From 1c8401be25e4749a2eee5ddc77ce7c6ac880c910 Mon Sep 17 00:00:00 2001
From: Leah Rowe <leah@libreboot.org>
Date: Thu, 24 Aug 2023 20:19:41 +0100
Subject: much, much stricter, more verbose error handling

lbmk is much more likely to crash now, in error conditions,
which is a boon for further auditing.

also: in "fetch", remove the downloaded program
if fail() was called.

this would also be done for gnulib, when downloading
grub, but done in such a way that gnulib goes first.

where calls to err write "ERROR" in the string, they
no longer say "ERROR" because the "err" function itself
now does that automatically.

also: listmodes/listoptions (in "lbmk") now reports an
error if no scripts and/or directories are found.

also: where a warning is given, but not an error, i've
gone through in some places and redirected the output
to stderr, not stdout

as part of error checks: running anything as root, except
for the "./build dependencies *" commands, is no longer
permitted and lbmk will throw an error

mrc downloads: debugfs output no longer redirected to /dev/null,
and stderr no longer redirected to stdout. everything is verbose.

certain non-error states are also more verbose. for example,
patch_rom in blobs/inject will now state when injection succeeds

certain actual errors(bugs) were fixed:
for example, build/release/roms now correctly prepares the blobs
hash files for a given target, containing only the files and
checksums in the list. Previously, a printf message was included.
Now, with this new code: blobutil/inject rightly verifies hashes.

doing all of this in one giant patch is cleaner
than 100 patches changing each file. even this is yet part
of a much larger audit going on in the Libreboot project.

Signed-off-by: Leah Rowe <leah@libreboot.org>
---
 resources/scripts/update/blobs/extract | 46 +++++++++++++++++++---------------
 1 file changed, 26 insertions(+), 20 deletions(-)

(limited to 'resources/scripts/update/blobs/extract')

diff --git a/resources/scripts/update/blobs/extract b/resources/scripts/update/blobs/extract
index d7a68bf3..b6b3af3b 100755
--- a/resources/scripts/update/blobs/extract
+++ b/resources/scripts/update/blobs/extract
@@ -44,22 +44,27 @@ main()
 
 check_board()
 {
-	[ -f "${vendor_rom}" ] || \
-		err "file does not exist: ${vendor_rom}"
-	[ -d "${boarddir}" ] || \
-		err "build/roms ${board}: target not defined"
-	[ -f "${boarddir}/target.cfg" ] || \
-		err "build/roms ${board}: missing target.cfg"
+	if [ ! -f "${vendor_rom}" ]; then
+		err "check_board: ${board}: file does not exist: ${vendor_rom}"
+	elif [ ! -d "${boarddir}" ]; then
+		err "check_board: ${board}: target not defined"
+	elif [ ! -f "${boarddir}/target.cfg" ]; then
+		err "check_board: ${board}: missing target.cfg"
+	fi
 }
 
 build_dependencies()
 {
-	[ -d me_cleaner ] || \
-		./fetch me_cleaner || err "can't fetch me_cleaner"
-	[ -d ${cbdir} ] || \
-		./fetch_trees coreboot default || err "can't fetch coreboot"
-	[ -f ${ifdtool} ] || \
-		make -C "${ifdtool%/ifdtool}" || err "can't build ifdtool"
+	if [ ! -d me_cleaner ]; then
+		./fetch me_cleaner || \
+		    err "build_dependencies: can't fetch me_cleaner"
+	elif [ ! -d "${cbdir}" ]; then
+		./fetch_trees coreboot default || \
+		    err "build_dependencies: can't fetch coreboot"
+	elif [ ! -f "${ifdtool}" ]; then
+		make -C "${ifdtool%/ifdtool}" || \
+		    err "build_dependencies: can't build ifdtool"
+	fi
 }
 
 extract_blobs()
@@ -67,11 +72,11 @@ extract_blobs()
 	printf "extracting blobs for %s from %s\n" ${board} ${vendor_rom}
 
 	set -- "${boarddir}/config/"*
-	. ${1} 2>/dev/null
+	. "${1}"
 	. "${boarddir}/target.cfg"
 
 	[ "$CONFIG_HAVE_MRC" != "y" ] || \
-		./update blobs mrc || err "could not download mrc"
+		./update blobs mrc || err "extract_blobs: can't fetch mrc"
 
 	_me_destination=${CONFIG_ME_BIN_PATH#../../}
 	_gbe_destination=${CONFIG_GBE_BIN_PATH#../../}
@@ -81,11 +86,11 @@ extract_blobs()
 	extract_blob_intel_gbe_nvm
 
 	# Cleans up other files extracted with ifdtool
-	rm -f flashregion*.bin 2> /dev/null
+	rm -f flashregion*.bin || err "extract_blobs: !rm -f flashregion*.bin"
 
-	[ -f ${_ifd_destination} ] || err "Could not extract IFD"
+	[ -f ${_ifd_destination} ] || err "extract_blobs: Could not extract IFD"
 	printf "gbe, ifd, and me extracted to %s\n" \
-	    ${_me_destination%/*}
+	    "${_me_destination%/*}"
 }
 
 extract_blob_intel_me()
@@ -96,15 +101,16 @@ extract_blob_intel_me()
 		-M ${_me_destination} ${vendor_rom} -t -r -S || \
 	    ${me7updateparser} \
 		-O ${_me_destination} ${vendor_rom} || \
-	    err "me_cleaner failed to extract blobs from rom"
+	    err "extract_blob_intel_me: cannot extract from vendor rom"
 }
 
 extract_blob_intel_gbe_nvm()
 {
 	printf "extracting gigabit ethernet firmware"
-	./${ifdtool} -x ${vendor_rom}
+	./${ifdtool} -x ${vendor_rom} || \
+	    err "extract_blob_intel_gbe_nvm: cannot extract gbe.bin from rom"
 	mv flashregion*gbe.bin ${_gbe_destination} || \
-	    err 'could not extract gbe'
+	    err "extract_blob_intel_gbe_nvm: cannot move gbe.bin"
 }
 
 print_help()
-- 
cgit v1.2.1