summaryrefslogtreecommitdiff
path: root/resources/scripts/update/blobs/download
diff options
context:
space:
mode:
authorLeah Rowe <leah@libreboot.org>2023-08-24 20:19:41 +0100
committerLeah Rowe <leah@libreboot.org>2023-08-26 16:58:32 +0100
commit1c8401be25e4749a2eee5ddc77ce7c6ac880c910 (patch)
tree22789efec9b91ffddb21653a30b8591a8b63d3bf /resources/scripts/update/blobs/download
parent50c395df59564c19d3a24262810c8dd5ed115db5 (diff)
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe <leah@libreboot.org>
Diffstat (limited to 'resources/scripts/update/blobs/download')
-rwxr-xr-xresources/scripts/update/blobs/download205
1 files changed, 115 insertions, 90 deletions
diff --git a/resources/scripts/update/blobs/download b/resources/scripts/update/blobs/download
index c1babd13..422f0b3c 100755
--- a/resources/scripts/update/blobs/download
+++ b/resources/scripts/update/blobs/download
@@ -52,12 +52,15 @@ CONFIG_SMSC_SCH5545_EC_FW_FILE=""
main()
{
+ [ $# -gt 0 ] || \
+ err "No argument given"
+
board="${1}"
boarddir="${cbcfgsdir}/${board}"
- [ ! -d "${boarddir}" ] && \
+ [ -d "${boarddir}" ] || \
err "Board target, ${board}, not defined"
- [ ! -f "${boarddir}/target.cfg" ] && \
+ [ -f "${boarddir}/target.cfg" ] || \
err "Target missing target.cfg"
no_config="printf \"No config for target, %s\\n\" ${board} 1>&2; exit 0"
@@ -65,7 +68,7 @@ main()
[ -f "${x}" ] && no_config=""
done
eval "${no_config}"
-
+
detect_firmware || exit 0
scan_sources_config
@@ -89,7 +92,7 @@ detect_firmware()
[ "${CONFIG_INCLUDE_SMSC_SCH5545_EC_FW}" = "y" ] && \
needs="${needs} SCH5545EC"
[ -z ${needs+x} ] && \
- printf 'No binary blobs needed for this board\n' && \
+ printf "No binary blobs needed for this board\n" && \
return 1
printf "Firmware needed for board '%s':\n%s\n" ${board} ${needs}
}
@@ -155,16 +158,19 @@ build_dependencies()
{
[ -d ${cbdir} ] || \
./fetch_trees coreboot ${cbdir##*/} || \
- err "can't download to ${cbdir}"
+ err "build_dependencies: can't fetch ${cbdir}"
for d in uefitool biosutilities bios_extract me_cleaner; do
[ -d "${d}" ] && continue
- ./fetch ${d} || err "can't download ${d}"
+ ./fetch "${d}" || \
+ err "build_dependencies: can't fetch ${d}"
done
[ -f uefitool/uefiextract ] || \
- ./build src for -b uefitool || err "can't build uefitool"
- [ -f ${cbdir}/util/kbc1126/kbc1126_ec_dump ] || \
+ ./build src for -b uefitool || \
+ err "build_dependencies: can't build uefitool"
+ if [ ! -f ${cbdir}/util/kbc1126/kbc1126_ec_dump ]; then
make -BC ${cbdir}/util/kbc1126 || \
- err "can't build kbc1126_ec_dump"
+ err "build_dependencies: can't build kbc1126_ec_dump"
+ fi
}
download_blobs()
@@ -184,8 +190,9 @@ download_blobs()
esac
done
- [ -z ${_failed+x} ] || \
- err "failed to obtain ${_failed}\nTry manual extraction?"
+ if [ ! -z ${_failed+x} ]; then
+ err "download_blobs: can't download blobs: ${_failed}\n"
+ fi
}
download_blob_intel_me()
@@ -203,11 +210,13 @@ extract_blob_intel_me()
_me_destination=${CONFIG_ME_BIN_PATH#../../}
[ -d "${_me_destination%/*}" ] || \
- mkdir -p ${_me_destination%/*}
- [ -d "${appdir}" ] && \
- rm -Rf ${appdir}
+ mkdir -p ${_me_destination%/*} || \
+ err "extract_blob_intel_me: mkdir ${_me_destination%/*}"
+ [ ! -d "${appdir}" ] || \
+ rm -Rf "${appdir}" || \
+ err "extract_blob_intel_me: can't rm -Rf \"${appdir}\""
if [ -f "${_me_destination}" ]; then
- printf 'me already downloaded\n'
+ printf "Intel ME firmware already downloaded\n" 1>&2
return 0
fi
@@ -216,12 +225,16 @@ extract_blob_intel_me()
innoextract ${dl_path} -d ${appdir} || \
7z x ${dl_path} -o${appdir} || \
unar "${dl_path}" -o "${appdir}" || \
- err "Could not extract vendor update"
+ err "extract_blob_intel_me: could not extract vendor update"
bruteforce_extract_blob_intel_me "$(pwd)/${_me_destination}" \
- "$(pwd)/${appdir}" || err "Could not extract Intel ME firmware"
+ "$(pwd)/${appdir}" || \
+ err "extract_blob_intel_me: could not extract Intel ME firmware"
- printf "Truncated and cleaned me output to ${_me_destination}\n"
+ [ -f "${_me_destination}" ] || \
+ err "extract_blob_intel_me, ${board}: me.bin missing"
+
+ printf "Truncated and cleaned me output to: %s\n" "${_me_destination}"
}
# cursed, carcinogenic code. TODO rewrite it better
@@ -237,7 +250,8 @@ bruteforce_extract_blob_intel_me()
(
printf "Entering %s\n" "${cdir}"
- cd "${cdir}" || err "cannot enter directory, ${cdir}"
+ cd "${cdir}" || \
+ err "bruteforce_extract_blob_intel_me: can't cd \"${cdir}\""
for i in *; do
if [ -f "${_me_destination}" ]; then
# me.bin found, so avoid needless further traversal
@@ -247,37 +261,33 @@ bruteforce_extract_blob_intel_me()
continue
elif [ -f "${i}" ]; then
"${mecleaner}" -r -t -O "${sdir}/vendorfile" \
- -M "${_me_destination}" "${i}" \
- && break # (we found me.bin)
+ -M "${_me_destination}" "${i}" \
+ && break # (we found me.bin)
"${mecleaner}" -r -t -O "${_me_destination}" "${i}" \
- && break # (we found me.bin)
+ && break # (we found me.bin)
"${me7updateparser}" -O ${_me_destination} "${i}" \
- && break # (we found me.bin)
+ && break # (we found me.bin)
_7ztest="${_7ztest}a"
7z x "${i}" -o${_7ztest} \
|| innoextract "${i}" -d "${_7ztest}" \
|| unar "${i}" -o "${_7ztest}" \
|| continue
bruteforce_extract_blob_intel_me "${_me_destination}" \
- "${cdir}/${_7ztest}"
+ "${cdir}/${_7ztest}"
elif [ -d "$i" ]; then
bruteforce_extract_blob_intel_me "${_me_destination}" \
- "${cdir}/${i}"
+ "${cdir}/${i}"
else
printf "SKIPPING: %s\n" "${i}"
continue
fi
cdir="${1}"
- cd "${cdir}"
+ cd "${cdir}" # audit note: we already checked this (see above)
done
)
- rm -Rf "${sdir}"
-
- if [ ! -f "${_me_destination}" ]; then
- printf "me.bin not found in vendor update for: %s\n" ${board}
- return 1
- fi
+ rm -Rf "${sdir}" || \
+ err "bruteforce_extract_blob_intel_me: can't rm -Rf \"${sdir}\""
}
download_ec()
@@ -295,39 +305,48 @@ extract_blob_kbc1126_ec()
_ec_destination=${CONFIG_KBC1126_FW1#../../}
[ -d "${_ec_destination%/*}" ] || \
- mkdir -p "${_ec_destination%/*}"
- [ -d "${appdir}" ] && \
- rm -Rf "${appdir}"
+ mkdir -p "${_ec_destination%/*}" || \
+ err "extract_blob_kbc1126_ec: !mkdir ${_ec_destination%/*}"
+ [ ! -d "${appdir}" ] || \
+ rm -Rf "${appdir}" || \
+ err "extract_blob_kbc1126_ec: !rm -Rf ${appdir}"
if [ -f "${_ec_destination}" ]; then
- printf "ec already downloaded\n"
+ printf "KBC1126 EC firmware already downloaded\n" 1>&2
return 0
fi
- unar "${dl_path}" -o "${appdir}"
+ unar "${dl_path}" -o "${appdir}" || \
+ err "extract_blob_kbc1126_ec: !unar \"${dl_path}\" -o \"${appdir}\""
(
- cd "${appdir}/${dl_path##*/}"
+ cd "${appdir}/${dl_path##*/}" || \
+ err "extract_blob_kbc1126_ec: !cd \"${appdir}/${dl_path##*/}\""
- mv Rompaq/68*.BIN ec.bin
+ mv Rompaq/68*.BIN ec.bin || :
if [ ! -f ec.bin ]; then
unar -D ROM.CAB Rom.bin || \
unar -D Rom.CAB Rom.bin || \
- unar -D 68*.CAB Rom.bin
- mv Rom.bin ec.bin
+ unar -D 68*.CAB Rom.bin || \
+ err "extract_blob_kbc1126_ec: can't extract ec.bin"
+ mv Rom.bin ec.bin || \
+ err "extract_blob_kbc1126_ec: *didn't* extract ec.bin"
fi
+ [ -f ec.bin ] || \
+ err "extract_blob_kbc1126_ec: ${board}: can't extract ec.bin"
- [ -f ec.bin ] || err "could not extract ec.bin for board, ${board}"
- "${kbc1126_ec_dump}" ec.bin
+ "${kbc1126_ec_dump}" ec.bin || \
+ err "extract_blob_kbc1126_ec: ${board}: can't extract ecfw1/2.bin"
)
+ ec_ex="y"
for i in 1 2; do
- [ -f "${appdir}/${dl_path##*/}/ec.bin.fw${i}" ] && continue
- printf "Could not extract EC firmware for: %s\n" \
- ${board}
- return 1
+ [ -f "${appdir}/${dl_path##*/}/ec.bin.fw${i}" ] || ec_ex="n"
done
+ [ "${ec_ex}" = "y" ] || \
+ err "extract_blob_kbc1126_ec: ${board}: didn't extract ecfw1/2.bin"
- cp "${appdir}/${dl_path##*/}"/ec.bin.fw* "${_ec_destination%/*}/"
+ cp "${appdir}/${dl_path##*/}"/ec.bin.fw* "${_ec_destination%/*}/" || \
+ err "extract_blob_kbc1126_ec: cant mv ecfw1/2 ${_ec_destination%/*}"
}
download_e6400vga()
@@ -345,37 +364,41 @@ extract_e6400vga()
_vga_destination=${CONFIG_VGA_BIOS_FILE#../../}
if [ -f "${_vga_destination}" ]; then
- printf 'vga rom already downloaded\n'
+ printf "extract_e6400vga: vga rom already downloaded\n" 1>&2
return 0
fi
[ -d "${_vga_destination%/*}" ] || \
- mkdir -p ${_vga_destination%/*}
- [ -d "${appdir}" ] && \
- rm -Rf ${appdir}
-
- mkdir -p "${appdir}"
- cp "${dl_path}" "${appdir}"
-
- if [ "${e6400_vga_offset}" = "" ]; then
- printf "E6400 VGA offset not defined\n"
- return 1
- elif [ "${e6400_vga_romname}" = "" ]; then
- printf "E6400 VGA ROM name not defined\n"
- return 1
- fi
+ mkdir -p ${_vga_destination%/*} || \
+ err "extract_e6400vga: can't mkdir ${_vga_destination%/*}"
+ [ ! -d "${appdir}" ] || \
+ rm -Rf ${appdir} || \
+ err "extract_e6400vga: can't rm -Rf ${appdir}"
+
+ mkdir -p "${appdir}" || \
+ err "extract_e6400vga: can't mkdir ${appdir}"
+ cp "${dl_path}" "${appdir}" || \
+ err "extract_e6400vga: can't copy vendor update"
+
+ [ "${e6400_vga_offset}" = "" ] && \
+ err "extract_e6400vga: E6400 VGA offset not defined"
+ [ "${e6400_vga_romname}" = "" ] && \
+ err "extract_e6400vga: E6400 VGA ROM name not defined"
(
- cd "${appdir}"
- tail -c +${e6400_vga_offset} "${dl_path##*/}" \
- | gunzip > bios.bin
+ cd "${appdir}" || \
+ err "extract_e6400vga: can't cd ${appdir}"
+ tail -c +${e6400_vga_offset} "${dl_path##*/}" | gunzip > bios.bin || \
+ err "extract_e6400vga: can't gunzip > bios.bin"
+
[ -f "bios.bin" ] || \
- err "Could not extract bios.bin from Dell E6400 update"
+ err "extract_e6400vga: can't extract bios.bin from update"
"${e6400_unpack}" bios.bin || printf "TODO: fix dell extract util\n"
[ -f "${e6400_vga_romname}" ] || \
- err "Could not extract VGA ROM from Dell E6400 BIOS update"
+ err "extract_e6400vga: can't extract vga rom from bios.bin"
)
- cp "${appdir}"/"${e6400_vga_romname}" "${_vga_destination}"
+ cp "${appdir}"/"${e6400_vga_romname}" "${_vga_destination}" || \
+ err "extract_e6400vga: can't copy vga rom to ${_vga_destination}"
printf "E6400 Nvidia ROM saved to: %s\n" "${_vga_destination}"
}
@@ -398,16 +421,18 @@ extract_sch5545ec()
_sch5545ec_destination=${CONFIG_SMSC_SCH5545_EC_FW_FILE#../../}
if [ -f "${_sch5545ec_destination}" ]; then
- printf 'sch5545 firmware already downloaded\n'
+ printf "sch5545 firmware already downloaded\n" 1>&2
return 0
fi
- [ -d "${appdir}" ] rm -Rf "${appdir}"
+ [ ! -d "${appdir}" ] || rm -Rf "${appdir}" || \
+ err "extract_sch5545ec: can't remove ${appdir}"
- mkdir -p "${appdir}/"
- cp "${dl_path}" "${appdir}/"
+ mkdir -p "${appdir}/" || err "extract_sch5545ec: !mkdir ${appdir}"
+ cp "${dl_path}" "${appdir}/" || \
+ err "extract_sch5545ec: can't copy vendor update file"
python "${pfs_extract}" "${appdir}/${dlsum}" -e || \
- err "cannot extract archive (dell, sch5545)"
+ err "extract_sch5545ec: can't extract from vendor update"
# full system ROM (UEFI), to extract with UEFIExtract:
_bios="${appdir}/${dlsum}_extracted/Firmware"
@@ -419,15 +444,16 @@ extract_sch5545ec()
_sch5545ec_fw="${_sch5545ec_fw}/0 Raw section/body.bin" # <-- this!
# this makes the file defined by _sch5545ec_fw available to copy
- "${uefiextract}" "${_bios}" || err "cannot extract dell uefi image"
+ "${uefiextract}" "${_bios}" || \
+ err "extract_sch5545ec: cannot extract from uefi image"
cp "${_sch5545ec_fw}" "${_sch5545ec_destination}" || \
- err "cannot copy sch5545ec firmware file"
+ err "extract_sch5545ec: cannot copy sch5545ec firmware file"
}
fetch_update()
{
- printf "Fetching vendor update for board: %s\n" ${board}
+ printf "Fetching vendor update for board: %s\n" "${board}"
fw_type="${1}"
dl=""
@@ -450,39 +476,38 @@ fetch_update()
dl_bkup="${sch5545ec_dl_url_bkup}"
dlsum="${sch5545ec_dl_hash}"
else
- printf "Unsupported download type: %s\n" ${fw_type}
- return 1
+ err "fetch_update: Unsupported download type: ${fw_type}"
fi
- if [ -z "${dl_url+x}" ] && [ "${fw_type}" != "e6400vga" ]; then
- printf "No vendor update specified for board: %s\n" ${board}
- return 1
- fi
+ [ -z "${dl_url+x}" ] && [ "${fw_type}" != "e6400vga" ] && \
+ err "fetch_update ${fw_type}: dl_url unspecified for: ${board}"
dl_path=${blobdir}/cache/${dlsum}
- mkdir -p ${blobdir}/cache
+ mkdir -p ${blobdir}/cache || err "fetch_update: !mkdir ${blobdir}/cache"
dl_fail="y"
vendor_checksum ${dlsum} && dl_fail="n"
for x in "${dl}" "${dl_bkup}"; do
[ "${dl_fail}" = "n" ] && break
- rm -f "${dl_path}"
- wget -U "${agent}" ${x} -O ${dl_path}
+ [ -z "${x}" ] && continue
+ rm -f "${dl_path}" || \
+ err "fetch_update ${fw_type}: !rm -f ${dl_path}"
+ wget -U "${agent}" ${x} -O ${dl_path} || continue
vendor_checksum ${dlsum} && dl_fail="n"
done
if [ "${dl_fail}" = "y" ]; then
- printf "Could not download blob file\n" 1>&2
- return 1
+ printf "ERROR: invalid vendor updates for: %s\n" "${board}" 1>&2
+ err "fetch_update ${fw_type}: matched vendor update unavailable"
fi
}
vendor_checksum()
{
if [ ! -f "${dl_path}" ]; then
- printf "Vendor update not found on disk for: %s\n" ${board}
+ printf "Vendor update not found on disk for: %s\n" ${board} 1>&2
return 1
elif [ "$(sha1sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then
- printf "Bad checksum on vendor update for: %s\n" ${board}
+ printf "Bad checksum on vendor update for: %s\n" ${board} 1>&2
return 1
fi
}