On Fri, 18 Oct 2024 17:08:56 -0700 Julius Werner jwerner@chromium.org wrote:
> Hi Denis,
Hi,
> There is no real reason for these binaries to be in those test fixtures — the point of the tests is just to verify parsing for vboot data structures, the actual contents of the file are not really relevant. So I think the easiest solution here is to just delete the offending contents from the images. I have opened a bug for this in Google's public tracker that you can follow here if you want: https://issuetracker.google.com/issues/374385985 .
Thanks a lot for doing that.
Your bug report mainly talks about binaries in CBFS, but there are most probably also Management firmwares in the images (which are less likely to be redistributable than MRC/FSP or microcode updates).
I managed to verify signatures with me_cleaner from the latest Coreboot revision (c21bed6de9):
$ ifdtool -x tests/futility/data/bios_link_mp.bin
File tests/futility/data/bios_link_mp.bin is 8388608 bytes
Flash Region 0 (Flash Descriptor): 00000000 - 00000fff
Flash Region 1 (BIOS): 00200000 - 007fffff
Flash Region 2 (Intel ME): 00001000 - 001fffff
Flash Region 3 (GbE): 00fff000 - 00000fff (unused)
Flash Region 4 (Platform Data): 00fff000 - 00000fff (unused)
$ me_cleaner.py -c flashregion_2_intel_me.bin
ME/TXE image detected
Found FPT header at 0x10
Found 15 partition(s)
Found FTPR header: FTPR partition spans from 0x93000 to 0x108000
ME/TXE firmware version 8.0.20.1513
Public key match: Intel ME, firmware versions 7.x.x.x, 8.x.x.x
Checking the FTPR RSA signature... VALID
But above I said 'probably' because here I managed to verify the Management Engine partitions' signatures but me_cleaner doesn't print the names of the partitions, so in theory it could also be just a header, and it's harder to verify that it doesn't contain nonfree and/or non-redistributable code, especially because some versions were encoded with Huffman compression.
Though given that the images were signed with the release keys for the Chromebooks, I assume this is the real Management Engine firmware that's in there.
Denis.
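
Added example (not part of the original message, and not code from me_cleaner or vboot): a small Python sketch that lists the partition names, offsets and lengths from the $FPT table of an extracted ME region, which is the information the me_cleaner output above does not show. The table layout (marker at 0x0 or 0x10, entry count at marker+0x4, 0x20-byte entries starting at marker+0x20) is assumed to match what me_cleaner parses; the sample region and the "TST" partition name are constructed.

```python
import struct

FPT_MAGIC = b"$FPT"
ENTRY_SIZE = 0x20  # assumed entry size, as parsed by me_cleaner

def list_fpt_partitions(region: bytes):
    """Return (fpt_offset, [(name, offset, length, flags, has_data), ...])."""
    for fpt_offset in (0x0, 0x10):
        if region[fpt_offset:fpt_offset + 4] == FPT_MAGIC:
            break
    else:
        raise ValueError("no $FPT marker at 0x0 or 0x10")
    table = fpt_offset + 0x20
    if len(region) < table:
        raise ValueError("region too short for an FPT header")
    (count,) = struct.unpack_from("<I", region, fpt_offset + 0x4)
    if table + count * ENTRY_SIZE > len(region):
        raise ValueError("partition table runs past the end of the region")
    parts = []
    for i in range(count):
        entry = region[table + i * ENTRY_SIZE:table + (i + 1) * ENTRY_SIZE]
        name = entry[0:4].rstrip(b"\x00").decode("ascii", "replace")
        offset, length = struct.unpack_from("<II", entry, 0x08)
        (flags,) = struct.unpack_from("<I", entry, 0x1C)
        # An entry only carries payload if it points inside the region.
        has_data = (offset not in (0, 0xFFFFFFFF) and length > 0
                    and offset + length <= len(region))
        parts.append((name, offset, length, flags, has_data))
    return fpt_offset, parts

def build_sample_region() -> bytes:
    """Constructed 0x200-byte region with two entries (not real firmware)."""
    def entry(name, offset, length):
        return struct.pack("<4s4sII12sI", name, b"\xff" * 4,
                           offset, length, b"\x00" * 12, 0)
    region = bytearray(0x200)
    region[0x10:0x14] = FPT_MAGIC
    struct.pack_into("<I", region, 0x14, 2)
    region[0x30:0x50] = entry(b"FTPR", 0x100, 0x80)
    region[0x50:0x70] = entry(b"TST\x00", 0xFFFFFFFF, 0)
    return bytes(region)

if __name__ == "__main__":
    off, parts = list_fpt_partitions(build_sample_region())
    print("FPT header at {:#x}".format(off))
    for name, offset, length, flags, has_data in parts:
        print("{:<4} {:#010x} {:#08x} flags={:#x} {}".format(
            name, offset, length, flags, "data" if has_data else "no data"))
```

To inspect a real image, pass the bytes of the region that ifdtool extracts (flashregion_2_intel_me.bin above) to list_fpt_partitions() in place of the constructed sample.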