===================================================================
RCS file: /cvs/openbsd/fw_update/fw_install.sh,v
retrieving revision 1.6
retrieving revision 1.67
diff -u -r1.6 -r1.67
--- openbsd/fw_update/fw_install.sh	2021/10/14 02:39:43	1.6
+++ openbsd/fw_update/fw_install.sh	2021/12/11 03:25:09	1.67
@@ -1,174 +1,292 @@
 #!/bin/ksh
-set -e
+#	$OpenBSD: fw_install.sh,v 1.67 2021/12/11 03:25:09 afresh1 Exp $
+#
+# Copyright (c) 2021 Andrew Hewus Fresh <afresh1@openbsd.org>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-scan_dmesg() {
-	# no bsort for now
-	sed -n "$1" /var/run/dmesg.boot
+set -o errexit -o pipefail -o nounset
+
+CFILE=SHA256.sig
+DESTDIR=${DESTDIR:-}
+FWPATTERNS="${DESTDIR}/usr/share/misc/firmware_patterns"
+
+VNAME=${VNAME:-$(sysctl -n kern.osrelease)}
+VERSION=${VERSION:-"${VNAME%.*}${VNAME#*.}"}
+
+HTTP_FWDIR="$VNAME"
+VTYPE=$( sed -n "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p" \
+    /var/run/dmesg.boot | sed '$!d' )
+[[ $VTYPE == -!(stable) ]] && HTTP_FWDIR=snapshots
+
+FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR}
+FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub
+
+tmpdir() {
+	local _i=1 _dir
+
+	# If we're not in the installer,
+	# we have mktemp and a more hostile environment
+	if [ -x /usr/bin/mktemp ]; then
+		_dir=$( mktemp -d "${1}-XXXXXXXXX" )
+	else
+		until _dir="${1}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do
+		    ((++_i < 10000)) || return 1
+		done
+	fi
+
+	echo "$_dir"
 }
 
-installed_firmware() {
-	for fw in ${PKGDIR}/$1-firmware*; do
-		[ -e "$fw" ] || continue
-		echo ${fw##*/}
-	done
+realpath () {
+	if [ -x /usr/bin/realpath ]; then
+		/usr/bin/realpath "$1"
+	elif [ "$1" = "${1%/*}" ]; then
+		echo "${PWD}/$1"
+	else
+		echo "$( cd "${1%/*}" && pwd )/${1##*/}"
+	fi
 }
 
-# do_as, unpriv, and unpriv2 are from install.sub
+fetch() {
+	local _file=$1 _user=_file _exit
 
-# Run a command ($2+) as unprivileged user ($1).
-# Take extra care that after "cmd" no "user" processes exist.
-#
-# Optionally:
-#	- create "file" and chown it to "user"
-#	- after "cmd", chown "file" back to root
-#
-# Usage: do_as user [-f file] cmd
-do_as() {
-	(( $# >= 2 )) || return
+	# If we're not in the installer, we have su(1)
+	# and doas(1) is unlikely to be configured.
+	if [ -x /usr/bin/su ]; then
+		/usr/bin/su -s /bin/ksh "$_user" -c \
+		    "/usr/bin/ftp -D 'Get/Verify' -Vm \
+		        -o- '${FWURL}/${_file}'" > "$_file"
+		_exit="$?"
+	else
+		/usr/bin/doas -u "$_user" \
+		    ftp -D 'Get/Verify' -Vm \
+		        -o- "${FWURL}/${_file}" > "$_file"
+		_exit="$?"
+	fi
 
-	local _file _rc _user=$1
-	shift
-
-	if [[ $1 == -f ]]; then
-		_file=$2
-		shift 2
+	if [ "$_exit" -ne 0 ]; then
+		rm -f "$_file"
+		echo "Cannot fetch $_file" >&2
+		return 1
 	fi
+}
 
-	if [[ -n $_file ]]; then
-		>$_file
-		chown "$_user" "$_file"
+verify() {
+	# On the installer we don't get sha256 -C, so fake it.
+	if ! fgrep -qx "SHA256 ($1) = $( /bin/sha256 -qb "$1" )" "$CFILE"; then
+		echo "Checksum test for $1 failed." >&2
+		return 1
 	fi
+}
 
-	doas -u "$_user" "$@"
-	_rc=$?
+devices_needing_firmware() {
+	local _d _m _grep _dmesgtail _last=''
 
-	while doas -u "$_user" kill -9 -1 2>/dev/null; do
-		echo "Processes still running for user $_user after: $@"
-		sleep 1
+	# When we're not in the installer, the dmesg.boot can
+	# contain multiple boots, so only look in the last one
+	_dmesgtail=$( sed -n 'H;/^OpenBSD/h;${g;p;}' /var/run/dmesg.boot )
+
+	grep -v '^[[:space:]]*#' "$FWPATTERNS" |
+	    while read -r _d _m; do
+		_grep="grep"
+		[ "$_last" = "$_d" ] && continue
+		[ "$_m" ] || _m="^${_d}[0-9][0-9]* at "
+		[ "$_m" = "${_m#^}" ] && _grep="fgrep"
+
+		echo "$_dmesgtail" | $_grep -q "$_m" || continue
+		echo "$_d"
+		_last="$_d"
 	done
+}
 
-	[[ -n $_file ]] && chown root "$_file"
+firmware_filename() {
+	local _f
+	_f="$( sed -n "s/.*(\($1-firmware-.*\.tgz\)).*/\1/p" "$CFILE" | sed '$!d' )"
+	! [ "$_f" ] && echo "Unable to find firmware for $1" >&2 && return 1
+	echo "$_f"
+}
 
-	return $_rc
+firmware_devicename() {
+	local _d="${1##*/}"
+	_d="${_d%-firmware-*}"
+	echo "$_d"
 }
 
-unpriv() {
-	do_as _sndio "$@"
+installed_firmware() {
+	for fw in "${DESTDIR}/var/db/pkg/$1-firmware"*; do
+		[ -e "$fw" ] || continue
+		echo "${fw##*/}"
+	done
 }
 
-unpriv2() {
-	do_as _file "$@"
+add_firmware () {
+	local _f="${1##*/}" _pkgdir="${DESTDIR}/var/db/pkg"
+	ftp -D "Install" -Vmo- "file:${1}" |
+		tar -s ",^\+,${_pkgdir}/${_f%.tgz}/+," \
+		-s ",^firmware,${DESTDIR}/etc/firmware," \
+		-C / -zxphf - "+*" "firmware/*"
+
+	# TODO: Should we mark these so real fw_update can -Drepair?
+	ed -s "${_pkgdir}/${_f%.tgz}/+CONTENTS" <<EOL
+/^@comment pkgpath/ -1a
+@option manual-installation
+@option firmware
+@comment install-script
+.
+w
+EOL
 }
 
-set -A _KERNV -- $( scan_dmesg '/^OpenBSD \([1-9][0-9]*\.[0-9]\)\([^ ]*\) .*/ { s//\1 \2/p; q; }' )
-VNAME=${_KERNV[0]}
-OSDIR=$VNAME
-if ((${#_KERNV[*]} > 1)) && [ "$_KERNV[1]" = "-current" -o "$_KERNV[1]" = "-beta" ]; then
-	OSDIR=snapshots
-fi
+delete_firmware() {
+	local _cwd _pkg="$1" _pkgdir="${DESTDIR}/var/db/pkg"
 
-FWURL=http://firmware.openbsd.org/firmware/${OSDIR}
-PKGDIR=${DESTDIR}/var/db/pkg
-PATTERNS="file:${0%/*}/firmware_patterns"
+	# TODO: Check hash for files before deleting
+	echo "Uninstalling $_pkg"
+	_cwd="${_pkgdir}/$_pkg"
 
-drivers=$(
-	last=''
-	ftp -D "Detecting" -Vmo- $PATTERNS |
-	while read d m; do
-		grep=grep
-		[ "$last" = "$d" ] && continue
-		[ "$m" ] || m="^$d[0-9][0-9]* at "
-		[ "$m" = "${m#^}" ] && grep=fgrep
-		$grep -q "$m" /var/run/dmesg.boot || continue
-		echo $d
-		last=$d
+	set -A _remove -- "${_cwd}/+CONTENTS" "${_cwd}"
+
+	while read -r c g; do
+		case $c in
+		@cwd) _cwd="${DESTDIR}$g"
+		  ;;
+		@*) continue
+		  ;;
+		*) set -A _remove -- "$_cwd/$c" "${_remove[@]}"
+		  ;;
+		esac
+	done < "${_pkgdir}/${_pkg}/+CONTENTS"
+
+	# We specifically rm -f here because not removing files/dirs
+	# is probably not worth failing over.
+	for _r in "${_remove[@]}" ; do
+		if [ -d "$_r" ]; then
+			# Try hard not to actually remove recursively
+			# without rmdir on the install media.
+			[ "$_r/*" = "$( echo "$_r"/* )" ] && rm -rf "$_r"
+		else
+			rm -f "$_r"
+		fi
 	done
-)
+}
 
-if [ -z "$drivers" ]; then
-	echo "No devices found which need firmware files to be downloaded." >&2
-	exit 0
+usage() {
+	echo "usage: fw_install [-d dir | -L dir] [driver | file [...]]"
+	exit 2
+}
+
+DOWNLOADDIR=
+LOCALDIR=
+while getopts d:L: name
+do
+       case "$name" in
+       d) DOWNLOADDIR=$OPTARG ;;
+       L) LOCALDIR=$OPTARG    ;;
+       ?) usage 2 ;;
+       esac
+done
+shift $((OPTIND - 1))
+
+if [[ -n "$DOWNLOADDIR" && -n "$LOCALDIR" ]]; then
+	echo "Cannot use -d and -L" >&2
+	usage 2
 fi
 
-tmpdir=${DESTDIR}/tmp/fw_update
-[ -e "$tmpdir" ] && rm -rf "$tmpdir"
-mkdir -p "$tmpdir"
-cd "$tmpdir"
+set -A devices -- "$@"
 
-# TODO: Drop privs during fetch and verify
-ftp -D Get -Vm "$FWURL/SHA256.sig"
+[ "${devices[*]:-}" ] ||
+    set -A devices -- $( devices_needing_firmware )
 
-# Probably should bundle the firmware sigfile on the installer,
-# although we can just get it from the recently installed system.
-if [ "$DESTDIR" ]; then
-	sigfile=$( sed -n '/^untrusted comment: verify with \(.*\)$/ { s//\1/p; q; }' SHA256.sig )
-	if [ ! -e "/etc/signify/$sigfile" ] \
-	  && [ -e "${DESTDIR}/etc/signify/$sigfile" ]; then
-		cp -a "${DESTDIR}/etc/signify/$sigfile" "/etc/signify/$sigfile"
-	fi
+if [ ! "${devices[*]:-}" ]; then
+	echo "No devices found which need firmware files to be downloaded."
+	exit
 fi
 
-signify -Ve -x SHA256.sig -m - < SHA256.sig > SHA256
+# Have to find the full path to firmware files
+# so we can cd and still find them later.
+i=0
+while (( i < "${#devices[@]}" )); do
+	f="${devices[$i]}"
+	d=$( firmware_devicename "$f" )
+	if [ -e "$f" ]; then
+		if [ "$DOWNLOADDIR" ]; then
+			echo "Cannot download local file $f" >&2
+			exit 2
+		fi
+		devices[$i]="$d:$( realpath "$f" )"
+	fi
+	i=$((i + 1))
+done
 
-for d in $drivers; do
-	firmware=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" SHA256 )
-	installed=$( installed_firmware $d )
+if [ "$DOWNLOADDIR" ]; then
+	if ! cd "$DOWNLOADDIR"; then
+		echo "Unable to use $DOWNLOADDIR, make sure it is a directory"
+		exit 2
+	fi
+elif [ "$LOCALDIR" ]; then
+	if ! cd "$LOCALDIR"; then
+		echo "Unable to use $LOCALDIR, make sure it is a directory"
+		exit 2
+	fi
+else
+	TMPDIR=$( tmpdir "${DESTDIR}/tmp/fw_install" )
+	cd "$TMPDIR"
+fi
 
-	for i in $installed; do
-		if [ "$firmware" = "$i.tgz" ]; then
-			echo "Firmware for $d already installed ($installed)"
-			continue 2
-		fi
-	done
+if ! [[ -n "$LOCALDIR" && -e "$CFILE" ]]; then
+	fetch "$CFILE"
+	! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE" &&
+	    echo "Signature check of SHA256.sig failed" >&2 && exit 1
+fi
 
-	mkdir $d
+for d in "${devices[@]}"; do
+	f="${d##*:}"
+	if [ "$f" = "$d" ]; then
+		f=$( firmware_filename "$d" || true )
+		[ "$f" ] || continue
+	else
+		d="${d%:*}"
+	fi
 
-	# TODO: Drop privs during fetch and verify
-	ftp -D "Get/Verify" -Vmo- "$FWURL/$firmware" | sha256 -bph "$d/h" > "$firmware"
-	fgrep -qx "SHA256 ($firmware) = $(<$d/h)" SHA256
+	set -A installed -- $( installed_firmware "$d" )
 
-	# TODO: Check hash for files before deleting
-	if [ "$installed" ] && [ -e "${PKGDIR}/$installed/+CONTENTS" ]; then
-		echo "Uninstalling $installed"
-		cwd=${PKGDIR}/$installed
+	if [ ! "$DOWNLOADDIR" ] && [ "${installed[*]:-}" ]; then
+		for i in "${installed[@]}"; do
+			if [ "${f##*/}" = "$i.tgz" ]; then
+				echo "$i already installed"
+				continue 2
+			fi
+		done
+	fi
 
-		remove="${cwd}/+CONTENTS ${cwd}"
+	if [ ! -e "$f" ]; then
+		[ "$LOCALDIR" ] && echo "Cannot install $f, not found" >&2 && continue
+		fetch  "$f" || continue
+		verify "$f" || continue
+	elif [ "$DOWNLOADDIR" ]; then
+		echo "Already have $f"
+		verify "$f" || continue
+	fi
 
-		while read c g; do
-			case $c in
-			@cwd) cwd=$g
-			  ;;
-			@*) continue
-			  ;;
-			*)  remove="$cwd/$c $remove"
-			  ;;
-			esac
-		done < "${PKGDIR}/$installed/+CONTENTS"
+	[ "$DOWNLOADDIR" ] && continue
 
-		for r in $remove ; do
-			if [ -d "$r" ]; then
-				# Try hard not to actually remove recursively
-				# without rmdir on the install media.
-				[ "$r/*" = $( echo "$r"/* ) ] && rm -rf "$r"
-			else
-				rm -f "$r"
-			fi
+	if [ "${installed[*]:-}" ]; then
+		for i in "${installed[@]}"; do
+			delete_firmware "$i"
 		done
 	fi
 
-	# TODO: Add some details about the install to +CONTENTS like pkg_add
-	# TODO: Or, maybe we save the firmware someplace and make pkg_add reinstall
-	echo "Installing $firmware"
-	tar -zxphf "$firmware" -C /etc "firmware/*"
-	mkdir -p ${PKGDIR}/${firmware%.tgz}/
-	tar -zxphf "$firmware" -C "${PKGDIR}/${firmware%.tgz}" "+*"
-	ed -s "${PKGDIR}/${firmware%.tgz}/+CONTENTS" <<EOL
-/^@comment pkgpath/ -1a
-@option manual-installation
-@option firmware
-@comment install-script
-.
-w
-EOL
+	add_firmware "$f"
 done