Mike Banon has uploaded this change for review.


tint: introduce the new tint build system with checksum verification

Three stages of the new tint build system:

1) generate_core.sh extracts the core part from buildgcc script,
most importantly the checksum calculation/verification functions.

2) tintify_core.sh adds the tint-specific footer/header to the core,
such as the properties of current version including its checksum.

3) tint.sh - generated and "tintified" core script - builds a tint.

Signed-off-by: Mike Banon <mikebdp2@gmail.com>
Change-Id: I20d7cd477595aa73f3cab9c78235f4de9813b989
---
M payloads/external/tint/Makefile
A payloads/external/tint/generate_core.sh
R payloads/external/tint/tint-0.04-nmu1_libpayload.patch
A payloads/external/tint/tintify_core.sh
4 files changed, 252 insertions(+), 21 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/87/33887/1
diff --git a/payloads/external/tint/Makefile b/payloads/external/tint/Makefile
index 253bfea..95cbd87 100644
--- a/payloads/external/tint/Makefile
+++ b/payloads/external/tint/Makefile
@@ -1,5 +1,25 @@
-project_url=https://mirror.fsf.org/trisquel/pool/main/t/tint/tint_0.04+nmu1.tar.gz
-archive_name=tint_0.04+nmu1.tar.gz
+#
+# TINT build system - helps to securely download TINT with a checksum verification and build it.
+#
+
+#
+# Properties of the current TINT version
+#
+
+TINT_VERSION=0.04-nmu1
+TINT_EXT_VERSION=0.04+nmu1
+TINT_ARCHIVE_LINK="https://mirror.fsf.org/trisquel/pool/main/t/tint/tint_${TINT_EXT_VERSION}.tar.gz"
+TINT_ARCHIVE="tint_${TINT_VERSION}.tar.gz"
+TINT_DIR="tint-${TINT_VERSION}"
+TINT_CHECKSUM="7fcaa428c6d0de7096d1e4fbfd14848096ae5aad"
+
+#
+# Locations of the input/output scripts
+#
+
+buildgcc="./../../../util/crossgcc/buildgcc"
+corescript="./core.sh"
+tintified="./tint.sh"

unexport KCONFIG_AUTOHEADER
unexport KCONFIG_AUTOCONFIG
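Review bot: `TINT_CHECKSUM` is 40 hex digits, the length of a SHA-1 digest, but nothing beside it names the algorithm or the file it pins, while the header comment promises a secure download. Which hash is actually computed is decided by `compute_hash` imported from buildgcc, which this hunk does not show; if it is SHA-1, a SHA-256 pin would be the stronger choice, provided the imported functions can be made to use it. At minimum add a comment such as `# <algorithm> digest of tint_0.04+nmu1.tar.gz; checked by verify_hash in the generated tint.sh`. Separately, Make keeps the double quotes in these assignments as part of each value, so they only work because the values are pasted into a shell recipe.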
@@ -10,28 +30,39 @@

all: tint

-tint: patch
- echo " MAKE TINT "
- $(MAKE) -C tint
+################################################################################
+#
+# Three stages of TINT build system:
+#
+# 1) generate_core.sh extracts the core part from buildgcc script,
+# most importantly the checksum calculation/verification functions.
+#
+# 2) tintify_core.sh adds the TINT-specific footer/header to the core,
+# such as the properties of current version including its checksum.
+#
+# 3) tint.sh - generated and "tintified" core script - builds a TINT.
+#
+################################################################################

-patch: download
- cd tint; \
- if [ -e debian ]; then \
- rm -rf debian typedefs.h Makefile; \
- touch Makefile; \
- patch -l -p1 < ../libpayload_tint.patch; \
- fi
-
-download:
- test -d tint || { wget $(project_url); \
- tar -xvf $(archive_name); \
- rm $(archive_name); \
- mv tint-0.04+nmu1 tint; }
+tint:
+ if [ ! -f ${tintified} ]; then \
+ chmod +x "./generate_core.sh" ; \
+ "./generate_core.sh" ${buildgcc} ${corescript} "prepare_before_patch" ; \
+ chmod +x "./tintify_core.sh" ; \
+ "./tintify_core.sh" ${corescript} ${tintified} \
+ ${TINT_ARCHIVE_LINK} ${TINT_ARCHIVE} ${TINT_DIR} ${TINT_CHECKSUM} ; \
+ fi ; \
+ chmod +x ${tintified}
+ ${tintified}

clean:
- test -d tint && $(MAKE) -C tint clean || exit 0
+ test -d "./tint/" && $(MAKE) -C "./tint/" clean || exit 0

distclean:
- rm -rf tint
+ rm -rf "./tint/"
+ rm -f ${corescript}
+ rm -f ${tintified}

-.PHONY: download patch tint clean distclean
+.PHONY: tint clean distclean
+
+#
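Review bot: The `if [ ! -f ${tintified} ]` guard in the `tint` recipe means an existing tint.sh is executed as-is, so a later edit to `TINT_CHECKSUM` or `TINT_ARCHIVE_LINK` in this Makefile, or a change in buildgcc, never reaches the script that performs the verification until someone runs `distclean`. Inside the guard the commands are joined with `;`, so a failing generate_core.sh does not stop tintify_core.sh, and the compound command ends with the status of the final `chmod`. Since `tint` is phony and generation is only a few sed passes, it is simpler to regenerate both scripts on every run and let Make stop at the first failing line. Both new scripts are added with mode 100755, so the `chmod +x` calls on them can be dropped. The generated script still skips download and verification whenever ./tint already exists, so a tree unpacked under an older pin is not re-checked.

```make
tint:
	rm -f ${corescript} ${tintified}
	"./generate_core.sh" ${buildgcc} ${corescript} "prepare_before_patch"
	"./tintify_core.sh" ${corescript} ${tintified} \
		${TINT_ARCHIVE_LINK} ${TINT_ARCHIVE} ${TINT_DIR} ${TINT_CHECKSUM}
	${tintified}
```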
diff --git a/payloads/external/tint/generate_core.sh b/payloads/external/tint/generate_core.sh
new file mode 100755
index 0000000..bb0de2d
--- /dev/null
+++ b/payloads/external/tint/generate_core.sh
@@ -0,0 +1,102 @@
+#!/bin/sh
+#
+# generate_core.sh extracts the core part from buildgcc script,
+# most importantly the checksum calculation/verification functions.
+#
+# Copyright (C) 2019 Mike Banon <mikebdp2@gmail.com>
+#
+##############################################################################
+#
+# USAGE:
+# ./generate_core.sh <buildgcc> <corescript> prepare_before_patch
+# where
+# buildgcc - path to input buildgcc script
+# corescript - path to output core part script
+# prepare_before_patch - optional argument to insert prepare_${package}
+# call into the unpack_and_patch function, e.g.
+# for removing some files with rm command
+# in order to reduce the size of patch file
+#
+##############################################################################
+
+buildgcc="$1"
+corescript="$2"
+prepare_before_patch="$3"
+
+#
+# Imports the source file fragment between start and end into the
+# destination file, optionally excluding the last line if not needed
+#
+
+import_from_file() {
+ source="$1"
+ destination="$2"
+ start="$3"
+ end="$4"
+ last_line_disabled="$5"
+ if [ -z "${last_line_disabled}" ] ; then
+ sed -n "/^${start}/,/^${end}/{/^${start}/{p;n};{p}}" "$source" >> "$destination"
+ else
+ sed -n "/^${start}/,/^${end}/{/^${start}/{p;n};/^${end}/{q};{p}}" "$source" >> "$destination"
+ fi
+}
+
+#
+# Import the color defines together with UNAME/HALT_FOR_TOOLS variables
+#
+
+import_from_file "$buildgcc" "$corescript" "red=" "HALT_FOR_TOOLS=0" || exit "$?"
+
+#
+# Import the core functions
+#
+
+FUNCTIONS="please_install searchtool download compute_hash error_hash_mismatch verify_hash unpack_and_patch"
+
+for F in $FUNCTIONS ; do
+ import_from_file "$buildgcc" "$corescript" "$F()" "}" || exit "$?"
+done
+
+#
+# Import a fragment where we find tar/patch/make and other essential tools
+#
+
+import_from_file "$buildgcc" "$corescript" "# Find all the required tools" "# Allow" "last_line_disabled" || exit "$?"
+
+#
+# Import a fragment with conditional exit if some required tools were not found
+#
+
+import_from_file "$buildgcc" "$corescript" "if \[ \"\$HALT_FOR_TOOLS" "fi" || exit "$?"
+
+#
+# Avoid the unnecessary subdirectories holding a single file each
+#
+
+sed -i -e "s/patches\///g" "$corescript"
+sed -i -e "s/sum\///g" "$corescript"
+sed -i -e "s/tarballs\///g" "$corescript"
+sed -i -e "s/cd tarballs || exit 1//g" "$corescript"
+sed -i -e "s/cd \.\.//g" "$corescript"
+
+#
+# Get the known checksum without using a dedicated single-line file
+#
+
+sed -i -e "s/\tknown_hash=\"\$(get_known_hash.*/\tknown_hash=\"\$2\"/g" "$corescript"
+
+#
+# Update the paths printed at the error messages
+#
+
+sed -i -e "s/util\/crossgcc\///g" "$corescript"
+
+#
+# Insert prepare_${package} function call between the unpack and patch operations
+#
+
+if [ ! -z "${prepare_before_patch}" ] ; then
+ sed -i -e "/\$TAR \$FLAGS \"\$(basename \"\$archive\")\"/a prepare_\${package} || exit \"\$?\"" "$corescript"
+fi
+
+#
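Review bot: `import_from_file` reports success even when its start pattern matches nothing, because `sed -n` exits 0 on no match, so the `|| exit "$?"` after each call only catches an unreadable or unwritable file. If buildgcc is reformatted so that `verify_hash()` no longer starts a line, or the `known_hash="$(get_known_hash` line is reworded so the later substitution no longer applies, core.sh is still produced without complaint and the gap surfaces, if at all, only when tint.sh runs. Making the extraction fail closed takes one check inside the loop, `grep -q "^$F()" "$corescript" || { echo "missing $F in $buildgcc" >&2; exit 1; }`, and one after the rewrite, `grep -qF 'known_hash="$2"' "$corescript" || exit 1`. The script also only ever appends to `$corescript`, so starting with `: > "$corescript"` keeps a rerun from duplicating every imported function.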
diff --git a/payloads/external/tint/libpayload_tint.patch b/payloads/external/tint/tint-0.04-nmu1_libpayload.patch
similarity index 100%
rename from payloads/external/tint/libpayload_tint.patch
rename to payloads/external/tint/tint-0.04-nmu1_libpayload.patch
diff --git a/payloads/external/tint/tintify_core.sh b/payloads/external/tint/tintify_core.sh
new file mode 100755
index 0000000..77abc14
--- /dev/null
+++ b/payloads/external/tint/tintify_core.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# tintify_core.sh adds the TINT-specific footer/header to the core,
+# such as the properties of current TINT version including its checksum.
+#
+# Copyright (C) 2019 Mike Banon <mikebdp2@gmail.com>
+#
+################################################################################
+#
+# USAGE:
+# ./tintify_core.sh <corescript> <tintified> \
+# <TINT_ARCHIVE_LINK> <TINT_ARCHIVE> <TINT_DIR> <TINT_CHECKSUM>
+# where
+# corescript - path to input core script
+# tintified - path to output tint script
+#
+################################################################################
+
+corescript="$1"
+tintified="$2"
+
+#
+# TINT-specific header
+#
+
+#
+# Insert the properties of the current TINT version
+#
+
+echo "#!/bin/sh" > "$tintified"
+echo "TINT_ARCHIVE_LINK=${3}" >> "$tintified"
+echo "TINT_ARCHIVE=${4}" >> "$tintified"
+echo "TINT_DIR=${5}" >> "$tintified"
+echo "TINT_CHECKSUM=${6}" >> "$tintified"
+
+#
+# Add the replace_plus_with_minus() function - needed to fix the version number
+#
+
+echo "replace_plus_with_minus() {" >> "$tintified"
+echo "for x in *\"+\"*; do" >> "$tintified"
+echo "y=\$(printf %sa \"\$x\" | tr \"+\" \"-\")" >> "$tintified"
+echo "mv -- \"\$x\" \"\${y%a}\"" >> "$tintified"
+echo "done" >> "$tintified"
+echo "}" >> "$tintified"
+
+#
+# Add the prepare_TINT() function, it will remove the unneeded debian directory
+# as well as typedefs.h and old Makefile to significantly reduce the patch size
+#
+
+echo "prepare_TINT() {" >> "$tintified"
+echo "replace_plus_with_minus" >> "$tintified"
+echo "if [ ! -z ./\${TINT_DIR} ] && [ -e ./\${TINT_DIR}/debian ] ; then" >> "$tintified"
+echo "rm -rf ./\${TINT_DIR}/debian ./\${TINT_DIR}/typedefs.h ./\${TINT_DIR}/Makefile;" >> "$tintified"
+echo "touch ./\${TINT_DIR}/Makefile;" >> "$tintified"
+echo "fi" >> "$tintified"
+echo "}" >> "$tintified"
+
+#
+# Importing the core script
+#
+
+cat "$corescript" >> "$tintified"
+
+#
+# download() function adjustments - became necessary after a version number fix
+#
+
+sed -i -e "/download() {/a package=\$1\narchive_link=\"\$(eval echo \\\\\$\$package\"_ARCHIVE_LINK\")\"" "$tintified"
+sed -i -e "s/downloading from \$archive/&_link/g" "$tintified"
+sed -i -e "s/\(download_showing_percentage \"\$archive\)./\1_link\"\nreplace_plus_with_minus/g" "$tintified"
+
+#
+# TINT-specific footer
+#
+
+echo "if [ ! -d tint ] ; then" >> "$tintified"
+
+echo "printf \"Downloading and verifying TINT tarball ... \\n\"" >> "$tintified"
+echo "download TINT || exit \"\$?\"" >> "$tintified"
+echo "verify_hash TINT \${TINT_CHECKSUM} || exit \"\$?\"" >> "$tintified"
+echo "printf \"Downloaded TINT tarball ... \${green}ok\${NC}\\n\"" >> "$tintified"
+
+echo "printf \"Unpacking and patching TINT... \\n\"" >> "$tintified"
+echo "unpack_and_patch TINT || exit 1" >> "$tintified"
+echo "printf \"Unpacked and patched TINT... \${green}ok\${NC}\\n\"" >> "$tintified"
+
+echo "mv ./\${TINT_DIR} ./tint" >> "$tintified"
+echo "fi" >> "$tintified"
+
+echo "printf \"Building TINT ... \\n\"" >> "$tintified"
+echo "make -C ./tint" >> "$tintified"
+echo "printf \"TINT built ... \${green}ok\${NC}\\n\"" >> "$tintified"
+
+chmod +x "$tintified"
+
+#
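Review bot: The guard `[ ! -z ./\${TINT_DIR} ]` written into `prepare_TINT()` can never be false, because the tested word always begins with `./`. With an empty `TINT_DIR`, and a `debian` entry present in the current directory, the following `rm -rf` would remove `.//debian`, `.//typedefs.h` and `.//Makefile` there. Test the variable itself and quote the paths, i.e. generate `if [ -n "${TINT_DIR}" ] && [ -e "./${TINT_DIR}/debian" ] ; then`. Arguments 3–6 are also written into tint.sh unquoted and without a count check, so a missing argument yields an empty `TINT_CHECKSUM`. What `verify_hash` does with an empty expected hash is decided in buildgcc and is not visible here, so a `[ "$#" -eq 6 ] || exit 1` near the top is a cheap safeguard.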


Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I20d7cd477595aa73f3cab9c78235f4de9813b989
Gerrit-Change-Number: 33887
Gerrit-PatchSet: 1
Gerrit-Owner: Mike Banon <mikebdp2@gmail.com>
Gerrit-MessageType: newchange