From 1c8401be25e4749a2eee5ddc77ce7c6ac880c910 Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Thu, 24 Aug 2023 20:19:41 +0100 Subject: much, much stricter, more verbose error handling lbmk is much more likely to crash now, in error conditions, which is a boon for further auditing. also: in "fetch", remove the downloaded program if fail() was called. this would also be done for gnulib, when downloading grub, but done in such a way that gnulib goes first. where calls to err write "ERROR" in the string, they no longer say "ERROR" because the "err" function itself now does that automatically. also: listmodes/listoptions (in "lbmk") now reports an error if no scripts and/or directories are found. also: where a warning is given, but not an error, i've gone through in some places and redirected the output to stderr, not stdout as part of error checks: running anything as root, except for the "./build dependencies *" commands, is no longer permitted and lbmk will throw an error mrc downloads: debugfs output no longer redirected to /dev/null, and stderr no longer redirected to stdout. everything is verbose. certain non-error states are also more verbose. for example, patch_rom in blobs/inject will now state when injection succeeds certain actual errors(bugs) were fixed: for example, build/release/roms now correctly prepares the blobs hash files for a given target, containing only the files and checksums in the list. Previously, a printf message was included. Now, with this new code: blobutil/inject rightly verifies hashes. doing all of this in one giant patch is cleaner than 100 patches changing each file. even this is yet part of a much larger audit going on in the Libreboot project. Signed-off-by: Leah Rowe --- resources/scripts/build/release/roms | 93 ++++++++++++++++------------ resources/scripts/build/release/src | 114 ++++++++++++++++++++++------------- 2 files changed, 128 insertions(+), 79 deletions(-) (limited to 'resources/scripts/build/release') diff --git a/resources/scripts/build/release/roms b/resources/scripts/build/release/roms index 8afba9bf..bdc54c9b 100755 --- a/resources/scripts/build/release/roms +++ b/resources/scripts/build/release/roms @@ -50,20 +50,26 @@ main() init_check() { - [ -f version ] && \ + if [ -f version ]; then version="$(cat version)" [ -f versiondate ] && \ versiondate="$(cat versiondate)" [ ! -d "bin/" ] && \ - err "no ROMs built yet. exiting" - [ ! -d "release/" ] && \ - mkdir -p release/ - [ ! -d "release/${version}/" ] && \ - mkdir -p "release/${version}/" - [ -d "release/${version}/roms/" ] && \ - rm -Rf "release/${version}/roms/" - [ ! -d "release/${version}/roms/" ] && \ - mkdir -p "release/${version}/roms/" + err "init_check: no ROMs built yet (error)" + [ -d "release/" ] || \ + mkdir -p release/ || \ + err "init_check: !mkdir -p release/" + [ -d "release/${version}/" ] || \ + mkdir -p "release/${version}/" || \ + err "init_check: !mkdir -p release/${version}/" + [ ! -d "release/${version}/roms/" ] || \ + rm -Rf "release/${version}/roms/" || \ + err "init_check: !rm -Rf release/${version}/roms/" + + if [ ! -d "release/${version}/roms/" ]; then + mkdir -p "release/${version}/roms/" || \ + err "init_check: !mkdir -p release/${version}/roms/" + fi } make_archive() @@ -90,24 +96,28 @@ make_archive() CONFIG_INCLUDE_SMSC_SCH5545_EC_FW="n" # remove ME/MRC/EC firmware from ROM images - if [ "${CONFIG_HAVE_ME_BIN}" = "y" ] \ - || [ "${target}" = "e6400nvidia_4mb" ]; then + if [ "${CONFIG_HAVE_ME_BIN}" = "y" ] || \ + [ "${target}" = "e6400nvidia_4mb" ]; then strip_archive "${romdir}" fi printf "Generating release/%s/roms/%s-%s_%s.tar.xz\n" \ - "${version}" "${projectname}" \ - "${version}" "${target##*/}" - printf "%s\n" "${version}" > "${romdir}/version" - printf "%s\n" "${versiondate}" > "${romdir}/versiondate" - printf "%s\n" "${projectname}" > "${romdir}/projectname" + "${version}" "${projectname}" "${version}" "${target##*/}" + printf "%s\n" "${version}" > "${romdir}/version" || \ + err "make_archive: can't create ${romdir}/version" + printf "%s\n" "${versiondate}" > "${romdir}/versiondate" || \ + err "make_archive: can't create ${romdir}/versiondate" + printf "%s\n" "${projectname}" > "${romdir}/projectname" || \ + err "make_archive: can't create ${romdir}/projectname" f="release/${version}/roms/${projectname}-${version}_${target##*/}" - tar -c "${romdir}/" | xz -9e > "${f}.tar.xz" + tar -c "${romdir}/" | xz -9e > "${f}.tar.xz" || \ + err "make_archive: can't create ${f}.tar.xz" if [ -d "${romdir}_tmp" ]; then - rm -Rf "${romdir}" - mv "${romdir}_tmp" "${romdir}" + rm -Rf "${romdir}" || err "make_archive: !rm -Rf ${romdir}" + mv "${romdir}_tmp" "${romdir}" || \ + err "make_archive: !mv \"${romdir}_tmp\" \"${romdir}\"" fi } @@ -117,21 +127,25 @@ strip_archive() [ -d coreboot/${tree} ] || \ ./fetch_trees coreboot ${tree} || \ - err "cannot fetch source tree, coreboot/${tree}" + err "strip_archive: coreboot/${tree}: can't fetch source" ./build coreboot utils ${tree} || \ - err "cannot build utils for coreboot/${tree}" + err "strip_archive: coreboot/${tree}: can't build utils" - rm -Rf "${romdir}_tmp" # dirty hack, to reduce disk io later + # dirty hack, to reduce disk io later # rather than using /tmp, which might not be tmpfs - mkdir "${romdir}_tmp" + rm -Rf "${romdir}_tmp" || err "strip_archive: !rm -Rf ${romdir}_tmp" + mkdir "${romdir}_tmp" || err "strip_archive: !mkdir ${romdir}_tmp" # Hash the rom before removing blobs - [ -f "${romdir}/blobhashes" ] || \ - printf "ROMs must match these hashes after blob insertion:" \ - > "${romdir}/blobhashes" + rm -f "${romdir}/blobhashes" || \ + err "strip_archive: !rm -f ${blobdir}/blobhashes" + touch "${romdir}/blobhashes" || \ + err "strip_archive: !touch ${blobdir}/blobhashes" + ( - cd ${romdir} || err "subshell: cd" - sha1sum *.rom >> blobhashes || err "subshell: sha1sum" + cd ${romdir} || err "strip_archive: !cd ${romdir}" + sha1sum *.rom >> blobhashes || \ + err "strip_archive: ${romdir}: !sha1sum *.rom >> blobhashes" ) for romfile in "${romdir}"/*.rom; do @@ -147,32 +161,35 @@ strip_rom_image() if [ "${CONFIG_HAVE_ME_BIN}" = "y" ]; then ${ifdtool} --nuke me "${romfile}" || \ - err "cannot nuke Intel ME region on file, ${romfile}" - mv "${romfile}" "${romdir}_tmp"/ - mv "${romfile}.new" "${romfile}" + err "strip_rom_images: ${romfile}: cannot nuke Intel ME" + mv "${romfile}" "${romdir}_tmp" || \ + err "strip_rom_images: !mv ${romfile} ${romdir}_tmp" + mv "${romfile}.new" "${romfile}" || \ + err "strip_rom_images: !mv ${romfile}.new ${romfile}" fi if [ "${CONFIG_HAVE_MRC}" = "y" ]; then ${cbfstool} "${romfile}" remove -n mrc.bin || \ - err "cannot remove mrc.bin from file, ${romfile}" + err "strip_rom_images: ${romfile}: cannot nuke mrc.bin" ${cbfstool} "${romfile}" print || : fi if [ "${CONFIG_KBC1126_FIRMWARE}" = "y" ]; then ${cbfstool} "${romfile}" remove -n ecfw1.bin || \ - err "cannot remove ecfw1.bin from file, ${romfile}" + err "strip_rom_images: ${romfile}: can't nuke ecfw1.bin" ${cbfstool} "${romfile}" remove -n ecfw2.bin || \ - err "cannot remove ecfw2.bin from file, ${romfile}" + err "strip_rom_images: ${romfile}: can't nuke ecfw2.bin" fi [ "${CONFIG_INCLUDE_SMSC_SCH5545_EC_FW}" != "y" ] || \ ${cbfstool} "${romfile}" remove -n sch5545_ecfw.bin || \ - err "cannot remove sch5545_ecfw.bin from file, ${romfile}" + err "strip_rom_images: ${romfile}: can't nuke sch5545ec fw" # TODO: replace this board-specific hack - [ "${target}" != "e6400nvidia_4mb" ] || \ + if [ "${target}" = "e6400nvidia_4mb" ]; then ${cbfstool} "${romfile}" remove -n "pci10de,06eb.rom" || \ - err "cannot remove pci10de,06eb.rom from file, ${romfile}" + err "strip_rom_images: ${romfile}: can't nuke e6400 vga rom" + fi } main $@ diff --git a/resources/scripts/build/release/src b/resources/scripts/build/release/src index 3f9feb9b..498bfabb 100755 --- a/resources/scripts/build/release/src +++ b/resources/scripts/build/release/src @@ -65,55 +65,68 @@ create_release_directory() dirname="${projectname}-${version}_src" srcdir="${reldir}/${dirname}" - [ ! -d "release/" ] && mkdir -p release/ - [ ! -d "${reldir}/" ] && mkdir -p "${reldir}/" - [ -d "${srcdir}/" ] && \ - rm -Rf "${srcdir}/" - [ -f "${srcdir}.tar.xz" ] && \ - rm -f "${srcdir}.tar.xz/" - - mkdir -p "${srcdir}/" - printf "%s" "${version}" > "${srcdir}"/version + [ -d "release/" ] || mkdir -p release/ || \ + err "create_release_directory: !mkdir -p release/" + [ -d "${reldir}/" ] || mkdir -p "${reldir}/" || \ + err "create_release_directory: !mkdir -p ${reldir}/" + [ ! -d "${srcdir}/" ] || rm -Rf "${srcdir}/" || \ + err "create_release_directory: !rm -Rf ${srcdir}/" + [ ! -f "${srcdir}.tar.xz" ] || \ + rm -f "${srcdir}.tar.xz/" || \ + err "create_release_directory: !rm -f ${srcdir}.tar.xz/" + + mkdir -p "${srcdir}/" || \ + err "create_release_directory: !mkdir -p ${srcdir}/" + printf "%s" "${version}" > "${srcdir}"/version || \ + err "create_release_directory: ${srcdir}/version: can't create file" } download_modules() { for modname in ${trees_fetch_list}; do - [ ! -d "${modname}" ] && ./fetch_trees ${modname} + [ -d "${modname}" ] || ./fetch_trees ${modname} || \ + err "download_modules: couldn't download ${modname} trees" done for modname in ${simple_fetch_list}; do - [ ! -d "${modname}/" ] && ./fetch ${modname} + [ -d "${modname}/" ] || ./fetch ${modname} || \ + err "download_modules: couldn't download ${modname} repo" done } copy_files() { for dir in ${simple_fetch_list} ${dirlist}; do - cp -R "${dir}/" "${srcdir}/" + cp -R "${dir}/" "${srcdir}/" || \ + err "copy_files: !cp -R ${dir}/ ${srcdir}/" done copy_blobs for i in ${filelist}; do if [ ! -f "${i}" ]; then - rm -Rf "${srcdir}" - err "file '${1}' does not exist" + rm -Rf "${srcdir}" || \ + err "copy_files: !rm -Rf ${srcdir}" + err "copy_files: file '${1}' does not exist" fi - cp ${i} "${srcdir}/" + cp "${i}" "${srcdir}/" || \ + err "copy_files: !cp ${i} ${srcdir}/" done } copy_blobs() { - mkdir -p "${srcdir}"/blobs + mkdir -p "${srcdir}"/blobs || \ + err "copy_blobs: !mkdir -p ${srcdir}/blobs" # do not copy intel ME etc, but do copy ifd/gbe files for i in t440p xx20 xx30 hp8200sff hp_ivybridge hp_sandybridge \ hp8300usdt t1650; do for j in ifd gbe 4_ifd 8_ifd 12_ifd 16_ifd; do [ -f "blobs/${i}/${j}.bin" ] || continue [ -e "${srcdir}/blobs/${i}" ] || \ - mkdir -p "${srcdir}/blobs/${i}" - cp blobs/${i}/${j}.bin "${srcdir}/blobs/${i}" + mkdir -p "${srcdir}/blobs/${i}" || \ + err "copy_blobs: ! -d ${srcdir}/blobs/${i}" + cp blobs/${i}/${j}.bin "${srcdir}/blobs/${i}" || \ + err "copy_blobs: ! -f ${srcdir}/blobs/${i}" done done } @@ -121,45 +134,64 @@ copy_blobs() purge_files() { ( - cd "${srcdir}/coreboot/" || err "cd1" + cd "${srcdir}/coreboot/" || err "purge_files 1: !cd ${srcdir}/coreboot/" for i in *; do - [ ! -d "${i}" ] && continue + [ -d "${i}" ] || continue ( - cd "${i}/" || err "cd2" - make distclean || err "make-distclean1" + cd "${i}/" || \ + err "purge_files 2: !cd ${i}/" + make distclean || err "purge_files 1: ${i}: !make distclean" ) - make clean -BC default/util/kbc1126/ || err "make-clean1" + make clean -BC default/util/kbc1126/ || \ + err "purge_files 1: default/util/kbc1126: ! make clean" done ) ( - cd "${srcdir}/" || err "cd3" - ./build clean all || err "build-clean1" + cd "${srcdir}/" || \ + err "purge_files 3: !cd ${srcdir}/" + ./build clean all || \ + err "purge_files 1: ! ./build clean all" for p in bios_extract flashrom grub ich9utils memtest86plus uefitool; do - ./build src for -c "${p}" + ./build src for -c "${p}" || \ + err "purge_files: !./build src for -c ${p}" done - make clean -BC util/nvmutil || err "make-clean2" - make clean -BC util/ich9utils || err "make-clean3" - make clean -BC util/spkmodem_recv || err "make-clean4" - make clean -BC util/e6400-flash-unlock || err "make-clean5" - - rm -Rf coreboot/coreboot/ || err "rm-rf1" + make clean -BC util/nvmutil || \ + err "purge_files 2: !make clean -BC util/nvmutil" + make clean -BC util/ich9utils || \ + err "purge_files 3: !make clean -BC util/ich9utils" + make clean -BC util/spkmodem_recv || \ + err "purge_files 4: !make clean -BC util/spkmodem_recv" + make clean -BC util/e6400-flash-unlock || \ + err "purge_files 5: !make clean -BC util/e6400-flash-unlock" + + rm -Rf coreboot/coreboot/ || \ + err "purge_files 1: !rm -Rf coreboot/coreboot/" rm -Rf .git .gitignore */.git* coreboot/*/.git* \ - coreboot/*/3rdparty/*/.git* || err "rm-rf2" - rm -Rf coreboot/*/util/nvidia/cbootimage/.git* || err "rm-rf3" - rm -Rf u-boot/u-boot/ u-boot/*/.git* || err "rm-rf4" + coreboot/*/3rdparty/*/.git* || \ + err "purge_files rm-rf2: can't purge .git files/directories" + rm -Rf coreboot/*/util/nvidia/cbootimage/.git* || \ + err "purge_files 3: !rm -Rf coreboot/*/util/nvidia/cbootimage/.git*" + rm -Rf u-boot/u-boot/ u-boot/*/.git* || \ + err "purge_files 4: ¬rm -Rf u-boot/u-boot/ u-boot/*/.git*" ) } create_release_archive() { ( - cd "${reldir}/" || err "cd4" - printf "%s\n" "${version}" > "${dirname}/version" - printf "%s\n" "${versiondate}" > "${dirname}/versiondate" - printf "%s\n" "${projectname}" > "${dirname}/projectname" - tar -c "${dirname}/" | xz -9e >"${dirname}.tar.xz" || err "tar" - rm -Rf "${dirname}/" || err "rm-rf5" + cd "${reldir}/" || \ + err "create_release_archive 4: !cd ${reldir}/" + printf "%s\n" "${version}" > "${dirname}/version" || \ + err "create_release_archive: can't create ${dirname}/version" + printf "%s\n" "${versiondate}" > "${dirname}/versiondate" || \ + err "create_release_archive: can't create ${dirname}/versiondate" + printf "%s\n" "${projectname}" > "${dirname}/projectname" || \ + err "create_release_archive: can't create ${dirname}/projectname" + tar -c "${dirname}/" | xz -9e >"${dirname}.tar.xz" || \ + err "create_release_archive: can't create ${dirname}.tar.xz" + rm -Rf "${dirname}/" || \ + err "create_release_archive 5: !rm -Rf ${dirname}/" ) } -- cgit v1.2.1