version 1.24, 2021/11/11 02:34:00 |
version 1.106, 2021/12/23 01:25:29 |
|
|
#!/bin/ksh |
#!/bin/ksh |
set -e |
# $OpenBSD$ |
|
# |
|
# Copyright (c) 2021 Andrew Hewus Fresh <afresh1@openbsd.org> |
|
# |
|
# Permission to use, copy, modify, and distribute this software for any |
|
# purpose with or without fee is hereby granted, provided that the above |
|
# copyright notice and this permission notice appear in all copies. |
|
# |
|
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
|
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
|
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
|
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
|
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
|
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
|
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
|
|
scan_dmesg() { |
set -o errexit -o pipefail -o nounset -o noclobber -o noglob |
# no bsort for now |
set +o monitor |
sed -n "$1" /var/run/dmesg.boot |
export PATH=/usr/bin:/bin:/usr/sbin:/sbin |
} |
|
|
|
# Fake up some things from install.sub that we don't need to actually do |
CFILE=SHA256.sig |
prefetcharea_fs_list() { |
DESTDIR=${DESTDIR:-} |
echo "/mnt/tmp" |
FWPATTERNS="${DESTDIR}/usr/share/misc/firmware_patterns" |
} |
|
reset_watchdog() { |
|
} |
|
|
|
# tmpdir, do_as, unpriv, and unpriv2 are from install.sub |
VNAME=${VNAME:-$(sysctl -n kern.osrelease)} |
|
VERSION=${VERSION:-"${VNAME%.*}${VNAME#*.}"} |
|
|
# Create a temporary directory based on the supplied directory name prefix. |
HTTP_FWDIR="$VNAME" |
|
VTYPE=$( sed -n "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p" \ |
|
/var/run/dmesg.boot | sed '$!d' ) |
|
[[ $VTYPE == -!(stable) ]] && HTTP_FWDIR=snapshots |
|
|
|
FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR} |
|
FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub |
|
|
|
VERBOSE=false |
|
DOWNLOAD=true |
|
INSTALL=true |
|
LOCALSRC= |
|
|
tmpdir() { |
tmpdir() { |
local _i=1 _dir |
local _i=1 _dir |
|
|
until _dir="${1?}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do |
# If we're not in the installer, |
((++_i < 10000)) || return 1 |
# we have mktemp and a more hostile environment. |
done |
if [ -x /usr/bin/mktemp ]; then |
|
_dir=$( mktemp -d "${1}-XXXXXXXXX" ) |
|
else |
|
until _dir="${1}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do |
|
((++_i < 10000)) || return 1 |
|
done |
|
fi |
|
|
echo "$_dir" |
echo "$_dir" |
} |
} |
|
|
# Run a command ($2+) as unprivileged user ($1). |
fetch() { |
# Take extra care that after "cmd" no "user" processes exist. |
local _src="${FWURL}/${1##*/}" _dst=$1 _user=_file _pid _exit _error='' |
# |
|
# Optionally: |
|
# - create "file" and chown it to "user" |
|
# - after "cmd", chown "file" back to root |
|
# |
|
# Usage: do_as user [-f file] cmd |
|
do_as() { |
|
(( $# >= 2 )) || return |
|
|
|
local _file _rc _user=$1 |
# If we're not in the installer, |
shift |
# we have su(1) and doas(1) is unlikely to be configured. |
|
set -o monitor # make sure ftp gets its own process group |
|
( |
|
flags=-VM |
|
"$VERBOSE" && flags=-vm |
|
if [ -x /usr/bin/su ]; then |
|
exec /usr/bin/su -s /bin/ksh "$_user" -c \ |
|
"/usr/bin/ftp -D 'Get/Verify' $flags -o- '$_src'" > "$_dst" |
|
else |
|
exec /usr/bin/doas -u "$_user" \ |
|
/usr/bin/ftp -D 'Get/Verify' $flags -o- "$_src" > "$_dst" |
|
fi |
|
) & _pid=$! |
|
set +o monitor |
|
|
if [[ $1 == -f ]]; then |
trap "kill -TERM '-$_pid' 2>/dev/null; exit 1" EXIT INT QUIT ABRT TERM |
_file=$2 |
|
shift 2 |
SECONDS=0 |
|
_last=0 |
|
while kill -0 -"$_pid" 2>/dev/null; do |
|
if [[ $SECONDS -gt 12 ]]; then |
|
set -- $( ls -ln "$_dst" 2>/dev/null ) |
|
if [[ $_last -ne $5 ]]; then |
|
_last=$5 |
|
SECONDS=0 |
|
sleep 1 |
|
else |
|
kill -INT -"$_pid" |
|
_error=" (timed out)" |
|
fi |
|
else |
|
sleep 1 |
|
fi |
|
done |
|
|
|
set +o errexit |
|
wait "$_pid" |
|
_exit=$? |
|
set -o errexit |
|
|
|
trap "" EXIT INT QUIT ABRT TERM |
|
|
|
if [ "$_exit" -ne 0 ]; then |
|
rm -f "$_dst" |
|
echo "Cannot fetch $_src$_error" >&2 |
|
return 1 |
fi |
fi |
|
} |
|
|
if [[ -n $_file ]]; then |
verify() { |
>$_file |
# On the installer we don't get sha256 -C, so fake it. |
chown "$_user" "$_file" |
if ! fgrep -qx "SHA256 (${1##*/}) = $( /bin/sha256 -qb "$1" )" "$CFILE"; then |
|
echo "Checksum test for ${1##*/} failed." >&2 |
|
return 1 |
fi |
fi |
|
} |
|
|
doas -u "$_user" "$@" |
devices_needing_firmware() { |
_rc=$? |
local _d _m _line _dmesgtail _last='' _nl=$( echo ) |
|
|
while doas -u "$_user" kill -9 -1 2>/dev/null; do |
# When we're not in the installer, the dmesg.boot can |
echo "Processes still running for user $_user after: $@" |
# contain multiple boots, so only look in the last one |
sleep 1 |
_dmesgtail="$( echo ; sed -n 'H;/^OpenBSD/h;${g;p;}' /var/run/dmesg.boot | |
done |
grep -e "^[a-z][a-z]*[0-9]" -e " not configured " )" |
|
|
[[ -n $_file ]] && chown root "$_file" |
grep -v '^[[:space:]]*#' "$FWPATTERNS" | |
|
while read -r _d _m; do |
|
[ "$_d" = "$_last" ] && continue |
|
[ "$_m" ] || _m="${_nl}${_d}[0-9] at " |
|
[ "$_m" = "${_m#^}" ] || _m="${_nl}${_m#^}" |
|
|
return $_rc |
if [[ $_dmesgtail = *$_m* ]]; then |
|
echo "$_d" |
|
_last="$_d" |
|
fi |
|
done |
} |
} |
|
|
unpriv() { |
firmware_filename() { |
do_as _sndio "$@" |
local _f |
|
_f="$( sed -n "s/.*(\($1-firmware-.*\.tgz\)).*/\1/p" "$CFILE" | sed '$!d' )" |
|
! [ "$_f" ] && echo "Unable to find firmware for $1" >&2 && return 1 |
|
echo "$_f" |
} |
} |
|
|
unpriv2() { |
firmware_devicename() { |
do_as _file "$@" |
local _d="${1##*/}" |
|
_d="${_d%-firmware-*}" |
|
echo "$_d" |
} |
} |
|
|
# "fail" needs to be replaced with the "ask_yn" loop like in the installer. |
installed_firmware() { |
_issue= |
set +o noglob |
fail() { |
for fw in "${DESTDIR}/var/db/pkg/$1-firmware"*; do |
echo $_issue >&2 |
[ -e "$fw/+CONTENTS" ] || continue |
exit 1 |
echo "${fw##*/}" |
|
done |
|
set -o noglob |
} |
} |
|
|
VNAME=$(sysctl -n kern.osrelease) |
add_firmware () { |
VERSION="${VNAME%.*}${VNAME#*.}" |
local _f="${1##*/}" _pkgname |
FWDIR="$VNAME" |
local _tmpdir="$( tmpdir "${DESTDIR}/var/db/pkg/.firmware" )" |
|
local flags=-VM |
|
"$VERBOSE" && flags=-vm |
|
ftp -D "Install" "$flags" -o- "file:${1}" | |
|
tar -s ",^\+,${_tmpdir}/+," \ |
|
-s ",^firmware,${DESTDIR}/etc/firmware," \ |
|
-C / -zxphf - "+*" "firmware/*" |
|
|
# TODO: We need the firmware for the system we just installed |
_pkgname="$( sed -n '/^@name /{s///p;q;}' "${_tmpdir}/+CONTENTS" )" |
# not the one we booted from. For example: |
if [ ! "$_pkgname" ]; then |
# * booting from a snapshot bsd.rd that thinks it is the 7.0 release |
echo "Failed to extract name from $1, partial install" 2>&1 |
# will install the firmware from the 7.0 directory instead of |
rm -rf "$_tmpdir" |
# from the snapshots dir. |
return 1 |
# If they're using sysupgrade, then the installer kernel will be correct. |
fi |
# If we're doing this in the installer we can check what they picked |
|
# for downloading sets and use that value. |
|
# Otherwise, the fw_update after first boot will fix it up for us. |
|
|
|
HTTP_FWDIR=$FWDIR |
# TODO: Should we mark these so real fw_update can -Drepair? |
set -- $(scan_dmesg "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p") |
ed -s "${_tmpdir}/+CONTENTS" <<EOL |
[[ $1 == -!(stable) ]] && HTTP_FWDIR=snapshots |
/^@comment pkgpath/ -1a |
|
@option manual-installation |
|
@option firmware |
|
@comment install-script |
|
. |
|
w |
|
EOL |
|
|
FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR} |
chmod 755 "$_tmpdir" |
FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub |
mv "$_tmpdir" "${DESTDIR}/var/db/pkg/${_pkgname}" |
FWPATTERNS="file:${0%/*}/firmware_patterns" |
} |
|
|
# TODO: support srclocal installation of firmware somehow |
delete_firmware() { |
fw_update() { |
local _cwd _pkg="$1" _pkgdir="${DESTDIR}/var/db/pkg" |
local _src=$1 _tmpfs_list _tmpfs _tmpsrc \ |
|
_t=Get _cfile="/tmp/SHA256" _pkgdir=/mnt/var/db/pkg \ |
|
_f _r _remove _i _installed |
|
local _srclocal=false _unpriv=unpriv |
|
local _d _drivers=$( |
|
last='' |
|
$_unpriv ftp -D "Detecting" -Vmo- $FWPATTERNS | |
|
while read _d _m; do |
|
grep=grep |
|
[ "$last" = "$_d" ] && continue |
|
[ "$_m" ] || _m="^$_d[0-9][0-9]* at " |
|
[ "$_m" = "${_m#^}" ] && grep=fgrep |
|
$grep -q "$_m" /var/run/dmesg.boot || continue |
|
echo $_d |
|
last=$_d |
|
done |
|
) |
|
|
|
if [ -z "$_drivers" ]; then |
# TODO: Check hash for files before deleting |
echo "No devices found which need firmware files to be downloaded." |
"$VERBOSE" && echo "Uninstalling $_pkg" |
return |
_cwd="${_pkgdir}/$_pkg" |
fi |
|
|
|
! _tmpfs_list=$(prefetcharea_fs_list) && |
set -A _remove -- "${_cwd}/+CONTENTS" "${_cwd}" |
echo "Cannot determine prefetch area" >&2 && return |
|
|
|
for _tmpfs in $_tmpfs_list; do |
while read -r c g; do |
# Try to clean up from previous runs, assuming |
case $c in |
# the _tmpfs selection yields the same mount |
@cwd) _cwd="${DESTDIR}$g" |
# point. |
;; |
for _tmpsrc in $_tmpfs/firmware.+([0-9]).+([0-9]); do |
@*) continue |
[[ -d $_tmpsrc ]] && rm -r $_tmpsrc |
;; |
done |
*) set -A _remove -- "$_cwd/$c" "${_remove[@]}" |
|
;; |
|
esac |
|
done < "${_pkgdir}/${_pkg}/+CONTENTS" |
|
|
# Create a download directory for the firmware and |
# We specifically rm -f here because not removing files/dirs |
# check that the _sndio user can read files from |
# is probably not worth failing over. |
# it. Otherwise cleanup and skip the filesystem. |
for _r in "${_remove[@]}" ; do |
if _tmpsrc=$(tmpdir "$_tmpfs/firmware"); then |
if [ -d "$_r" ]; then |
( |
# Try hard not to actually remove recursively |
>$_tmpsrc/t && |
# without rmdir on the install media. |
$_unpriv cat $_tmpsrc/t |
set +o noglob |
) >/dev/null 2>&1 && break || |
[ "$_r/*" = "$( echo "$_r"/* )" ] && rm -rf "$_r" |
rm -r $_tmpsrc |
set -o noglob |
|
else |
|
rm -f "$_r" |
fi |
fi |
done |
done |
|
} |
|
|
[[ ! -d $_tmpsrc ]] && |
usage() { |
echo "Cannot create prefetch area" >&2 && return 1 |
echo "usage: ${0##*/} [-v] [-D | -L] [driver | file ...]" |
|
exit 2 |
|
} |
|
|
# Cleanup from previous runs. |
OPT_D= |
rm -f $_cfile $_cfile.sig |
OPT_L= |
|
while getopts :DLv name |
|
do |
|
case "$name" in |
|
D) OPT_D=true ;; |
|
L) OPT_L=true ;; |
|
v) VERBOSE=true ;; |
|
?) echo "${0##*/}: unknown option -- -$OPTARG"; usage 2 ;; |
|
esac |
|
done |
|
shift $((OPTIND - 1)) |
|
|
_t=Get/Verify |
[ "$OPT_D" ] && [ "$OPT_L" ] && usage 1 |
|
|
! $_unpriv ftp -D "$_t" -Vmo - "$_src/SHA256.sig" >"$_cfile.sig" && |
if [ "$OPT_D" ]; then |
echo "Cannot fetch SHA256.sig" >&2 && return 1 |
# "Download only" means local dir and don't install |
|
INSTALL=false |
|
LOCALSRC=. |
|
elif [ "$OPT_L" ]; then |
|
# "Local" means don't download, install from local dir |
|
DOWNLOAD=false |
|
LOCALSRC=. |
|
else |
|
LOCALSRC="$( tmpdir "${DESTDIR}/tmp/${0##*/}" )" |
|
fi |
|
|
# Verify signature file with public keys. |
CFILE="$LOCALSRC/$CFILE" |
! $_unpriv -f "$_cfile" \ |
|
signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" && |
|
echo "Signature check of SHA256.sig failed" >&2 && return 1 |
|
|
|
for _d in $_drivers; do |
if "$INSTALL" && [ -x /usr/bin/id ] && [ "$(/usr/bin/id -u)" != 0 ]; then |
$UU && reset_watchdog |
echo "need root privileges" >&2 |
_f=$( sed -n "s/.*(\($_d-firmware-.*\.tgz\)).*/\1/p" "$_cfile" ) |
exit 1 |
_installed=$( |
fi |
for fw in "${_pkgdir}/$_d-firmware"*; do |
|
[ -e "$fw" ] || continue |
|
echo ${fw##*/} |
|
done |
|
) |
|
|
|
for _i in $_installed; do |
set -A devices -- "$@" |
if [ "$_f" = "$_i.tgz" ]; then |
|
echo "$_i already installed" |
|
continue 2 |
|
fi |
|
done |
|
|
|
rm -f /tmp/h /tmp/fail |
if [ ! "${devices[*]:-}" ]; then |
|
"$VERBOSE" && echo -n "Detecting firmware ..." |
|
set -A devices -- $( devices_needing_firmware ) |
|
"$VERBOSE" && |
|
{ [ "${devices[*]:-}" ] && echo " found." || echo " done." ; } |
|
fi |
|
|
# Fetch firmware file and create a checksum by piping through |
[ "${devices[*]:-}" ] || exit |
# sha256. Create a flag file in case ftp failed. Firmware |
|
# from net is written to the prefetch area. |
|
( $_unpriv ftp -D "$_t" -Vmo - "$_src/$_f" || >/tmp/fail ) | |
|
( $_srclocal && unpriv2 sha256 -b >/tmp/h || |
|
unpriv2 -f /tmp/h sha256 -bph /tmp/h >"$_tmpsrc/$_f" ) |
|
|
|
# Handle failed transfer. |
if "$DOWNLOAD"; then |
if [[ -f /tmp/fail ]]; then |
fetch "$CFILE" |
rm -f "$_tmpsrc/$_f" |
! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE" && |
echo "Fetching of $_f failed!" >&2 |
echo "Signature check of SHA256.sig failed" >&2 && exit 1 |
continue |
fi |
fi |
|
|
|
# Verify firmware by comparing its checksum with SHA256. |
added='' |
if ! fgrep -qx "SHA256 ($_f) = $(</tmp/h)" "$_cfile"; then |
updated='' |
[[ -d "$_tmpsrc" ]] && rm -rf "$_tmpsrc" |
for f in "${devices[@]}"; do |
echo "Checksum test for $_f failed." >&2 |
d="$( firmware_devicename "$f" )" |
continue |
|
fi |
|
|
|
# TODO: Check hash for files before deleting |
if [ "$f" = "$d" ]; then |
if [ "$_installed" ] && [ -e "${_pkgdir}/$_installed/+CONTENTS" ]; then |
f=$( firmware_filename "$d" || true ) |
echo "Uninstalling $_installed" |
[ "$f" ] || continue |
cwd=${_pkgdir}/$_installed |
f="$LOCALSRC/$f" |
|
elif ! "$INSTALL" && ! grep -Fq "($f)" "$CFILE" ; then |
|
echo "Cannot download local file $f" >&2 |
|
exit 2 |
|
fi |
|
|
set -A _remove -- "${cwd}/+CONTENTS" "${cwd}" |
set -A installed -- $( installed_firmware "$d" ) |
|
|
while read c g; do |
if "$INSTALL" && [ "${installed[*]:-}" ]; then |
case $c in |
for i in "${installed[@]}"; do |
@cwd) cwd="/mnt/$g" |
if [ "${f##*/}" = "$i.tgz" ]; then |
;; |
"$VERBOSE" && echo "$i already installed" |
@*) continue |
continue 2 |
;; |
fi |
*) set -A _remove -- "$cwd/$c" "${_remove[@]}" |
done |
;; |
fi |
esac |
|
done < "${_pkgdir}/$_installed/+CONTENTS" |
|
|
|
# We specifically rm -f here because not removing files/dirs |
if [ -e "$f" ]; then |
# is probably not worth failing over. |
if "$DOWNLOAD"; then |
for _r in "${_remove[@]}" ; do |
"$VERBOSE" && echo "Verify existing ${f##*/}" |
if [ -d "$_r" ]; then |
verify "$f" || continue |
# Try hard not to actually remove recursively |
# else assume it was verified when downloaded |
# without rmdir on the install media. |
|
[ "$_r/*" = $( echo "$_r"/* ) ] && rm -rf "$_r" |
|
else |
|
rm -f "$_r" |
|
fi |
|
done |
|
fi |
fi |
|
elif "$DOWNLOAD"; then |
|
fetch "$f" || continue |
|
verify "$f" || continue |
|
elif "$INSTALL"; then |
|
echo "Cannot install ${f##*/}, not found" >&2 |
|
continue |
|
fi |
|
|
# TODO: Should we mark these so real fw_update can -Drepair? |
"$INSTALL" || continue |
$_unpriv ftp -D "Install" -Vmo- "file:$_tmpsrc/$_f" | |
|
tar -s ",^\+,${_pkgdir}/${_f%.tgz}/+," \ |
|
-s ",^firmware,mnt/etc/firmware," \ |
|
-C / -zxphf - \ |
|
"+*" "firmware/*" |
|
|
|
ed -s "${_pkgdir}/${_f%.tgz}/+CONTENTS" <<EOL |
removed=false |
/^@comment pkgpath/ -1a |
if [ "${installed[*]:-}" ]; then |
@option manual-installation |
for i in "${installed[@]}"; do |
@option firmware |
delete_firmware "$i" |
@comment install-script |
removed=true |
. |
done |
w |
fi |
EOL |
|
done |
|
} |
|
|
|
fw_update "$FWURL" |
add_firmware "$f" |
|
|
|
if "$removed"; then |
|
[ "$updated" ] && updated="$updated," |
|
updated="$updated$d" |
|
else |
|
[ "$added" ] && added="$added," |
|
added="$added$d" |
|
fi |
|
done |
|
|
|
if ! $VERBOSE && { [ "$added" ] || [ "$updated" ]; }; then |
|
echo "${0##*/}: $( |
|
[ "$added" ] && echo -n "added ${added}" |
|
[ "$added" ] && [ "$updated" ] && echo -n "; " |
|
[ "$updated" ] && echo -n "updated ${updated}" |
|
)" |
|
fi |