./vendor download: more fine-tuned error control

By default, the build system does set -u -e

Some errors are unavoidable and have to be handled, so
we have to set +u +e (turn off error handling in sh),
when downloading vendor files, but only certain parts of
vendor.sh trigger errors (which cause an exit).

Replace the current bazooka approach with a more fine
grained approach, turning error handling back on again
when it is safe to do so.

In the parts of the code where it is disabled, the code
is written very, very carefully, with errors still handled
manually, but more careful auditing is required.

This change has been tested and makes the command much
safer to run. In security (or any bug auditing), it is
the principle of least privilege that holds true.

Signed-off-by: Leah Rowe <leah@libreboot.org>
20240612_branch
Leah Rowe 2024-05-29 01:49:07 +01:00
parent 0dd0dfaf3d
commit e9b9e825f1
1 changed files with 6 additions and 1 deletions


@ -28,7 +28,6 @@ eval "$(setvars "" _b EC_url_bkup EC_hash DL_hash DL_url_bkup MRC_refcode_gbe \
vendor_download() vendor_download()
{ {
set +u +e
export PATH="$PATH:/sbin" export PATH="$PATH:/sbin"
[ $# -gt 0 ] || $err "No argument given" [ $# -gt 0 ] || $err "No argument given"
@ -48,7 +47,9 @@ detect_firmware()
[ -d "$boarddir" ] || $err "Target '$board' not defined." [ -d "$boarddir" ] || $err "Target '$board' not defined."
check_defconfig "$boarddir" 1>"$tmpdir/vendorcfg.list" && return 0 check_defconfig "$boarddir" 1>"$tmpdir/vendorcfg.list" && return 0
while read -r cbcfgfile; do while read -r cbcfgfile; do
set +u +e
. "$cbcfgfile" 2>/dev/null . "$cbcfgfile" 2>/dev/null
set -u -e
done < "$tmpdir/vendorcfg.list" done < "$tmpdir/vendorcfg.list"
. "$boarddir/target.cfg" 2>/dev/null . "$boarddir/target.cfg" 2>/dev/null
@ -131,6 +132,7 @@ fetch()
x_ rm -Rf "${_dl}_extracted" x_ rm -Rf "${_dl}_extracted"
mkdirs "$_dest" "extract_$dl_type" || return 0 mkdirs "$_dest" "extract_$dl_type" || return 0
eval "extract_$dl_type" eval "extract_$dl_type"
set -u -e
[ -f "$_dest" ] && return 0 [ -f "$_dest" ] && return 0
$err "extract_$dl_type (fetch): missing file: '$_dest'" $err "extract_$dl_type (fetch): missing file: '$_dest'"
@ -167,6 +169,8 @@ extract_intel_me()
sdir="$(mktemp -d)" sdir="$(mktemp -d)"
[ -z "$sdir" ] && return 0 [ -z "$sdir" ] && return 0
mkdir -p "$sdir" || $err "extract_intel_me: !mkdir -p \"$sdir\"" mkdir -p "$sdir" || $err "extract_intel_me: !mkdir -p \"$sdir\""
set +u +e
( (
[ "${cdir#/a}" != "$cdir" ] && cdir="${cdir#/}" [ "${cdir#/a}" != "$cdir" ] && cdir="${cdir#/}"
cd "$cdir" || $err "extract_intel_me: !cd \"$cdir\"" cd "$cdir" || $err "extract_intel_me: !cd \"$cdir\""
@ -224,6 +228,7 @@ extract_kbc1126ec()
extract_e6400vga() extract_e6400vga()
{ {
set +u +e
for v in E6400_VGA_offset E6400_VGA_romname; do for v in E6400_VGA_offset E6400_VGA_romname; do
eval "[ -z \"\$$v\" ] && $err \"e6400vga: $v undefined\"" eval "[ -z \"\$$v\" ] && $err \"e6400vga: $v undefined\""
done done
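Review bot: The `set +u +e` added in extract_intel_me() and extract_e6400vga() is only undone by the `set -u -e` added in fetch() after `eval "extract_$dl_type"`, so strict mode depends on every extractor being reached through fetch(). Any other call path would leave unset-variable and exit-status checking off for the rest of the run, which is the state this commit is trying to narrow. In extract_intel_me() the relaxation sits directly before a `(` subshell; if only the subshell body needs it, placing `set +u +e` as the first line inside the parentheses would end it with the subshell, though the parent would then have to handle the subshell's exit status under `-e`. At minimum, a comment such as `# errors off here; fetch() restores set -u -e after the extract_* call` at each site would make the pairing auditable. The bodies of these functions continue outside the hunks shown, so later lines that rely on the relaxed mode cannot be checked from here.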