authorIru Cai2017-11-19 16:58:23 +0800
committerIru Cai2017-11-19 16:59:35 +0800
commit08a34e6589b0230e10da0a9543b8476cfc717008 (patch)
tree98d84da5256c38e9d9d87f8c251d3ad7c9a36769
parente8658f6ce698705c8cfec57426d63187e701620a (diff)
downloadaur-08a34e6589b0230e10da0a9543b8476cfc717008.tar.gz
add me_cleaner and autoport, patch intelmetool to show bootguard status
-rw-r--r--.SRCINFO10
-rw-r--r--PKGBUILD27
-rw-r--r--metool-bg.patch442
3 files changed, 472 insertions, 7 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 23f3aa05d666..bf45cee13a11 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,19 +1,23 @@
# Generated by mksrcinfo v8
-# Sun Aug 28 18:00:07 UTC 2016
+# Sun Nov 19 08:57:51 UTC 2017
pkgbase = coreboot-utils-git
pkgdesc = Tools and utilities to work with Coreboot firmware
- pkgver = 4.4.r1339.gdbf3067
+ pkgver = 4.6.r2144.gda6b1bc9e2
pkgrel = 1
url = http://www.coreboot.org/
arch = i686
arch = x86_64
license = GPL
makedepends = git
- depends = glibc
+ makedepends = go
+ depends = pciutils
+ optdepends = python: me_cleaner support
source = git+https://review.coreboot.org/coreboot
source = git+https://review.coreboot.org/vboot
+ source = metool-bg.patch
sha256sums = SKIP
sha256sums = SKIP
+ sha256sums = 1ffc82505ec8afe141324d008ea680fbc2c4119b4888385d701851539c2263b2
pkgname = coreboot-utils-git
diff --git a/PKGBUILD b/PKGBUILD
index ca956a9666a0..7b1fb05a903d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,19 +2,28 @@
# Maintainer: Iru Cai <mytbk920423@gmail.com>
pkgname=coreboot-utils-git
-pkgver=4.4.r1339.gdbf3067
+pkgver=4.6.r2144.gda6b1bc9e2
pkgrel=1
pkgdesc='Tools and utilities to work with Coreboot firmware'
url='http://www.coreboot.org/'
license=(GPL)
arch=(i686 x86_64)
-depends=(glibc)
+depends=(pciutils)
+optdepends=("python: me_cleaner support")
makedepends=(git)
source=(git+https://review.coreboot.org/coreboot
# vboot provides vb2_api.h needed by cbfstool
- git+https://review.coreboot.org/vboot)
+ git+https://review.coreboot.org/vboot
+ metool-bg.patch)
sha256sums=('SKIP'
- 'SKIP')
+ 'SKIP'
+ '1ffc82505ec8afe141324d008ea680fbc2c4119b4888385d701851539c2263b2')
+
+BUILD_AUTOPORT=y
+
+if [ "$BUILD_AUTOPORT" == y ]; then
+ makedepends=("${makedepends[@]}" go)
+fi
pkgver() {
cd coreboot
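Review bot: `BUILD_AUTOPORT` is a packager-defined variable in the PKGBUILD's global scope, and Arch packaging convention asks for a leading underscore on such names so they cannot collide with makepkg's own variables, e.g. `_build_autoport=y`. The three `[ "$BUILD_AUTOPORT" == y ]` tests (here and in the build() and package() hunks) would change with it. The committed .SRCINFO lists `makedepends = go` unconditionally, so a comment above the switch such as `# set to anything but y to skip autoport; regenerate .SRCINFO afterwards` would help. pkgver() at the end of this hunk continues outside it.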
@@ -28,6 +37,8 @@ prepare() {
git config -f .gitmodules 'submodule.vboot.url' "$srcdir/vboot"
git submodule sync -- 3rdparty/vboot
git submodule update -- 3rdparty/vboot
+
+ patch -p1 -i "$srcdir/metool-bg.patch"
}
build() {
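Review bot: The added `patch -p1 -i "$srcdir/metool-bg.patch"` applies a checksum-pinned patch to an unpinned coreboot checkout (both git sources use `SKIP`), so the intelmetool code it lands on can differ from build to build. With patch's default fuzz, shifted or partly changed context may still be accepted; `patch -p1 -F0 -i "$srcdir/metool-bg.patch"` makes a drifted tree fail the build instead of producing an unreviewed merge. The patch's own commit message calls the change WIP and in a test phase, and the tool it modifies insists on running as root, so a comment above the line recording that status and the upstream Change-Id would be useful. prepare() starts outside this hunk.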
@@ -42,12 +53,20 @@ build() {
make -C cbmem
make -C romcc romcc # tests fail
make -C ectool
+ if [ "$BUILD_AUTOPORT" == y ]; then
+ cd autoport
+ go build
+ fi
}
package() {
cd coreboot/util
install -m755 -d "$pkgdir/usr/bin" "$pkgdir/usr/share/man/man8"
install -m755 -t "$pkgdir/usr/bin" cbfstool/{cbfstool,rmodtool} ifdtool/ifdtool nvramtool/nvramtool inteltool/inteltool superiotool/superiotool cbmem/cbmem romcc/romcc ectool/ectool intelmetool/intelmetool
+ install -m755 me_cleaner/me_cleaner.py "$pkgdir/usr/bin/me_cleaner"
+ if [ "$BUILD_AUTOPORT" == y ]; then
+ install -m755 -t "$pkgdir/usr/bin" autoport/autoport
+ fi
install -m644 -t "$pkgdir"/usr/share/man/man8 inteltool/inteltool.8
install -Dm644 ../COPYING "$pkgdir/usr/share/licenses/$pkgname/COPYING"
diff --git a/metool-bg.patch b/metool-bg.patch
new file mode 100644
index 000000000000..ef6acfa7bdba
--- /dev/null
+++ b/metool-bg.patch
@@ -0,0 +1,442 @@
+commit 125f14a2622e2086de2a1b96660605dd50f1ce85
+Author: Philipp Deppenwiese <zaolin@das-labor.org>
+Date: Fri Aug 26 02:10:51 2016 +0200
+
+ util/intelmetool: Add bootguard information dump support
+
+ With this implementation it's possible to detect the state
+ of bootguard in intel based systems. Currently it's WIP and
+ in a testphase. Handle it with care!
+
+ Change-Id: Ifeec8e20fa8efc35d7db4c6a84be1f118dccfc4a
+ Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
+
+diff --git a/util/intelmetool/Makefile b/util/intelmetool/Makefile
+index 8857d954cd..8ae774d86d 100644
+--- a/util/intelmetool/Makefile
++++ b/util/intelmetool/Makefile
+@@ -20,7 +20,7 @@ PREFIX ?= /usr/local
+ CFLAGS ?= -O0 -g -Wall -W -Wno-unused-parameter -Wno-sign-compare -Wno-unused-function
+ LDFLAGS += -lpci -lz
+
+-OBJS = intelmetool.o me.o me_status.o mmap.o
++OBJS = intelmetool.o me.o me_status.o mmap.o msr.o
+
+ OS_ARCH = $(shell uname)
+ ifeq ($(OS_ARCH), Darwin)
+diff --git a/util/intelmetool/intelmetool.c b/util/intelmetool/intelmetool.c
+index 2acfec223e..3d3f8e9981 100644
+--- a/util/intelmetool/intelmetool.c
++++ b/util/intelmetool/intelmetool.c
+@@ -16,6 +16,8 @@
+ #include <stdlib.h>
+ #include <getopt.h>
+ #include <unistd.h>
++#include <string.h>
++#include <cpuid.h>
+
+ #ifdef __NetBSD__
+ #include <machine/sysarch.h>
+@@ -23,6 +25,7 @@
+
+ #include "me.h"
+ #include "mmap.h"
++#include "msr.h"
+ #include "intelmetool.h"
+
+ #define FD2 0x3428
+@@ -34,6 +37,7 @@ int debug = 0;
+ static uint32_t fd2 = 0;
+ static const int size = 0x4000;
+ static volatile uint8_t *rcba;
++static char cpu_id[CPU_ID_SIZE] = { 0 };
+
+ static void dumpmem(uint8_t *phys, uint32_t size)
+ {
+@@ -73,6 +77,17 @@ static void rehide_me(void)
+ }
+ }
+
++static void get_cpu_id(char *id)
++{
++ regs_t regs;
++ unsigned int level = 0;
++ unsigned int eax = 0;
++
++ __get_cpuid(level, &eax, &regs.ebx, &regs.ecx, &regs.edx);
++
++ memcpy(id, (char *)&regs, CPU_ID_SIZE);
++}
++
+ /* You need >4GB total ram, in kernel cmdline, use 'mem=1000m'
+ * then this code will clone to absolute memory address 0xe0000000
+ * which can be read using a mmap tool at that offset.
+@@ -296,10 +311,62 @@ static void dump_me_info(void)
+ munmap((void*)rcba, size);
+ }
+
++static void dump_bootguard_info(void)
++{
++ struct pci_dev *dev;
++ uint32_t stat = 0;
++ char namebuf[1024];
++ const char *name;
++ uint64_t bootguard = 0;
++
++ if (msr_bootguard(&bootguard, debug) < 0)
++ return;
++
++ pci_platform_scan();
++ dev = pci_me_interface_scan(&name, namebuf, sizeof(namebuf));
++ activate_me();
++
++ if (dev)
++ stat = pci_read_long(dev, 0x40);
++
++ if (debug) {
++ printf("BootGuard MSR Output: 0x%" PRIx64 "\n", bootguard);
++ bootguard &= ~0xff;
++ }
++
++ if (BOOTGUARD_CAPABILITY(bootguard)) {
++ print_cap("BootGuard ", 1);
++ if (dev && (stat & 0x10)) {
++ printf(CYEL "Your southbridge configuration is insecure!! BootGuard keys can be overwritten or wiped or you are in developer mode.\n" RESET);
++ }
++ switch (bootguard) {
++ case BOOTGUARD_DISABLED:
++ printf("ME Capability: BootGuard Mode : " CGRN "Disabled\n" RESET);
++ printf(CGRN "\nYour system is bootguard ready but your vendor disabled it. You can flash other firmware!\n" RESET);
++ break;
++ case BOOTGUARD_ENABLED_COMBI_MODE:
++ printf("ME Capability: BootGuard Mode : " CRED "Verified & Measured Boot\n" RESET);
++ printf(CRED "\nYou can't flash other firmware. Verified boot is enabled!\n" RESET);
++ break;
++ case BOOTGUARD_ENABLED_MEASUREMENT_MODE:
++ printf("ME Capability: BootGuard Mode : " CGRN "Measured Boot\n" RESET);
++ printf(CGRN "\nYour system is bootguard ready but only running the measured boot mode. You can flash other firmware!\n" RESET);
++ break;
++ case BOOTGUARD_ENABLED_VERIFIED_MODE:
++ printf("ME Capability: BootGuard Mode : " CRED "Verified Boot\n" RESET);
++ printf(CRED "\nYou can't flash other firmware. Verified boot is enabled!\n" RESET);
++ break;
++ }
++ } else {
++ print_cap("BootGuard ", 0);
++ printf(CGRN "\nYour system isn't bootguard ready. You can flash other firmware!\n" RESET);
++ }
++}
++
+ static void print_version(void)
+ {
+ printf("intelmetool v%s -- ", INTELMETOOL_VERSION);
+- printf("Copyright (C) 2015 Damien Zammit\n\n");
++ printf("Copyright (C) 2016 Damien Zammit, Philipp Deppenwiese\n\n");
+ printf(
+ "This program is free software: you can redistribute it and/or modify\n"
+ "it under the terms of the GNU General Public License as published by\n"
+@@ -312,13 +379,14 @@ static void print_version(void)
+
+ static void print_usage(const char *name)
+ {
+- printf("usage: %s [-vh?sd]\n", name);
++ printf("usage: %s [-vh?mdb]\n", name);
+ printf("\n"
+- " -v | --version: print the version\n"
+- " -h | --help: print this help\n\n"
+- " -s | --show: dump all me information on console\n"
+- " -d | --debug: enable debug output\n"
+- "\n");
++ " -v | --version print the version\n"
++ " -h | --help print this help\n\n"
++ " -m | --me dump all me related information on console\n"
++ " -b | --bootguard dump bootguard state of the platform\n"
++ " -d | --debug enable debug output\n"
++ "\n");
+ exit(1);
+ }
+
+@@ -330,21 +398,25 @@ int main(int argc, char *argv[])
+ static struct option long_options[] = {
+ {"version", 0, 0, 'v'},
+ {"help", 0, 0, 'h'},
+- {"show", 0, 0, 's'},
++ {"me", 0, 0, 'm'},
++ {"bootguard", 0, 0, 'b'},
+ {"debug", 0, 0, 'd'},
+ {0, 0, 0, 0}
+ };
+
+- while ((opt = getopt_long(argc, argv, "vh?sd",
+- long_options, &option_index)) != EOF) {
++ while ((opt = getopt_long(argc, argv, "vh?mdb",
++ long_options, &option_index)) != EOF) {
+ switch (opt) {
+ case 'v':
+ print_version();
+ exit(0);
+ break;
+- case 's':
++ case 'm':
+ cmd_exec = 1;
+ break;
++ case 'b':
++ cmd_exec = 2;
++ break;
+ case 'd':
+ debug = 1;
+ break;
+@@ -358,37 +430,48 @@ int main(int argc, char *argv[])
+ }
+
+ #if defined(__FreeBSD__)
+- if (open("/dev/io", O_RDWR) < 0) {
+- perror("/dev/io");
++ if (open("/dev/io", O_RDWR) < 0) {
++ perror("/dev/io");
+ #elif defined(__NetBSD__)
+ # ifdef __i386__
+- if (i386_iopl(3)) {
+- perror("iopl");
++ if (i386_iopl(3)) {
++ perror("iopl");
+ # else
+- if (x86_64_iopl(3)) {
+- perror("iopl");
++ if (x86_64_iopl(3)) {
++ perror("iopl");
+ # endif
+ #else
+- if (iopl(3)) {
+- perror("iopl");
++ if (iopl(3)) {
++ perror("iopl");
+ #endif
+- printf("You need to be root.\n");
+- exit(1);
+- }
++ printf("You need to be root.\n");
++ exit(1);
++ }
+
+ #ifndef __DARWIN__
+- if ((fd_mem = open("/dev/mem", O_RDWR)) < 0) {
+- perror("Can not open /dev/mem");
+- exit(1);
+- }
++ fd_mem = open("/dev/mem", O_RDWR);
++ if (fd_mem < 0) {
++ perror("Can not open /dev/mem");
++ exit(1);
++ }
++
++ get_cpu_id(cpu_id);
++ if (strncmp(cpu_id, "GenuineIntel", CPU_ID_SIZE-1)) {
++ perror("Error CPU is not from Intel.");
++ exit(1);
++ }
+ #endif
+
+ switch(cmd_exec) {
+ case 1:
+ dump_me_info();
+ break;
++ case 2:
++ dump_bootguard_info();
++ break;
+ default:
+- print_usage(argv[0]);
++ dump_me_info();
++ dump_bootguard_info();
+ break;
+ }
+
+diff --git a/util/intelmetool/intelmetool.h b/util/intelmetool/intelmetool.h
+index b5fe35ae1a..384c0b4fd3 100644
+--- a/util/intelmetool/intelmetool.h
++++ b/util/intelmetool/intelmetool.h
+@@ -22,7 +22,7 @@
+ #define ME_PRESENT_CAN_DISABLE 4
+ #define ME_PRESENT_CANNOT_DISABLE 5
+
+-#define INTELMETOOL_VERSION "1.0"
++#define INTELMETOOL_VERSION "1.1"
+
+ #if defined(__GLIBC__)
+ #include <sys/io.h>
+@@ -48,7 +48,13 @@
+ #define CWHT "\x1B[37m"
+ #define RESET "\033[0m"
+
++#define CPU_ID_SIZE 13
++#define FD2 0x3428
++#define ME_COMMAND_DELAY 10000
++#define ME_MESSAGE_LEN 256
++
+ extern int debug;
++extern void print_cap(const char *name, int state);
+
+ #define PCI_VENDOR_ID_INTEL 0x8086
+
+diff --git a/util/intelmetool/me.c b/util/intelmetool/me.c
+index ff73aee2d6..1ee5b4121d 100644
+--- a/util/intelmetool/me.c
++++ b/util/intelmetool/me.c
+@@ -423,7 +423,7 @@ int mkhi_get_fw_version(void)
+ return 0;
+ }
+
+-static inline void print_cap(const char *name, int state)
++void print_cap(const char *name, int state)
+ {
+ printf("ME Capability: %-30s : %s\n",
+ name, state ? CRED "ON" RESET : CGRN "OFF" RESET);
+diff --git a/util/intelmetool/me.h b/util/intelmetool/me.h
+index 76ee245753..d0f425264c 100644
+--- a/util/intelmetool/me.h
++++ b/util/intelmetool/me.h
+@@ -20,6 +20,8 @@
+ #include <inttypes.h>
+ #include <pci/pci.h>
+
++#include "intelmetool.h"
++
+ #define ME_RETRY 100000 /* 1 second */
+ #define ME_DELAY 10 /* 10 us */
+
+diff --git a/util/intelmetool/msr.c b/util/intelmetool/msr.c
+new file mode 100644
+index 0000000000..82181da4ea
+--- /dev/null
++++ b/util/intelmetool/msr.c
+@@ -0,0 +1,80 @@
++/* intelmetool
++ *
++ * Copyright (C) 2013-2016 Philipp Deppenwiese <zaolin@das-labor.org>,
++ * Copyright (C) 2013-2016 Alexander Couzens <lynxis@fe80.eu>
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation; either version 2 of
++ * the License, or any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ */
++
++#include <fcntl.h>
++#include <unistd.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++
++#include "msr.h"
++
++#ifndef __DARWIN__
++static int fd_msr = 0;
++
++static uint64_t rdmsr(int addr)
++{
++ uint32_t buf[2];
++ uint64_t msr = 0;
++
++ if (lseek(fd_msr, (off_t)addr, SEEK_SET) == -1) {
++ perror("Could not lseek() to MSR");
++ close(fd_msr);
++ return -1;
++ }
++
++ if (read(fd_msr, buf, 8) == 8) {
++ msr = buf[1];
++ msr <<= 32;
++ msr |= buf[0];
++ close(fd_msr);
++ return msr;
++ }
++
++ if (errno == EIO) {
++ perror("IO error couldn't read MSR.");
++ close(fd_msr);
++ return -2;
++ } else {
++ perror("Couldn't read() MSR");
++ close(fd_msr);
++ return -1;
++ }
++
++ return msr;
++}
++#endif
++
++int msr_bootguard(uint64_t *msr, int debug)
++{
++
++#ifndef __DARWIN__
++ fd_msr = open("/dev/cpu/0/msr", O_RDONLY);
++ if (fd_msr < 0) {
++ perror("Error while opening /dev/cpu/0/msr");
++ printf("Did you run 'modprobe msr'?\n");
++ return -1;
++ }
++
++ *msr = rdmsr(MSR_BOOTGUARD);
++#endif
++
++ if (!debug)
++ *msr &= ~0xff;
++
++ return 0;
++}
+diff --git a/util/intelmetool/msr.h b/util/intelmetool/msr.h
+new file mode 100644
+index 0000000000..2958ff6b40
+--- /dev/null
++++ b/util/intelmetool/msr.h
+@@ -0,0 +1,44 @@
++/* intelmetool
++ *
++ * Copyright (C) 2013-2016 Philipp Deppenwiese <zaolin@das-labor.org>
++ * Copyright (C) 2013-2016 Alexander Couzens <lynxis@fe80.eu>
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation; either version 2 of
++ * the License, or any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ */
++
++#include <inttypes.h>
++#include <stdlib.h>
++#include <fcntl.h>
++#include <sys/mman.h>
++#include <stdio.h>
++
++#define MSR_BOOTGUARD 0x13A
++
++#define BOOTGUARD_DISABLED 0x400000000
++#define BOOTGUARD_ENABLED_VERIFIED_MODE 0x100000000
++#define BOOTGUARD_ENABLED_MEASUREMENT_MODE 0x200000000
++#define BOOTGUARD_ENABLED_COMBI_MODE 0x300000000
++#define BOOTGUARD_CAPABILITY(x) \
++ (((x) == BOOTGUARD_DISABLED) || \
++ ((x) == BOOTGUARD_ENABLED_VERIFIED_MODE) || \
++ ((x) == BOOTGUARD_ENABLED_MEASUREMENT_MODE) || \
++ ((x) == BOOTGUARD_ENABLED_COMBI_MODE))
++
++#ifndef __DARWIN__
++
++typedef struct {
++ unsigned int ebx;
++ unsigned int edx;
++ unsigned int ecx;
++} regs_t;
++
++extern int msr_bootguard(uint64_t *msr, int debug);
++#endif
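Review bot: A failed MSR read ends up printed as "Your system isn't bootguard ready. You can flash other firmware!". rdmsr() in msr.c returns -1/-2 through its uint64_t return type, and msr_bootguard() stores that value and returns 0 regardless; the masked value matches no BOOTGUARD_* constant, so dump_bootguard_info() takes the else branch. rdmsr should report status separately from the value, and msr_bootguard should return -1 on failure so the caller's existing `< 0` check suppresses the verdict, as sketched below. Separately, get_cpu_id() copies CPU_ID_SIZE (13) bytes out of regs_t, which holds three unsigned ints (12 bytes on x86), reading one byte past the struct; `memcpy(id, &regs, sizeof(regs)); id[sizeof(regs)] = '\0';` stays in bounds.

```c
static int rdmsr(int addr, uint64_t *val)
{
	uint32_t buf[2];

	if (lseek(fd_msr, (off_t)addr, SEEK_SET) == -1) {
		perror("Could not lseek() to MSR");
		return -1;
	}

	if (read(fd_msr, buf, sizeof(buf)) != (ssize_t)sizeof(buf)) {
		perror(errno == EIO ? "IO error couldn't read MSR."
				    : "Couldn't read() MSR");
		return -1;
	}

	*val = ((uint64_t)buf[1] << 32) | buf[0];
	return 0;
}

int msr_bootguard(uint64_t *msr, int debug)
{
#ifndef __DARWIN__
	int ret;

	/* … unchanged: open /dev/cpu/0/msr into fd_msr … */

	ret = rdmsr(MSR_BOOTGUARD, msr);
	close(fd_msr);	/* single owner of the descriptor */
	if (ret < 0)
		return -1;
#endif
	/* … unchanged: mask the low byte unless debug, return 0 … */
}
```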