Adrian Schmutzler 02d6ac1060 base-files: fwtool: make compat_version backward compatible
So far, the compatibility mechanism only works if both device and
image are already updated to the new routines. This patch extends
the sysupgrade metadata and fwtool_check_image() to account for
"older" images as well:

The basic mechanism for older devices to check for image compatibility
is the supported_devices entry. This can be exploited by putting
a custom message into this variable of the metadata, so older FW
will produce a mismatch and print the message as it thinks it's the
list of supported devices. So, we have two cases:

device 1.0, image 1.0:
  The metadata will just contain supported_devices as before.

device 1.0, image 1.1:
  The metadata will contain:

  "new_supported_devices":["device_string1", "device_string2", ...],
  "supported_devices":["Image version 1.1 incompatible to device: ..."]

  If the device is "legacy", i.e. does not have the updated fwtool.sh,
  it will just fail with image check and print the content of
  supported_devices. If DEVICE_COMPAT_MESSAGE is set, this will be
  printed on old devices as well through the same mechanism. Otherwise
  a generic "Please check documentation ..." is appended.

  Upgrade can still be performed with -F like when
  SUPPORTED_DEVICES has been removed to prevent bricking.

  If the device has updated fwtool.sh (but is 1.0), it will just use
  the new_supported_devices instead, and work as intended (flashing
  with -n will work, flashing without will print the appropriate
  warning).

This mechanism should provide a fair tradeoff between simplicity
and functionality.

Since we touched a lot of fields in metadata, this also bumps
metadata_version to 1.1.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-31 11:40:15 +02:00

93 lines
2.6 KiB
Bash

fwtool_check_signature() {
[ $# -gt 1 ] && return 1
[ ! -x /usr/bin/ucert ] && {
if [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ]; then
return 1
else
return 0
fi
}
if ! fwtool -q -s /tmp/sysupgrade.ucert "$1"; then
echo "Image signature not found"
[ "$REQUIRE_IMAGE_SIGNATURE" = 1 -a "$FORCE" != 1 ] && {
echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
}
[ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && return 1
return 0
fi
fwtool -q -T -s /dev/null "$1" | \
ucert -V -m - -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
return $?
}
fwtool_check_image() {
[ $# -gt 1 ] && return 1
. /usr/share/libubox/jshn.sh
if ! fwtool -q -i /tmp/sysupgrade.meta "$1"; then
echo "Image metadata not found"
[ "$REQUIRE_IMAGE_METADATA" = 1 -a "$FORCE" != 1 ] && {
echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
}
[ "$REQUIRE_IMAGE_METADATA" = 1 ] && return 1
return 0
fi
json_load "$(cat /tmp/sysupgrade.meta)" || {
echo "Invalid image metadata"
return 1
}
device="$(cat /tmp/sysinfo/board_name)"
devicecompat="$(uci -q get system.@system[0].compat_version)"
[ -n "$devicecompat" ] || devicecompat="1.0"
json_get_var imagecompat compat_version
json_get_var compatmessage compat_message
[ -n "$imagecompat" ] || imagecompat="1.0"
# select correct supported list based on compat_version
# (using this ensures that compatibility check works for devices
# not knowing about compat-version)
local supported=supported_devices
[ "$imagecompat" != "1.0" ] && supported=new_supported_devices
json_select $supported || return 1
json_get_keys dev_keys
for k in $dev_keys; do
json_get_var dev "$k"
if [ "$dev" = "$device" ]; then
# major compat version -> no sysupgrade
if [ "${devicecompat%.*}" != "${imagecompat%.*}" ]; then
echo "The device is supported, but this image is incompatible for sysupgrade based on the image version ($devicecompat->$imagecompat)."
[ -n "$compatmessage" ] && echo "$compatmessage"
return 1
fi
# minor compat version -> sysupgrade with -n required
if [ "${devicecompat#.*}" != "${imagecompat#.*}" ] && [ "$SAVE_CONFIG" = "1" ]; then
echo "The device is supported, but the config is incompatible to the new image ($devicecompat->$imagecompat). Please upgrade without keeping config (sysupgrade -n)."
[ -n "$compatmessage" ] && echo "$compatmessage"
return 1
fi
return 0
fi
done
echo "Device $device not supported by this image"
echo -n "Supported devices:"
for k in $dev_keys; do
json_get_var dev "$k"
echo -n " $dev"
done
echo
return 1
}