=================================================================== RCS file: /cvs/openbsd/fw_update/fw_install.sh,v retrieving revision 1.35 retrieving revision 1.57 diff -u -r1.35 -r1.57 --- openbsd/fw_update/fw_install.sh 2021/11/24 02:09:35 1.35 +++ openbsd/fw_update/fw_install.sh 2021/12/08 03:45:05 1.57 @@ -1,242 +1,231 @@ #!/bin/ksh -set -e +# $OpenBSD: fw_install.sh,v 1.57 2021/12/08 03:45:05 afresh1 Exp $ +# +# Copyright (c) 2021 Andrew Hewus Fresh +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# Fake up some things from install.sub that we don't need to actually do -prefetcharea_fs_list() { - echo "${DESTDIR}/tmp" -} +set -o errexit -o pipefail -o nounset -# tmpdir, do_as, unpriv, and unpriv2 are from install.sub +CFILE=SHA256.sig +DESTDIR=${DESTDIR:-} +FWPATTERNS="${DESTDIR}/usr/share/misc/firmware_patterns" -# Create a temporary directory based on the supplied directory name prefix. +VNAME=${VNAME:-$(sysctl -n kern.osrelease)} +VERSION=${VERSION:-"${VNAME%.*}${VNAME#*.}"} + +HTTP_FWDIR="$VNAME" +VTYPE=$( sed -n "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p" \ + /var/run/dmesg.boot | sed '$!d' ) +[[ $VTYPE == -!(stable) ]] && HTTP_FWDIR=snapshots + +FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR} +FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub + tmpdir() { local _i=1 _dir - until _dir="${1?}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do - ((++_i < 10000)) || return 1 - done + # If we're not in the installer, + # we have mktemp and a more hostile environment + if [ -x /usr/bin/mktemp ]; then + _dir=$( mktemp -d "${1}-XXXXXXXXX" ) + else + until _dir="${1}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do + ((++_i < 10000)) || return 1 + done + fi + echo "$_dir" } -# Run a command ($2+) as unprivileged user ($1). -# Take extra care that after "cmd" no "user" processes exist. -# -# Optionally: -# - create "file" and chown it to "user" -# - after "cmd", chown "file" back to root -# -# Usage: do_as user [-f file] cmd -do_as() { - (( $# >= 2 )) || return +realpath () { + if [ -x /usr/bin/realpath ]; then + /usr/bin/realpath "$1" + elif [ "$1" = "${1%/*}" ]; then + echo "${PWD}/$1" + else + echo "$( cd "${1%/*}" && pwd )/${1##*/}" + fi +} - local _file _rc _user=$1 - shift +fetch() { + local _file=$1 _user=_file _exit - if [[ $1 == -f ]]; then - _file=$2 - shift 2 + >"$_file" + chown "$_user" "$_file" + + # If we're not in the installer, we have su(1) + # and doas(1) is unlikely to be configured. + if [ -x /usr/bin/su ]; then + /usr/bin/su -s /bin/ksh "$_user" -c \ + "/usr/bin/ftp -D 'Get/Verify' -Vm \ + -o '$_file' '${FWURL}/${_file}'" + _exit="$?" + else + /usr/bin/doas -u "$_user" \ + ftp -D 'Get/Verify' -Vm \ + -o "$_file" "${FWURL}/${_file}" + _exit="$?" fi - if [[ -n $_file ]]; then - >$_file - chown "$_user" "$_file" + if [ "$_exit" -ne 0 ]; then + rm -f "$_file" + echo "Cannot fetch $_file" >&2 + return 1 fi - doas -u "$_user" "$@" - _rc=$? + chown root "$_file" +} - while doas -u "$_user" kill -9 -1 2>/dev/null; do - echo "Processes still running for user $_user after: $@" - sleep 1 - done +verify() { + # On the installer we don't get sha256 -C, so fake it. + if ! fgrep -qx "SHA256 ($1) = $( /bin/sha256 -qb "$1" )" "$CFILE"; then + echo "Checksum test for $1 failed." >&2 + return 1 + fi +} - [[ -n $_file ]] && chown root "$_file" +devices_needing_firmware() { + local _d _m _grep _dmesgtail _last='' - return $_rc + # When we're not in the installer, the dmesg.boot can + # contain multiple boots, so only look in the last one + _dmesgtail=$( sed -n 'H;/^OpenBSD/h;${g;p;}' /var/run/dmesg.boot ) + + grep -v '^[[:space:]]*#' "$FWPATTERNS" | + while read -r _d _m; do + _grep="grep" + [ "$_last" = "$_d" ] && continue + [ "$_m" ] || _m="^${_d}[0-9][0-9]* at " + [ "$_m" = "${_m#^}" ] && _grep="fgrep" + + echo "$_dmesgtail" | $_grep -q "$_m" || continue + echo "$_d" + _last="$_d" + done } -unpriv() { - do_as _sndio "$@" +firmware_filename() { + local _f + _f="$( sed -n "s/.*(\($1-firmware-.*\.tgz\)).*/\1/p" "$CFILE" | sed '$!d' )" + ! [ "$_f" ] && echo "Unable to find firmware for $1" >&2 && return 1 + echo "$_f" } -unpriv2() { - do_as _file "$@" +firmware_devicename() { + local _d="${1##*/}" + _d="${_d%-firmware-*}" + echo "$_d" } -VNAME=${VNAME:-$(sysctl -n kern.osrelease)} -VERSION=${VERSION:-"${VNAME%.*}${VNAME#*.}"} -FWDIR=${FWDIR:-$VNAME} -MODE=${MODE:-install} +installed_firmware() { + for fw in "${DESTDIR}/var/db/pkg/$1-firmware"*; do + [ -e "$fw" ] || continue + echo "${fw##*/}" + done +} -# TODO: We need the firmware for the system we just installed -# not the one we booted from. For example: -# * booting from a snapshot bsd.rd that thinks it is the 7.0 release -# will install the firmware from the 7.0 directory instead of -# from the snapshots dir. -# If they're using sysupgrade, then the installer kernel will be correct. -# If we're doing this in the installer we can check what they picked -# for downloading sets and use that value. -# Otherwise, the fw_update after first boot will fix it up for us. +add_firmware () { + local _f="$1" _pkgdir="${DESTDIR}/var/db/pkg" + ftp -D "Install" -Vmo- "file:${1}" | + tar -s ",^\+,${_pkgdir}/${_f%.tgz}/+," \ + -s ",^firmware,${DESTDIR}/etc/firmware," \ + -C / -zxphf - "+*" "firmware/*" -HTTP_FWDIR=$FWDIR -set -- sed -n "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p" /var/run/dmesg.boot -[[ $1 == -!(stable) ]] && HTTP_FWDIR=snapshots + # TODO: Should we mark these so real fw_update can -Drepair? + ed -s "${_pkgdir}/${_f%.tgz}/+CONTENTS" <&2 && return - - for _tmpfs in $_tmpfs_list; do - # Try to clean up from previous runs, assuming - # the _tmpfs selection yields the same mount - # point. - for _tmpsrc in $_tmpfs/firmware.+([0-9]).+([0-9]); do - [[ -d $_tmpsrc ]] && rm -r $_tmpsrc - done - - # Create a download directory for the firmware and - # check that the _sndio user can read files from - # it. Otherwise cleanup and skip the filesystem. - if _tmpsrc=$(tmpdir "$_tmpfs/firmware"); then - ( - >$_tmpsrc/t && - $_unpriv cat $_tmpsrc/t - ) >/dev/null 2>&1 && break || - rm -r $_tmpsrc + # We specifically rm -f here because not removing files/dirs + # is probably not worth failing over. + for _r in "${_remove[@]}" ; do + if [ -d "$_r" ]; then + # Try hard not to actually remove recursively + # without rmdir on the install media. + [ "$_r/*" = "$( echo "$_r"/* )" ] && rm -rf "$_r" + else + rm -f "$_r" fi done +} - [[ ! -d $_tmpsrc ]] && - echo "Cannot create prefetch area" >&2 && return 1 +set -A devices -- $( devices_needing_firmware ) - # Cleanup from previous runs. - rm -f $_cfile $_cfile.sig +if [ ! "${devices:-}" ]; then + echo "No devices found which need firmware files to be downloaded." + exit +fi - _t=Get/Verify +TMPDIR=$( tmpdir "${DESTDIR}/tmp/fw_install" ) +cd "$TMPDIR" - ! $_unpriv ftp -D "$_t" -Vmo - "$_src/SHA256.sig" >"$_cfile.sig" && - echo "Cannot fetch SHA256.sig" >&2 && return 1 +# To unpriv we need to let the unpriv user into this dir +chmod go+x . - # Verify signature file with public keys. - ! $_unpriv -f "$_cfile" \ - signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" && - echo "Signature check of SHA256.sig failed" >&2 && return 1 +fetch "$CFILE" +! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE" && + echo "Signature check of SHA256.sig failed" >&2 && exit 1 - for _d in $_drivers; do - _f=$( sed -n "s/.*(\($_d-firmware-.*\.tgz\)).*/\1/p" "$_cfile" ) - _installed=$( - for fw in "${_pkgdir}/$_d-firmware"*; do - [ -e "$fw" ] || continue - echo ${fw##*/} - done - ) +for d in "${devices[@]}"; do + f=$( firmware_filename "$d" || true ) + [ "$f" ] || continue + set -A installed -- $( installed_firmware "$d" ) - for _i in $_installed; do - if [ "$_f" = "$_i.tgz" ]; then - echo "$_i already installed" + if [ "${installed:-}" ]; then + for i in "${installed[@]:-}"; do + if [ "$f" = "$i.tgz" ]; then + echo "$i already installed" continue 2 fi done + fi - rm -f /tmp/h /tmp/fail + fetch "$f" || continue + verify "$f" || continue - # Fetch firmware file and create a checksum by piping through - # sha256. Create a flag file in case ftp failed. Firmware - # from net is written to the prefetch area. - ( $_unpriv ftp -D "$_t" -Vmo - "$_src/$_f" || >/tmp/fail ) | - ( $_srclocal && unpriv2 sha256 -b >/tmp/h || - unpriv2 -f /tmp/h sha256 -bph /tmp/h >"$_tmpsrc/$_f" ) + if [ "${installed:-}" ]; then + for i in "${installed[@]}"; do + delete_firmware "$i" + done + fi - # Handle failed transfer. - if [[ -f /tmp/fail ]]; then - rm -f "$_tmpsrc/$_f" - echo "Fetching of $_f failed!" >&2 - continue - fi + add_firmware "$f" +done - # Verify firmware by comparing its checksum with SHA256. - if ! fgrep -qx "SHA256 ($_f) = $(&2 - continue - fi - - # TODO: Check hash for files before deleting - if [ "$_installed" ] && [ -e "${_pkgdir}/$_installed/+CONTENTS" ]; then - echo "Uninstalling $_installed" - cwd=${_pkgdir}/$_installed - - set -A _remove -- "${cwd}/+CONTENTS" "${cwd}" - - while read c g; do - case $c in - @cwd) cwd="${DESTDIR}/$g" - ;; - @*) continue - ;; - *) set -A _remove -- "$cwd/$c" "${_remove[@]}" - ;; - esac - done < "${_pkgdir}/$_installed/+CONTENTS" - - # We specifically rm -f here because not removing files/dirs - # is probably not worth failing over. - for _r in "${_remove[@]}" ; do - if [ -d "$_r" ]; then - # Try hard not to actually remove recursively - # without rmdir on the install media. - [ "$_r/*" = $( echo "$_r"/* ) ] && rm -rf "$_r" - else - rm -f "$_r" - fi - done - fi - - # TODO: Should we mark these so real fw_update can -Drepair? - ftp -D "Install" -Vmo- "file:$_tmpsrc/$_f" | - tar -s ",^\+,${_pkgdir}/${_f%.tgz}/+," \ - -s ",^firmware,${DESTDIR}/etc/firmware," \ - -C / -zxphf - "+*" "firmware/*" - - ed -s "${_pkgdir}/${_f%.tgz}/+CONTENTS" <