From d668f3a35296f0bc7884b18d49f523d7bb331c30 Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Thu, 15 May 2025 21:51:36 +0100 Subject: vendor.sh: Properly verify SHA512SUM on extraction I currently check the downloaded files e.g. .exe file, but then I don't check - or even define - sha512sums for the files extracted from them e.g. me.bin This patch fixes that. It also caches the hashed files, so that extraction is faster on a re-run - this makes release builds go faster, when running ./mk release If a checksum is not defined, i.e. blank, then a warning is given, telling you to check a specific directory. This way, when adding new vendor files, you can add it first without specifying the checksum, e.g. me.bin checksum. Then you can manually inspect the files that were extracted, and define it, then test again. In a given pkg.cfg for config/vendor, the following variables are now available for use: FSPM_bin_hash for fsp m module FSPS_bin_hash for fsp s module EC_FW1_hash for KBC1126 EC firmware (1st file) EC_FW2_hash for KBC1126 EC firmware (2nd file) ME_bin_hash for me.bin MRC_bin_hash for mrc.bin (broadwell boards) REF_bin_hash for refcode (broadwell boards) SCH5545EC_bin_hash for sch5545 firmware (Dell Precision T1650) TBFW_bin_hash for Lenovo ThunderBolt firmware (e.g. T480/T480s) E6400_VGA_bin_hash for Dell E6400 Nvidia VGA ROM In practise, most people use release archives, and the inject script, so I knew those were reliable, because the ROM images were hashed prior to removing files. This patch benefits people using lbmk.git directly, without using release files, because now they know they have a valid file e.g. me.bin Previously, only the download was checked, not the extracted files, which meant that the only thing preventing a brick was the code not being buggy. Any number of bugs could pop up in the future, so this new level of integrity will protect against such a scenario, and provide early warning prompting bug fixes. Signed-off-by: Leah Rowe --- include/get.sh | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) (limited to 'include/get.sh') diff --git a/include/get.sh b/include/get.sh index 74adb6be..4bcccceb 100644 --- a/include/get.sh +++ b/include/get.sh @@ -84,8 +84,11 @@ xbmkget() [ "$1" = "curl" ] || [ "$1" = "copy" ] || [ "$1" = "git" ] || \ err "Bad dlop (arg 1): xbmkget $*" + echk="f" && [ "$1" = "git" ] && echk="d" + for url in "$2" "$3"; do - [ -n "$url" ] && try_file "$url" "$@" && return 0 + [ -n "$url" ] && try_file "$url" "$@" && \ + eval "[ -$echk \"$4\" ] && return 0" done && err "$1 $2 $3 $4: not downloaded"; : } @@ -100,11 +103,10 @@ try_file() echk="d" && [ "$2" != "git" ] && echk="f" && \ bad_checksum "$6" "$cached" 2>/dev/null && x_ rm -f "$cached" - e "$cached" $echk || try_$2 "$cached" "$@" || return 1 - if e "$5" $echk && [ "$2" != "git" ]; then - bad_checksum "$6" "$5" 2>/dev/null && x_ cp "$cached" "$5" - fi - e "$cached" $echk missing && return 1 + eval "[ -$echk \"$cached\" ] || try_$2 \"\$cached\" \"\$@\" || return 1" + [ "$2" != "git" ] && [ -f "$5" ] && \ + bad_checksum "$6" "$5" 2>/dev/null && x_ cp "$cached" "$5" + eval "[ -$echk \"$cached\" ] || return 1" if [ "$2" = "git" ]; then tmpclone "$cached" "$5" "$6" "$7" || return 1 @@ -113,6 +115,8 @@ try_file() [ "$cached" != "$5" ] && x_ cp "$cached" "$5" bad_checksum "$6" "$5" && x_ rm -f "$5" && return 1; : fi + + eval "[ -$echk \"$5\" ] || return 1" } try_curl() @@ -146,9 +150,13 @@ try_git() bad_checksum() { - [ ! -f "$2" ] || [ "$(sha512sum "$2" | awk '{print $1}')" != "$1" ] \ - || return 1 - printf "Bad checksum for file: %s\n" "$2" 1>&2 + [ ! -f "$2" ] && printf "File '%s' missing (sha512sum '%s')\n" \ + "$2" "$1" 1>&2 && return 0 + fchksum="$(x_ sha512sum "$2" | awk '{print $1}')" || \ + err "Can't get sha512sum on '$2' (checking for sha512sum '$1')" + [ "$fchksum" != "$1" ] || return 1 + printf "WARNING: BAD checksum for '%s' - expected '%s', got '%s'\n" \ + "$2" "$1" "$fchksum" 1>&2 x_ rm -f "$2" } -- cgit v1.2.1 From 6dea381614d01abb58a3534cc62c2346ba654beb Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Sat, 17 May 2025 09:46:54 +0100 Subject: get.sh: fix bad mkdir command this is the mkdir call that createsn the directory where a cached git repository is moved to, during creation. Signed-off-by: Leah Rowe --- include/get.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/get.sh') diff --git a/include/get.sh b/include/get.sh index 4bcccceb..c9bf840d 100644 --- a/include/get.sh +++ b/include/get.sh @@ -139,7 +139,7 @@ try_git() x_ rm -Rf "$tmpgitcache" [ -d "$gitdest" ] || ( x_ git clone "$2" "$tmpgitcache" ) || return 1 - [ -d "$gitdest" ] || x_ mkdir -p "${gitdest##*/}" + [ -d "$gitdest" ] || x_ mkdir -p "${gitdest%/*}" [ -d "$gitdest" ] || x_ mv "$tmpgitcache" "$gitdest" ( x_ git -C "$gitdest" remote add main "$4" 2>/dev/null ) || : -- cgit v1.2.1 From d2564fd9457c1fd7533c02341769483e81e9667f Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Sat, 17 May 2025 11:08:06 +0100 Subject: get.sh: simplify tmpclone() Signed-off-by: Leah Rowe --- include/get.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'include/get.sh') diff --git a/include/get.sh b/include/get.sh index c9bf840d..c6c6b75b 100644 --- a/include/get.sh +++ b/include/get.sh @@ -109,7 +109,7 @@ try_file() eval "[ -$echk \"$cached\" ] || return 1" if [ "$2" = "git" ]; then - tmpclone "$cached" "$5" "$6" "$7" || return 1 + [ -d "$5" ] || tmpclone "$cached" "$5" "$6" "$7" || return 1 else bad_checksum "$6" "$cached" && x_ rm -f "$cached" && return 1 [ "$cached" != "$5" ] && x_ cp "$cached" "$5" @@ -162,7 +162,6 @@ bad_checksum() tmpclone() { - [ -d "$2" ] && return 0 printf "Creating git clone '%s' from '%s'\n" "$2" "$1" ( x_ git clone "$1" "$2" ) || return 1 ( x_ git -C "$2" reset --hard "$3" ) || return 1 -- cgit v1.2.1