dasharo-deploy: add capsule & fum checks

Workaround for https://github.com/Dasharo/dasharo-issues/issues/1759

Signed-off-by: Michał Iwanicki <michal.iwanicki@3mdeb.com>

include/dts-environment.sh

@@ -228,3 +228,11 @@ fi
 # Try to fetch config and fw binaries locally. Used mainly as a workaround for
 # no internet connection when booting via iPXE on MTL iGPU 0.9.0
 FETCH_LOCALLY="false"
+
+# Set by firmware
+# https://github.com/Dasharo/edk2/blob/edbff52d39d1420a22cc4df8b56d8e78dd43fce4/DasharoModulePkg/Library/DasharoVariablesLib/DasharoVariablesLib.c#L573-L579
+FUM_EFIVAR="/sys/firmware/efi/efivars/FirmwareUpdateMode-d15b327e-ff2d-4fc1-abf6-c12bd08c1359"
+# Empty - we haven't checked yet
+# "true" - we are in FUM
+# "false" - we are not in FUM
+export IN_FUM

include/dts-functions.sh

@@ -369,10 +369,10 @@ check_flash_chip() {
   return 0
 }
 
+# compare_versions ver1 ver2
+# return 1 if ver2 > ver1
+# return 0 otherwise
 compare_versions() {
-  # compare_versions ver1 ver2
-  # return 1 if ver2 > ver1
-  # return 0 otherwise
   local ver1="$1"
   local ver2="$2"
 
@@ -383,9 +383,9 @@ compare_versions() {
   fi
 }
 
+# semver_version_compare ver1 ver2
+# print to stdout: 0 if ver1 == ver2, 1 if ver1 > ver2 and -1 if ver1 < ver2
 semver_version_compare() {
-  # semver_version_compare ver1 ver2
-  # echo 0 if ver1 == ver2, 1 if ver1 > ver2 and -1 if ver1 < ver2
   local ver1="$1"
   local ver2="$2"
   local compare=
@@ -1853,3 +1853,46 @@ dump_pcrs() {
     done
   done
 }
+
+# Check if we are in Firmware Update Mode
+check_if_in_fum() {
+  if [ -z "${IN_FUM}" ]; then
+    if $FSREAD_TOOL test -f "${FUM_EFIVAR}"; then
+      IN_FUM="true"
+      return 0
+    fi
+    IN_FUM="false"
+    return 1
+  elif [ "${IN_FUM}" = "true" ]; then
+    return 0
+  elif [ "${IN_FUM}" = "false" ]; then
+    return 1
+  else
+    # Fairly safe default, we don't want to error_exit in function called in
+    # dts-boot. Shouldn't happen unless there is bug in code.
+    print_warning "Couldn't detect if we are in Firmware Update Mode, assuming no."
+    return 1
+  fi
+}
+
+# return 0 if not in FUM or in FUM and firmware supports capsule update,
+# otherwise return 1. Has to be called after board_config().
+check_if_fum_and_capsule_supported() {
+  if check_if_in_fum && {
+    [ -z "${DASHARO_SUPPORT_CAP_WITH_FUM_FROM}" ] ||
+      [ "$(semver_version_compare "${DASHARO_VERSION}" "${DASHARO_SUPPORT_CAP_WITH_FUM_FROM}")" = -1 ]
+  }; then
+    return 1
+  fi
+  return 0
+}
+
+# error_exit with relevant message if using capsules while in FUM mode is not
+# supported. Has to be called after board_config().
+fum_and_capsule_check() {
+  if ! check_if_fum_and_capsule_supported; then
+    error_exit "Current firmware doesn't support capsules while in Firmware Update Mode.
+Please boot DTS normally, either via USB or iPXE.
+You can read more at: https://docs.dasharo.com/guides/firmware-update/#known-issues"
+  fi
+}

scripts/dasharo-deploy.sh

@@ -1306,6 +1306,9 @@ update_workflow() {
   fi
 
   check_if_cpu_compatible
+  if [ "$FIRMWARE_VERSION" == "community_cap" ] || [ "$FIRMWARE_VERSION" == "dpp_cap" ]; then
+    fum_and_capsule_check
+  fi
 
   if [ "$HAVE_EC" == "true" ]; then
     download_ec
@@ -1655,6 +1658,7 @@ fuse_workflow() {
   if [ -z "$INTEL_BTG_HASH" ]; then
     error_exit "Platform config is missing hash of the key used to sign firmware"
   fi
+  fum_and_capsule_check
 
   BIOS_LINK="${EOM_LINK_COMM_CAP}"
   BIOS_HASH_LINK="${EOM_HASH_LINK_COMM_CAP}"

scripts/dts-boot.sh

@@ -5,7 +5,6 @@
 # SPDX-License-Identifier: Apache-2.0
 
 SBIN_DIR="/usr/sbin"
-FUM_EFIVAR="/sys/firmware/efi/efivars/FirmwareUpdateMode-d15b327e-ff2d-4fc1-abf6-c12bd08c1359"
 
 # shellcheck source=../dts-profile.sh
 source "/etc/profile.d/dts-profile.sh"
@@ -44,7 +43,9 @@ source $DTS_HAL
 
 mkdir -p "$TEMP_DIR"
 
-if $FSREAD_TOOL test -f "${FUM_EFIVAR}"; then
+# clear in case of nested dts-boot situation
+export IN_FUM=
+if check_if_in_fum; then
   choice="$(
     ask_for_choice "You have entered Firmware Update Mode." \
       "1" "If you wish to continue with unattended firmware update process" \