===================================================================
RCS file: /cvs/openbsd/fw_update/fw_install.sh,v
retrieving revision 1.10
retrieving revision 1.51
diff -u -r1.10 -r1.51
--- openbsd/fw_update/fw_install.sh 2021/10/17 03:05:29 1.10
+++ openbsd/fw_update/fw_install.sh 2021/12/07 02:42:01 1.51
@@ -1,219 +1,211 @@ #!/bin/ksh -set -e +# $OpenBSD: fw_install.sh,v 1.51 2021/12/07 02:42:01 afresh1 Exp $ +# +# Copyright (c) 2021 Andrew Hewus Fresh +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -scan_dmesg() { - # no bsort for now - sed -n "$1" /var/run/dmesg.boot -} +set -o errexit -o pipefail -o nounset -installed_firmware() { - for fw in ${PKGDIR}/$1-firmware*; do - [ -e "$fw" ] || continue - echo ${fw##*/} - done -} +CFILE=SHA256.sig +DESTDIR=${DESTDIR:-} +FWPATTERNS="${DESTDIR}/usr/share/misc/firmware_patterns" -# tmpdir, do_as, unpriv, and unpriv2 are from install.sub +VNAME=${VNAME:-$(sysctl -n kern.osrelease)} +VERSION=${VERSION:-"${VNAME%.*}${VNAME#*.}"} -# Create a temporary directory based on the supplied directory name prefix. 
+HTTP_FWDIR="$VNAME" +VTYPE=$( sed -n "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p" /var/run/dmesg.boot | sed '$!d' ) +[[ $VTYPE == -!(stable) ]] && HTTP_FWDIR=snapshots + +FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR} +FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub + tmpdir() { local _i=1 _dir - until _dir="${1?}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do - ((++_i < 10000)) || return 1 - done + # If we're not in the installer, + # we have mktemp and a more hostile environment + if [ -x /usr/bin/mktemp ]; then + _dir=$( mktemp -d "${1}-XXXXXXXXX" ) + else + until _dir="${1}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do + ((++_i < 10000)) || return 1 + done + fi + echo "$_dir" } -# Run a command ($2+) as unprivileged user ($1). -# Take extra care that after "cmd" no "user" processes exist. -# -# Optionally: -# - create "file" and chown it to "user" -# - after "cmd", chown "file" back to root -# -# Usage: do_as user [-f file] cmd -do_as() { - (( $# >= 2 )) || return +fetch() { + local _file=$1 _user=_file _exit - local _file _rc _user=$1 - shift + >"$_file" + chown "$_user" "$_file" - if [[ $1 == -f ]]; then - _file=$2 - shift 2 + # If we're not in the installer, we have su(1) + # and doas(1) is unlikely to be configured. + if [ -x /usr/bin/sh ]; then + /usr/bin/su -s /bin/ksh "$_user" -c \ + "/usr/bin/ftp -D 'Get/Verify' -Vm \ + -o '$_file' '${FWURL}/${_file}'" + _exit="$?" + else + /usr/bin/doas -u "$_user" \ + ftp -D 'Get/Verify' -Vm \ + -o "$_file" "${FWURL}/${_file}" + _exit="$?" fi - if [[ -n $_file ]]; then - >$_file - chown "$_user" "$_file" + if [ "$_exit" -ne 0 ]; then + rm -f "$_file" + echo "Cannot fetch $_file" >&2 + return 1 fi - doas -u "$_user" "$@" - _rc=$? + chown root "$_file" +} - while doas -u "$_user" kill -9 -1 2>/dev/null; do - echo "Processes still running for user $_user after: $@" - sleep 1 - done +verify() { + # On the installer we don't get sha256 -C, so fake it. + if ! 
fgrep -qx "SHA256 ($1) = $( /bin/sha256 -qb "$1" )" "$CFILE"; then + echo "Checksum test for $1 failed." >&2 + return 1 + fi +} - [[ -n $_file ]] && chown root "$_file" +devices_needing_firmware() { + local _d _m _grep _dmesgtail _last='' - return $_rc -} + # When we're not in the installer, the dmesg.boot can + # contain multiple boots, so only look in the last one + _dmesgtail=$( sed -n 'H;/^OpenBSD/h;${g;p;}' /var/run/dmesg.boot ) -unpriv() { - do_as _sndio "$@" -} + grep -v '^[[:space:]]*#' "$FWPATTERNS" | + while read -r _d _m; do + _grep="grep" + [ "$_last" = "$_d" ] && continue + [ "$_m" ] || _m="^${_d}[0-9][0-9]* at " + [ "$_m" = "${_m#^}" ] && _grep="fgrep" -unpriv2() { - do_as _file "$@" + echo "$_dmesgtail" | $_grep -q "$_m" || continue + echo "$_d" + _last="$_d" + done } -_issue= -fail() { - echo $_issue >&2 - exit 1 +firmware_filename() { + sed -n "s/.*(\($1-firmware-.*\.tgz\)).*/\1/p" "$CFILE" | sed '$!d' } -VNAME=$(sysctl -n kern.osrelease) -VERSION="${VNAME%.*}${VNAME#*.}" -FWDIR="$VNAME" - -HTTP_FWDIR=$FWDIR -set -- $(scan_dmesg "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p") -[[ $1 == -!(stable) ]] && HTTP_FWDIR=snapshots - -FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR} -FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub -PKGDIR=${DESTDIR}/var/db/pkg -PATTERNS="file:${0%/*}/firmware_patterns" - -drivers=$( - last='' - ftp -D "Detecting" -Vmo- $PATTERNS | - while read d m; do - grep=grep - [ "$last" = "$d" ] && continue - [ "$m" ] || m="^$d[0-9][0-9]* at " - [ "$m" = "${m#^}" ] && grep=fgrep - $grep -q "$m" /var/run/dmesg.boot || continue - echo $d - last=$d +installed_firmware() { + for fw in "${DESTDIR}/var/db/pkg/$1-firmware"*; do + [ -e "$fw" ] || continue + echo "${fw##*/}" done -) +} -if [ -z "$drivers" ]; then - echo "No devices found which need firmware files to be downloaded." 
>&2 - exit 0 -fi +add_firmware () { + local _f="$1" _pkgdir="${DESTDIR}/var/db/pkg" + ftp -D "Install" -Vmo- "file:${1}" | + tar -s ",^\+,${_pkgdir}/${_f%.tgz}/+," \ + -s ",^firmware,${DESTDIR}/etc/firmware," \ + -C / -zxphf - "+*" "firmware/*" -_src=$FWURL -if _tmpsrc=$( tmpdir "${DESTDIR}/tmp/fw_update" ); then - ( - >$_tmpsrc/t && - $_unpriv cat $_tmpsrc/t - ) >/dev/null 2>&1 || - rm -r $_tmpsrc -fi + # TODO: Should we mark these so real fw_update can -Drepair? + ed -s "${_pkgdir}/${_f%.tgz}/+CONTENTS" <"$_cfile.sig" && - _issue="Cannot fetch SHA256.sig" && fail + while read -r c g; do + case $c in + @cwd) _cwd="${DESTDIR}$g" + ;; + @*) continue + ;; + *) set -A _remove -- "$_cwd/$c" "${_remove[@]}" + ;; + esac + done < "${_pkgdir}/${_pkg}/+CONTENTS" -# Verify signature file with public keys. -! unpriv -f "$_cfile" \ - signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" && - _issue="Signature check of SHA256.sig failed" && fail - -for d in $drivers; do - _f=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" "$_cfile" ) - installed=$( installed_firmware "$d" ) - - for i in $installed; do - if [ "$_f" = "$i.tgz" ]; then - echo "Firmware for $d already installed ($installed)" - continue 2 + # We specifically rm -f here because not removing files/dirs + # is probably not worth failing over. + for _r in "${_remove[@]}" ; do + if [ -d "$_r" ]; then + # Try hard not to actually remove recursively + # without rmdir on the install media. + [ "$_r/*" = "$( echo "$_r"/* )" ] && rm -rf "$_r" + else + rm -f "$_r" fi done +} - rm -f /tmp/h /tmp/fail +set -A devices -- $( devices_needing_firmware ) - _t=Get/Verify - # Fetch firmware file and create a checksum by piping through - # sha256. Create a flag file in case ftp failed. Firmware - # from net is written to the prefetch area. - ( $_unpriv ftp -D "$_t" -Vmo - "$_src/$_f" || >/tmp/fail ) | - ( $_srclocal && unpriv2 sha256 -b >/tmp/h || - unpriv2 -f /tmp/h sha256 -bph /tmp/h >"$_tmpsrc/$_f" ) +if [ ! 
"${devices:-}" ]; then + echo "No devices found which need firmware files to be downloaded." + exit +fi - # Handle failed transfer. - if [[ -f /tmp/fail ]]; then - rm -f "$_tmpsrc/$_f" - _issue="Fetching of $_f failed!" - fail - fi +TMPDIR=$( tmpdir "${DESTDIR}/tmp/fw_install" ) +cd "$TMPDIR" - # Verify firmware by comparing its checksum with SHA256. - if fgrep -qx "SHA256 ($_f) = $(&2 && exit 1 - set -A _remove -- "${cwd}/+CONTENTS" "${cwd}" +for d in "${devices[@]}"; do + f=$( firmware_filename "$d" ) + [ "$f" ] || continue + set -A installed -- $( installed_firmware "$d" ) - while read c g; do - case $c in - @cwd) cwd=$g - ;; - @*) continue - ;; - *) set -A _remove -- "$cwd/$c" "${_remove[@]}" - ;; - esac - done < "${PKGDIR}/$installed/+CONTENTS" - - for _r in "${_remove[@]}"; do - if [ -d "$_r" ]; then - # Try hard not to actually remove recursively - # without rmdir on the install media. - [ "$_r/*" = $( echo "$_r"/* ) ] && rm -rf "$_r" - else - rm -f "$_r" + if [ "${installed:-}" ]; then + for i in "${installed[@]:-}"; do + if [ "$f" = "$i.tgz" ]; then + echo "$i already installed" + continue 2 fi done fi - # TODO: Add some details about the install to +CONTENTS like pkg_add - # TODO: Or, maybe we save the firmware someplace and make pkg_add reinstall - echo "Installing $_f" - tar -zxphf "$_f" -C /etc "firmware/*" - mkdir -p ${PKGDIR}/${_f%.tgz}/ - tar -zxphf "$_f" -C "${PKGDIR}/${_f%.tgz}" "+*" - ed -s "${PKGDIR}/${_f%.tgz}/+CONTENTS" <
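Review bot: In `fetch()`, the `su` branch builds its command as one string and splices `$_file` between single quotes (`-o '$_file' '${FWURL}/${_file}'`), so a name containing a quote would be re-parsed by the ksh that `su -c` starts as the `_file` user; the `doas` branch passes the same values as separate arguments and does not have this problem. The names appear to come from `firmware_filename`, whose sed pattern accepts any characters between `-firmware-` and `.tgz` in `$CFILE`, and both the calls to `fetch` and any signature check of `$CFILE` are cut off in this page, so I would reject unexpected names at the top of `fetch()` rather than rely on call ordering: `case $_file in *[!A-Za-z0-9._+-]*) echo "Bad file name" >&2; return 1;; esac`. Separately, the guard for that branch tests `[ -x /usr/bin/sh ]` while the comment and the command are about su(1); testing the binary that is actually run, `[ -x /usr/bin/su ]`, keeps the check and the exec in step.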