=================================================================== RCS file: /cvs/openbsd/fw_update/fw_install.sh,v retrieving revision 1.1 retrieving revision 1.18 diff -u -r1.1 -r1.18 --- openbsd/fw_update/fw_install.sh 2021/09/30 04:06:56 1.1 +++ openbsd/fw_update/fw_install.sh 2021/10/18 00:33:07 1.18 @@ -13,107 +13,211 @@ done } -set -A _KERNV -- $( scan_dmesg '/^OpenBSD \([1-9][0-9]*\.[0-9]\)\([^ ]*\) .*/ { s//\1 \2/p; q; }' ) -VNAME=${_KERNV[0]} -OSDIR=$VNAME -if ((${#_KERNV[*]} > 1)) && [ "$_KERNV[1]" = "-current" -o "$_KERNV[1]" = "-beta" ]; then - OSDIR=snapshots -fi +# tmpdir, do_as, unpriv, and unpriv2 are from install.sub -FWURL=http://firmware.openbsd.org/firmware/${OSDIR} -PKGDIR=${DESTDIR}/var/db/pkg -PATTERNS="file:${0%/*}/firmware_patterns" +# Create a temporary directory based on the supplied directory name prefix. +tmpdir() { + local _i=1 _dir -drivers=$( - last='' - ftp -D "Detecting" -Vmo- $PATTERNS | - while read d m; do - [ "$last" = "$d" ] && continue - [ "$m" ] || m="^$d[0-9][0-9]* at " - [ "$( scan_dmesg "/$m/ { p; q; }" )" ] || continue - echo $d - last=$d + until _dir="${1?}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do + ((++_i < 10000)) || return 1 done -) + echo "$_dir" +} -if [ -z "$drivers" ]; then - echo "No devices found which need firmware files to be downloaded." >&2 - exit 0 -fi +# Run a command ($2+) as unprivileged user ($1). +# Take extra care that after "cmd" no "user" processes exist. +# +# Optionally: +# - create "file" and chown it to "user" +# - after "cmd", chown "file" back to root +# +# Usage: do_as user [-f file] cmd +do_as() { + (( $# >= 2 )) || return -tmpdir=${DESTDIR}/tmp/fw_update -[ -e "$tmpdir" ] && rm -rf "$tmpdir" -mkdir -p "$tmpdir" -cd "$tmpdir" + local _file _rc _user=$1 + shift -# TODO: Drop privs during fetch and verify -ftp -D Get -Vm "$FWURL/SHA256.sig" + if [[ $1 == -f ]]; then + _file=$2 + shift 2 + fi -# Probably should bundle the firmware sigfile on the installer, -# although we can just get it from the recently installed system. -if [ "$DESTDIR" ]; then - sigfile=$( sed -n '/^untrusted comment: verify with \(.*\)$/ { s//\1/p; q; }' SHA256.sig ) - if [ ! -e "/etc/signify/$sigfile" ] \ - && [ -e "${DESTDIR}/etc/signify/$sigfile" ]; then - cp -a "${DESTDIR}/etc/signify/$sigfile" "/etc/signify/$sigfile" + if [[ -n $_file ]]; then + >$_file + chown "$_user" "$_file" fi -fi -signify -Ve -x SHA256.sig -m - < SHA256.sig > SHA256 + doas -u "$_user" "$@" + _rc=$? -for d in $drivers; do - firmware=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" SHA256 ) - installed=$( installed_firmware $d ) - - for i in $installed; do - if [ "$firmware" = "$i.tgz" ]; then - echo "Firmware for $d already installed ($installed)" - continue 2 - fi + while doas -u "$_user" kill -9 -1 2>/dev/null; do + echo "Processes still running for user $_user after: $@" + sleep 1 done - mkdir $d + [[ -n $_file ]] && chown root "$_file" - # TODO: Drop privs during fetch and verify - ftp -D "Get/Verify" -Vmo- "$FWURL/$firmware" | sha256 -bph "$d/h" > "$firmware" - fgrep -qx "SHA256 ($firmware) = $(<$d/h)" SHA256 + return $_rc +} - # TODO: Check hash for files before deleting - if [ "$installed" ] && [ -e "${PKGDIR}/$installed/+CONTENTS" ]; then - echo "Uninstalling $installed" - cwd=${PKGDIR}/$installed +unpriv() { + do_as _sndio "$@" +} - remove="${cwd}/+CONTENTS ${cwd}" +unpriv2() { + do_as _file "$@" +} - while read c g; do - case $c in - @cwd) cwd=$g - ;; - @*) continue - ;; - *) remove="$cwd/$c $remove" - ;; - esac - done < "${PKGDIR}/$installed/+CONTENTS" +_issue= +fail() { + echo $_issue >&2 + exit 1 +} - for r in $remove ; do - if [ -d "$r" ]; then - # Try hard not to actually remove recursively - # without rmdir on the install media. - [ "$r/*" = $( echo "$r"/* ) ] && rm -rf "$r" - else - rm -f "$r" - fi +VNAME=$(sysctl -n kern.osrelease) +VERSION="${VNAME%.*}${VNAME#*.}" +FWDIR="$VNAME" + +# TODO: We need the firmware for the system we just installed +# not the one we booted from. For example: +# * booting from a snapshot bsd.rd that thinks it is the 7.0 release +# will install the firmware from the 7.0 directory instead of +# from the snapshots dir. +# If they're using sysupgrade, then the installer kernel will be correct. +# If we're doing this in the installer we can check what they picked +# for downloading sets and use that value. +# Otherwise, the fw_update after first boot will fix it up for us. + +HTTP_FWDIR=$FWDIR +set -- $(scan_dmesg "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p") +[[ $1 == -!(stable) ]] && HTTP_FWDIR=snapshots + +FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR} +FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub +PKGDIR=${DESTDIR}/var/db/pkg +PATTERNS="file:${0%/*}/firmware_patterns" + +fw_update() { + local _tmpsrc _f _r _remove _i _installed + local _src=$FWURL _t=Get _cfile="/tmp/SHA256" _srclocal=false + local _d _drivers=$( + last='' + ftp -D "Detecting" -Vmo- $PATTERNS | + while read _d _m; do + grep=grep + [ "$last" = "$_d" ] && continue + [ "$_m" ] || _m="^$_d[0-9][0-9]* at " + [ "$_m" = "${_m#^}" ] && grep=fgrep + $grep -q "$_m" /var/run/dmesg.boot || continue + echo $_d + last=$_d done + ) + + if [ -z "$_drivers" ]; then + echo "No devices found which need firmware files to be downloaded." >&2 + return fi - # TODO: Add some details about the install to +CONTENTS like pkg_add - # TODO: Or, maybe we save the firmware someplace and make pkg_add reinstall - echo "Installing $firmware" - tar -zxphf "$firmware" -C /etc "firmware/*" - mkdir -p ${PKGDIR}/${firmware%.tgz}/ - tar -zxphf "$firmware" -C "${PKGDIR}/${firmware%.tgz}" "+*" - ed -s "${PKGDIR}/${firmware%.tgz}/+CONTENTS" <$_tmpsrc/t && + $_unpriv cat $_tmpsrc/t + ) >/dev/null 2>&1 || + rm -r $_tmpsrc + fi + + [[ ! -d $_tmpsrc ]] && + _issue="Cannot create prefetch area" && fail + + # Cleanup from previous runs. + rm -f $_cfile $_cfile.sig + + _t=Get/Verify + + ! $_unpriv ftp -D "$_t" -Vmo - "$_src/SHA256.sig" >"$_cfile.sig" && + _issue="Cannot fetch SHA256.sig" && fail + + # Verify signature file with public keys. + ! unpriv -f "$_cfile" \ + signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" && + _issue="Signature check of SHA256.sig failed" && fail + + for _d in $_drivers; do + _f=$( sed -n "s/.*(\($_d-firmware-.*\.tgz\)).*/\1/p" "$_cfile" ) + _installed=$( installed_firmware "$_d" ) + + for _i in $_installed; do + if [ "$_f" = "$_i.tgz" ]; then + echo "Firmware for $_d already installed ($_installed)" + continue 2 + fi + done + + rm -f /tmp/h /tmp/fail + + # Fetch firmware file and create a checksum by piping through + # sha256. Create a flag file in case ftp failed. Firmware + # from net is written to the prefetch area. + ( $_unpriv ftp -D "$_t" -Vmo - "$_src/$_f" || >/tmp/fail ) | + ( $_srclocal && unpriv2 sha256 -b >/tmp/h || + unpriv2 -f /tmp/h sha256 -bph /tmp/h >"$_tmpsrc/$_f" ) + + # Handle failed transfer. + if [[ -f /tmp/fail ]]; then + rm -f "$_tmpsrc/$_f" + _issue="Fetching of $_f failed!" + fail + fi + + # Verify firmware by comparing its checksum with SHA256. + if fgrep -qx "SHA256 ($_f) = $(