EOL_m900_tower-*: fix review comments -- typos, blob names, board name

Fix the blobs/m900 download script to source shared blobs/lib.sh and
use its chk_sha256sum from the shared library (review comment).
Update board config descriptions and fix typos in README and
m900_me_blobs.mk target paths.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Author: tlaurion

blobs/m900/.gitignore

@@ -1,3 +1,3 @@
-me.bin
 m900_me.bin
+me_cleaned.bin
 

blobs/m900/README.md

@@ -2,13 +2,13 @@
 
 The following blobs are needed:
 
-* `ifd.bin`
-* `gbe.bin`
-* `me.bin`
+* `m900_tower_ifd.bin`
+* `m900_tower_gbe.bin`
+* `m900_me.bin`
 
-## me.bin: automatically extract, deactivate, partially neuter and deguard
+## m900_me.bin: automatically extract, deactivate, partially neuter and deguard
 
-download_clean_deguard_me.sh : Download vulnerable ME from ASRock, verify checksum, extract ME, deactivate ME and paritally neuter it, then apply the deguard patch and place it into me.bin.
+`m900_download_clean_deguard_me.sh`: Download vulnerable ME from ASRock, verify checksum, extract ME, deactivate ME and partially neuter it, then apply the deguard patch and place it into m900_me.bin.
 For the technical details please read the documentation in the script itself, as removing modules is limited on the platform.
 
 The ME blob dumped in this directory comes from the following link: https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip
@@ -27,11 +27,11 @@ As specified in the first link, this ME can be deployed to:
 
 ## ifd.bin and gbe.bin
 
-Both blobs were taken from my donor board.
+Both blobs are from a production unit of this platform.
 
-The GBE MAC address was forged to: `00:DE:AD:C0:FF:EE`
-IFD blob was unlocked using iftool. Moreover, to be sure, the HAP bit was set by altmedisable. 
-The IFD layot was changed: the bios region was expanded to take space after reducing the me blob. 
+The GBE MAC address was forged to: `00:DE:AD:C0:FF:EE`. Unfortunately, after disabling the ME the onboard ethernet stops working. This was tested on coreboot and is true for heads too. So, PCI ethernet or usb/ethernet adapter is needed. 
+IFD blob was unlocked using ifdtool. Moreover, to be sure, the HAP bit was set by altmedisable. 
+The IFD layout was changed: the bios region was expanded to take space after reducing the me blob. 
 
 ## Integrity
 
@@ -47,8 +47,7 @@ Sha256sums: `blobs/m900/hashes.txt`
 
 # Documentation
 
-A guide on how to flash this board (both the Heads rom) can be found here:
-https://osresearch.net/m900_tower-maximized-flashing/ #TODO
+A guide on how to flash this board can be found at https://osresearch.net/m900_tower-maximized-flashing/ (pending: the page needs to be created).
 
 The upstream port for the board can be found here: https://review.coreboot.org/c/coreboot/+/74187
 

blobs/m900/m900_download_clean_deguard_me.sh

@@ -28,7 +28,7 @@ function download_and_clean() {
 	me_cleaner="$(realpath "${1}")"
 	me_output="$(realpath "${2}")"
 
-	# Download and unpack the Dell installer into a temporary directory and
+	# Download and unpack the ASRock BIOS zip (compatible ME for this Lenovo platform) and
 	# extract the deguardable Intel ME blob.
 	pushd "$(mktemp -d)" || exit
 
@@ -96,8 +96,14 @@ function parse_params() {
 	while getopts ":m:" opt; do
 		case $opt in
 		m)
-			if [[ -x "$OPTARG" ]]; then
+			if [[ -f "$OPTARG" ]] && [[ ! -x "$OPTARG" ]]; then
+				# me_cleaner is a Python script — passed to python interpreter,
+				# not executed directly.  Only require readability, not +x.
 				me_cleaner="$OPTARG"
+			elif [[ -x "$OPTARG" ]]; then
+				me_cleaner="$OPTARG"
+			else
+				usage_err "-m path '$OPTARG' does not exist or is not readable"
 			fi
 			;;
 		?)

boards/EOL_m900_tower-hotp-maximized/EOL_m900_tower-hotp-maximized.config

@@ -1,5 +1,5 @@
 # WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
-# Configuration for a m900_tiny running Qubes 4.3 and other Linux Based OSes (through kexec)
+# Configuration for a m900_tower running Qubes 4.3 and other Linux Based OSes (through kexec)
 # CAVEATS:
 # This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running.
 # This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash.
@@ -8,7 +8,7 @@
 # Make sure you understand the implications of the attack for your threat model before using this board.
 # Includes
 # - Deactivated+partially neutered+deguarded ME and expanded consequent IFD BIOS regions
-# - More details can be found in the script under blobs/m900_tiny/m900_tiny_download_clean_deguard_me.sh
+# - More details can be found in the script under blobs/m900/m900_download_clean_deguard_me.sh
 # - Forged GBE MAC address to 00:DE:AD:C0:FF:EE
 # - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
 
@@ -81,7 +81,7 @@ export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
 export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOARD_NAME="Thinkcentre m900-hotp-maximized"
+export CONFIG_BOARD_NAME="Thinkcentre m900_tower-hotp-maximized"
 export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
 BOARD_TARGETS := m900_me_blobs

boards/EOL_m900_tower-maximized/EOL_m900_tower-maximized.config

@@ -1,5 +1,5 @@
 # WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
-# Configuration for a m900_tiny running Qubes 4.3 and other Linux Based OSes (through kexec)
+# Configuration for a m900_tower running Qubes 4.3 and other Linux Based OSes (through kexec)
 # CAVEATS:
 # This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running.
 # This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash.
@@ -8,7 +8,7 @@
 # Make sure you understand the implications of the attack for your threat model before using this board.
 # Includes
 # - Deactivated+partially neutered+deguarded ME and expanded consequent IFD BIOS regions
-# - More details can be found in the script under blobs/m900_tiny/m900_tiny_download_clean_deguard_me.sh
+# - More details can be found in the script under blobs/m900/m900_download_clean_deguard_me.sh
 # - Forged GBE MAC address to 00:DE:AD:C0:FF:EE
 # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
 
@@ -79,7 +79,7 @@ export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
 export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOARD_NAME="Thinkcentre m900-maximized"
+export CONFIG_BOARD_NAME="Thinkcentre m900_tower-maximized"
 export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
 BOARD_TARGETS := m900_me_blobs

targets/m900_me_blobs.mk

@@ -1,9 +1,14 @@
 # Targets for downloading m900 ME blob, neutering it down to BUP+ROMP region and deactivating ME.
-
-# m900-*-maximized boards require of you initially call one of the
-#  following to have gbe.bin ifd.bin and me.bin
-#  - blobs/m900/download_clean_me.sh
-#     To download Lenovo original ME binary, neuter+deactivate ME
+#
+# m900-*-maximized boards require you to initially call:
+#  make blobs/m900/m900_me.bin
+# which runs blobs/m900/m900_download_clean_deguard_me.sh to:
+#  1. Download the ASRock H110M-DGS BIOS zip containing ME 11.6.0.1126
+#  2. Extract, partially neuter and deguard the ME firmware
+#  3. Place the result into blobs/m900/m900_me.bin
+#
+# The IFD (m900_tower_ifd.bin) and GBE (m900_tower_gbe.bin) blobs are
+# taken from a donor board and committed to the repo directly.
 
 # Make the Coreboot build depend on the following 3rd party blobs:
 $(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \