Merge branch 'main' into dev

.github/workflows/build-image.yaml

@@ -26,7 +26,10 @@ jobs:
         uses: actions/checkout@v4
 
       - name: run build
-        run: sudo DEBUG=1 ./build_complete.sh ${{ matrix.board }} compress_img=1 quiet=1
+        run: |
+          sudo apt-get update
+          sudo apt-get upgrade -y
+          sudo DEBUG=1 ./build_complete.sh ${{ matrix.board }} compress_img=1 quiet=1
 
       - name: upload img
         uses: actions/upload-artifact@v4

README.md

@@ -83,6 +83,11 @@ PRs and contributions are welcome to help implement these features.
   - Cheap USB 2.0 drives typically won't work well due to their slow speeds
 - At least 20GB of free disk space
 
+### Video Tutorial:
+[![thumbnail of the tutorial youtube video](https://img.youtube.com/vi/v327np19RXg/mqdefault.jpg)](https://www.youtube.com/watch?v=v327np19RXg)
+
+[@blueiceyt](https://www.youtube.com/channel/UC2yMjQu-NwJSQb0tRclQMYg) made a nice [video tutorial](https://www.youtube.com/watch?v=v327np19RXg) for Shimboot. It's a lot easier to understand than the instructions on this page, and it'll cover most use cases.
+
 ### Build Instructions:
 1. Find the board name of your Chromebook. You can search for the model name on [chrome100.dev](https://chrome100.dev/).
 2. Clone this repository and cd into it.
@@ -172,6 +177,15 @@ Any writes to the squashfs will persist, but they will not be compressed when sa
 
 On the regular XFCE4 image, this brings the rootfs size down to 1.2GB from 3.5GB.
 
+#### I can't connect to some wifi networks.
+You may have to run these commands in order to connect to certain networks:
+```
+$ nmcli connection edit <your connection name>
+> set 802-11-wireless-security.pmf disable
+> save
+> activate
+```
+
 ## Copyright:
 Shimboot is licensed under the [GNU GPL v3](https://www.gnu.org/licenses/gpl-3.0.txt). Unless otherwise indicated, all code has been written by me, [ading2210](https://github.com/ading2210).
 

build_complete.sh

@@ -33,27 +33,52 @@ arch="${args['arch']-amd64}"
 release="${args['release']}"
 distro="${args['distro']-debian}"
 
+#a list of all arm board names
 arm_boards="
   corsola hana jacuzzi kukui strongbad nyan-big kevin bob
   veyron-speedy veyron-jerry veyron-minnie scarlet elm
   kukui peach-pi peach-pit stumpy daisy-spring
 "
-if grep -q "$board" <<< "$arm_boards"; then
+#a list of shims that have a patch for the sh1mmer vulnerability
+bad_boards="reef sand snappy pyro"
+if grep -q "$board" <<< "$arm_boards" > /dev/null; then
   print_info "automatically detected arm64 device name"
   arch="arm64"
 fi
+if grep -q "$board" <<< "$bad_boards" > /dev/null; then
+  print_error "Warning: you are attempting to build Shimboot for a board which has a shim that includes a fix for the sh1mmer vulnerability. The resulting image will not boot if you are enrolled."
+  read -p "Press [enter] to continue "
+fi
+
+kernel_arch="$(uname -m)"
+host_arch="unknown"
+if [ "$kernel_arch" = "x86_64" ]; then
+  host_arch="amd64"
+elif [ "$kernel_arch" = "aarch64" ]; then
+  host_arch="arm64"
+fi
 
 needed_deps="wget python3 unzip zip git debootstrap cpio binwalk pcregrep cgpt mkfs.ext4 mkfs.ext2 fdisk depmod findmnt lz4 pv"
 if [ "$(check_deps "$needed_deps")" ]; then
   #install deps automatically on debian and ubuntu
   if [ -f "/etc/debian_version" ]; then
     print_title "attempting to install build deps"
-    apt-get install wget python3-all unzip zip debootstrap cpio binwalk pcregrep cgpt kmod pv lz4 -y
-    if [ "$arch" = "arm64" ]; then
+    apt-get install wget python3 unzip zip debootstrap cpio binwalk pcregrep cgpt kmod pv lz4 -y
+  fi
+  assert_deps "$needed_deps"
+fi
+
+#install qemu-user-static on debian if needed
+if [ "$arch" != "$host_arch" ]; then
+  if [ -f "/etc/debian_version" ]; then
+    if ! dpkg --get-selections | grep -v deinstall | grep "qemu-user-static\|box64\|fex-emu" > /dev/null; then
+      print_info "automatically installing qemu-user-static because we are building for a different architecture"
       apt-get install qemu-user-static binfmt-support -y
     fi
+  else 
+    print_error "Warning: You are building an image for a different CPU architecture. It may fail if you do not have qemu-user-static installed."
+    sleep 1
   fi
-  assert_deps "$needed_deps"
 fi
 
 cleanup_path=""

shim_utils.sh

@@ -2,6 +2,14 @@
 
 #utilties for reading shim disk images
 
+run_binwalk() {
+  if binwalk -h | grep -- '--run-as' >/dev/null; then
+    binwalk "$@" --run-as=root
+  else
+    binwalk "$@"
+  fi
+}
+
 #extract the initramfs from a kernel image
 extract_initramfs() {
   local kernel_bin="$1"
@@ -10,13 +18,13 @@ extract_initramfs() {
 
   #extract the compressed kernel image from the partition data
   local kernel_file="$(basename $kernel_bin)"
-  local binwalk_out=$(binwalk --extract $kernel_bin --directory=$working_dir --run-as=root)
+  local binwalk_out=$(run_binwalk --extract $kernel_bin --directory=$working_dir)
   local stage1_file=$(echo $binwalk_out | pcregrep -o1 "\d+\s+0x([0-9A-F]+)\s+gzip compressed data")
   local stage1_dir="$working_dir/_$kernel_file.extracted"
   local stage1_path="$stage1_dir/$stage1_file"
 
   #extract the initramfs cpio archive from the kernel image
-  binwalk --extract $stage1_path --directory=$stage1_dir --run-as=root > /dev/null
+  run_binwalk --extract $stage1_path --directory=$stage1_dir > /dev/null
   local stage2_dir="$stage1_dir/_$stage1_file.extracted/"
   local cpio_file=$(file $stage2_dir/* | pcregrep -o1 "([0-9A-F]+):\s+ASCII cpio archive")
   local cpio_path="$stage2_dir/$cpio_file"
@@ -31,7 +39,7 @@ extract_initramfs_arm() {
   local output_dir="$3"
 
   #extract the kernel lz4 archive from the partition
-  local binwalk_out="$(binwalk $kernel_bin --run-as=root)"
+  local binwalk_out="$(run_binwalk $kernel_bin)"
   local lz4_offset="$(echo "$binwalk_out" | pcregrep -o1 "(\d+).+?LZ4 compressed data" | head -n1)"
   local lz4_file="$working_dir/kernel.lz4"
   local kernel_img="$working_dir/kernel_decompressed.bin"
@@ -40,7 +48,7 @@ extract_initramfs_arm() {
 
   #extract the initramfs cpio archive from the kernel image
   local extracted_dir="$working_dir/_kernel_decompressed.bin.extracted"
-  binwalk --extract $kernel_img --directory=$working_dir --run-as=root > /dev/null
+  run_binwalk --extract $kernel_img --directory=$working_dir > /dev/null
   local cpio_file=$(file $extracted_dir/* | pcregrep -o1 "([0-9A-F]+):\s+ASCII cpio archive")
   local cpio_path="$extracted_dir/$cpio_file"