===================================================================
RCS file: /cvs/openbsd/fw_update/fw_install.sh,v
retrieving revision 1.2
retrieving revision 1.10
diff -u -r1.2 -r1.10
--- openbsd/fw_update/fw_install.sh	2021/10/05 01:39:05	1.2
+++ openbsd/fw_update/fw_install.sh	2021/10/17 03:05:29	1.10
@@ -13,14 +13,79 @@
 	done
 }
 
-set -A _KERNV -- $( scan_dmesg '/^OpenBSD \([1-9][0-9]*\.[0-9]\)\([^ ]*\) .*/ { s//\1 \2/p; q; }' )
-VNAME=${_KERNV[0]}
-OSDIR=$VNAME
-if ((${#_KERNV[*]} > 1)) && [ "$_KERNV[1]" = "-current" -o "$_KERNV[1]" = "-beta" ]; then
-	OSDIR=snapshots
-fi
+# tmpdir, do_as, unpriv, and unpriv2 are from install.sub
 
-FWURL=http://firmware.openbsd.org/firmware/${OSDIR}
+# Create a temporary directory based on the supplied directory name prefix.
+tmpdir() {
+	local _i=1 _dir
+
+	until _dir="${1?}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do
+		((++_i < 10000)) || return 1
+	done
+	echo "$_dir"
+}
+
+# Run a command ($2+) as unprivileged user ($1).
+# Take extra care that after "cmd" no "user" processes exist.
+#
+# Optionally:
+#	- create "file" and chown it to "user"
+#	- after "cmd", chown "file" back to root
+#
+# Usage: do_as user [-f file] cmd
+do_as() {
+	(( $# >= 2 )) || return
+
+	local _file _rc _user=$1
+	shift
+
+	if [[ $1 == -f ]]; then
+		_file=$2
+		shift 2
+	fi
+
+	if [[ -n $_file ]]; then
+		>$_file
+		chown "$_user" "$_file"
+	fi
+
+	doas -u "$_user" "$@"
+	_rc=$?
+
+	while doas -u "$_user" kill -9 -1 2>/dev/null; do
+		echo "Processes still running for user $_user after: $@"
+		sleep 1
+	done
+
+	[[ -n $_file ]] && chown root "$_file"
+
+	return $_rc
+}
+
+unpriv() {
+	do_as _sndio "$@"
+}
+
+unpriv2() {
+	do_as _file "$@"
+}
+
+_issue=
+fail() {
+	echo $_issue >&2
+	exit 1
+}
+
+VNAME=$(sysctl -n kern.osrelease)
+VERSION="${VNAME%.*}${VNAME#*.}"
+FWDIR="$VNAME"
+
+HTTP_FWDIR=$FWDIR
+set -- $(scan_dmesg "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p")
+[[ $1 == -!(stable) ]] && HTTP_FWDIR=snapshots
+
+FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR}
+FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub
 PKGDIR=${DESTDIR}/var/db/pkg
 PATTERNS="file:${0%/*}/firmware_patterns"
 
@@ -28,9 +93,11 @@
 	last=''
 	ftp -D "Detecting" -Vmo- $PATTERNS |
 	while read d m; do
+		grep=grep
 		[ "$last" = "$d" ] && continue
 		[ "$m" ] || m="^$d[0-9][0-9]* at "
-		grep -q "$m" /var/run/dmesg.boot || continue
+		[ "$m" = "${m#^}" ] && grep=fgrep
+		$grep -q "$m" /var/run/dmesg.boot || continue
 		echo $d
 		last=$d
 	done
@@ -41,49 +108,76 @@
 	exit 0
 fi
 
-tmpdir=${DESTDIR}/tmp/fw_update
-[ -e "$tmpdir" ] && rm -rf "$tmpdir"
-mkdir -p "$tmpdir"
-cd "$tmpdir"
+_src=$FWURL
+if _tmpsrc=$( tmpdir "${DESTDIR}/tmp/fw_update" ); then
+	(
+	>$_tmpsrc/t &&
+	$_unpriv cat $_tmpsrc/t
+	) >/dev/null 2>&1 ||
+	    rm -r $_tmpsrc
+fi
 
-# TODO: Drop privs during fetch and verify
-ftp -D Get -Vm "$FWURL/SHA256.sig"
+[[ ! -d $_tmpsrc ]] &&
+	_issue="Cannot create prefetch area" && fail
 
-# Probably should bundle the firmware sigfile on the installer,
-# although we can just get it from the recently installed system.
-if [ "$DESTDIR" ]; then
-	sigfile=$( sed -n '/^untrusted comment: verify with \(.*\)$/ { s//\1/p; q; }' SHA256.sig )
-	if [ ! -e "/etc/signify/$sigfile" ] \
-	  && [ -e "${DESTDIR}/etc/signify/$sigfile" ]; then
-		cp -a "${DESTDIR}/etc/signify/$sigfile" "/etc/signify/$sigfile"
-	fi
-fi
+cd "$_tmpsrc"
 
-signify -Ve -x SHA256.sig -m - < SHA256.sig > SHA256
+_t=Get
+_cfile="$_tmpsrc/SHA256"
+_srclocal=false
 
+! $_unpriv ftp -D "$_t" -Vmo - "$_src/SHA256.sig" >"$_cfile.sig" &&
+    _issue="Cannot fetch SHA256.sig" && fail
+
+# Verify signature file with public keys.
+! unpriv -f "$_cfile" \
+    signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" &&
+    _issue="Signature check of SHA256.sig failed" && fail
+
 for d in $drivers; do
-	firmware=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" SHA256 )
-	installed=$( installed_firmware $d )
+	_f=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" "$_cfile" )
+	installed=$( installed_firmware "$d" )
 
 	for i in $installed; do
-		if [ "$firmware" = "$i.tgz" ]; then
+		if [ "$_f" = "$i.tgz" ]; then
 			echo "Firmware for $d already installed ($installed)"
 			continue 2
 		fi
 	done
 
-	mkdir $d
+	rm -f /tmp/h /tmp/fail
 
-	# TODO: Drop privs during fetch and verify
-	ftp -D "Get/Verify" -Vmo- "$FWURL/$firmware" | sha256 -bph "$d/h" > "$firmware"
-	fgrep -qx "SHA256 ($firmware) = $(<$d/h)" SHA256
+	_t=Get/Verify
+	# Fetch firmware file and create a checksum by piping through
+	# sha256. Create a flag file in case ftp failed. Firmware
+	# from net is written to the prefetch area.
+	( $_unpriv ftp -D "$_t" -Vmo - "$_src/$_f" || >/tmp/fail ) |
+	( $_srclocal && unpriv2 sha256 -b >/tmp/h ||
+	    unpriv2 -f /tmp/h sha256 -bph /tmp/h >"$_tmpsrc/$_f" )
 
+	# Handle failed transfer.
+	if [[ -f /tmp/fail ]]; then
+		rm -f "$_tmpsrc/$_f"
+		_issue="Fetching of $_f failed!"
+		fail
+	fi
+
+	# Verify firmware by comparing its checksum with SHA256.
+	if fgrep -qx "SHA256 ($_f) = $(</tmp/h)" "$_cfile"; then
+		#_unver=$(rmel $_f $_unver)
+		true
+	else
+		[[ -d "$_tmpsrc" ]] && rm -rf "$_tmpsrc"
+		_issue="Checksum test for $_f failed."
+		fail
+	fi
+
 	# TODO: Check hash for files before deleting
 	if [ "$installed" ] && [ -e "${PKGDIR}/$installed/+CONTENTS" ]; then
 		echo "Uninstalling $installed"
 		cwd=${PKGDIR}/$installed
 
-		remove="${cwd}/+CONTENTS ${cwd}"
+		set -A _remove -- "${cwd}/+CONTENTS" "${cwd}"
 
 		while read c g; do
 			case $c in
@@ -91,29 +185,29 @@
 			  ;;
 			@*) continue
 			  ;;
-			*)  remove="$cwd/$c $remove"
+			*)  set -A _remove -- "$cwd/$c" "${_remove[@]}"
 			  ;;
 			esac
 		done < "${PKGDIR}/$installed/+CONTENTS"
 
-		for r in $remove ; do
-			if [ -d "$r" ]; then
+		for _r in "${_remove[@]}"; do
+			if [ -d "$_r" ]; then
 				# Try hard not to actually remove recursively
 				# without rmdir on the install media.
-				[ "$r/*" = $( echo "$r"/* ) ] && rm -rf "$r"
+				[ "$_r/*" = $( echo "$_r"/* ) ] && rm -rf "$_r"
 			else
-				rm -f "$r"
+				rm -f "$_r"
 			fi
 		done
 	fi
 
 	# TODO: Add some details about the install to +CONTENTS like pkg_add
 	# TODO: Or, maybe we save the firmware someplace and make pkg_add reinstall
-	echo "Installing $firmware"
-	tar -zxphf "$firmware" -C /etc "firmware/*"
-	mkdir -p ${PKGDIR}/${firmware%.tgz}/
-	tar -zxphf "$firmware" -C "${PKGDIR}/${firmware%.tgz}" "+*"
-    ed -s "${PKGDIR}/${firmware%.tgz}/+CONTENTS" <<EOL
+	echo "Installing $_f"
+	tar -zxphf "$_f" -C /etc "firmware/*"
+	mkdir -p ${PKGDIR}/${_f%.tgz}/
+	tar -zxphf "$_f" -C "${PKGDIR}/${_f%.tgz}" "+*"
+	ed -s "${PKGDIR}/${_f%.tgz}/+CONTENTS" <<EOL
 /^@comment pkgpath/ -1a
 @option manual-installation
 @option firmware