version 1.3, 2021/10/05 01:48:59 |
version 1.8, 2021/10/16 19:31:13 |
|
|
done |
done |
} |
} |
|
|
set -A _KERNV -- $( scan_dmesg '/^OpenBSD \([1-9][0-9]*\.[0-9]\)\([^ ]*\) .*/ { s//\1 \2/p; q; }' ) |
# tmpdir, do_as, unpriv, and unpriv2 are from install.sub |
VNAME=${_KERNV[0]} |
|
OSDIR=$VNAME |
|
if ((${#_KERNV[*]} > 1)) && [ "$_KERNV[1]" = "-current" -o "$_KERNV[1]" = "-beta" ]; then |
|
OSDIR=snapshots |
|
fi |
|
|
|
FWURL=http://firmware.openbsd.org/firmware/${OSDIR} |
# Create a temporary directory based on the supplied directory name prefix. |
|
tmpdir() { |
|
local _i=1 _dir |
|
|
|
until _dir="${1?}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do |
|
((++_i < 10000)) || return 1 |
|
done |
|
echo "$_dir" |
|
} |
|
|
|
# Run a command ($2+) as unprivileged user ($1). |
|
# Take extra care that after "cmd" no "user" processes exist. |
|
# |
|
# Optionally: |
|
# - create "file" and chown it to "user" |
|
# - after "cmd", chown "file" back to root |
|
# |
|
# Usage: do_as user [-f file] cmd |
|
do_as() { |
|
(( $# >= 2 )) || return |
|
|
|
local _file _rc _user=$1 |
|
shift |
|
|
|
if [[ $1 == -f ]]; then |
|
_file=$2 |
|
shift 2 |
|
fi |
|
|
|
if [[ -n $_file ]]; then |
|
>$_file |
|
chown "$_user" "$_file" |
|
fi |
|
|
|
doas -u "$_user" "$@" |
|
_rc=$? |
|
|
|
while doas -u "$_user" kill -9 -1 2>/dev/null; do |
|
echo "Processes still running for user $_user after: $@" |
|
sleep 1 |
|
done |
|
|
|
[[ -n $_file ]] && chown root "$_file" |
|
|
|
return $_rc |
|
} |
|
|
|
unpriv() { |
|
do_as _sndio "$@" |
|
} |
|
|
|
unpriv2() { |
|
do_as _file "$@" |
|
} |
|
|
|
_issue= |
|
fail() { |
|
echo $_issue >&2 |
|
exit 1 |
|
} |
|
|
|
VNAME=$(sysctl -n kern.osrelease) |
|
VERSION="${VNAME%.*}${VNAME#*.}" |
|
FWDIR="$VNAME" |
|
|
|
HTTP_FWDIR=$FWDIR |
|
set -- $(scan_dmesg "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p") |
|
[[ $1 == -!(stable) ]] && HTTP_FWDIR=snapshots |
|
|
|
FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR} |
|
FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub |
PKGDIR=${DESTDIR}/var/db/pkg |
PKGDIR=${DESTDIR}/var/db/pkg |
PATTERNS="file:${0%/*}/firmware_patterns" |
PATTERNS="file:${0%/*}/firmware_patterns" |
|
|
|
|
last='' |
last='' |
ftp -D "Detecting" -Vmo- $PATTERNS | |
ftp -D "Detecting" -Vmo- $PATTERNS | |
while read d m; do |
while read d m; do |
grep=fgrep |
grep=grep |
[ "$last" = "$d" ] && continue |
[ "$last" = "$d" ] && continue |
[ "$m" ] || m="^$d[0-9][0-9]* at " |
[ "$m" ] || m="^$d[0-9][0-9]* at " |
[ "$m" != "${m#^}" ] && grep=grep |
[ "$m" = "${m#^}" ] && grep=fgrep |
$grep -q "$m" /var/run/dmesg.boot || continue |
$grep -q "$m" /var/run/dmesg.boot || continue |
echo $d |
echo $d |
last=$d |
last=$d |
|
|
exit 0 |
exit 0 |
fi |
fi |
|
|
tmpdir=${DESTDIR}/tmp/fw_update |
_src=$FWURL |
[ -e "$tmpdir" ] && rm -rf "$tmpdir" |
if _tmpsrc=$( tmpdir "${DESTDIR}/tmp/fw_update" ); then |
mkdir -p "$tmpdir" |
( |
cd "$tmpdir" |
>$_tmpsrc/t && |
|
$_unpriv cat $_tmpsrc/t |
|
) >/dev/null 2>&1 || |
|
rm -r $_tmpsrc |
|
fi |
|
|
# TODO: Drop privs during fetch and verify |
[[ ! -d $_tmpsrc ]] && |
ftp -D Get -Vm "$FWURL/SHA256.sig" |
_issue="Cannot create prefetch area" && fail |
|
|
# Probably should bundle the firmware sigfile on the installer, |
cd "$_tmpsrc" |
# although we can just get it from the recently installed system. |
|
if [ "$DESTDIR" ]; then |
|
sigfile=$( sed -n '/^untrusted comment: verify with \(.*\)$/ { s//\1/p; q; }' SHA256.sig ) |
|
if [ ! -e "/etc/signify/$sigfile" ] \ |
|
&& [ -e "${DESTDIR}/etc/signify/$sigfile" ]; then |
|
cp -a "${DESTDIR}/etc/signify/$sigfile" "/etc/signify/$sigfile" |
|
fi |
|
fi |
|
|
|
signify -Ve -x SHA256.sig -m - < SHA256.sig > SHA256 |
_t=Get |
|
_cfile="$_tmpsrc/SHA256" |
|
_srclocal=false |
|
|
|
! $_unpriv ftp -D "$_t" -Vmo - "$_src/SHA256.sig" >"$_cfile.sig" && |
|
_issue="Cannot fetch SHA256.sig" && fail |
|
|
|
# Verify signature file with public keys. |
|
! unpriv -f "$_cfile" \ |
|
signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" && |
|
_issue="Signature check of SHA256.sig failed" && fail |
|
|
for d in $drivers; do |
for d in $drivers; do |
firmware=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" SHA256 ) |
_f=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" "$_cfile" ) |
installed=$( installed_firmware $d ) |
installed=$( installed_firmware "$d" ) |
|
|
for i in $installed; do |
for i in $installed; do |
if [ "$firmware" = "$i.tgz" ]; then |
if [ "$_f" = "$i.tgz" ]; then |
echo "Firmware for $d already installed ($installed)" |
echo "Firmware for $d already installed ($installed)" |
continue 2 |
continue 2 |
fi |
fi |
done |
done |
|
|
mkdir $d |
rm -f /tmp/h /tmp/fail |
|
|
# TODO: Drop privs during fetch and verify |
_t=Get/Verify |
ftp -D "Get/Verify" -Vmo- "$FWURL/$firmware" | sha256 -bph "$d/h" > "$firmware" |
# Fetch firmware file and create a checksum by piping through |
fgrep -qx "SHA256 ($firmware) = $(<$d/h)" SHA256 |
# sha256. Create a flag file in case ftp failed. Firmware |
|
# from net is written to the prefetch area. |
|
( $_unpriv ftp -D "$_t" -Vmo - "$_src/$_f" || >/tmp/fail ) | |
|
( $_srclocal && unpriv2 sha256 -b >/tmp/h || |
|
unpriv2 -f /tmp/h sha256 -bph /tmp/h >"$_tmpsrc/$_f" ) |
|
|
|
# Handle failed transfer. |
|
if [[ -f /tmp/fail ]]; then |
|
rm -f "$_tmpsrc/$_f" |
|
_issue="Fetching of $_f failed!" |
|
fail |
|
fi |
|
|
|
# Verify firmware by comparing its checksum with SHA256. |
|
if fgrep -qx "SHA256 ($_f) = $(</tmp/h)" "$_cfile"; then |
|
#_unver=$(rmel $_f $_unver) |
|
true |
|
else |
|
[[ -d "$_tmpsrc" ]] && rm -rf "$_tmpsrc" |
|
_issue="Checksum test for $_f failed." |
|
fail |
|
fi |
|
|
# TODO: Check hash for files before deleting |
# TODO: Check hash for files before deleting |
if [ "$installed" ] && [ -e "${PKGDIR}/$installed/+CONTENTS" ]; then |
if [ "$installed" ] && [ -e "${PKGDIR}/$installed/+CONTENTS" ]; then |
echo "Uninstalling $installed" |
echo "Uninstalling $installed" |
|
|
|
|
# TODO: Add some details about the install to +CONTENTS like pkg_add |
# TODO: Add some details about the install to +CONTENTS like pkg_add |
# TODO: Or, maybe we save the firmware someplace and make pkg_add reinstall |
# TODO: Or, maybe we save the firmware someplace and make pkg_add reinstall |
echo "Installing $firmware" |
echo "Installing $_f" |
tar -zxphf "$firmware" -C /etc "firmware/*" |
tar -zxphf "$_f" -C /etc "firmware/*" |
mkdir -p ${PKGDIR}/${firmware%.tgz}/ |
mkdir -p ${PKGDIR}/${firmware%.tgz}/ |
tar -zxphf "$firmware" -C "${PKGDIR}/${firmware%.tgz}" "+*" |
tar -zxphf "$_f" -C "${PKGDIR}/${firmware%.tgz}" "+*" |
ed -s "${PKGDIR}/${firmware%.tgz}/+CONTENTS" <<EOL |
ed -s "${PKGDIR}/${firmware%.tgz}/+CONTENTS" <<EOL |
/^@comment pkgpath/ -1a |
/^@comment pkgpath/ -1a |
@option manual-installation |
@option manual-installation |
@option firmware |
@option firmware |