build: Optionally provide file checksums in package metadata

This may be useful if you don't entirely trust your flash and want to be able
to check for corruptions.

Signed-off-by: Michal Hrusecky <Michal@Hrusecky.net>
This commit is contained in:
Michal Hrusecky 2018-01-17 13:25:43 +01:00 committed by Jo-Philipp Wich
parent 69dfdda157
commit 74450124f6
4 changed files with 149 additions and 0 deletions

View File

@ -68,6 +68,14 @@ menu "Global build settings"
This removes all ipkg/opkg status data files from the target directory
before building the root filesystem.
config IPK_FILES_CHECKSUMS
bool
prompt "Record files checksums in package metadata"
default n
help
This makes file checksums part of package metadata. It increases size
but provides you with pkg_check command to check for flash coruptions.
config INCLUDE_CONFIG
bool "Include build configuration in firmware" if DEVEL
default n

View File

@ -199,6 +199,15 @@ $(_endef)
$(CheckDependencies)
$(RSTRIP) $$(IDIR_$(1))
ifneq ($$(CONFIG_IPK_FILES_CHECKSUMS),)
(cd $$(IDIR_$(1)); \
( \
find . -type f \! -path ./CONTROL/\* -exec sha256sum \{\} \; 2> /dev/null | \
sed 's|\([[:blank:]]\)\./|\1/|' > $$(IDIR_$(1))/CONTROL/files-sha256 \
) || true \
)
endif
(cd $$(IDIR_$(1))/CONTROL; \
( \
echo "$$$$CONTROL"; \

View File

@ -195,6 +195,8 @@ define Package/base-files/install
mkdir -p $(1)/etc/opkg; \
$(call FeedSourcesAppend,$(1)/etc/opkg/distfeeds.conf); \
$(VERSION_SED_SCRIPT) $(1)/etc/opkg/distfeeds.conf)
$(if $(CONFIG_IPK_FILES_CHECKSUMS), \
rm -f $(1)/sbin/pkg_check,)
endef
ifneq ($(DUMP),1)

View File

@ -0,0 +1,130 @@
#!/bin/sh
#
# Package checksums checking script
# (C) 2018 CZ.NIC, z.s.p.o.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
ERRFATAL="no"
QUIET="yes"
MISSING=""
SUMMARY=""
NL="
"
# Arguments parsing
while expr "x$1" : "x-" > /dev/null; do
if [ "x$1" = "x-s" ]; then
ERRFATAL="yes"
shift
elif [ "x$1" = "x-v" ]; then
QUIET=" no"
shift
else
echo "Usage: $(basename $0) [-s] [-v] [pkg1 pkg2 ...]"
echo
echo " -s Stop on first change"
echo " -v Verbose"
if [ "x$1" = "x-h" ]; then
exit 0
else
echo
echo "ERROR: Unknown option '$1'"
exit 1
fi
fi
done
# Check all packages by default
if [ -z "$1" ]; then
set $(cd /usr/lib/opkg/info/; for i in *.files-sha256sum; do basename $i .files-sha256sum; done)
fi
# Iterate over packages
while [ "$1" ]; do
if [ \! -f "/usr/lib/opkg/info/$1.files-sha256sum" ]; then
if [ "$ERRFATAL" = no ]; then
echo " * No checksums for $1 - skipping"
echo
else
echo " * No checksums for $1 - exiting"
exit 1
fi
if [ -z "$MISSING" ]; then
MISSING="$1"
else
MISSING="$MISSING, $1"
fi
shift
continue
fi
[ $QUIET = yes ] || echo " * Checking package $1:"
ERR=""
CHECK="`sha256sum -c /usr/lib/opkg/info/$1.files-sha256sum 2> /dev/null`"
# Are the changed files config files?
if [ $? -ne 0 ] && [ "`cat "/usr/lib/opkg/info/$1.files-sha256sum"`" ]; then
NEWCHECK="`echo "$CHECK" | grep '^.*: OK$'`"
for i in `echo "$CHECK" | sed -n 's|^\(.*\): FAILED$|\1|p'`; do
if [ "`grep "^$i\$" "/usr/lib/opkg/info/$1.conffiles" 2> /dev/null`" ] || \
[ "`echo "$i" | grep "^/etc/uci-defaults/"`" ]; then
NEWCHECK="${NEWCHECK}${NL}${i}: CONFIGURED"
else
NEWCHECK="${NEWCHECK}${NL}${i}: FAILED"
ERR="y"
fi
done
CHECK="$NEWCHECK"
fi
# Do we have changed files or not?
if [ -z "$ERR" ]; then
[ $QUIET = yes ] || [ -z "`cat "/usr/lib/opkg/info/$1.files-sha256sum"`" ] || echo "$CHECK" | sed 's|^| - |'
[ $QUIET = yes ] || echo " * Package $1 is ok"
[ $QUIET = yes ] || echo
else
if [ $QUIET = yes ]; then
echo " * Changes found in package $1:"
echo "$CHECK" | sed -n 's|^\(.*:[[:blank:]]*FAILED\)$| - \1|p'
else
echo "$CHECK" | sed 's|^| - |'
echo " * Changes found in package $1!"
fi
if [ "$ERRFATAL" = yes ]; then
echo
echo "Exiting on first change found!"
exit 1
fi
for i in `echo "$CHECK" | sed -n 's|^\(.*\): FAILED$|\1|p'`; do
SUMMARY="${SUMMARY}${NL} - $1: $i"
done
echo
fi
shift
done
# If there are changed files, report them
if [ "$SUMMARY" ]; then
echo "Some packages contain changed files!"
echo "Maybe something worth looking into?"
echo "Here is the list of packages and changed files:"
echo "$SUMMARY"
fi
if [ "$MISSING" ]; then
echo "Following packages are missing checksums: $MISSING"
fi
if [ "$MISSING" ] || [ "$SUMMARY" ]; then
exit 1
fi