Skip to content

Commit a17c190

Browse files
tlauriontlaurion
committed
blobs/m900: address review comments for flashing URL and blob hash verification
- Remove pending URL with TODO marker from README; reword as future guide - Add make stamp target (.hashes-verified) that verifies IFD/GBE blob sha256 against hashes.txt at build time - Track .hashes-verified stamp in .gitignore Signed-off-by: Thierry Laurion <insurgo@riseup.net>
1 parent 273f52f commit a17c190

3 files changed

Lines changed: 22 additions & 2 deletions

File tree

blobs/m900/.gitignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
11
m900_me.bin
22
me_cleaned.bin
3+
.hashes-verified
34

blobs/m900/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ Sha256sums: `blobs/m900/hashes.txt`
4747
4848
# Documentation
4949

50-
A guide on how to flash this board can be found at https://osresearch.net/m900_tower-maximized-flashing/ (pending: the page needs to be created).
50+
A guide on how to flash this board (once written) will be linked from https://osresearch.net/ .
5151

5252
The upstream port for the board can be found here: https://review.coreboot.org/c/coreboot/+/74187
5353

targets/m900_me_blobs.mk

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,9 +10,28 @@
1010
# The IFD (m900_tower_ifd.bin) and GBE (m900_tower_gbe.bin) blobs are
1111
# taken from a donor board and committed to the repo directly.
1212

13+
# Verify hashes of committed blobs (IFD and GBE) before building the board.
14+
# A stamp file tracks completion; it is regenerated whenever hashes.txt changes.
15+
$(pwd)/blobs/m900/.hashes-verified: $(pwd)/blobs/m900/hashes.txt \
16+
$(pwd)/blobs/m900/m900_tower_ifd.bin $(pwd)/blobs/m900/m900_tower_gbe.bin
17+
@while read -r hash filename; do \
18+
case "$$filename" in \
19+
m900_tower_ifd.bin|m900_tower_gbe.bin) \
20+
path="$(pwd)/blobs/m900/$$filename"; \
21+
if ! echo "$$hash $$path" | sha256sum --check >/dev/null 2>&1; then \
22+
echo "ERROR: $$filename hash mismatch"; \
23+
exit 1; \
24+
fi; \
25+
;; \
26+
esac; \
27+
done < $(pwd)/blobs/m900/hashes.txt
28+
@echo "IFD/GBE blob hashes verified"
29+
@touch "$@"
30+
1331
# Make the Coreboot build depend on the following 3rd party blobs:
1432
$(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \
15-
$(pwd)/blobs/m900/m900_me.bin
33+
$(pwd)/blobs/m900/m900_me.bin \
34+
$(pwd)/blobs/m900/.hashes-verified
1635

1736

1837
$(pwd)/blobs/m900/m900_me.bin:

0 commit comments

Comments
 (0)