authorLeah Rowe <leah@libreboot.org>2023-08-24 20:19:41 +0100
committerLeah Rowe <leah@libreboot.org>2023-08-26 16:58:32 +0100
commit1c8401be25e4749a2eee5ddc77ce7c6ac880c910 (patch)
tree22789efec9b91ffddb21653a30b8591a8b63d3bf /resources/scripts/update/blobs/mrc
parent50c395df59564c19d3a24262810c8dd5ed115db5 (diff)
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe <leah@libreboot.org>
Diffstat (limited to 'resources/scripts/update/blobs/mrc')
-rwxr-xr-xresources/scripts/update/blobs/mrc49
1 files changed, 32 insertions, 17 deletions
diff --git a/resources/scripts/update/blobs/mrc b/resources/scripts/update/blobs/mrc
index 57cbede6..74899990 100755
--- a/resources/scripts/update/blobs/mrc
+++ b/resources/scripts/update/blobs/mrc
@@ -72,23 +72,23 @@ check_existing()
build_dependencies()
{
[ -d "${cbdir}/" ] || ./fetch_trees coreboot default || \
- err "cannot fetch coreboot/default"
+ err "build_dependencies: cannot fetch coreboot/default"
./build coreboot utils default || \
- err "cannot build cbutils/default"
+ err "build_dependencies: cannot build cbutils/default"
}
fetch_mrc()
{
- mkdir -p mrc/haswell/ || err "cannot mkdir mrc/haswell"
+ mkdir -p mrc/haswell/ || err "fetch_mrc: !mkdir mrc/haswell"
(
- cd mrc/haswell/
+ cd mrc/haswell/ || err "fetch_mrc: !cd mrc/haswell"
download_image ${_url} ${_file} ${_sha1sum}
[ -f ${_file} ] || \
download_image ${_url2} ${_file} ${_sha1sum}
[ -f $_file ] || \
- err "%{_file} not downloaded / verification failed."
+ err "fetch_mrc: ${_file} not downloaded / verification failed."
extract_partition ROOT-A ${_file} root-a.ext2
extract_shellball root-a.ext2 chromeos-firmwareupdate-${_board}
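Review bot: The `_url2` fallback in fetch_mrc (`[ -f ${_file} ] || download_image ${_url2} ${_file} ${_sha1sum}`) looks unreachable once the first download fails, because download_image now calls err on a curl failure as well as on a bad checksum. If err exits the subshell (its definition is not on this page), the mirror is never tried. Having download_image `return 1` on failure and writing `download_image ${_url} ${_file} ${_sha1sum} || download_image ${_url2} ${_file} ${_sha1sum}` would keep the strict final check and the mirror. `${_file}` is also unquoted in both tests; `[ -f "${_file}" ]` is safer. fetch_mrc continues in the next hunk.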
@@ -96,9 +96,9 @@ fetch_mrc()
extract_coreboot chromeos-firmwareupdate-${_board}
../../${cbfstool} coreboot-*.bin extract -f mrc.bin -n mrc.bin \
- -r RO_SECTION || err "Could not fetch mrc.bin"
+ -r RO_SECTION || err "fetch_mrc: could not fetch mrc.bin"
rm -f "chromeos-firmwareupdate-${_board}" coreboot-*.bin \
- "${_file}" "root-a.ext2"
+ "${_file}" "root-a.ext2" || err "fetch_mrc: cannot remove files"
printf "\n\nmrc.bin saved to ${_mrc_complete}\n\n"
)
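Review bot: The err calls added inside the `( ... )` subshell of fetch_mrc can only end the subshell, so a failed verification or cbfstool extraction reaches the parent shell only as the subshell's exit status. Unless the script runs under `set -e` or the code after the closing `)` tests that status (neither is visible here), fetch_mrc carries on after an error the commit means to be fatal. Closing the subshell with `) || err "fetch_mrc: subshell failed"` would propagate it. What follows the `)` is outside this hunk.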
@@ -111,16 +111,16 @@ download_image()
_sha1sum=${3}
printf "Downloading recovery image\n"
- curl "$url" > "$_file.zip"
+ curl "$url" > "$_file.zip" || err "download_image: curl failed"
printf "Verifying recovery image checksum\n"
if [ "$(sha1sum ${_file}.zip | awk '{print $1}')" = "${_sha1sum}" ]
then
- unzip -q "${_file}.zip"
- rm "${_file}.zip"
+ unzip -q "${_file}.zip" || err "download_image: cannot unzip"
+ rm -f "${_file}.zip" || err "download_image: can't rm zip {1}"
return 0
fi
- rm "${_file}.zip"
- err "Bad checksum. Recovery image deleted"
+ rm -f "${_file}.zip" || err "download_image: bad hash, and can't rm zip"
+ err "download_image: Bad checksum. Recovery image deleted"
}
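Review bot: `curl "$url" > "$_file.zip" || err ...` only catches transport failures, because curl without `--fail` exits 0 on an HTTP error response and writes the error page into the zip. The checksum comparison still rejects that file, but the failure is then reported as "Bad checksum" rather than a failed download; `curl --fail "$url" > "$_file.zip" || err "download_image: curl failed"` separates the two cases. The `{1}` in "can't rm zip {1}" is printed literally and looks like a leftover marker. Not changed by this commit, but the pinned digest is SHA-1, a weak integrity gate for an image whose contents are later run with `sh`; a SHA-256 pin would be stronger. The start of download_image is outside the hunk.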
extract_partition()
@@ -138,7 +138,8 @@ extract_partition()
SIZE=$(( $( echo ${ROOTP} | cut -f4 -d\ | tr -d "B" ) ))
dd if=${FILE} of=${ROOTFS} bs=${_bs} skip=$(( ${START} / ${_bs} )) \
- count=$(( ${SIZE} / ${_bs} )) > /dev/null
+ count=$(( ${SIZE} / ${_bs} )) || \
+ err "extract_partition: can't extract root file system"
}
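Review bot: The new `|| err` after dd does not fire when the partition lookup comes back empty, because `SIZE=$(( ... ))` then evaluates to 0 and dd with `count=0` exits successfully, leaving an empty root file system image. A guard before the dd call, such as `[ "${SIZE}" -gt 0 ] || err "extract_partition: partition not found or empty"`, would stop here instead of failing later in debugfs. `${FILE}` and `${ROOTFS}` are also unquoted in the dd arguments. The start of extract_partition, including how ROOTP and START are set, is outside the hunk.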
extract_shellball()
@@ -148,7 +149,7 @@ extract_shellball()
printf "Extracting chromeos-firmwareupdate\n"
printf "cd /usr/sbin\ndump chromeos-firmwareupdate ${SHELLBALL}\nquit" \
- | debugfs ${ROOTFS} > /dev/null 2>&1
+ | debugfs ${ROOTFS} || err "extract_shellball: debugfs"
}
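Review bot: `| debugfs ${ROOTFS} || err "extract_shellball: debugfs"` may not detect a failed `dump`, since depending on the e2fsprogs version debugfs can exit 0 even when a command read from stdin fails. The `[ -f "${_shellball}" ]` test added in extract_coreboot does catch the missing file, but it would report the failure closer to its cause if repeated here, e.g. `[ -f "${SHELLBALL}" ] || err "extract_shellball: ${SHELLBALL} not extracted"`. `${SHELLBALL}` is also expanded inside the printf format string; passing it as a `%s` argument avoids any `%` or backslash in the name being interpreted. The start of extract_shellball is outside the hunk.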
extract_coreboot()
@@ -157,13 +158,27 @@ extract_coreboot()
_unpacked=$( mktemp -d )
printf "Extracting coreboot image\n"
- sh ${_shellball} --unpack ${_unpacked} > /dev/null
+
+ [ -f "${_shellball}" ] || \
+ err "extract_coreboot: shellball missing in google peppy image"
+
+ sh ${_shellball} --unpack ${_unpacked} || \
+ err "extract_coreboot: shellball exits with non-zero status"
+
+ # TODO: audit the f* out of that shellball, for each mrc version.
+ # it has to be updated for each mrc update. we should ideally
+ # implement the functionality ourselves.
+
+ [ -f "${_unpacked}/VERSION" ] || \
+ err "extract_coreboot: VERSION file missing on google coreboot rom"
_version=$( cat ${_unpacked}/VERSION | grep BIOS\ version: | \
cut -f2 -d: | tr -d \ )
- cp ${_unpacked}/bios.bin coreboot-${_version}.bin
- rm -r "${_unpacked}"
+ cp ${_unpacked}/bios.bin coreboot-${_version}.bin || \
+ err "extract_coreboot: cannot copy google peppy rom"
+ rm -Rf "${_unpacked}" || \
+ err "extract_coreboot: cannot remove extracted google peppy archive"
}
main $@
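Review bot: The new `[ -f "${_unpacked}/VERSION" ]` check confirms the file exists but not that the grep for "BIOS version:" matched, so `_version` can be empty or hold unexpected characters and still be used unquoted in the `coreboot-${_version}.bin` destination of cp. Adding `[ -n "${_version}" ] || err "extract_coreboot: BIOS version not found in VERSION"` and quoting the cp arguments (`cp "${_unpacked}/bios.bin" "coreboot-${_version}.bin"`) closes that gap. Every err path between `mktemp -d` and the final `rm -Rf` also leaves the unpacked vendor archive behind in the temp directory, so a cleanup before err or a trap would be worth adding. The function's opening lines are outside the hunk.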