version 1.6, 2021/10/14 02:39:43 |
version 1.34, 2021/11/19 03:47:12 |
|
|
#!/bin/ksh |
#!/bin/ksh |
set -e |
set -e |
|
|
scan_dmesg() { |
# Fake up some things from install.sub that we don't need to actually do |
# no bsort for now |
prefetcharea_fs_list() { |
sed -n "$1" /var/run/dmesg.boot |
echo "${DESTDIR}/tmp" |
} |
} |
|
|
installed_firmware() { |
# tmpdir, do_as, unpriv, and unpriv2 are from install.sub |
for fw in ${PKGDIR}/$1-firmware*; do |
|
[ -e "$fw" ] || continue |
# Create a temporary directory based on the supplied directory name prefix. |
echo ${fw##*/} |
tmpdir() { |
|
local _i=1 _dir |
|
|
|
until _dir="${1?}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do |
|
((++_i < 10000)) || return 1 |
done |
done |
|
echo "$_dir" |
} |
} |
|
|
# do_as, unpriv, and unpriv2 are from install.sub |
|
|
|
# Run a command ($2+) as unprivileged user ($1). |
# Run a command ($2+) as unprivileged user ($1). |
# Take extra care that after "cmd" no "user" processes exist. |
# Take extra care that after "cmd" no "user" processes exist. |
# |
# |
|
|
do_as _file "$@" |
do_as _file "$@" |
} |
} |
|
|
set -A _KERNV -- $( scan_dmesg '/^OpenBSD \([1-9][0-9]*\.[0-9]\)\([^ ]*\) .*/ { s//\1 \2/p; q; }' ) |
VNAME=${VNAME:-$(sysctl -n kern.osrelease)} |
VNAME=${_KERNV[0]} |
VERSION=${VERSION:-"${VNAME%.*}${VNAME#*.}"} |
OSDIR=$VNAME |
FWDIR=${FWDIR:-$VNAME} |
if ((${#_KERNV[*]} > 1)) && [ "$_KERNV[1]" = "-current" -o "$_KERNV[1]" = "-beta" ]; then |
MODE=${MODE:-install} |
OSDIR=snapshots |
|
fi |
|
|
|
FWURL=http://firmware.openbsd.org/firmware/${OSDIR} |
# TODO: We need the firmware for the system we just installed |
PKGDIR=${DESTDIR}/var/db/pkg |
# not the one we booted from. For example: |
PATTERNS="file:${0%/*}/firmware_patterns" |
# * booting from a snapshot bsd.rd that thinks it is the 7.0 release |
|
# will install the firmware from the 7.0 directory instead of |
|
# from the snapshots dir. |
|
# If they're using sysupgrade, then the installer kernel will be correct. |
|
# If we're doing this in the installer we can check what they picked |
|
# for downloading sets and use that value. |
|
# Otherwise, the fw_update after first boot will fix it up for us. |
|
|
drivers=$( |
HTTP_FWDIR=$FWDIR |
last='' |
set -- sed -n "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p" /var/run/dmesg.boot |
ftp -D "Detecting" -Vmo- $PATTERNS | |
[[ $1 == -!(stable) ]] && HTTP_FWDIR=snapshots |
while read d m; do |
|
grep=grep |
|
[ "$last" = "$d" ] && continue |
|
[ "$m" ] || m="^$d[0-9][0-9]* at " |
|
[ "$m" = "${m#^}" ] && grep=fgrep |
|
$grep -q "$m" /var/run/dmesg.boot || continue |
|
echo $d |
|
last=$d |
|
done |
|
) |
|
|
|
if [ -z "$drivers" ]; then |
FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR} |
echo "No devices found which need firmware files to be downloaded." >&2 |
FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub |
exit 0 |
FWPATTERNS="file:${0%/*}/firmware_patterns" |
fi |
|
|
|
tmpdir=${DESTDIR}/tmp/fw_update |
# TODO: support srclocal installation of firmware somehow |
[ -e "$tmpdir" ] && rm -rf "$tmpdir" |
fw_update() { |
mkdir -p "$tmpdir" |
local _src=$1 _tmpfs_list _tmpfs _tmpsrc \ |
cd "$tmpdir" |
_t=Get _cfile="/tmp/SHA256" _pkgdir=${DESTDIR}/var/db/pkg \ |
|
_f _r _remove _i _installed |
|
local _srclocal=false _unpriv=unpriv |
|
|
# TODO: Drop privs during fetch and verify |
echo "Let's $MODE firmware!" |
ftp -D Get -Vm "$FWURL/SHA256.sig" |
local _d _drivers=$( |
|
last='' |
|
$_unpriv ftp -D "Detecting" -Vmo- $FWPATTERNS | |
|
while read _d _m; do |
|
grep=grep |
|
[ "$last" = "$_d" ] && continue |
|
[ "$_m" ] || _m="^$_d[0-9][0-9]* at " |
|
[ "$_m" = "${_m#^}" ] && grep=fgrep |
|
$grep -q "$_m" /var/run/dmesg.boot || continue |
|
echo $_d |
|
last=$_d |
|
done |
|
) |
|
|
# Probably should bundle the firmware sigfile on the installer, |
if [ -z "$_drivers" ]; then |
# although we can just get it from the recently installed system. |
echo "No devices found which need firmware files to be downloaded." |
if [ "$DESTDIR" ]; then |
return |
sigfile=$( sed -n '/^untrusted comment: verify with \(.*\)$/ { s//\1/p; q; }' SHA256.sig ) |
|
if [ ! -e "/etc/signify/$sigfile" ] \ |
|
&& [ -e "${DESTDIR}/etc/signify/$sigfile" ]; then |
|
cp -a "${DESTDIR}/etc/signify/$sigfile" "/etc/signify/$sigfile" |
|
fi |
fi |
fi |
|
|
|
signify -Ve -x SHA256.sig -m - < SHA256.sig > SHA256 |
! _tmpfs_list=$(prefetcharea_fs_list) && |
|
echo "Cannot determine prefetch area" >&2 && return |
|
|
for d in $drivers; do |
for _tmpfs in $_tmpfs_list; do |
firmware=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" SHA256 ) |
# Try to clean up from previous runs, assuming |
installed=$( installed_firmware $d ) |
# the _tmpfs selection yields the same mount |
|
# point. |
|
for _tmpsrc in $_tmpfs/firmware.+([0-9]).+([0-9]); do |
|
[[ -d $_tmpsrc ]] && rm -r $_tmpsrc |
|
done |
|
|
for i in $installed; do |
# Create a download directory for the firmware and |
if [ "$firmware" = "$i.tgz" ]; then |
# check that the _sndio user can read files from |
echo "Firmware for $d already installed ($installed)" |
# it. Otherwise cleanup and skip the filesystem. |
continue 2 |
if _tmpsrc=$(tmpdir "$_tmpfs/firmware"); then |
|
( |
|
>$_tmpsrc/t && |
|
$_unpriv cat $_tmpsrc/t |
|
) >/dev/null 2>&1 && break || |
|
rm -r $_tmpsrc |
fi |
fi |
done |
done |
|
|
mkdir $d |
[[ ! -d $_tmpsrc ]] && |
|
echo "Cannot create prefetch area" >&2 && return 1 |
|
|
# TODO: Drop privs during fetch and verify |
# Cleanup from previous runs. |
ftp -D "Get/Verify" -Vmo- "$FWURL/$firmware" | sha256 -bph "$d/h" > "$firmware" |
rm -f $_cfile $_cfile.sig |
fgrep -qx "SHA256 ($firmware) = $(<$d/h)" SHA256 |
|
|
|
# TODO: Check hash for files before deleting |
_t=Get/Verify |
if [ "$installed" ] && [ -e "${PKGDIR}/$installed/+CONTENTS" ]; then |
|
echo "Uninstalling $installed" |
|
cwd=${PKGDIR}/$installed |
|
|
|
remove="${cwd}/+CONTENTS ${cwd}" |
! $_unpriv ftp -D "$_t" -Vmo - "$_src/SHA256.sig" >"$_cfile.sig" && |
|
echo "Cannot fetch SHA256.sig" >&2 && return 1 |
|
|
while read c g; do |
# Verify signature file with public keys. |
case $c in |
! $_unpriv -f "$_cfile" \ |
@cwd) cwd=$g |
signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" && |
;; |
echo "Signature check of SHA256.sig failed" >&2 && return 1 |
@*) continue |
|
;; |
|
*) remove="$cwd/$c $remove" |
|
;; |
|
esac |
|
done < "${PKGDIR}/$installed/+CONTENTS" |
|
|
|
for r in $remove ; do |
for _d in $_drivers; do |
if [ -d "$r" ]; then |
_f=$( sed -n "s/.*(\($_d-firmware-.*\.tgz\)).*/\1/p" "$_cfile" ) |
# Try hard not to actually remove recursively |
_installed=$( |
# without rmdir on the install media. |
for fw in "${_pkgdir}/$_d-firmware"*; do |
[ "$r/*" = $( echo "$r"/* ) ] && rm -rf "$r" |
[ -e "$fw" ] || continue |
else |
echo ${fw##*/} |
rm -f "$r" |
done |
|
) |
|
|
|
for _i in $_installed; do |
|
if [ "$_f" = "$_i.tgz" ]; then |
|
echo "$_i already installed" |
|
continue 2 |
fi |
fi |
done |
done |
fi |
|
|
|
# TODO: Add some details about the install to +CONTENTS like pkg_add |
rm -f /tmp/h /tmp/fail |
# TODO: Or, maybe we save the firmware someplace and make pkg_add reinstall |
|
echo "Installing $firmware" |
# Fetch firmware file and create a checksum by piping through |
tar -zxphf "$firmware" -C /etc "firmware/*" |
# sha256. Create a flag file in case ftp failed. Firmware |
mkdir -p ${PKGDIR}/${firmware%.tgz}/ |
# from net is written to the prefetch area. |
tar -zxphf "$firmware" -C "${PKGDIR}/${firmware%.tgz}" "+*" |
( $_unpriv ftp -D "$_t" -Vmo - "$_src/$_f" || >/tmp/fail ) | |
ed -s "${PKGDIR}/${firmware%.tgz}/+CONTENTS" <<EOL |
( $_srclocal && unpriv2 sha256 -b >/tmp/h || |
|
unpriv2 -f /tmp/h sha256 -bph /tmp/h >"$_tmpsrc/$_f" ) |
|
|
|
# Handle failed transfer. |
|
if [[ -f /tmp/fail ]]; then |
|
rm -f "$_tmpsrc/$_f" |
|
echo "Fetching of $_f failed!" >&2 |
|
continue |
|
fi |
|
|
|
# Verify firmware by comparing its checksum with SHA256. |
|
if ! fgrep -qx "SHA256 ($_f) = $(</tmp/h)" "$_cfile"; then |
|
[[ -d "$_tmpsrc" ]] && rm -rf "$_tmpsrc" |
|
echo "Checksum test for $_f failed." >&2 |
|
continue |
|
fi |
|
|
|
# TODO: Check hash for files before deleting |
|
if [ "$_installed" ] && [ -e "${_pkgdir}/$_installed/+CONTENTS" ]; then |
|
echo "Uninstalling $_installed" |
|
cwd=${_pkgdir}/$_installed |
|
|
|
set -A _remove -- "${cwd}/+CONTENTS" "${cwd}" |
|
|
|
while read c g; do |
|
case $c in |
|
@cwd) cwd="${DESTDIR}/$g" |
|
;; |
|
@*) continue |
|
;; |
|
*) set -A _remove -- "$cwd/$c" "${_remove[@]}" |
|
;; |
|
esac |
|
done < "${_pkgdir}/$_installed/+CONTENTS" |
|
|
|
# We specifically rm -f here because not removing files/dirs |
|
# is probably not worth failing over. |
|
for _r in "${_remove[@]}" ; do |
|
if [ -d "$_r" ]; then |
|
# Try hard not to actually remove recursively |
|
# without rmdir on the install media. |
|
[ "$_r/*" = $( echo "$_r"/* ) ] && rm -rf "$_r" |
|
else |
|
rm -f "$_r" |
|
fi |
|
done |
|
fi |
|
|
|
# TODO: Should we mark these so real fw_update can -Drepair? |
|
ftp -D "Install" -Vmo- "file:$_tmpsrc/$_f" | |
|
tar -s ",^\+,${_pkgdir}/${_f%.tgz}/+," \ |
|
-s ",^firmware,${DESTDIR}/etc/firmware," \ |
|
-C / -zxphf - "+*" "firmware/*" |
|
|
|
ed -s "${_pkgdir}/${_f%.tgz}/+CONTENTS" <<EOL |
/^@comment pkgpath/ -1a |
/^@comment pkgpath/ -1a |
@option manual-installation |
@option manual-installation |
@option firmware |
@option firmware |
|
|
. |
. |
w |
w |
EOL |
EOL |
done |
done |
|
} |
|
|
|
fw_update "$FWURL" |