echo "Community version selected"
break
else
error_exit "Bad option or resignation. Returning to main menu..."
fi
;;
d|D|dpp|DPP|Dpp)
if [ -v BIOS_HASH_LINK_DPP ]; then
BIOS_LINK=$BIOS_LINK_DPP
BIOS_HASH_LINK=$BIOS_HASH_LINK_DPP
BIOS_SIGN_LINK=$BIOS_SIGN_LINK_DPP
if [ -v EC_HASH_LINK_DPP ]; then
EC_LINK=$EC_LINK_DPP
EC_HASH_LINK=$EC_HASH_LINK_DPP
# shellcheck disable=SC2034
EC_SIGN_LINK=$EC_SIGN_LINK_DPP
fi
echo "Dasharo Entry Subscription (coreboot + edk2) version selected"
break
else
error_exit "Bad option. Returning to main menu..."
fi
;;
s|S|sea|seabios|SeaBIOS)
if [ -v BIOS_HASH_LINK_DPP_SEABIOS ]; then
BIOS_LINK=$BIOS_LINK_DPP_SEABIOS
BIOS_HASH_LINK=$BIOS_HASH_LINK_DPP_SEABIOS
BIOS_SIGN_LINK=$BIOS_SIGN_LINK_DPP_SEABIOS
echo "Dasharo Entry Subscription (coreboot + SeaBIOS) version selected"
break
else
error_exit "Bad option. Returning to main menu..."
fi
;;
b|B)
echo "Returning to main menu..."
exit 0
;;
*)
;;
esac
done
}
display_flashing_warning() {
while : ; do
echo
print_warning "Please verify detected hardware!"
echo
if [ -v SYSTEM_VENDOR ]; then
echo "Board vendor: $SYSTEM_VENDOR"
fi
if [ -v SYSTEM_MODEL ]; then
echo "System model: $SYSTEM_MODEL"
fi
if [ -v BOARD_MODEL ]; then
echo "Board model: $BOARD_MODEL"
fi
echo
read -r -p "Does it match your actual specification? (Y|n) " OPTION
echo
case ${OPTION} in
yes|y|Y|Yes|YES)
break
;;
n|N)
echo "Returning to main menu..."
exit 0
;;
*)
;;
esac
done
while : ; do
echo "Following firmware will be used to install Dasharo"
if [ -v BIOS_HASH_LINK ]; then
local _bios_hash
_bios_hash="$(cat $BIOS_HASH_FILE | cut -d ' ' -f 1)"
echo "Dasharo BIOS firmware:"
echo " - link: $BIOS_LINK"
echo " - hash: $_bios_hash"
fi
if [ -v EC_HASH_LINK ]; then
local _ec_hash
_ec_hash="$(cat $EC_HASH_FILE | cut -d ' ' -f 1)"
echo "Dasharo EC firmware:"
echo " - link: $EC_LINK"
echo " - hash: $_ec_hash"
fi
echo
echo "You can learn more about this release on: https://docs.dasharo.com/"
if check_if_dasharo; then
echo
read -r -p "Do you want to update Dasharo firmware on your hardware? (Y|n) " OPTION
echo
else
echo
if [ "$CAN_INSTALL_BIOS" == "false" ] && [ "$SYSTEM_VENDOR" == "Notebook" ]; then
echo "Notebook supports installation of only EC firmware!"
echo "Dasharo BIOS will have to be flashed manually. More on:"
echo "https://docs.dasharo.com/unified/novacustom/initial-deployment/"
fi
read -r -p "Do you want to install Dasharo firmware on your hardware? (Y|n) " OPTION
echo
fi
case ${OPTION} in
yes|y|Y|Yes|YES)
break
;;
n|N)
echo "Returning to main menu..."
exit 0
;;
*)
;;
esac
done
}
backup() {
rm -rf "$FW_BACKUP_DIR"
mkdir -p "$FW_BACKUP_DIR"
echo "Backing up BIOS firmware and store it locally..."
echo "Remember that firmware is also backed up in HCL report."
check_intel_regions
if [ $BOARD_HAS_FD_REGION -eq 1 ]; then
# Use safe defaults. Descriptor may contain additional regions not detected
# by flashrom and will return failure when attempted to be read. BIOS and
# Flash descriptor regions should always be readable. If not, then we have
# some ugly case, hard to deal with.
FLASHROM_ADD_OPT_READ="--ifd -i fd -i bios"
if [ $BOARD_HAS_ME_REGION -eq 1 ] && [ $BOARD_ME_REGION_LOCKED -eq 0 ]; then
# ME region is not locked, read it as well
FLASHROM_ADD_OPT_READ+=" -i me"
fi
if [ $BOARD_HAS_GBE_REGION -eq 1 ] && [ $BOARD_GBE_REGION_LOCKED -eq 0 ]; then
# GBE region is present and not locked, read it as well
FLASHROM_ADD_OPT_READ+=" -i gbe"
fi
else
# No descriptor, probably safe to read everything
FLASHROM_ADD_OPT_READ=""
fi
$FLASHROM -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r "${FW_BACKUP_DIR}"/rom.bin ${FLASHROM_ADD_OPT_READ} >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
error_check "Failed to read BIOS firmware backup"
if [ "$HAVE_EC" == "true" ]; then
echo "Checking for Open Source Embedded Controller firmware"
$DASHARO_ECTOOL info >> $ERR_LOG_FILE 2>&1
if [ $? -eq 0 ]; then
echo "Device has already Open Source Embedded Controller firmware, do not backup EC..."
else
echo "Backing up EC firmware..."
$FLASHROM -p "$PROGRAMMER_EC" ${FLASH_CHIP_SELECT} -r "${FW_BACKUP_DIR}"/ec.bin >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
error_check "Failed to read EC firmware backup"
fi
fi
echo "Saving backup to: $FW_BACKUP_TAR"
tar --gzip -cf "$FW_BACKUP_TAR" "$FW_BACKUP_DIR"
error_check "Failed to create firmware backup archive"
rm -rf "${FW_BACKUP_DIR}"
echo "Successfully backed up firmware locally at: $FW_BACKUP_TAR"
}
romhole_migration() {
cbfstool $BIOS_UPDATE_FILE layout -w | grep -q "ROMHOLE" || return
$FLASHROM -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r /tmp/rom.bin --ifd -i bios >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
error_check "Failed to read current firmware to migrate MSI ROMHOLE"
if check_if_dasharo; then
cbfstool /tmp/rom.bin layout -w | grep -q "ROMHOLE" || return
# This one is rather unlikely to fail, but just in case print a warning
cbfstool /tmp/rom.bin read -r ROMHOLE -f /tmp/romhole.bin 2> /dev/null
if [ $? -ne 0 ]; then
print_warning "Failed to migrate MSI ROMHOLE, your platform's unique SMBIOS/DMI data may be lost"
return
fi
else
dd if=/tmp/rom.bin of=/tmp/romhole.bin skip=$((0x17C0000)) bs=128K count=1 iflag=skip_bytes > /dev/null 2>&1
fi
cbfstool "$BIOS_UPDATE_FILE" write -r ROMHOLE -f /tmp/romhole.bin -u 2> /dev/null
}
smbios_migration() {
echo -n "$(dmidecode -s system-uuid)" > $SYSTEM_UUID_FILE
echo -n "$(dmidecode -s baseboard-serial-number)" > $SERIAL_NUMBER_FILE
COREBOOT_SEC=$(cbfstool $BIOS_UPDATE_FILE layout -w | grep "COREBOOT")
FW_MAIN_A_SEC=$(cbfstool $BIOS_UPDATE_FILE layout -w | grep "FW_MAIN_A")
FW_MAIN_B_SEC=$(cbfstool $BIOS_UPDATE_FILE layout -w | grep "FW_MAIN_B")
if [ -n "$COREBOOT_SEC" ]; then
# if the migration can be done there for sure will be COREBOOT section
echo "Beginning SMBIOS migration process..."
echo "Migrate to COREBOOT section."
cbfstool $BIOS_UPDATE_FILE add -f $SERIAL_NUMBER_FILE -n serial_number -t raw -r COREBOOT
cbfstool $BIOS_UPDATE_FILE add -f $SYSTEM_UUID_FILE -n system_uuid -t raw -r COREBOOT
fi
if [ -n "$FW_MAIN_A_SEC" ]; then
echo "Migrate to FW_MAIN_A section."
cbfstool $BIOS_UPDATE_FILE expand -r FW_MAIN_A
cbfstool $BIOS_UPDATE_FILE add -f $SERIAL_NUMBER_FILE -n serial_number -t raw -r FW_MAIN_A
cbfstool $BIOS_UPDATE_FILE add -f $SYSTEM_UUID_FILE -n system_uuid -t raw -r FW_MAIN_A
cbfstool $BIOS_UPDATE_FILE truncate -r FW_MAIN_A
fi
if [ -n "$FW_MAIN_B_SEC" ]; then
echo "Migrate to FW_MAIN_B section."
cbfstool $BIOS_UPDATE_FILE expand -r FW_MAIN_B
cbfstool $BIOS_UPDATE_FILE add -f $SERIAL_NUMBER_FILE -n serial_number -t raw -r FW_MAIN_B
cbfstool $BIOS_UPDATE_FILE add -f $SYSTEM_UUID_FILE -n system_uuid -t raw -r FW_MAIN_B
cbfstool $BIOS_UPDATE_FILE truncate -r FW_MAIN_B
fi
}
smmstore_migration() {
echo -n "Backing up firmware configuration... "
$FLASHROM -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r /tmp/dasharo_dump.rom ${FLASHROM_ADD_OPT_READ} --fmap -i FMAP -i SMMSTORE >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
cbfstool /tmp/dasharo_dump.rom read -r SMMSTORE -f /tmp/smmstore.bin >> $ERR_LOG_FILE 2>&1 || \
print_warning "Failed! Default settings will be used."
cbfstool "$BIOS_UPDATE_FILE" write -r SMMSTORE -f /tmp/smmstore.bin -u >> $ERR_LOG_FILE 2>&1 || \
print_warning "Failed! Default settings will be used."
print_ok Done.
}
bootsplash_migration() {
$FLASHROM -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} -r /tmp/dasharo_dump.rom ${FLASHROM_ADD_OPT_READ} --fmap -i FMAP -i BOOTSPLASH >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
# If no custom logo, return from bootsplash_migration early and don't show
# unnecessary messages
cbfstool /tmp/dasharo_dump.rom extract -r BOOTSPLASH -n logo.bmp -f /tmp/logo.bmp >> $ERR_LOG_FILE 2>&1 || return 1
echo -n "Backing up custom boot logo... "
dcu logo $BIOS_UPDATE_FILE -l /tmp/logo.bmp >> $ERR_LOG_FILE 2>&1 || \
print_warning "Failed! Default boot splash will be used." || return 1
print_ok Done.
}
resign_binary() {
if [ "$HAVE_VBOOT" -eq 0 ]; then
download_keys
sign_firmware.sh $BIOS_UPDATE_FILE $KEYS_DIR $RESIGNED_BIOS_UPDATE_FILE
error_check "Cannot resign binary file. Please, make sure if you have proper keys. Aborting..."
BIOS_UPDATE_FILE="$RESIGNED_BIOS_UPDATE_FILE"
fi
}
check_vboot_keys() {
if [ "$HAVE_VBOOT" -eq 0 ]; then
# If we flash whole BIOS region, no need to check if keys match
grep -q "\--ifd" <<< "$FLASHROM_ADD_OPT_UPDATE" && grep -q "\-i bios" <<< "$FLASHROM_ADD_OPT_UPDATE" && return
# No FMAP flashing? Also skip
grep -q "\--fmap" <<< "$FLASHROM_ADD_OPT_UPDATE" || return
BINARY_KEYS=$(CBFSTOOL=$(which cbfstool) futility show $BIOS_UPDATE_FILE| grep -i 'key sha1sum')
if [ $BOARD_HAS_FD_REGION -eq 0 ]; then
FLASHROM_ADD_OPT_READ=""
else
FLASHROM_ADD_OPT_READ="--ifd -i bios"
fi
echo "Checking vboot keys."
$FLASHROM -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_READ} -r /tmp/bios.bin > /dev/null 2>/dev/null
if [ $? -eq 0 ] && [ -f "/tmp/bios.bin" ]; then
FLASH_KEYS=$(CBFSTOOL=$(which cbfstool) futility show /tmp/bios.bin | grep -i 'key sha1sum')
diff <(echo "$BINARY_KEYS") <(echo "$FLASH_KEYS") > /dev/null 2>&1
# If keys are different we must additionally flash at least GBB region as well
if [ $? -ne 0 ]; then
FLASHROM_ADD_OPT_UPDATE+=" -i GBB"
fi
fi
fi
}
blob_transmission() {
echo "Extracting the UEFI image from BIOS update"
wget -O "$DBT_BIOS_UPDATE_FILENAME" --user-agent='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' "$DBT_BIOS_UPDATE_URL" >> $ERR_LOG_FILE 2>&1
error_file_check "$DBT_BIOS_UPDATE_FILENAME" "Failed to download BIOS for $SYSTEM_MODEL. Please make sure Ethernet cable is connected and try again."
sha256sum --check <(echo "$DBT_BIOS_UPDATE_HASH")
error_check "Failed SHA-256 sum check on the downloaded BIOS for $SYSTEM_MODEL"
binwalk --run-as=root -e "$DBT_BIOS_UPDATE_FILENAME" -C /tmp >> $ERR_LOG_FILE 2>&1
error_file_check "$DBT_UEFI_IMAGE" "Failed to extract UEFI image from BIOS update"
uefi-firmware-parser -e "$DBT_UEFI_IMAGE" -O >> $ERR_LOG_FILE 2>&1
if [ -n "$SINIT_ACM_FILENAME" ] && [ -n "$SINIT_ACM_URL" ]; then
echo "Downloading the Intel SINIT ACM"
wget -O "$SINIT_ACM_FILENAME" "$SINIT_ACM_URL" >> $ERR_LOG_FILE 2>&1
error_file_check "$SINIT_ACM_FILENAME" "Failed to download Intel SINIT ACM. Please make sure Ethernet cable is connected and try again."
# Intel does not provide hash of the package, use SHA256 we know is good
sha256sum --check <(echo "$SINIT_ACM_HASH")
error_check "Failed SHA-256 sum check on the downloaded Intel SINIT ACM."
unzip -o "$SINIT_ACM_FILENAME" -d /tmp >> $ERR_LOG_FILE 2>&1
error_check "Failed to decompress Intel SINIT ACM package."
fi
echo "Beginning Dasharo Blobs Transmission process..."
if [ -n "$SCH5545_FW" ]; then
error_file_check "$SCH5545_FW" "Failed to find SCH5545 EC firmware binary."
echo -n "Adding SCH5545 EC firmware..."
cbfstool "$BIOS_UPDATE_FILE" add -f "$SCH5545_FW" -n sch5545_ecfw.bin -t raw
print_ok "Done"
fi
if [ -n "$ACM_BIN" ]; then
error_file_check "$ACM_BIN" "Failed to find BIOS ACM binary."
echo -n "Adding BIOS ACM..."
cbfstool "$BIOS_UPDATE_FILE" add -f "$ACM_BIN" -n txt_bios_acm.bin -t raw
print_ok "Done"
fi
if [ -n "$SINIT_ACM" ]; then
error_file_check "$SINIT_ACM" "Failed to find Intel SINIT ACM binary."
echo -n "Adding SINIT ACM..."
cbfstool "$BIOS_UPDATE_FILE" add -f "$SINIT_ACM" -n txt_sinit_acm.bin -t raw
print_ok "Done"
fi
}
install_ec() {
verify_artifacts ec
echo "Installing EC..."
$FLASHROM -p "$PROGRAMMER_EC" ${FLASH_CHIP_SELECT} -w "$EC_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
error_check "Failed to install Dasharo EC firmware"
echo "Successfully installed Dasharo EC firmware"
}
install() {
ask_for_version
if [ "$CAN_INSTALL_BIOS" == "false" ]; then
download_ec
unset BIOS_HASH_LINK
display_flashing_warning
else
download_artifacts
display_flashing_warning
check_flash_lock
verify_artifacts bios
check_intel_regions
check_blobs_in_binary $BIOS_UPDATE_FILE
check_if_me_disabled
set_intel_regions_update_params "-N --ifd -i bios"
fi
if [ "$HAVE_EC" == "true" ]; then
echo "Checking for Open Source Embedded Controller firmware"
$DASHARO_ECTOOL info >> $ERR_LOG_FILE 2>&1
if [ $? -eq 0 ]; then
echo "Device has already Open Source Embedded Controller firmware, do not flash EC..."
else
_ec_fw_version=$($FLASHROM -p "$PROGRAMMER_EC" ${FLASH_CHIP_SELECT} | grep "Mainboard EC Version" | tr -d ' ' | cut -d ':' -f 2)
if [ "$_ec_fw_version" != "$COMPATIBLE_EC_FW_VERSION" ]; then
print_warning "EC version: $_ec_fw_version is not supported, update required"
install_ec
fi
fi
fi
if [ "$CAN_INSTALL_BIOS" == "true" ]; then
cbfstool "$BIOS_UPDATE_FILE" extract -r COREBOOT -n config -f "$BIOS_UPDATE_CONFIG_FILE"
grep "CONFIG_VBOOT=y" "$BIOS_UPDATE_CONFIG_FILE"
HAVE_VBOOT="$?"
if [ "$NEED_ROMHOLE_MIGRATION" = "true" ]; then
romhole_migration
fi
if [ "$NEED_BOOTSPLASH_MIGRATION" = "true" ]; then
bootsplash_migration
fi
if [ "$NEED_SMBIOS_MIGRATION" = "true" ]; then
smbios_migration
resign_binary
fi
if [ "$NEED_BLOB_TRANSMISSION" = "true" ]; then
blob_transmission
fi
echo "Installing Dasharo firmware..."
# FIXME: It seems we do not have an easy way to add some flasrhom extra args
# globally for specific platform and variant
local _flashrom_extra_args=""
if [ "${BIOS_LINK}" = "${BIOS_LINK_DPP_SEABIOS}" ]; then
_flashrom_extra_args="--fmap -i COREBOOT"
fi
$FLASHROM -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "$BIOS_UPDATE_FILE" ${_flashrom_extra_args} >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
error_check "Failed to install Dasharo firmware"
print_ok "Successfully installed Dasharo firmware"
fi
echo -n "Syncing disks... "
sync
echo "Done."
if [ "$NEED_EC_RESET" = "true" ]; then
echo "The computer will shut down automatically in 5 seconds"
else
echo "The computer will reboot automatically in 5 seconds"
fi
sleep 0.5
echo "Rebooting in 5s:"
echo "5..."
sleep 1
echo "4..."
sleep 1
echo "3..."
sleep 1
echo "2..."
sleep 1
echo "1..."
sleep 0.5
echo "Rebooting"
sleep 1
if [ "$NEED_EC_RESET" = "true" ]; then
it5570_shutdown
else
send_dts_logs
${CMD_REBOOT}
fi
}
update_ec() {
verify_artifacts ec
echo "Updating EC..."
$DASHARO_ECTOOL flash "$EC_UPDATE_FILE" &>> $ERR_LOG_FILE
error_check "Failed to update EC firmware"
}
update() {
local _can_switch_to_heads="false"
sync_clocks
check_if_ac
error_check "Firmware update process interrupted on user request."
echo "Checking for the latest Dasharo update available..."
echo "Current Dasharo version: $DASHARO_VERSION"
if [ -v DPP_IS_LOGGED ]; then
if [ -v DASHARO_REL_VER_DPP ]; then
if [ "$DASHARO_FLAVOR" != "Dasharo (coreboot+heads)" ]; then
echo "Latest available Dasharo version: $DASHARO_REL_VER_DPP"
fi
curl -sfI -u "$USER_DETAILS" -H "$CLOUD_REQUEST" "$BIOS_LINK_DPP" -o /dev/null
if [ $? -ne 0 ]; then
echo "Current DPP credentials do not match the current platform/firmware flavor."
echo "Latest possible and available update is $DASHARO_REL_VER"
BIOS_HASH_LINK=$BIOS_HASH_LINK_COMM
BIOS_SIGN_LINK=$BIOS_SIGN_LINK_COMM
BIOS_LINK=$BIOS_LINK_COMM
if [ "$HAVE_EC" == "true" ]; then
EC_HASH_LINK=$EC_HASH_LINK_COMM
EC_SIGN_LINK=$EC_SIGN_LINK_COMM
EC_LINK=$EC_LINK_COMM
fi
UPDATE_VERSION=$DASHARO_REL_VER
else
BIOS_HASH_LINK=$BIOS_HASH_LINK_DPP
BIOS_SIGN_LINK=$BIOS_SIGN_LINK_DPP
BIOS_LINK=$BIOS_LINK_DPP
if [ "$HAVE_EC" == "true" ]; then
EC_HASH_LINK=$EC_HASH_LINK_DPP
EC_SIGN_LINK=$EC_SIGN_LINK_DPP
EC_LINK=$EC_LINK_DPP
fi
UPDATE_VERSION=$DASHARO_REL_VER_DPP
fi
else
if [ "$DASHARO_FLAVOR" != "Dasharo (coreboot+heads)" ]; then
echo "Latest available Dasharo version: $DASHARO_REL_VER"
fi
BIOS_HASH_LINK=$BIOS_HASH_LINK_COMM
BIOS_SIGN_LINK=$BIOS_SIGN_LINK_COMM
BIOS_LINK=$BIOS_LINK_COMM
if [ "$HAVE_EC" == "true" ]; then
EC_HASH_LINK=$EC_HASH_LINK_COMM
EC_SIGN_LINK=$EC_SIGN_LINK_COMM
EC_LINK=$EC_LINK_COMM
fi
UPDATE_VERSION=$DASHARO_REL_VER
fi
if [ -v HAVE_HEADS_FW ] && [ "$DASHARO_FLAVOR" != "Dasharo (coreboot+heads)" ]; then
# Check if given DPP credentials give access to heads, if not,
# then it means DPP is for regular releases
curl -sfI -u "$USER_DETAILS" -H "$CLOUD_REQUEST" "$HEADS_LINK_DPP" -o /dev/null
if [ $? -ne 0 ]; then
print_warning "Dasharo Heads firmware version is available, but your"
print_warning "subscription does not give you the access to this firmware."
print_warning "If you are interested, please visit https://shop.3mdeb.com/product-category/dasharo-entry-subscription/"
else
# Access to the heads FW is possible, allow to switch to heads
_can_switch_to_heads="true"
print_ok "Dasharo Heads firmware version is available and your subscription"
print_ok "gives you access to this firmware."
fi
elif [ -v HAVE_HEADS_FW ] && [ "$DASHARO_FLAVOR" == "Dasharo (coreboot+heads)" ]; then
# Set the switch flag to offer switch back
echo "Latest available Dasharo version: $HEADS_REL_VER_DPP"
_can_switch_to_heads="true"
fi
else
if [ -v DASHARO_REL_VER_DPP ]; then
print_green "DPP version (coreboot + UEFI) available, if you are interested"
print_ok "please visit https://shop.3mdeb.com/product-category/dasharo-entry-subscription/"
fi
if [ "$DASHARO_FLAVOR" != "Dasharo (coreboot+heads)" ]; then
echo "Latest available Dasharo version: $DASHARO_REL_VER"
fi
BIOS_HASH_LINK=$BIOS_HASH_LINK_COMM
# shellcheck disable=SC2034
BIOS_SIGN_LINK=$BIOS_SIGN_LINK_COMM
BIOS_LINK=$BIOS_LINK_COMM
if [ "$HAVE_EC" == "true" ]; then
EC_HASH_LINK=$EC_HASH_LINK_COMM
# shellcheck disable=SC2034
EC_SIGN_LINK=$EC_SIGN_LINK_COMM
EC_LINK=$EC_LINK_COMM
fi
UPDATE_VERSION=$DASHARO_REL_VER
if [ -v HAVE_HEADS_FW ] && [ "$DASHARO_FLAVOR" != "Dasharo (coreboot+heads)" ]; then
print_ok "Dasharo heads firmware version is available. If you are interested,"
print_ok "please provide your subscription credentials in the main DTS menu"
print_ok "and select 'Update Dasharo firmware' again to check if you are eligible."
elif [ -v HAVE_HEADS_FW ] && [ "$DASHARO_FLAVOR" == "Dasharo (coreboot+heads)" ]; then
# Set the switch flag to offer switch back
_can_switch_to_heads="true"
fi
fi
handle_fw_switching $_can_switch_to_heads
if [[ "$UPDATE_VERSION" == "1.1.1" && \
( "$BOARD_MODEL" == "PRO Z690-A WIFI DDR4(MS-7D25)" || \
"$BOARD_MODEL" == "PRO Z690-A DDR4(MS-7D25)" || \
"$BOARD_MODEL" == "PRO Z690-A (MS-7D25)" || \
"$BOARD_MODEL" == "PRO Z690-A WIFI (MS-7D25)" ) ]]; then
cpu_gen_check=$(lscpu | grep -F "Model name" | grep -E "\-(13|14)[0-9]{3}" | wc -l)
if [ $cpu_gen_check -ne 0 ]; then
echo "You have a 13th gen or above CPU and are trying to flash Dasharo v1.1.1 on a MSI PRO Z690-A DDR4 or DDR5 board"
echo "That version does not support gen 13 and above CPU. Therefore we cannot continue with flashing."
error_exit "Aborting update process..."
fi
fi
while : ; do
echo
read -r -p "Are you sure you want to proceed with update? (Y|n) " OPTION
echo
case ${OPTION} in
yes|y|Y|Yes|YES)
break
;;
n|N)
error_exit "Aborting update process..."
;;
*)
;;
esac
done
download_artifacts
if [ ! "$FUM" == "fum" ]; then
display_flashing_warning
fi
check_flash_lock
verify_artifacts bios
if [ "$HAVE_EC" == "true" ]; then
$DASHARO_ECTOOL info >> $ERR_LOG_FILE 2>&1
error_check "Device does not have Dasharo EC firmware - cannot continue update!"
fi
if [ "$NEED_SMMSTORE_MIGRATION" = "true" ]; then
smmstore_migration
fi
if [ "$NEED_BOOTSPLASH_MIGRATION" = "true" ]; then
bootsplash_migration
fi
cbfstool "$BIOS_UPDATE_FILE" extract -r COREBOOT -n config -f "$BIOS_UPDATE_CONFIG_FILE"
grep -q "CONFIG_VBOOT=y" "$BIOS_UPDATE_CONFIG_FILE"
HAVE_VBOOT="$?"
check_intel_regions
check_blobs_in_binary $BIOS_UPDATE_FILE
check_if_me_disabled
set_flashrom_update_params $BIOS_UPDATE_FILE
set_intel_regions_update_params "-N --ifd"
check_vboot_keys
echo "Updating Dasharo firmware..."
print_warning "This may take several minutes. Please be patient and do not power off your computer or touch the keyboard!"
# FLASHROM_ADD_OPT_UPDATE_OVERRIDE takes priority over auto-detected update params.
# It set only by platform-specific and firmware version-specific conditions
if [ -v FLASHROM_ADD_OPT_UPDATE_OVERRIDE ]; then
# To standardize the operation of the FLASHROM_ADD_OPT_UPDATE_OVERRIDE flag,
# by default it contains only the bios section, below we verify the
# downloaded binary and add more sections when they were detected after
# using the `check_blobs_in_binary` function.
set_intel_regions_update_params "$FLASHROM_ADD_OPT_UPDATE_OVERRIDE"
FLASHROM_ADD_OPT_UPDATE_OVERRIDE="$FLASHROM_ADD_OPT_REGIONS"
$FLASHROM -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE_OVERRIDE} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
error_check "Failed to update Dasharo firmware"
else
$FLASHROM -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_UPDATE} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
error_check "Failed to update Dasharo firmware"
if [ $BINARY_HAS_RW_B -eq 0 ]; then
echo "Updating second firmware partition..."
$FLASHROM -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} --fmap -N -i RW_SECTION_B -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
error_check "Failed to update second firmware partition"
fi
fi
# We use FLASHROM_ADD_OPT_REGIONS for updating ME and IFD.
# If FLASHROM_ADD_OPT_REGIONS remains the same after
# set_intel_regions_update_params or is cleared, it means
# we either cannot update any region, or were not allowed to,
# or platform has no descriptor.
if [ "$FLASHROM_ADD_OPT_REGIONS" != "-N --ifd" ] && [ "$FLASHROM_ADD_OPT_REGIONS" != "" ]; then
UPDATE_STRING=""
grep -q "\-i fd" <<< "$FLASHROM_ADD_OPT_REGIONS"
UPDATE_IFD=$?
grep -q "\-i me" <<< "$FLASHROM_ADD_OPT_REGIONS"
UPDATE_ME=$?
if [ $UPDATE_IFD -eq 0 ]; then
UPDATE_STRING+="Flash Descriptor"
if [ $UPDATE_ME -eq 0 ]; then
UPDATE_STRING+=" and "
fi
fi
if [ $UPDATE_ME -eq 0 ]; then
UPDATE_STRING+="Management Engine"
fi
echo "Updating $UPDATE_STRING"
$FLASHROM -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "$BIOS_UPDATE_FILE" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
error_check "Failed to update $UPDATE_STRING"
fi
if [ ! -z "$SWITCHING_TO" ]; then
# Any post-branch-switch messaging should go here
case "$SWITCHING_TO" in
"uefi")
print_ok "Successfully switched to Dasharo UEFI firmware."
print_warning "You may need to re-create boot manager entries!"
;;
"heads")
print_ok "Successfully switched to Dasharo Heads firmware."
print_warning "On first boot you will see a warning about unsealing TOTP secrets."
print_warning "This is expected. Run OEM Factory Reset / Re-Ownership to finish deploying Heads."
;;
esac
read -p "Press any key to continue" # Make sure the user acknowledges.
else
# Regular update flow
print_ok "Successfully updated Dasharo firmware."
fi
if [ "$HAVE_EC" == "true" ]; then
echo "Updating Embedded Controller firmware. Your computer will power off automatically when done."
update_ec # Ends in a reset, does not exit
else
echo -n "Syncing disks... "
sync
echo "Done."
echo "The computer will reboot automatically in 5 seconds"
sleep 0.5
echo "Rebooting in 5s:"
echo "5..."
sleep 1
echo "4..."
sleep 1
echo "3..."
sleep 1
echo "2..."
sleep 1
echo "1..."
sleep 0.5
echo "Rebooting"
sleep 1
send_dts_logs
${CMD_REBOOT}
fi
}
restore() {
while : ; do
echo
echo "Restoring firmware from HCL report."
echo "Take note that this will only restore BIOS firmware, no EC."
echo "Please select one of available options."
echo " 1) Check for HCL report stored locally"
if [ -n "${DPP_IS_LOGGED}" ]; then
echo " 2) Check for HCL report stored on 3mdeb cloud"
fi
echo " b) Back to main menu"
echo
read -r -p "Enter an option: " OPTION
echo
local network_dev=""
local mac_addr=""
local uuid_string=""
# HCL report should be named as in dasharo-hcl-report so we can find
# the package based on uuid saved in name, we need to check two options
# with and without MAC address
network_dev="$(ip route show default | head -1 | awk '/default/ {print $5}')"
mac_addr="$(cat /sys/class/net/${network_dev}/address)"
uuid_string="$(cat /sys/class/net/)"
# if above gives error then there is no internet connection and first
# part of uuid should be blank
if [ ! $? -eq 0 ]; then
uuid_string=""
fi
uuid_string="${mac_addr}_$(dmidecode -s system-product-name)"
uuid_string+="_$(dmidecode -s system-manufacturer)"
uuid="$(uuidgen -n @x500 -N $uuid_string -s)"
case ${OPTION} in
1)
echo
echo "Searching for HCL report on device..."
HCL_REPORT_PACKAGE="$(find / -name "*$uuid*" | head -n1)"
if [ ! -z $HCL_REPORT_PACKAGE ]; then
tar -zxf "$HCL_REPORT_PACKAGE" -C /tmp
echo "Restoring BIOS firmware..."
if [ -f "/tmp/logs/rom.bin" ]; then
print_ok "Found $HCL_REPORT_PACKAGE"
read -p "Do you want to restore firmware from the given HCL report? [N/y] "
case ${REPLY} in
yes|y|Y|Yes|YES)
# Ideally we would like to write the entire flash when restoring,
# but in reality we may face locked or unaccessible regions.
# To be on the safe side, flash whatever can be flashed by determining
# what is writable.
check_flash_lock
check_intel_regions
check_blobs_in_binary /tmp/logs/rom.bin
check_if_me_disabled
set_intel_regions_update_params "-N --ifd -i bios"
$FLASHROM -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
error_check "Failed to restore BIOS firmware! You can try one more time."
print_ok "Successfully restored firmware"
echo "Returning to main menu..."
exit 0
;;
*)
echo "Returning to main menu..."
exit 0
;;
esac
else
print_error "Report does not have firmware backup!"
fi
else
print_warning "No HCL report found, cannot restore firmware"
echo "Returning to main menu..."
exit 0
fi
;;
2)
echo
echo "Searching for HCL report on cloud..."
${CMD_CLOUD_LIST} $uuid
error_check "Could not download HCL report from cloud."
HCL_REPORT_PACKAGE="$(find / -name "*$uuid*" | head -n1)"
tar -zxf "$HCL_REPORT_PACKAGE" -C /tmp
echo "Restoring BIOS firmware..."
if [ -f "/tmp/logs/rom.bin" ]; then
# Ideally we would like to write the entire flash when restoring,
# but in reality we may face locked or unaccessible regions.
# To be on the safe side, flash whatever can be flashed by determining
# what is writable.
check_flash_lock
check_intel_regions
check_blobs_in_binary /tmp/logs/rom.bin
check_if_me_disabled
set_intel_regions_update_params "-N --ifd -i bios"
flashrom -p "$PROGRAMMER_BIOS" ${FLASH_CHIP_SELECT} ${FLASHROM_ADD_OPT_REGIONS} -w "/tmp/logs/rom.bin" >> $FLASHROM_LOG_FILE 2>> $ERR_LOG_FILE
error_check "Failed to restore BIOS firmware! You can try one more time."
print_ok "Successfully restored firmware"
else
print_error "Report does not have firmware backup!"
fi
;;
b|B)
echo "Returning to main menu..."
exit 0
;;
*)
;;
esac
done
}
usage() {
echo "Usage:"
echo " $0 install - Install Dasharo on this device"
echo " $0 backup - Backup current firmware"
echo " $0 restore - Restore from a previously saved backup"
}
# for FUM we start in dasharo-deploy so we need to verify that we have internet
# connection to download shasums in board_config
if [ "$FUM" == "fum" ]; then
wait_for_network_connection
fi
board_config
check_flash_chip
if [ -v PLATFORM_SIGN_KEY ]; then
get_signing_keys
fi
case "$CMD" in
install)
if check_if_dasharo; then
error_exit "Dasharo Firmware is already installed. This script is only for\r
initial deployment of Dasharo Firmware. Aborting..."
fi
backup
install
;;
update)
if [ "$FUM" == "fum" ]; then
echo "Firmware Update Mode detected; proceed with automatic update in 5 seconds"
echo "Updating in 5s:"
echo "5..."
sleep 1
echo "4..."
sleep 1
echo "3..."
sleep 1
echo "2..."
sleep 1
echo "1..."
sleep 0.5
fi
update
;;
backup)
backup
;;
restore)
if ! check_if_dasharo; then
error_exit "Dasharo Firmware is not installed. This script is only for\r
restoring original firmware on platforms that runs Dasharo Firmware. Aborting..."
fi
restore
;;
*)
usage
;;
esac
Reference in New Issue View Git Blame Copy Permalink