vendor.sh: Properly verify SHA512SUM on extraction

I currently check the downloaded files e.g. .exe file, but
then I don't check - or even define - sha512sums for the
files extracted from them e.g. me.bin

This patch fixes that. It also caches the hashed files, so
that extraction is faster on a re-run - this makes release
builds go faster, when running ./mk release

If a checksum is not defined, i.e. blank, then a warning is
given, telling you to check a specific directory. This way,
when adding new vendor files, you can add it first without
specifying the checksum, e.g. me.bin checksum. Then you can
manually inspect the files that were extracted, and define it,
then test again.

In a given pkg.cfg for config/vendor, the following variables
are now available for use:

FSPM_bin_hash for fsp m module
FSPS_bin_hash for fsp s module
EC_FW1_hash for KBC1126 EC firmware (1st file)
EC_FW2_hash for KBC1126 EC firmware (2nd file)
ME_bin_hash for me.bin
MRC_bin_hash for mrc.bin (broadwell boards)
REF_bin_hash for refcode (broadwell boards)
SCH5545EC_bin_hash for sch5545 firmware (Dell Precision T1650)
TBFW_bin_hash for Lenovo ThunderBolt firmware (e.g. T480/T480s)
E6400_VGA_bin_hash for Dell E6400 Nvidia VGA ROM

In practise, most people use release archives, and the
inject script, so I knew those were reliable, because the ROM
images were hashed prior to removing files. This patch benefits
people using lbmk.git directly, without using release files,
because now they know they have a valid file e.g. me.bin

Previously, only the download was checked, not the extracted
files, which meant that the only thing preventing a brick was
the code not being buggy. Any number of bugs could pop up in
the future, so this new level of integrity will protect against
such a scenario, and provide early warning prompting bug fixes.

Signed-off-by: Leah Rowe <leah@libreboot.org>

1 files changed, 17 insertions, 9 deletions

diff --git a/include/get.sh b/include/get.sh
index 74adb6be..4bcccceb 100644
--- a/include/get.sh
+++ b/include/get.sh
@@ -84,8 +84,11 @@ xbmkget()
 	[ "$1" = "curl" ] || [ "$1" = "copy" ] || [ "$1" = "git" ] || \
 	    err "Bad dlop (arg 1): xbmkget $*"
 
+	echk="f" && [ "$1" = "git" ] && echk="d"
+
 	for url in "$2" "$3"; do
-		[ -n "$url" ] && try_file "$url" "$@" && return 0
+		[ -n "$url" ] && try_file "$url" "$@" && \
+		    eval "[ -$echk \"$4\" ] && return 0"
 	done && err "$1 $2 $3 $4: not downloaded"; :
 }
 
@@ -100,11 +103,10 @@ try_file()
 	echk="d" && [ "$2" != "git" ] && echk="f" && \
 	    bad_checksum "$6" "$cached" 2>/dev/null && x_ rm -f "$cached"
 
-	e "$cached" $echk || try_$2 "$cached" "$@" || return 1
-	if e "$5" $echk && [ "$2" != "git" ]; then
-		bad_checksum "$6" "$5" 2>/dev/null && x_ cp "$cached" "$5"
-	fi
-	e "$cached" $echk missing && return 1
+	eval "[ -$echk \"$cached\" ] || try_$2 \"\$cached\" \"\$@\" || return 1"
+	[ "$2" != "git" ] && [ -f "$5" ] && \
+	    bad_checksum "$6" "$5" 2>/dev/null && x_ cp "$cached" "$5"
+	eval "[ -$echk \"$cached\" ] || return 1"
 
 	if [ "$2" = "git" ]; then
 		tmpclone "$cached" "$5" "$6" "$7" || return 1
@@ -113,6 +115,8 @@ try_file()
 		[ "$cached" != "$5" ] && x_ cp "$cached" "$5"
 		bad_checksum "$6" "$5" && x_ rm -f "$5" && return 1; :
 	fi
+
+	eval "[ -$echk \"$5\" ] || return 1"
 }
 
 try_curl()
@@ -146,9 +150,13 @@ try_git()
 
 bad_checksum()
 {
-	[ ! -f "$2" ] || [ "$(sha512sum "$2" | awk '{print $1}')" != "$1" ] \
-	    || return 1
-	printf "Bad checksum for file: %s\n" "$2" 1>&2
+	[ ! -f "$2" ] && printf "File '%s' missing (sha512sum '%s')\n" \
+	    "$2" "$1" 1>&2 && return 0
+	fchksum="$(x_ sha512sum "$2" | awk '{print $1}')" || \
+	    err "Can't get sha512sum on '$2' (checking for sha512sum '$1')"
+	[ "$fchksum" != "$1" ] || return 1
+	printf "WARNING: BAD checksum for '%s' - expected '%s', got '%s'\n" \
+	    "$2" "$1" "$fchksum" 1>&2
 	x_ rm -f "$2"
 }