On 2020/04/13 08:44, Mikolaj Kucharski wrote:
> Hi,
> 
> Would below be okay?
> 
> On Tue, Apr 07, 2020 at 04:46:38AM +0000, Mikolaj Kucharski wrote:
> > Hi,
> > 
> > When I'm upgrading my machines, I find it useful to have BUILDINFO
> > file around. Tested on RPi3.
> > 
> > Please carbon-copy me in any replies. Thank you.
> > 
> > openbsd-rpi# sysupgrade -s -n
> > Fetching from https://cdn.openbsd.org/pub/OpenBSD/snapshots/arm64/
> > SHA256.sig   100% |******************************|  1453       00:00
> > Signature Verified
> > Verifying old sets.
> > BUILDINFO    100% |******************************|    54       00:00
> > Verifying sets.
> > Fetching updated firmware.
> > Will upgrade on next reboot
> > 
> > openbsd-rpi# reboot
> > ... [successful upgrade]
> > openbsd-rpi# ls -1A /home/_sysupgrade/ | wc -l
> >        0
> > 
> > 
> > OpenBSD 6.6-current (GENERIC.MP) #513: Wed Mar 18 16:41:35 MDT 2020
> >     [email protected]:/usr/src/sys/arch/arm64/compile/GENERIC.MP
> > 
> > 
> > Index: sysupgrade.sh
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
> > retrieving revision 1.37
> > diff -u -p -u -r1.37 sysupgrade.sh
> > --- sysupgrade.sh   26 Jan 2020 22:08:36 -0000      1.37
> > +++ sysupgrade.sh   20 Mar 2020 06:30:51 -0000
> > @@ -152,9 +152,9 @@ if cmp -s /var/db/installed.SHA256 SHA25
> >     exit 0
> >  fi
> >  
> > -# INSTALL.*, bsd*, *.tgz
> > +# BUILDINFO, INSTALL.*, bsd*, *.tgz
> >  SETS=$(sed -n -e 's/^SHA256 (\(.*\)) .*/\1/' \
> > -    -e '/^INSTALL\./p;/^bsd/p;/\.tgz$/p' SHA256)
> > +    -e '/^BUILDINFO$/p;/^INSTALL\./p;/^bsd/p;/\.tgz$/p' SHA256)
> >  
> >  OLD_FILES=$(ls)
> >  OLD_FILES=$(rmel SHA256 $OLD_FILES)
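Review bot: listing BUILDINFO in SETS means it is fetched and checksum-verified like any other set, but it is then removed by the same post-install cleanup as the sets (the transcript above shows /home/_sysupgrade empty after the reboot), so it does not outlive the upgrade. If the point is to have it around afterwards, keep it out of the list that gets deleted, or copy it to a persistent location such as /var/db before the cleanup runs.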
> > 
> 
> -- 
> Regards,
>  Mikolaj
> 

Rather than downloading it and deleting it again, it would be more
useful if BUILDINFO was kept around after installing. Then sysupgrade
could check to make sure it isn't going backwards with a future update.
(e.g. if some malicious mirror or mitm intentionally serves an old
snapshot [with a good signature] to prevent users getting a security
fix).

I started looking at this a while ago and have had this in my tree (I'd
forgotten about it until I just did a cvs up) - maybe worth some more thought
(it's not super-robust but I'm not sure if it needs to be...) ENOTIME to
look at it more now though.

Index: usr.sbin/sysupgrade/sysupgrade.sh
===================================================================
RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
retrieving revision 1.37
diff -u -p -r1.37 sysupgrade.sh
--- usr.sbin/sysupgrade/sysupgrade.sh   26 Jan 2020 22:08:36 -0000      1.37
+++ usr.sbin/sysupgrade/sysupgrade.sh   16 Apr 2020 10:40:37 -0000
@@ -131,6 +131,7 @@ cd ${SETSDIR}
 
 echo "Fetching from ${URL}"
 unpriv -f SHA256.sig ftp -N sysupgrade -Vmo SHA256.sig ${URL}SHA256.sig
+unpriv -f BUILDINFO ftp -N sysupgrade -Vmo BUILDINFO ${URL}BUILDINFO
 
 _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
 _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
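Review bot: this fetch runs before SHA256.sig is verified, so at this point BUILDINFO is still untrusted and must not be read until the `unpriv cksum -qC SHA256 BUILDINFO` check in the next hunk has passed; a one-line comment here saying so would stop someone later moving the comparison up. Also consider the case where the mirror has no BUILDINFO at all: the fetch should fail loudly rather than leave an empty file for the later `read` to parse.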
@@ -147,11 +148,26 @@ esac
 unpriv -f SHA256 signify -Ve -p "${SIGNIFY_KEY}" -x SHA256.sig -m SHA256
 rm SHA256.sig
 
+unpriv cksum -qC SHA256 BUILDINFO
+
 if cmp -s /var/db/installed.SHA256 SHA256 && ! $FORCE; then
        echo "Already on latest snapshot."
        exit 0
 fi
 
+if [[ -r /var/db/installed.BUILDINFO ]] && ! $FORCE; then
+       read _skip _skip _oldbuildtime _skip < /var/db/installed.BUILDINFO
+       read _skip _skip _newbuildtime _skip < BUILDINFO
+       if [[ $_newbuildtime -lt $_oldbuildtime ]]; then
+               echo "Snapshot on mirror is older than installed version!"
+               exit 1
+       fi
+       if [[ $_newbuildtime -eq $_oldbuildtime ]]; then
+               echo "Already on latest snapshot? Mismatch between BUILDINFO 
and SHA256?"
+               exit 1
+       fi
+fi
+
 # INSTALL.*, bsd*, *.tgz
 SETS=$(sed -n -e 's/^SHA256 (\(.*\)) .*/\1/' \
     -e '/^INSTALL\./p;/^bsd/p;/\.tgz$/p' SHA256)
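Review bot: the whole rollback check hinges on `unpriv cksum -qC SHA256 BUILDINFO` aborting the script on a mismatch, but nothing in the hunk makes that explicit; `|| exit 1` (or a comment stating that set -e is being relied on) would make the intent clear. The `read _skip _skip _oldbuildtime _skip` lines also assume a fixed `Build date: <epoch> - ...` layout with no comment saying so, and `[[ $_newbuildtime -lt $_oldbuildtime ]]` will happily compare an empty or non-numeric field; a guard such as `case $_newbuildtime in ''|*[!0-9]*) exit 1;; esac` on both values would make a malformed file fail closed instead of silently passing.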
@@ -187,9 +203,14 @@ Set name(s) = done
 Directory does not contain SHA256.sig. Continue without verification = yes
 __EOT
 
+# XXX should be done in bsd.rd so that this is present for a clean install too
+cat <<__EOT > /etc/rc.firsttime
+cp /home/_sysupgrade/BUILDINFO /var/db/installed.BUILDINFO
+__EOT
+
 if ! ${KEEP}; then
        CLEAN=$(echo SHA256 ${SETS} | sed -e 's/ /,/g')
-       cat <<__EOT > /etc/rc.firsttime
+       cat <<__EOT >> /etc/rc.firsttime
 rm -f /home/_sysupgrade/{${CLEAN}}
 __EOT
 fi
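Review bot: BUILDINFO is not in ${SETS} (the sed list is unchanged in this version), so after the cleanup it is the one file left behind in /home/_sysupgrade; since the cp line is written to rc.firsttime before the rm, adding BUILDINFO to CLEAN is safe and keeps the directory empty as before. Note too that the cp block is now written with `>` unconditionally, so rc.firsttime is created even when KEEP is set, where previously it was left untouched; the cp should also tolerate a missing source (an explicit `[ -f ... ] &&` test) so a partial fetch does not produce an error on first boot.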

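As an added example, not code from this thread or from OpenBSD's sysupgrade(8): a stricter variant of the build-time comparison described above, which fails closed on a missing or malformed BUILDINFO instead of falling through an arithmetic test on an empty field. The function names, the return-code scheme and the sample epochs are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from this thread or from OpenBSD's sysupgrade(8).
# Assumes the first line of a BUILDINFO file has the snapshot layout
#   Build date: <epoch seconds> - <human-readable date>
# and fails closed whenever that assumption does not hold.

# Print the epoch field of a BUILDINFO file, or return 1 if the file is
# missing or the field is not a plain decimal number.
buildinfo_epoch() {
    _epoch=$(sed -n 's/^Build date: \([0-9][0-9]*\) - .*/\1/p' "$1" 2>/dev/null | head -n 1)
    [ -n "$_epoch" ] || return 1
    printf '%s\n' "$_epoch"
}

# Compare the installed BUILDINFO ($1) against the mirror's ($2).
# Return codes: 0 mirror is strictly newer, 2 same build time,
# 3 mirror is older (possible rollback), 4 unparseable input.
check_not_older() {
    _old=$(buildinfo_epoch "$1") || return 4
    _new=$(buildinfo_epoch "$2") || return 4
    [ "$_new" -lt "$_old" ] && return 3
    [ "$_new" -eq "$_old" ] && return 2
    return 0
}

# Constructed sample contents (epochs are made up, not real snapshots).
OLD_BI='Build date: 1584571295 - Wed Mar 18 16:41:35 MDT 2020'
NEW_BI='Build date: 1586973600 - Wed Apr 15 12:00:00 MDT 2020'
BAD_BI='Build date: unknown - corrupt file'

# Write two constructed files to a scratch directory, run the check and
# propagate its return code.
demo() {
    _d=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$_d/installed.BUILDINFO"
    printf '%s\n' "$2" > "$_d/BUILDINFO"
    if check_not_older "$_d/installed.BUILDINFO" "$_d/BUILDINFO"; then
        _rc=0
    else
        _rc=$?
    fi
    rm -rf "$_d"
    return $_rc
}

demo "$OLD_BI" "$NEW_BI" && echo "mirror is newer: ok to upgrade"
```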