Add simple patch system as a standalone service (#5935)

Sometimes we need to fix minor issues like changing the key or fixing other small problem on live OS. We can ship this as a part of BSP package, but its handling should be made easy. This downloads script from CDN, verify its signature and executes after apt upgrade starts installing packages. * Record patch output to syslog * Enable armbian-live-patch as additional service and run patch mechanism at startup * Additional security check
2026-01-06 09:58:46 -08:00 · 2023-11-27 13:01:20 +01:00
parent be3a656ec0
commit e95fbdcfad
5 changed files with 85 additions and 0 deletions
--- a/lib/functions/bsp/armbian-bsp-cli-deb.sh
+++ b/lib/functions/bsp/armbian-bsp-cli-deb.sh
@@ -398,6 +398,7 @@ function board_side_bsp_cli_postrm() { # not run here
 	if [[ remove == "$1" ]] || [[ abort-install == "$1" ]]; then
 		systemctl disable armbian-hardware-monitor.service armbian-hardware-optimize.service > /dev/null 2>&1
 		systemctl disable armbian-zram-config.service armbian-ramlog.service > /dev/null 2>&1
+		systemctl disable armbian-live-patch.service > /dev/null 2>&1
 	fi
 }

--- a/lib/functions/rootfs/distro-agnostic.sh
+++ b/lib/functions/rootfs/distro-agnostic.sh
@@ -398,6 +398,7 @@ function install_distribution_agnostic() {
 	[[ -f "${SDCARD}"/lib/systemd/system/armbian-resize-filesystem.service ]] && chroot_sdcard systemctl --no-reload enable armbian-resize-filesystem.service
 	[[ -f "${SDCARD}"/lib/systemd/system/armbian-hardware-monitor.service ]] && chroot_sdcard systemctl --no-reload enable armbian-hardware-monitor.service
 	[[ -f "${SDCARD}"/lib/systemd/system/armbian-led-state.service ]] && chroot_sdcard systemctl --no-reload enable armbian-led-state.service
+	[[ -f "${SDCARD}"/lib/systemd/system/armbian-live-patch.service ]] && chroot_sdcard systemctl --no-reload enable armbian-live-patch.service

 	# copy "first run automated config, optional user configured"
 	run_host_command_logged cp -v "${SRC}"/packages/bsp/armbian_first_run.txt.template "${SDCARD}"/boot/armbian_first_run.txt.template
--- a/packages/bsp/common/etc/apt/apt.conf.d/02-armbian-preupdate
+++ b/packages/bsp/common/etc/apt/apt.conf.d/02-armbian-preupdate
@@ -0,0 +1 @@
+DPkg::Pre-Install-Pkgs {"/usr/lib/armbian/armbian-live-patch apt";};
--- a/packages/bsp/common/lib/systemd/system/armbian-live-patch.service
+++ b/packages/bsp/common/lib/systemd/system/armbian-live-patch.service
@@ -0,0 +1,24 @@
+# Armbian simple patch system service
+# Sometimes we need to fix minor issues like changing the key or fixing other small problem on live OS. 
+# This downloads patch script from CDN, verify its signature and executes it at various stages
+#
+# Currently execute by: booting the system up, at apt upgrade stage, right before installing packages
+#
+# GH Action script for automatic signing and upload:
+# https://github.com/armbian/os/tree/main/live-patch
+
+[Unit]
+Description=Armbian simple patch
+Wants=time-sync.target
+Before=time-sync.target
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/lib/armbian/armbian-live-patch startup
+ExecStop=/usr/lib/armbian/armbian-live-patch stop
+RemainAfterExit=no
+TimeoutStartSec=2m
+
+[Install]
+WantedBy=multi-user.target
--- a/packages/bsp/common/usr/lib/armbian/armbian-live-patch
+++ b/packages/bsp/common/usr/lib/armbian/armbian-live-patch
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+
+SERVER_PATH="https://dl.armbian.com/_patch"
+
+# exit if dependencies are not met
+if ! command -v "wget" &> /dev/null; then
+        echo "Warning: patch system is not working as dependencies are not met (wget)"| logger -t "armbian-live-patch"
+        exit 0
+fi
+
+if ! command -v gpg &> /dev/null; then
+        echo "Warning: patch system is not working as dependencies are not met (gpg)"| logger -t "armbian-live-patch"
+        exit 0
+fi
+
+case $1 in
+	apt)
+                PATCH="${SERVER_PATH}/01-pre-apt-upgrade.sh"
+                PATCH_SIG="${SERVER_PATH}/01-pre-apt-upgrade.sh.asc"
+        ;;
+        startup)
+                PATCH="${SERVER_PATH}/02-startup.sh"
+                PATCH_SIG="${SERVER_PATH}/02-startup.sh.asc"
+        ;;
+	stop)
+		exit 0
+	;;
+        *)
+                echo "Warning: patch was not selected (apt|startup)"| logger -t "armbian-live-patch"
+                exit 0
+        ;;
+esac
+
+echo "Armbian live patch $1"
+
+TMP_DIR=$(mktemp -d -t test-XXXX)
+timeout 10 wget -q --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 3 ${PATCH} -P ${TMP_DIR}
+timeout 10 wget -q --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 3 ${PATCH_SIG} -P ${TMP_DIR}
+
+# Check if installed key is ours
+gpg --keyring /usr/share/keyrings/armbian.gpg --list-keys | grep DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
+if [[ $? != 0 ]]; then
+	echo "Warning: signing key invalid or expired"| logger -t "armbian-live-patch"
+fi
+
+# Check if file is signed with Armbian key
+gpg --keyring /usr/share/keyrings/armbian.gpg --verify ${TMP_DIR}/${PATCH_SIG##*/} ${TMP_DIR}/${PATCH##*/} > ${TMP_DIR}/live-patch.log 2>/dev/null
+
+if [[ $? == 0 ]]; then
+        echo "Patch file is signed with Armbian GPG key"
+        echo "Running Armbian Live Patch"
+        bash ${TMP_DIR}/${PATCH##*/} | logger -t "armbian-live-patch"
+        rm -rf ${TMP_DIR}/${PATCH##*/}
+else
+        echo "Warning: we could not download patch files. Run manually: sudo bash $0 $1"| logger -t "armbian-live-patch"
+fi
+exit 0
				`@@ -0,0 +1 @@`
				`DPkg::Pre-Install-Pkgs {"/usr/lib/armbian/armbian-live-patch apt";};`