On Fri, 18 Oct 2024 17:08:56 -0700 Julius Werner <jwer...@chromium.org> wrote:
> Hi Denis, Hi, > There is no real reason for these binaries to be in those test > fixtures — the point of the tests is just to verify parsing for vboot > data structures, the actual contents of the file are not really > relevant. So I think the easiest solution here is to just delete the > offending contents from the images. I have opened a bug for this in > Google's public tracker that you can follow here if you want: > https://issuetracker.google.com/issues/374385985 . Thanks a lot for doing that. Your bug report mainly talks about binaries in CBFS, but there is most probably also Management firmwares in the images (which are less likely to be redistributable than MRC/FSP or microcode updates). I managed to verify signatures with me_cleaner from the latest Coreboot revision (c21bed6de9): > $ ifdtool -x tests/futility/data/bios_link_mp.bin > File tests/futility/data/bios_link_mp.bin is 8388608 bytes > Flash Region 0 (Flash Descriptor): 00000000 - 00000fff > Flash Region 1 (BIOS): 00200000 - 007fffff > Flash Region 2 (Intel ME): 00001000 - 001fffff > Flash Region 3 (GbE): 00fff000 - 00000fff (unused) > Flash Region 4 (Platform Data): 00fff000 - 00000fff (unused) > $ me_cleaner.py -c flashregion_2_intel_me.bin > ME/TXE image detected > Found FPT header at 0x10 > Found 15 partition(s) > Found FTPR header: FTPR partition spans from 0x93000 to 0x108000 > ME/TXE firmware version 8.0.20.1513 > Public key match: Intel ME, firmware versions 7.x.x.x, 8.x.x.x > Checking the FTPR RSA signature... VALID But above I said 'probably' because here I manage to verify the Management engine partitions signatures but me_cleaner doesn't print the names of the partitions, so in theory it could be also just a header and it's harder to verify that it doesn't contain nonfee and/or non-resitributable code, especially because some versions were encoded with huffman compressions. Though given that the images were signed with the release keys for the Chromebooks, I assume this is the real Management Engine firmware that's in there. Denis.
pgpJlUlkuc7Ch.pgp
Description: OpenPGP digital signature
_______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-le...@coreboot.org
