Hi Stuart,
On Thu, Apr 16, 2020 at 11:53:19AM +0100, Stuart Henderson wrote:
> Rather than downloading it and deleting it again, it would be more
> useful if BUILDINFO was kept around after installing. Then sysupgrade
> could check to make sure it isn't going backwards with a future update.
> (e.g. if some malicious mirror or mitm intentionally serves an old
> snapshot [with a good signature] to prevent users getting a security
> fix).
>
> I started looking at this a while ago and have had this in my tree (I'd
> forgotten about until I just did a cvs up) - maybe worth some more thought
> (it's not super-robust but I'm not sure if it needs to be..) ENOTIME to
> look at it more now though.
I really like it. I've looked into miniroot directory to implement
bsd.rd part needed for sysupgrade(8) changes. Diff at the end of this
email.
> Index: usr.sbin/sysupgrade/sysupgrade.sh
> ===================================================================
> RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
> retrieving revision 1.37
> diff -u -p -r1.37 sysupgrade.sh
> --- usr.sbin/sysupgrade/sysupgrade.sh 26 Jan 2020 22:08:36 -0000 1.37
> +++ usr.sbin/sysupgrade/sysupgrade.sh 16 Apr 2020 10:40:37 -0000
> @@ -131,6 +131,7 @@ cd ${SETSDIR}
>
> echo "Fetching from ${URL}"
> unpriv -f SHA256.sig ftp -N sysupgrade -Vmo SHA256.sig ${URL}SHA256.sig
> +unpriv -f BUILDINFO ftp -N sysupgrade -Vmo BUILDINFO ${URL}BUILDINFO
>
> _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
> _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
> @@ -147,11 +148,26 @@ esac
> unpriv -f SHA256 signify -Ve -p "${SIGNIFY_KEY}" -x SHA256.sig -m SHA256
> rm SHA256.sig
>
> +unpriv cksum -qC SHA256 BUILDINFO
> +
> if cmp -s /var/db/installed.SHA256 SHA256 && ! $FORCE; then
> echo "Already on latest snapshot."
> exit 0
> fi
>
> +if [[ -r /var/db/installed.BUILDINFO ]] && ! $FORCE; then
> + read _skip _skip _oldbuildtime _skip < /var/db/installed.BUILDINFO
> + read _skip _skip _newbuildtime _skip < BUILDINFO
> + if [[ $_newbuildtime -lt $_oldbuildtime ]]; then
> + echo "Snapshot on mirror is older than installed version!"
> + exit 1
> + fi
> + if [[ $_newbuildtime -eq $_oldbuildtime ]]; then
> + echo "Already on latest snapshot? Mismatch between BUILDINFO
> and SHA256?"
> + exit 1
> + fi
> +fi
> +
> # INSTALL.*, bsd*, *.tgz
> SETS=$(sed -n -e 's/^SHA256 (\(.*\)) .*/\1/' \
> -e '/^INSTALL\./p;/^bsd/p;/\.tgz$/p' SHA256)
> @@ -187,9 +203,14 @@ Set name(s) = done
> Directory does not contain SHA256.sig. Continue without verification = yes
> __EOT
>
> +# XXX should be done in bsd.rd so that this is present for a clean install
> too
> +cat <<__EOT > /etc/rc.firsttime
> +cp /home/_sysupgrade/BUILDINFO /var/db/installed.BUILDINFO
> +__EOT
> +
> if ! ${KEEP}; then
> CLEAN=$(echo SHA256 ${SETS} | sed -e 's/ /,/g')
> - cat <<__EOT > /etc/rc.firsttime
> + cat <<__EOT >> /etc/rc.firsttime
> rm -f /home/_sysupgrade/{${CLEAN}}
> __EOT
> fi
>
A bit of explanation with `cat -n install.sub | expand -t 2`
1599
1600 # Fetch and verify the set files.
1601 for _f in BUILDINFO $_get_sets; do
1602 $UU && reset_watchdog
1603
I've put BUILDINFO, but I guess it could be added directly to
$_get_sets. However I think it needs to be added after baseXX.tgz set,
so directory /var/db is created before ftp tries to copy it into
/mnt/var/db.
1663
1664 # Install the set files.
1665 for _f in $_get_sets BUILDINFO; do
1666 $UU && reset_watchdog
1667 _fsrc="$_src/$_f"
I'm adding it at the end here, to make sure it's before baseXX.tgz, per
above explanation about /var/db.
1672 # Extract the set files and put the kernel files in place.
1673 case $_f in
I just need a basename of the set and I think using $_f doesn't
introduce any breakage.
I've tested below diff by fresh install of OpenBSD on amd64. It works
for me, file /mnt/var/db/installed.BUILDINFO is created during install
and after reboot file /var/db/installed.BUILDINFO is present on disk.
Here is output of the part which diff modifies:
Set name(s)? (or 'abort' or 'done') [done]
Get/Verify SHA256.sig 100% |**************************| 2141 00:00
Signature Verified
Get/Verify BUILDINFO 100% |**************************| 54 00:00
Get/Verify bsd 100% |**************************| 18117 KB 02:30
Get/Verify bsd.rd 100% |**************************| 10109 KB 00:29
Get/Verify base67.tgz 100% |**************************| 238 MB 13:57
Get/Verify comp67.tgz 100% |**************************| 74451 KB 02:54
Get/Verify man67.tgz 100% |**************************| 7464 KB 00:19
Get/Verify game67.tgz 100% |**************************| 2745 KB 00:07
Get/Verify xbase67.tgz 100% |**************************| 22912 KB 00:58
Get/Verify xshare67.tgz 100% |**************************| 4499 KB 00:10
Get/Verify xfont67.tgz 100% |**************************| 39342 KB 01:30
Get/Verify xserv67.tgz 100% |**************************| 16767 KB 00:32
Installing bsd 100% |**************************| 18117 KB 00:01
Installing bsd.rd 100% |**************************| 10109 KB 00:00
Installing base67.tgz 100% |**************************| 238 MB 00:28
Extracting etc.tgz 100% |**************************| 261 KB 00:00
Installing comp67.tgz 100% |**************************| 74451 KB 00:17
Installing man67.tgz 100% |**************************| 7464 KB 00:03
Installing game67.tgz 100% |**************************| 2745 KB 00:00
Installing xbase67.tgz 100% |**************************| 22912 KB 00:04
Extracting xetc.tgz 100% |**************************| 7023 00:00
Installing xshare67.tgz 100% |**************************| 4499 KB 00:03
Installing xfont67.tgz 100% |**************************| 39342 KB 00:06
Installing xserv67.tgz 100% |**************************| 16767 KB 00:02
Installing BUILDINFO 100% |**************************| 54 00:00
Location of sets? (disk http nfs or 'done') [done]
Index: distrib/miniroot/install.sub
===================================================================
RCS file: /cvs/src/distrib/miniroot/install.sub,v
retrieving revision 1.1150
diff -u -p -u -r1.1150 install.sub
--- distrib/miniroot/install.sub 5 Apr 2020 15:15:42 -0000 1.1150
+++ distrib/miniroot/install.sub 9 May 2020 22:29:49 -0000
@@ -1598,7 +1598,7 @@ install_files() {
_issue="Signature check of SHA256.sig failed" && break
# Fetch and verify the set files.
- for _f in $_get_sets; do
+ for _f in BUILDINFO $_get_sets; do
$UU && reset_watchdog
rm -f /tmp/h /tmp/fail
@@ -1662,7 +1662,7 @@ install_files() {
fi
# Install the set files.
- for _f in $_get_sets; do
+ for _f in $_get_sets BUILDINFO; do
$UU && reset_watchdog
_fsrc="$_src/$_f"
@@ -1670,7 +1670,7 @@ install_files() {
[[ -f $_tmpsrc/$_f ]] && _fsrc="file://$_tmpsrc/$_f"
# Extract the set files and put the kernel files in place.
- case $_fsrc in
+ case $_f in
*.tgz) $_unpriv ftp -D Installing -Vmo - "$_fsrc" |
tar -zxphf - -C /mnt &&
if [[ $_f == ?(x)base*.tgz && $MODE == install ]]; then
@@ -1678,6 +1678,11 @@ install_files() {
file:///mnt/var/sysmerge/${_f%%base*}etc.tgz |
tar -zxphf - -C /mnt
fi
+ ;;
+ BUILDINFO)
+ # Keep BUILDINFO for sysupgrade(8).
+ $_unpriv ftp -D Installing -Vmo - \
+ "$_fsrc" >"/mnt/var/db/installed.BUILDINFO"
;;
*) # Make a backup of the existing ramdisk kernel in the
# bsd.rd only download/verify/install case.
--
Regards,
Mikolaj
