From 0690df4f24c7066f122ccc9d0c4db20c50963f3b Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Wed, 26 Dec 2018 19:51:07 -0500
Subject: [PATCH] flash.sh x200: board addition. Generic flash.sh to use cbfs
 extraction to replace flashrom whole flash extraction (KGPE-D16 is 16MB.
 Useless to read it all. Plus, s3nv changes each boot so it's impossible to
 read the whole flash and compare for integrity attestation.) unseal-hotp: use
 cbfs file extraction loop to measure modules.

---
 initrd/bin/flash.sh    | 10 +++++++---
 initrd/bin/unseal-hotp | 11 ++++++-----
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh
index 1b9bfdfcf..eb22fc51e 100755
--- a/initrd/bin/flash.sh
+++ b/initrd/bin/flash.sh
@@ -16,6 +16,9 @@ case "$CONFIG_BOARD" in
   "kgpe-d16" )
     FLASHROM_OPTIONS='--force --noverify --programmer internal'
   ;;
+  "x200" )
+    FLASHROM_OPTIONS='--force --noverify --programmer internal'
+  ;;
   * )
     die "ERROR: No board has been configured!\n\nEach board requires specific flashrom options and it's unsafe to flash without them.\n\nAborting."
   ;;
@@ -37,9 +40,10 @@ flash_rom() {
       die "$ROM: Read inconsistent"
     fi
   elif [ "$SHA" -eq 1 ]; then
-    flashrom $FLASHROM_OPTIONS -r "${ROM}" 1&>2 >/dev/null \
-    || die "$ROM: Read failed"
-    sha256sum ${ROM} | cut -f1 -d ' '
+    #flashrom $FLASHROM_OPTIONS -r "${ROM}" 1&>2 >/dev/null \
+    #|| die "$ROM: Read failed"
+    #sha256sum ${ROM} | cut -f1 -d ' '
+    cbfs --list | grep -E 'fallback|heads|microcode|bootblock' | while read CBFS_FILES; do cbfs -r $CBFS_FILES; done | sha256sum | cut -f1 -d ' '
   else
     cp "$ROM" /tmp/${CONFIG_BOARD}.rom
     sha256sum /tmp/${CONFIG_BOARD}.rom
diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp
index c6baa78c6..9fc28162f 100755
--- a/initrd/bin/unseal-hotp
+++ b/initrd/bin/unseal-hotp
@@ -35,11 +35,12 @@ else
 # without a TPM, use the first 20 characters of the ROM SHA256sum 
   echo "TPM not configured, measuring ROM directly" 1>&2
   # use a previously-copied image if it exists
-  if [ -f ${ROM_IMAGE} ]; then
-    sha256sum ${ROM_IMAGE} | cut -f1 -d ' ' | cut -c 1-20 | tr -d '\n' > $HOTP_SECRET
-  else
-    flash.sh -s ${ROM_IMAGE} | cut -c 1-20 | tr -d '\n' > $HOTP_SECRET
-  fi
+  #if [ -f ${ROM_IMAGE} ]; then
+  #  sha256sum ${ROM_IMAGE} | cut -f1 -d ' ' | cut -c 1-20 | tr -d '\n' > $HOTP_SECRET
+  #else
+    #flash.sh -s ${ROM_IMAGE} | cut -c 1-20 | tr -d '\n' > $HOTP_SECRET
+  cbfs --list | grep -E 'fallback|heads|microcode|bootblock' | while read CBFS_FILES; do cbfs -r $CBFS_FILES; done | sha256sum | cut -f1 -d ' ' | cut -c 1-20 | tr -d '\n' > $HOTP_SECRET 
+  #fi
 fi
 
 # Store counter in file instead of TPM for now, as it conflicts with Heads