#!/bin/ksh # $OpenBSD$ set -e # Fake up some things from install.sub that we don't need to actually do prefetcharea_fs_list() { echo "${DESTDIR}/tmp" } # tmpdir, do_as, unpriv, and unpriv2 are from install.sub # Create a temporary directory based on the supplied directory name prefix. tmpdir() { local _i=1 _dir until _dir="${1?}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do ((++_i < 10000)) || return 1 done echo "$_dir" } # Run a command ($2+) as unprivileged user ($1). # Take extra care that after "cmd" no "user" processes exist. # # Optionally: # - create "file" and chown it to "user" # - after "cmd", chown "file" back to root # # Usage: do_as user [-f file] cmd do_as() { (( $# >= 2 )) || return local _file _rc _user=$1 shift if [[ $1 == -f ]]; then _file=$2 shift 2 fi if [[ -n $_file ]]; then >$_file chown "$_user" "$_file" fi doas -u "$_user" "$@" _rc=$? while doas -u "$_user" kill -9 -1 2>/dev/null; do echo "Processes still running for user $_user after: $@" sleep 1 done [[ -n $_file ]] && chown root "$_file" return $_rc } unpriv() { do_as _sndio "$@" } unpriv2() { do_as _file "$@" } VNAME=${VNAME:-$(sysctl -n kern.osrelease)} VERSION=${VERSION:-"${VNAME%.*}${VNAME#*.}"} FWDIR=${FWDIR:-$VNAME} MODE=${MODE:-install} # TODO: We need the firmware for the system we just installed # not the one we booted from. For example: # * booting from a snapshot bsd.rd that thinks it is the 7.0 release # will install the firmware from the 7.0 directory instead of # from the snapshots dir. # If they're using sysupgrade, then the installer kernel will be correct. # If we're doing this in the installer we can check what they picked # for downloading sets and use that value. # Otherwise, the fw_update after first boot will fix it up for us. HTTP_FWDIR=$FWDIR set -- sed -n "/^OpenBSD $VNAME\([^ ]*\).*$/s//\1/p" /var/run/dmesg.boot [[ $1 == -!(stable) ]] && HTTP_FWDIR=snapshots FWURL=http://firmware.openbsd.org/firmware/${HTTP_FWDIR} FWPUB_KEY=${DESTDIR}/etc/signify/openbsd-${VERSION}-fw.pub FWPATTERNS="${DESTDIR}/usr/share/misc/firmware_patterns" # TODO: support srclocal installation of firmware somehow fw_install() { local _src=$1 _tmpfs_list _tmpfs _tmpsrc \ _t=Get _cfile="/tmp/SHA256" _pkgdir=${DESTDIR}/var/db/pkg \ _f _r _remove _i _installed local _srclocal=false _unpriv=unpriv echo "Let's $MODE firmware!" local _d _drivers=$( last='' while read _d _m; do grep=grep [ "$last" = "$_d" ] && continue [ "$_m" ] || _m="^$_d[0-9][0-9]* at " [ "$_m" = "${_m#^}" ] && grep=fgrep $grep -q "$_m" /var/run/dmesg.boot || continue echo $_d last=$_d done < $FWPATTERNS ) if [ -z "$_drivers" ]; then echo "No devices found which need firmware files to be downloaded." return fi ! _tmpfs_list=$(prefetcharea_fs_list) && echo "Cannot determine prefetch area" >&2 && return for _tmpfs in $_tmpfs_list; do # Try to clean up from previous runs, assuming # the _tmpfs selection yields the same mount # point. for _tmpsrc in $_tmpfs/firmware.+([0-9]).+([0-9]); do [[ -d $_tmpsrc ]] && rm -r $_tmpsrc done # Create a download directory for the firmware and # check that the _sndio user can read files from # it. Otherwise cleanup and skip the filesystem. if _tmpsrc=$(tmpdir "$_tmpfs/firmware"); then ( >$_tmpsrc/t && $_unpriv cat $_tmpsrc/t ) >/dev/null 2>&1 && break || rm -r $_tmpsrc fi done [[ ! -d $_tmpsrc ]] && echo "Cannot create prefetch area" >&2 && return 1 # Cleanup from previous runs. rm -f $_cfile $_cfile.sig _t=Get/Verify ! $_unpriv ftp -D "$_t" -Vmo - "$_src/SHA256.sig" >"$_cfile.sig" && echo "Cannot fetch SHA256.sig" >&2 && return 1 # Verify signature file with public keys. ! $_unpriv -f "$_cfile" \ signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" && echo "Signature check of SHA256.sig failed" >&2 && return 1 for _d in $_drivers; do _f=$( sed -n "s/.*(\($_d-firmware-.*\.tgz\)).*/\1/p" "$_cfile" ) _installed=$( for fw in "${_pkgdir}/$_d-firmware"*; do [ -e "$fw" ] || continue echo ${fw##*/} done ) for _i in $_installed; do if [ "$_f" = "$_i.tgz" ]; then echo "$_i already installed" continue 2 fi done rm -f /tmp/h /tmp/fail # Fetch firmware file and create a checksum by piping through # sha256. Create a flag file in case ftp failed. Firmware # from net is written to the prefetch area. ( $_unpriv ftp -D "$_t" -Vmo - "$_src/$_f" || >/tmp/fail ) | ( $_srclocal && unpriv2 sha256 -b >/tmp/h || unpriv2 -f /tmp/h sha256 -bph /tmp/h >"$_tmpsrc/$_f" ) # Handle failed transfer. if [[ -f /tmp/fail ]]; then rm -f "$_tmpsrc/$_f" echo "Fetching of $_f failed!" >&2 continue fi # Verify firmware by comparing its checksum with SHA256. if ! fgrep -qx "SHA256 ($_f) = $(&2 continue fi # TODO: Check hash for files before deleting if [ "$_installed" ] && [ -e "${_pkgdir}/$_installed/+CONTENTS" ]; then echo "Uninstalling $_installed" cwd=${_pkgdir}/$_installed set -A _remove -- "${cwd}/+CONTENTS" "${cwd}" while read c g; do case $c in @cwd) cwd="${DESTDIR}/$g" ;; @*) continue ;; *) set -A _remove -- "$cwd/$c" "${_remove[@]}" ;; esac done < "${_pkgdir}/$_installed/+CONTENTS" # We specifically rm -f here because not removing files/dirs # is probably not worth failing over. for _r in "${_remove[@]}" ; do if [ -d "$_r" ]; then # Try hard not to actually remove recursively # without rmdir on the install media. [ "$_r/*" = $( echo "$_r"/* ) ] && rm -rf "$_r" else rm -f "$_r" fi done fi # TODO: Should we mark these so real fw_update can -Drepair? ftp -D "Install" -Vmo- "file:$_tmpsrc/$_f" | tar -s ",^\+,${_pkgdir}/${_f%.tgz}/+," \ -s ",^firmware,${DESTDIR}/etc/firmware," \ -C / -zxphf - "+*" "firmware/*" ed -s "${_pkgdir}/${_f%.tgz}/+CONTENTS" <