[BACK]Return to fw_install.sh CVS log [TXT][DIR] Up to [local] / openbsd / fw_update

Diff for /openbsd/fw_update/fw_install.sh between version 1.7 and 1.51

version 1.7, 2021/10/14 03:00:02 version 1.51, 2021/12/07 02:42:01
Line 1 
Line 1 
 #!/bin/ksh  #!/bin/ksh
 set -e  #       $OpenBSD$
   #
   # Copyright (c) 2021 Andrew Hewus Fresh <afresh1@openbsd.org>
   #
   # Permission to use, copy, modify, and distribute this software for any
   # purpose with or without fee is hereby granted, provided that the above
   # copyright notice and this permission notice appear in all copies.
   #
   # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
   # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
   # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
   # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
   # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
   
 scan_dmesg() {  set -o errexit -o pipefail -o nounset
         # no bsort for now  
         sed -n "$1" /var/run/dmesg.boot  
 }  
   
 installed_firmware() {  CFILE=SHA256.sig
         for fw in ${PKGDIR}/$1-firmware*; do  DESTDIR=${DESTDIR:-}
                 [ -e "$fw" ] || continue  FWPATTERNS="${DESTDIR}/usr/share/misc/firmware_patterns"
                 echo ${fw##*/}  
         done  
 }  
   
 # do_as, unpriv, and unpriv2 are from install.sub  VNAME=${VNAME:-$(sysctl -n kern.osrelease)}
   VERSION=${VERSION:-"${VNAME%.*}${VNAME#*.}"}
   
 # Run a command ($2+) as unprivileged user ($1).  HTTP_FWDIR="$VNAME"
 # Take extra care that after "cmd" no "user" processes exist.  VTYPE=$( sed -n "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p" /var/run/dmesg.boot | sed '$!d' )
 #  [[ $VTYPE == -!(stable) ]] && HTTP_FWDIR=snapshots
 # Optionally:  
 #       - create "file" and chown it to "user"  
 #       - after "cmd", chown "file" back to root  
 #  
 # Usage: do_as user [-f file] cmd  
 do_as() {  
         (( $# >= 2 )) || return  
   
         local _file _rc _user=$1  FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR}
         shift  FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub
   
         if [[ $1 == -f ]]; then  tmpdir() {
                 _file=$2          local _i=1 _dir
                 shift 2  
         fi  
   
         if [[ -n $_file ]]; then          # If we're not in the installer,
                 >$_file          # we have mktemp and a more hostile environment
                 chown "$_user" "$_file"          if [ -x /usr/bin/mktemp ]; then
                   _dir=$( mktemp -d "${1}-XXXXXXXXX" )
           else
                   until _dir="${1}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do
                       ((++_i < 10000)) || return 1
                   done
         fi          fi
   
         doas -u "$_user" "$@"          echo "$_dir"
         _rc=$?  }
   
         while doas -u "$_user" kill -9 -1 2>/dev/null; do  fetch() {
                 echo "Processes still running for user $_user after: $@"          local _file=$1 _user=_file _exit
                 sleep 1  
         done  
   
         [[ -n $_file ]] && chown root "$_file"          >"$_file"
           chown "$_user" "$_file"
   
         return $_rc          # If we're not in the installer, we have su(1)
 }          # and doas(1) is unlikely to be configured.
           if [ -x /usr/bin/sh ]; then
                   /usr/bin/su -s /bin/ksh "$_user" -c \
                       "/usr/bin/ftp -D 'Get/Verify' -Vm \
                           -o '$_file' '${FWURL}/${_file}'"
                   _exit="$?"
           else
                   /usr/bin/doas -u "$_user" \
                       ftp -D 'Get/Verify' -Vm \
                           -o "$_file" "${FWURL}/${_file}"
                   _exit="$?"
           fi
   
 unpriv() {          if [ "$_exit" -ne 0 ]; then
         do_as _sndio "$@"                  rm -f "$_file"
                   echo "Cannot fetch $_file" >&2
                   return 1
           fi
   
           chown root "$_file"
 }  }
   
 unpriv2() {  verify() {
         do_as _file "$@"          # On the installer we don't get sha256 -C, so fake it.
           if ! fgrep -qx "SHA256 ($1) = $( /bin/sha256 -qb "$1" )" "$CFILE"; then
                   echo "Checksum test for $1 failed." >&2
                   return 1
           fi
 }  }
   
 VNAME=$(sysctl -n kern.osrelease)  devices_needing_firmware() {
 VERSION="${VNAME%.*}${VNAME#*.}"          local _d _m _grep _dmesgtail _last=''
 FWDIR="$VNAME"  
   
 HTTP_FWDIR=$FWDIR          # When we're not in the installer, the dmesg.boot can
 set -- $(scan_dmesg "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p")          # contain multiple boots, so only look in the last one
 [[ $1 == -!(stable) ]] && HTTP_FWDIR=snapshots          _dmesgtail=$( sed -n 'H;/^OpenBSD/h;${g;p;}' /var/run/dmesg.boot )
   
 FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR}          grep -v '^[[:space:]]*#' "$FWPATTERNS" |
 FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub              while read -r _d _m; do
 PKGDIR=${DESTDIR}/var/db/pkg                  _grep="grep"
 PATTERNS="file:${0%/*}/firmware_patterns"                  [ "$_last" = "$_d" ] && continue
                   [ "$_m" ] || _m="^${_d}[0-9][0-9]* at "
                   [ "$_m" = "${_m#^}" ] && _grep="fgrep"
   
 drivers=$(                  echo "$_dmesgtail" | $_grep -q "$_m" || continue
         last=''                  echo "$_d"
         ftp -D "Detecting" -Vmo- $PATTERNS |                  _last="$_d"
         while read d m; do  
                 grep=grep  
                 [ "$last" = "$d" ] && continue  
                 [ "$m" ] || m="^$d[0-9][0-9]* at "  
                 [ "$m" = "${m#^}" ] && grep=fgrep  
                 $grep -q "$m" /var/run/dmesg.boot || continue  
                 echo $d  
                 last=$d  
         done          done
 )  }
   
 if [ -z "$drivers" ]; then  firmware_filename() {
         echo "No devices found which need firmware files to be downloaded." >&2          sed -n "s/.*(\($1-firmware-.*\.tgz\)).*/\1/p" "$CFILE" | sed '$!d'
         exit 0  }
 fi  
   
 tmpdir=${DESTDIR}/tmp/fw_update  installed_firmware() {
 [ -e "$tmpdir" ] && rm -rf "$tmpdir"          for fw in "${DESTDIR}/var/db/pkg/$1-firmware"*; do
 mkdir -p "$tmpdir"                  [ -e "$fw" ] || continue
 cd "$tmpdir"                  echo "${fw##*/}"
           done
   }
   
 # TODO: Drop privs during fetch and verify  add_firmware () {
 ftp -D Get -Vm "$FWURL/SHA256.sig"          local _f="$1" _pkgdir="${DESTDIR}/var/db/pkg"
           ftp -D "Install" -Vmo- "file:${1}" |
                   tar -s ",^\+,${_pkgdir}/${_f%.tgz}/+," \
                   -s ",^firmware,${DESTDIR}/etc/firmware," \
                   -C / -zxphf - "+*" "firmware/*"
   
 # Probably should bundle the firmware sigfile on the installer,          # TODO: Should we mark these so real fw_update can -Drepair?
 # although we can just get it from the recently installed system.          ed -s "${_pkgdir}/${_f%.tgz}/+CONTENTS" <<EOL
 if [ "$DESTDIR" ]; then  /^@comment pkgpath/ -1a
         sigfile=$( sed -n '/^untrusted comment: verify with \(.*\)$/ { s//\1/p; q; }' SHA256.sig )  @option manual-installation
         if [ ! -e "/etc/signify/$sigfile" ] \  @option firmware
           && [ -e "${DESTDIR}/etc/signify/$sigfile" ]; then  @comment install-script
                 cp -a "${DESTDIR}/etc/signify/$sigfile" "/etc/signify/$sigfile"  .
         fi  w
 fi  EOL
   }
   
 signify -Ve -x SHA256.sig -m - < SHA256.sig > SHA256  delete_firmware() {
           local _cwd _pkg="$1" _pkgdir="${DESTDIR}/var/db/pkg"
   
 for d in $drivers; do          # TODO: Check hash for files before deleting
         firmware=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" SHA256 )          echo "Uninstalling $_pkg"
         installed=$( installed_firmware $d )          _cwd="${_pkgdir}/$_pkg"
   
         for i in $installed; do          set -A _remove -- "${_cwd}/+CONTENTS" "${_cwd}"
                 if [ "$firmware" = "$i.tgz" ]; then  
                         echo "Firmware for $d already installed ($installed)"          while read -r c g; do
                         continue 2                  case $c in
                   @cwd) _cwd="${DESTDIR}$g"
                     ;;
                   @*) continue
                     ;;
                   *)  set -A _remove -- "$_cwd/$c" "${_remove[@]}"
                     ;;
                   esac
           done < "${_pkgdir}/${_pkg}/+CONTENTS"
   
           # We specifically rm -f here because not removing files/dirs
           # is probably not worth failing over.
           for _r in "${_remove[@]}" ; do
                   if [ -d "$_r" ]; then
                           # Try hard not to actually remove recursively
                           # without rmdir on the install media.
                           [ "$_r/*" = "$( echo "$_r"/* )" ] && rm -rf "$_r"
                   else
                           rm -f "$_r"
                 fi                  fi
         done          done
   }
   
         mkdir $d  set -A devices -- $( devices_needing_firmware )
   
         # TODO: Drop privs during fetch and verify  if [ ! "${devices:-}" ]; then
         ftp -D "Get/Verify" -Vmo- "$FWURL/$firmware" | sha256 -bph "$d/h" > "$firmware"          echo "No devices found which need firmware files to be downloaded."
         fgrep -qx "SHA256 ($firmware) = $(<$d/h)" SHA256          exit
   fi
   
         # TODO: Check hash for files before deleting  TMPDIR=$( tmpdir "${DESTDIR}/tmp/fw_install" )
         if [ "$installed" ] && [ -e "${PKGDIR}/$installed/+CONTENTS" ]; then  cd "$TMPDIR"
                 echo "Uninstalling $installed"  
                 cwd=${PKGDIR}/$installed  
   
                 remove="${cwd}/+CONTENTS ${cwd}"  # To unpriv we need to let the unpriv user into this dir
   chmod go+x .
   
                 while read c g; do  fetch "$CFILE"
                         case $c in  ! signify -Vep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE" &&
                         @cwd) cwd=$g      echo "Signature check of SHA256.sig failed" >&2 && exit 1
                           ;;  
                         @*) continue  
                           ;;  
                         *)  remove="$cwd/$c $remove"  
                           ;;  
                         esac  
                 done < "${PKGDIR}/$installed/+CONTENTS"  
   
                 for r in $remove ; do  for d in "${devices[@]}"; do
                         if [ -d "$r" ]; then          f=$( firmware_filename "$d" )
                                 # Try hard not to actually remove recursively          [ "$f" ] || continue
                                 # without rmdir on the install media.          set -A installed -- $( installed_firmware "$d" )
                                 [ "$r/*" = $( echo "$r"/* ) ] && rm -rf "$r"  
                         else          if [ "${installed:-}" ]; then
                                 rm -f "$r"                  for i in "${installed[@]:-}"; do
                           if [ "$f" = "$i.tgz" ]; then
                                   echo "$i already installed"
                                   continue 2
                         fi                          fi
                 done                  done
         fi          fi
   
         # TODO: Add some details about the install to +CONTENTS like pkg_add          fetch  "$f" || continue
         # TODO: Or, maybe we save the firmware someplace and make pkg_add reinstall          verify "$f" || continue
         echo "Installing $firmware"  
         tar -zxphf "$firmware" -C /etc "firmware/*"          if [ "${installed:-}" ]; then
         mkdir -p ${PKGDIR}/${firmware%.tgz}/                  for i in "${installed[@]}"; do
         tar -zxphf "$firmware" -C "${PKGDIR}/${firmware%.tgz}" "+*"                          delete_firmware "$i"
         ed -s "${PKGDIR}/${firmware%.tgz}/+CONTENTS" <<EOL                  done
 /^@comment pkgpath/ -1a          fi
 @option manual-installation  
 @option firmware          add_firmware "$f"
 @comment install-script  
 .  
 w  
 EOL  
 done  done
   
Legend:
Removed from v.1.7  
changed lines
  Added in v.1.51
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>