Merge branch 'verified_firmware' into nitropad_x230

Makefile

@@ -87,6 +87,18 @@ $(HEADS_GAWK): $(build)/$(gawk_dir)/.configured
 		$(VERBOSE_REDIRECT)
 endif
 
+# Some things want usernames, we use the current checkout
+# so that they are reproducible
+GIT_HASH		:= $(shell git rev-parse HEAD)
+GIT_HASH_SHORT	:= $(shell git rev-parse --short HEAD)
+GIT_BRANCH  	:= $(shell git branch --show-current)
+GIT_TAG     	:= $(shell git describe --abbrev=0 --tags)
+GIT_STATUS		:= $(shell \
+	if git diff --exit-code >/dev/null ; then \
+		echo clean ; \
+	else \
+		echo dirty ; \
+	fi)
 
 BOARD		?= qemu-coreboot
 CONFIG		:= $(pwd)/boards/$(BOARD)/$(BOARD).config
@@ -100,16 +112,6 @@ include $(CONFIG)
 # Unless otherwise specified, we are building for heads
 CONFIG_HEADS	?= y
 
-# Some things want usernames, we use the current checkout
-# so that they are reproducible
-GIT_HASH	:= $(shell git rev-parse HEAD)
-GIT_STATUS	:= $(shell \
-	if git diff --exit-code >/dev/null ; then \
-		echo clean ; \
-	else \
-		echo dirty ; \
-	fi)
-
 # record the build date / git hashes and other files here
 HASHES		:= $(build)/$(BOARD)/hashes.txt
 
@@ -595,6 +597,8 @@ $(initrd_tmp_dir)/etc/config: FORCE
 	$(call do,HASH,$(GIT_HASH) $(GIT_STATUS) $(BOARD), \
 		echo export GIT_HASH=\'$(GIT_HASH)\' \
 		>> $@ ; \
+		echo export GIT_TAG=\'$(GIT_TAG)\' \
+		>> $@ ; \
 		echo export GIT_STATUS=$(GIT_STATUS) \
 		>> $@ ; \
 		echo export CONFIG_BOARD=$(BOARD) \

boards/x230-hotp-verification/x230-hotp-verification.config

@@ -10,6 +10,7 @@
 export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.8.1
 export CONFIG_LINUX_VERSION=4.14.62
+#export CONFIG_LINUX_VERSION=4.19.139
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-verification.config
 CONFIG_LINUX_CONFIG=config/linux-x230.config
@@ -48,7 +49,7 @@ export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOOT_KERNEL_REMOVE="quiet"
 export CONFIG_BOOT_DEV="/dev/sda1"
-export CONFIG_BOOT_GUI_MENU_NAME="NitroPad X230 Heads Boot Menu (v1.1)"
+export CONFIG_BOOT_GUI_MENU_NAME="NitroPad X230 Heads Boot Menu ($(GIT_TAG))"
 export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
 export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
 export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"

initrd/bin/flash-gui.sh

@@ -22,17 +22,39 @@ while true; do
     ;;
     f|c )
       if (whiptail --title 'Flash the BIOS with a new ROM' \
-          --yesno "You will need to insert a USB drive containing your BIOS image (*.rom).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 16 90) then
+          --yesno "You will need to insert a USB drive containing your BIOS image.\nThe image is either a *.rom file or a *.npf archive.\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 16 90) then
         mount_usb
         if grep -q /media /proc/mounts ; then
-          find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt
+          find /media ! -path '*/\.*' -type f -name '*.npf' | sort > /tmp/filelist.txt
+          find /media ! -path '*/\.*' -type f -name '*.rom' | sort >> /tmp/filelist.txt
           file_selector "/tmp/filelist.txt" "Choose the ROM to flash"
           if [ "$FILE" == "" ]; then
             return
           else
             ROM=$FILE
           fi
 
+          # is a .npf provided?
+          if [ -z "${ROM##*.npf}" ]; then
+            # unzip to /tmp/verified_rom
+            mkdir /tmp/verified_rom
+            unzip $ROM -d /tmp/verified_rom
+            # check file integrity
+            if sha256sum -cs /tmp/verified_rom/sha256sum.txt ; then
+              ROM="$(head -n1 /tmp/verified_rom/sha256sum.txt | cut -d ' ' -f 3)"
+            else
+              whiptail --title 'ROM Integrity Check Failed! ' \
+                --msgbox "$ROM integrity check failed. Did not flash.\n\nPlease check your file (e.g. re-download).\n" 16 60
+              exit
+            fi
+          else
+            # exit if we shall not proceed
+            if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \
+                --yesno "You have provided a *.rom file. The integrity of the file can not be\nchecked for this file.\nIf you do not know how to check the file integrity yourself,\nyou should use a *.npf file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 16 60) then
+              exit
+            fi
+          fi
+
           if (whiptail --title 'Flash ROM?' \
               --yesno "This will replace your current ROM with:\n\n$ROM\n\nDo you want to proceed?" 16 60) then
             if [ "$menu_choice" == "c" ]; then

initrd/bin/gui-init

@@ -393,7 +393,7 @@ while true; do
     memtotal=$((${memtotal} / 1024 / 1024 + 1))
     cpustr=$(cat /proc/cpuinfo | grep 'model name' | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //')
     whiptail --title 'System Info' \
-      --msgbox "VER: NitroPad v1.1\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60
+        --msgbox "VER: NitroPad $GIT_TAG ($GIT_HASH)\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60
     continue
   fi
 

modules/coreboot

@@ -83,6 +83,7 @@ $(build)/$(coreboot_dir)/.build: \
 $(build)/$(BOARD)/coreboot.rom: $(build)/$(coreboot_dir)/.build
 	"$(build)/$(coreboot_dir)/cbfstool" "$(dir $<)coreboot.rom" print
 	$(call do-copy,$(dir $<)coreboot.rom,$@)
+	$(call do-copy,$(dir $<)coreboot.rom,$(build)/$(BOARD)/$(GIT_BRANCH)-$(GIT_TAG)-$(GIT_HASH_SHORT).rom)
 	@touch $@   # update the time stamp
 
 #