author | Leah Rowe <leah@libreboot.org> | 2023-08-24 20:19:41 +0100 |
---|---|---|
committer | Leah Rowe <leah@libreboot.org> | 2023-08-26 16:58:32 +0100 |
commit | 1c8401be25e4749a2eee5ddc77ce7c6ac880c910 (patch) | |
tree | 22789efec9b91ffddb21653a30b8591a8b63d3bf /resources/scripts/update/blobs/mrc | |
parent | 50c395df59564c19d3a24262810c8dd5ed115db5 (diff) |
much, much stricter, more verbose error handling
lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.
also: in "fetch", remove the downloaded program
if fail() was called.
this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.
where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.
also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.
also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout
as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error
mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.
certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds
certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.
doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.
Signed-off-by: Leah Rowe <leah@libreboot.org>
Diffstat (limited to 'resources/scripts/update/blobs/mrc')
-rwxr-xr-x | resources/scripts/update/blobs/mrc | 49 |
1 files changed, 32 insertions, 17 deletions
diff --git a/resources/scripts/update/blobs/mrc b/resources/scripts/update/blobs/mrc
index 57cbede6..74899990 100755
--- a/resources/scripts/update/blobs/mrc
+++ b/resources/scripts/update/blobs/mrc
@@ -72,23 +72,23 @@ check_existing()
 build_dependencies()
 {
 [ -d "${cbdir}/" ] || ./fetch_trees coreboot default || \
- err "cannot fetch coreboot/default"
+ err "build_dependencies: cannot fetch coreboot/default"
 ./build coreboot utils default || \
- err "cannot build cbutils/default"
+ err "build_dependencies: cannot build cbutils/default"
 }
 fetch_mrc()
 {
- mkdir -p mrc/haswell/ || err "cannot mkdir mrc/haswell"
+ mkdir -p mrc/haswell/ || err "fetch_mrc: !mkdir mrc/haswell"
 (
- cd mrc/haswell/
+ cd mrc/haswell/ || err "fetch_mrc: !cd mrc/haswell"
 download_image ${_url} ${_file} ${_sha1sum}
 [ -f ${_file} ] || \
 download_image ${_url2} ${_file} ${_sha1sum}
 [ -f $_file ] || \
- err "%{_file} not downloaded / verification failed."
+ err "fetch_mrc: ${_file} not downloaded / verification failed."
 extract_partition ROOT-A ${_file} root-a.ext2
 extract_shellball root-a.ext2 chromeos-firmwareupdate-${_board}
@@ -96,9 +96,9 @@ fetch_mrc()
 extract_coreboot chromeos-firmwareupdate-${_board}
 ../../${cbfstool} coreboot-*.bin extract -f mrc.bin -n mrc.bin \
- -r RO_SECTION || err "Could not fetch mrc.bin"
+ -r RO_SECTION || err "fetch_mrc: could not fetch mrc.bin"
 rm -f "chromeos-firmwareupdate-${_board}" coreboot-*.bin \
- "${_file}" "root-a.ext2"
+ "${_file}" "root-a.ext2" || err "fetch_mrc: cannot remove files"
 printf "\n\nmrc.bin saved to ${_mrc_complete}\n\n"
 )
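Review bot: The checks added inside the `( … )` subshell in fetch_mrc, starting with `cd mrc/haswell/ || err "fetch_mrc: !cd mrc/haswell"`, can only end the subshell if err works by calling exit; the parent shell carries on unless the subshell's status is tested. The closing `)` is in the following hunk and what comes after it is not shown, so confirm the status is propagated there, for example `) || err "fetch_mrc: extraction failed"`. In the same block `${_url}`, `${_file}` and `${_sha1sum}` are still passed unquoted to download_image.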
@@ -111,16 +111,16 @@ download_image()
 _sha1sum=${3}
 printf "Downloading recovery image\n"
- curl "$url" > "$_file.zip"
+ curl "$url" > "$_file.zip" || err "download_image: curl failed"
 printf "Verifying recovery image checksum\n"
 if [ "$(sha1sum ${_file}.zip | awk '{print $1}')" = "${_sha1sum}" ]
 then
- unzip -q "${_file}.zip"
- rm "${_file}.zip"
+ unzip -q "${_file}.zip" || err "download_image: cannot unzip"
+ rm -f "${_file}.zip" || err "download_image: can't rm zip {1}"
 return 0
 fi
- rm "${_file}.zip"
- err "Bad checksum. Recovery image deleted"
+ rm -f "${_file}.zip" || err "download_image: bad hash, and can't rm zip"
+ err "download_image: Bad checksum. Recovery image deleted"
 }
 extract_partition()
@@ -138,7 +138,8 @@ extract_partition()
 SIZE=$(( $( echo ${ROOTP} | cut -f4 -d\ | tr -d "B" ) ))
 dd if=${FILE} of=${ROOTFS} bs=${_bs} skip=$(( ${START} / ${_bs} )) \
- count=$(( ${SIZE} / ${_bs} )) > /dev/null
+ count=$(( ${SIZE} / ${_bs} )) || \
+ err "extract_partition: can't extract root file system"
 }
 extract_shellball()
@@ -148,7 +149,7 @@ extract_shellball()
 printf "Extracting chromeos-firmwareupdate\n"
 printf "cd /usr/sbin\ndump chromeos-firmwareupdate ${SHELLBALL}\nquit" \
- | debugfs ${ROOTFS} > /dev/null 2>&1
+ | debugfs ${ROOTFS} || err "extract_shellball: debugfs"
 }
 extract_coreboot()
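Review bot: The new `|| err` on the curl line in download_image makes the mirror fallback in fetch_mrc unreachable if err terminates the shell: fetch_mrc tries `${_url2}` only after download_image returns, but download_image now aborts on a transfer failure, as it already did on a hash mismatch. Returning a status instead, e.g. `curl "$url" > "$_file.zip" || return 1`, and calling err in fetch_mrc once both URLs have failed would keep the fallback working. On the verification itself, `curl` without `--fail` exits 0 on an HTTP error page, so the hash comparison is the only real gate, and that gate is SHA-1 for an image whose shellball is later run with `sh`; a SHA-256 or SHA-512 pin would be stronger. `sha1sum ${_file}.zip` is also expanded unquoted.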
@@ -157,13 +158,27 @@ extract_coreboot()
 _unpacked=$( mktemp -d )
 printf "Extracting coreboot image\n"
- sh ${_shellball} --unpack ${_unpacked} > /dev/null
+
+ [ -f "${_shellball}" ] || \
+ err "extract_coreboot: shellball missing in google peppy image"
+
+ sh ${_shellball} --unpack ${_unpacked} || \
+ err "extract_coreboot: shellball exits with non-zero status"
+
+ # TODO: audit the f* out of that shellball, for each mrc version.
+ # it has to be updated for each mrc update. we should ideally
+ # implement the functionality ourselves.
+
+ [ -f "${_unpacked}/VERSION" ] || \
+ err "extract_coreboot: VERSION file missing on google coreboot rom"
 _version=$( cat ${_unpacked}/VERSION | grep BIOS\ version: | \
 cut -f2 -d: | tr -d \ )
- cp ${_unpacked}/bios.bin coreboot-${_version}.bin
- rm -r "${_unpacked}"
+ cp ${_unpacked}/bios.bin coreboot-${_version}.bin || \
+ err "extract_coreboot: cannot copy google peppy rom"
+ rm -Rf "${_unpacked}" || \
+ err "extract_coreboot: cannot remove extracted google peppy archive"
 }
 main $@ |
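Review bot: The new VERSION-file check in extract_coreboot does not cover an empty parse result: if the `BIOS version:` line is absent, `_version` is empty and the copy silently produces `coreboot-.bin`; a guard such as `[ -n "${_version}" ] || err "extract_coreboot: cannot parse BIOS version"` before the `cp` would catch it. The `mktemp -d` result is also used unchecked, and `${_shellball}` and `${_unpacked}` are expanded unquoted on the `sh … --unpack` line. Assuming err exits, every new err path between `mktemp -d` and `rm -Rf` leaves the unpacked vendor archive behind in the temp directory. The start of extract_coreboot is outside the hunk.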