version 1.1, 2021/09/30 04:06:56 |
version 1.56, 2021/12/08 03:44:37 |
|
|
#!/bin/ksh |
#!/bin/ksh |
set -e |
# $OpenBSD$ |
|
# |
|
# Copyright (c) 2021 Andrew Hewus Fresh <afresh1@openbsd.org> |
|
# |
|
# Permission to use, copy, modify, and distribute this software for any |
|
# purpose with or without fee is hereby granted, provided that the above |
|
# copyright notice and this permission notice appear in all copies. |
|
# |
|
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
|
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
|
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
|
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
|
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
|
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
|
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
|
|
scan_dmesg() { |
set -o errexit -o pipefail -o nounset |
# no bsort for now |
|
sed -n "$1" /var/run/dmesg.boot |
|
} |
|
|
|
installed_firmware() { |
CFILE=SHA256.sig |
for fw in ${PKGDIR}/$1-firmware*; do |
DESTDIR=${DESTDIR:-} |
[ -e "$fw" ] || continue |
FWPATTERNS="${DESTDIR}/usr/share/misc/firmware_patterns" |
echo ${fw##*/} |
|
done |
|
} |
|
|
|
set -A _KERNV -- $( scan_dmesg '/^OpenBSD \([1-9][0-9]*\.[0-9]\)\([^ ]*\) .*/ { s//\1 \2/p; q; }' ) |
VNAME=${VNAME:-$(sysctl -n kern.osrelease)} |
VNAME=${_KERNV[0]} |
VERSION=${VERSION:-"${VNAME%.*}${VNAME#*.}"} |
OSDIR=$VNAME |
|
if ((${#_KERNV[*]} > 1)) && [ "$_KERNV[1]" = "-current" -o "$_KERNV[1]" = "-beta" ]; then |
|
OSDIR=snapshots |
|
fi |
|
|
|
FWURL=http://firmware.openbsd.org/firmware/${OSDIR} |
HTTP_FWDIR="$VNAME" |
PKGDIR=${DESTDIR}/var/db/pkg |
VTYPE=$( sed -n "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p" \ |
PATTERNS="file:${0%/*}/firmware_patterns" |
/var/run/dmesg.boot | sed '$!d' ) |
|
[[ $VTYPE == -!(stable) ]] && HTTP_FWDIR=snapshots |
|
|
drivers=$( |
FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR} |
last='' |
FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub |
ftp -D "Detecting" -Vmo- $PATTERNS | |
|
while read d m; do |
|
[ "$last" = "$d" ] && continue |
|
[ "$m" ] || m="^$d[0-9][0-9]* at " |
|
[ "$( scan_dmesg "/$m/ { p; q; }" )" ] || continue |
|
echo $d |
|
last=$d |
|
done |
|
) |
|
|
|
if [ -z "$drivers" ]; then |
tmpdir() { |
echo "No devices found which need firmware files to be downloaded." >&2 |
local _i=1 _dir |
exit 0 |
|
fi |
|
|
|
tmpdir=${DESTDIR}/tmp/fw_update |
# If we're not in the installer, |
[ -e "$tmpdir" ] && rm -rf "$tmpdir" |
# we have mktemp and a more hostile environment |
mkdir -p "$tmpdir" |
if [ -x /usr/bin/mktemp ]; then |
cd "$tmpdir" |
_dir=$( mktemp -d "${1}-XXXXXXXXX" ) |
|
else |
|
until _dir="${1}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do |
|
((++_i < 10000)) || return 1 |
|
done |
|
fi |
|
|
# TODO: Drop privs during fetch and verify |
echo "$_dir" |
ftp -D Get -Vm "$FWURL/SHA256.sig" |
} |
|
|
# Probably should bundle the firmware sigfile on the installer, |
realpath () { |
# although we can just get it from the recently installed system. |
if [ -x /usr/bin/realpath ]; then |
if [ "$DESTDIR" ]; then |
/usr/bin/realpath "$1" |
sigfile=$( sed -n '/^untrusted comment: verify with \(.*\)$/ { s//\1/p; q; }' SHA256.sig ) |
elif [ "$1" = "${1%/*}" ]; then |
if [ ! -e "/etc/signify/$sigfile" ] \ |
echo "${PWD}/$1" |
&& [ -e "${DESTDIR}/etc/signify/$sigfile" ]; then |
else |
cp -a "${DESTDIR}/etc/signify/$sigfile" "/etc/signify/$sigfile" |
echo "$( cd "${1%/*}" && pwd )/${1##*/}" |
fi |
fi |
fi |
} |
|
|
signify -Ve -x SHA256.sig -m - < SHA256.sig > SHA256 |
fetch() { |
|
local _file=$1 _user=_file _exit |
|
|
for d in $drivers; do |
>"$_file" |
firmware=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" SHA256 ) |
chown "$_user" "$_file" |
installed=$( installed_firmware $d ) |
|
|
|
for i in $installed; do |
# If we're not in the installer, we have su(1) |
if [ "$firmware" = "$i.tgz" ]; then |
# and doas(1) is unlikely to be configured. |
echo "Firmware for $d already installed ($installed)" |
if [ -x /usr/bin/su ]; then |
continue 2 |
/usr/bin/su -s /bin/ksh "$_user" -c \ |
fi |
"/usr/bin/ftp -D 'Get/Verify' -Vm \ |
done |
-o '$_file' '${FWURL}/${_file}'" |
|
_exit="$?" |
|
else |
|
/usr/bin/doas -u "$_user" \ |
|
ftp -D 'Get/Verify' -Vm \ |
|
-o "$_file" "${FWURL}/${_file}" |
|
_exit="$?" |
|
fi |
|
|
mkdir $d |
if [ "$_exit" -ne 0 ]; then |
|
rm -f "$_file" |
|
echo "Cannot fetch $_file" >&2 |
|
return 1 |
|
fi |
|
|
# TODO: Drop privs during fetch and verify |
chown root "$_file" |
ftp -D "Get/Verify" -Vmo- "$FWURL/$firmware" | sha256 -bph "$d/h" > "$firmware" |
} |
fgrep -qx "SHA256 ($firmware) = $(<$d/h)" SHA256 |
|
|
|
# TODO: Check hash for files before deleting |
verify() { |
if [ "$installed" ] && [ -e "${PKGDIR}/$installed/+CONTENTS" ]; then |
# On the installer we don't get sha256 -C, so fake it. |
echo "Uninstalling $installed" |
if ! fgrep -qx "SHA256 ($1) = $( /bin/sha256 -qb "$1" )" "$CFILE"; then |
cwd=${PKGDIR}/$installed |
echo "Checksum test for $1 failed." >&2 |
|
return 1 |
|
fi |
|
} |
|
|
remove="${cwd}/+CONTENTS ${cwd}" |
devices_needing_firmware() { |
|
local _d _m _grep _dmesgtail _last='' |
|
|
while read c g; do |
# When we're not in the installer, the dmesg.boot can |
case $c in |
# contain multiple boots, so only look in the last one |
@cwd) cwd=$g |
_dmesgtail=$( sed -n 'H;/^OpenBSD/h;${g;p;}' /var/run/dmesg.boot ) |
;; |
|
@*) continue |
|
;; |
|
*) remove="$cwd/$c $remove" |
|
;; |
|
esac |
|
done < "${PKGDIR}/$installed/+CONTENTS" |
|
|
|
for r in $remove ; do |
grep -v '^[[:space:]]*#' "$FWPATTERNS" | |
if [ -d "$r" ]; then |
while read -r _d _m; do |
# Try hard not to actually remove recursively |
_grep="grep" |
# without rmdir on the install media. |
[ "$_last" = "$_d" ] && continue |
[ "$r/*" = $( echo "$r"/* ) ] && rm -rf "$r" |
[ "$_m" ] || _m="^${_d}[0-9][0-9]* at " |
else |
[ "$_m" = "${_m#^}" ] && _grep="fgrep" |
rm -f "$r" |
|
fi |
|
done |
|
fi |
|
|
|
# TODO: Add some details about the install to +CONTENTS like pkg_add |
echo "$_dmesgtail" | $_grep -q "$_m" || continue |
# TODO: Or, maybe we save the firmware someplace and make pkg_add reinstall |
echo "$_d" |
echo "Installing $firmware" |
_last="$_d" |
tar -zxphf "$firmware" -C /etc "firmware/*" |
done |
mkdir -p ${PKGDIR}/${firmware%.tgz}/ |
} |
tar -zxphf "$firmware" -C "${PKGDIR}/${firmware%.tgz}" "+*" |
|
ed -s "${PKGDIR}/${firmware%.tgz}/+CONTENTS" <<EOL |
firmware_filename() { |
|
local _f |
|
_f="$( sed -n "s/.*(\($1-firmware-.*\.tgz\)).*/\1/p" "$CFILE" | sed '$!d' )" |
|
! [ "$_f" ] && echo "Unable to find firmware for $1" >&2 && return 1 |
|
echo "$_f" |
|
} |
|
|
|
installed_firmware() { |
|
for fw in "${DESTDIR}/var/db/pkg/$1-firmware"*; do |
|
[ -e "$fw" ] || continue |
|
echo "${fw##*/}" |
|
done |
|
} |
|
|
|
add_firmware () { |
|
local _f="$1" _pkgdir="${DESTDIR}/var/db/pkg" |
|
ftp -D "Install" -Vmo- "file:${1}" | |
|
tar -s ",^\+,${_pkgdir}/${_f%.tgz}/+," \ |
|
-s ",^firmware,${DESTDIR}/etc/firmware," \ |
|
-C / -zxphf - "+*" "firmware/*" |
|
|
|
# TODO: Should we mark these so real fw_update can -Drepair? |
|
ed -s "${_pkgdir}/${_f%.tgz}/+CONTENTS" <<EOL |
/^@comment pkgpath/ -1a |
/^@comment pkgpath/ -1a |
@option manual-installation |
@option manual-installation |
@option firmware |
@option firmware |
|
|
. |
. |
w |
w |
EOL |
EOL |
|
} |
|
|
|
delete_firmware() { |
|
local _cwd _pkg="$1" _pkgdir="${DESTDIR}/var/db/pkg" |
|
|
|
# TODO: Check hash for files before deleting |
|
echo "Uninstalling $_pkg" |
|
_cwd="${_pkgdir}/$_pkg" |
|
|
|
set -A _remove -- "${_cwd}/+CONTENTS" "${_cwd}" |
|
|
|
while read -r c g; do |
|
case $c in |
|
@cwd) _cwd="${DESTDIR}$g" |
|
;; |
|
@*) continue |
|
;; |
|
*) set -A _remove -- "$_cwd/$c" "${_remove[@]}" |
|
;; |
|
esac |
|
done < "${_pkgdir}/${_pkg}/+CONTENTS" |
|
|
|
# We specifically rm -f here because not removing files/dirs |
|
# is probably not worth failing over. |
|
for _r in "${_remove[@]}" ; do |
|
if [ -d "$_r" ]; then |
|
# Try hard not to actually remove recursively |
|
# without rmdir on the install media. |
|
[ "$_r/*" = "$( echo "$_r"/* )" ] && rm -rf "$_r" |
|
else |
|
rm -f "$_r" |
|
fi |
|
done |
|
} |
|
|
|
set -A devices -- $( devices_needing_firmware ) |
|
|
|
if [ ! "${devices:-}" ]; then |
|
echo "No devices found which need firmware files to be downloaded." |
|
exit |
|
fi |
|
|
|
TMPDIR=$( tmpdir "${DESTDIR}/tmp/fw_install" ) |
|
cd "$TMPDIR" |
|
|
|
# To unpriv we need to let the unpriv user into this dir |
|
chmod go+x . |
|
|
|
fetch "$CFILE" |
|
! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE" && |
|
echo "Signature check of SHA256.sig failed" >&2 && exit 1 |
|
|
|
for d in "${devices[@]}"; do |
|
f=$( firmware_filename "$d" || true ) |
|
[ "$f" ] || continue |
|
set -A installed -- $( installed_firmware "$d" ) |
|
|
|
if [ "${installed:-}" ]; then |
|
for i in "${installed[@]:-}"; do |
|
if [ "$f" = "$i.tgz" ]; then |
|
echo "$i already installed" |
|
continue 2 |
|
fi |
|
done |
|
fi |
|
|
|
fetch "$f" || continue |
|
verify "$f" || continue |
|
|
|
if [ "${installed:-}" ]; then |
|
for i in "${installed[@]}"; do |
|
delete_firmware "$i" |
|
done |
|
fi |
|
|
|
add_firmware "$f" |
done |
done |
|
|